Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Role to a port for wired users?

Can a role be applied to a port for unauthenticated wired traffic? In my lab, I created VLAN 100 on the controller (7010) and put it on port 14 (access, not trunk). For testing purposes I am using the controller for DHCP. I connect my test laptop up and draw the right address and I get out to the universe. I get to the universe on VLAN 10. Here is the quick breakdown:

VLAN 10 - 192.168.30.X (port 2) inter VLAN routing enabled, not NATing

VLAN 100 - 172.16.100.X (port 14) inter VLAN routing enabled, not NATing

Controller IP - 192.168.30.225 (VLAN 10)

wired laptop IP - 172.16.100.2

 

So I created a role called VLAN-100-LAN and applied it to VLAN 100. I then created a session-based ACL rule to deny access to 192.168.30.218, which is a printer.

Problem - I can still get to the printer... Any ideas?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 8,792
Registered: ‎09-08-2010
Re: Role to a port for wired users?
You need to create an AAA profile, apply it to the interface or VLAN and then make the interface or VLAN untrusted.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?

AAA profile - check

Trying to make port changes but keep getting an error every time I try to apply it

error - Invalid value for xSec key. Length should be 16 bytes

What's that about?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?

Did some quick digging and - 

I do not have xsec enabled on the port or VLAN

I do not even have the license for xsec on this controller

Now I am really confused LOL

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?

Interesting - changed the port to trunk instead of access and error went away, was then able to make settings changes and set it back to access.

 

weird...

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?
[ Edited ]

And back to the subject at hand...

 

When I make either the port untrusted or the VLAN untrusted I can no longer get out on the hard wired laptop. Whenever I try to go to any web site I get taken to an Aruba page saying that web authentication has been disabled, please see your network administrator. I don't recall enabling any sort of web authentication at all.

 

What do ya say there Cappi?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 8,792
Registered: ‎09-08-2010
Re: Role to a port for wired users?
If you're not using authentication, set the initial role in the AAA profile to the role you want.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?

VLAN-100-No-Auth AAA profile has initial role of VLAN-100-LAN

VLAN-100-LAN role is applied to VLAN 100 (I know, shocker right)

VLAN 100 is applied to port 14 and VLAN is UNtrusted (also tried UNtrusting the port too, same results)

 

Still getting "Web authentication is disabled, please contact... blah blah blah"

 

I feel like I am missing a setting somewhere...

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?
[ Edited ]

ha-HA! I figured it out!

 

It's my ACLs on my role. I just need to refine them!

 

Thanks for the help as always Cappi - MUCH appreciated!

 

I spoke too soon.... grrr. Was testing with a cached website and didn't realize it...

So still same problem

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II
Posts: 251
Registered: ‎09-14-2011
Re: Role to a port for wired users?

Any other thoughts by chance Cappi? (or anyone LOL)

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC