to configure validuseracl - you need to follow these steps, but it presumes you have a pefng license.
** note / disclaimer **
I have tried to follow your subnets, but you must double-check the below before just cut/pasting it into the controller CLI. Further, I strongly recommend you make a 'backup flash' just before doing this, in case you hit any issues and want to back out the changes (restore flash). You can also back up the flash from the controller web UI: go to Maintenance -> Backup Flash -> Create Backup.
step 1> create a network destination called VALID_SUBNETS, add to it all your DHCP scopes for all VAPs. Note that in the future if you create a new subnet, you will need to add it to this list or the user will *not* appear in the controller, despite being able to associate.
configure t
netdestination VALID_SUBNETS
network 10.20.4.0 255.255.252.0
network 10.114.138.0 255.255.255.0
network 10.170.138.0 255.255.255.0
network 10.1.1.0 255.255.252.0
!
step 2> create a network destination called PROTECTED_HOSTS, add to it all your important host IPs that reside within user subnets (i.e. default gateways, AD servers, radius servers, external captive portals etc.)
I have scraped the below from your config, please double check each one. These IPs can never become users in the controller (which is a good thing).
configure t
netdestination PROTECTED_HOSTS
host 10.20.4.1
host 10.114.138.5
host 10.170.138.1
host 10.1.1.61
host 10.1.1.10
host 10.1.1.5
host 10.1.1.3
!
step 3> we are going to create two new rules in the valid user ACL, and delete one rule:
i) add a rule "deny anything that is using a source IP within PROTECTED_HOSTS"
ii) add a rule "allow anything with a source IP within VALID_SUBNETS"
iii) delete the rule "allow anything from anywhere" (rule 6 below)
the existing ACL looks like this (tidied slightly to fit in this screen)
# show ip access-list session validuser
validuser
---------
Priority Source Destination Service Application Action
-------- ------ ----------- ------- ----------- ------ ---------
1 127.0.0.0 255.0.0.0 any any deny
2 169.254.0.0 255.255.0.0 any any deny
3 224.0.0.0 240.0.0.0 any any deny
4 255.255.255.255 any any deny
5 240.0.0.0 240.0.0.0 any any deny
6 any any any permit
so we need to insert our two new rules at positions 6 and 7, and then delete the existing rule at position 6.
configure t
ip access-list session validuser
alias PROTECTED_HOSTS any any deny position 6
alias VALID_SUBNETS any any permit position 7
no any any any permit
!
which we check afterwards with "show ip access-list validuser"; you should now see this (again tidied to fit, and ipv6 stuff removed)
(sg-7030) #show ip access-list validuser
ip access-list session validuser
validuser
---------
Priority Source Destination Service Application Action
-------- ----------- ----------- ------- ----------- ------ ---------
1 127.0.0.0 255.0.0.0 any any deny
2 169.254.0.0 255.255.0.0 any any deny
3 224.0.0.0 240.0.0.0 any any deny
4 255.255.255.255 any any deny
5 240.0.0.0 240.0.0.0 any any deny
6 PROTECTED_HOSTS any any deny
7 VALID_SUBNETS any any permit
<ipv6 stuff below here>
at this point, you should be good to go - you should find that the junk IPs are no longer appearing in the usertable and Airwave. You can check it's working using "show acl hits", in this below example you can see a couple of allows and a reject, this is from a windows 8 client that is dual stack but also leaking the VPN IP into the controller, usually it has 3 IPs
> before validuseracl
(sg-7030) #show user
fe80::a4ae:a862:2451:2211 5c:c5:d4:00:00:01 authenticated
10.11.12.13 5c:c5:d4:00:00:01 authenticated
192.168.1.3 5c:c5:d4:00:00:01 authenticated
(sg-7030) #
> added validuser acl to allow 192.168.1.0/24, disconnect -> reconnect client
(sg-7030) #show acl hit
User Role ACL Hits
------------------
<snip>
Port Based Session ACL
----------------------
Policy Src Dst Service/Application Action New Hits Total Hits
------ --- --- ------------------- ------ ----------- ---------- ----- ---------
validuser VALID_SUBNETS any any permit 0 1
validuser fe80::/64 any any-v6 permit 1 1
validuser any any 0 deny 2 2
> can see two hits on deny, and an allow in VALID_SUBNET - now the usertable shows:
(sg-7030) #show user
fe80::a4ae:a862:2451:2211 5c:c5:d4:00:00:01 authenticated
192.168.1.3 5c:c5:d4:00:00:01 authenticated
(sg-7030) #
and if all is well, "write memory" at the end.
regards
-jeff
* edited a few times for clarity/typos etc. *
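An added example, not part of jeff's post and not ArubaOS code: an offline model of the validuser session ACL as configured in steps 1 to 3, so the two netdestination lists and the rule order can be sanity-checked before pasting anything into a controller. It assumes first-match evaluation in priority order, treats a source that matches no rule as "no-match" (the post's "user will not appear in the controller" case), ignores the IPv6 rules the post trims out, and uses the post's own subnets and hosts as its sample data. The helper functions `evaluate`, `protected_hosts_outside_valid_subnets` and `uncovered_scopes` are this example's names, not controller commands.

```python
"""Offline model of the validuser session ACL described in the post (added example).

Assumptions: first matching rule wins; a source matching no rule is reported as
'no-match'; the IPv6 rules the post omits are ignored; the netdestination lists
below are the post's and must be replaced with your own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# netdestination lists taken from steps 1 and 2 of the post (check them against your config)
NETDESTINATIONS: Dict[str, List[str]] = {
    "VALID_SUBNETS": [
        "10.20.4.0/255.255.252.0",
        "10.114.138.0/255.255.255.0",
        "10.170.138.0/255.255.255.0",
        "10.1.1.0/255.255.252.0",
    ],
    "PROTECTED_HOSTS": [
        "10.20.4.1", "10.114.138.5", "10.170.138.1",
        "10.1.1.61", "10.1.1.10", "10.1.1.5", "10.1.1.3",
    ],
}


@dataclass(frozen=True)
class Rule:
    priority: int
    source: str   # "any", a netdestination alias, or "network/netmask"
    action: str   # "permit" or "deny"


# the ACL as it looks after step 3: bogon denies, PROTECTED_HOSTS deny, VALID_SUBNETS permit
VALIDUSER_ACL: List[Rule] = [
    Rule(1, "127.0.0.0/255.0.0.0", "deny"),
    Rule(2, "169.254.0.0/255.255.0.0", "deny"),
    Rule(3, "224.0.0.0/240.0.0.0", "deny"),
    Rule(4, "255.255.255.255", "deny"),
    Rule(5, "240.0.0.0/240.0.0.0", "deny"),
    Rule(6, "PROTECTED_HOSTS", "deny"),
    Rule(7, "VALID_SUBNETS", "permit"),
]


def to_networks(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn 'network/netmask' or bare host strings into IPv4Network objects."""
    return [ipaddress.IPv4Network(e, strict=False) for e in entries]


def source_matches(rule: Rule, ip: ipaddress.IPv4Address,
                   netdests: Dict[str, List[str]]) -> bool:
    """Does this rule's source field cover the given IP?"""
    if rule.source == "any":
        return True
    if rule.source in netdests:  # alias: expand the netdestination list
        return any(ip in n for n in to_networks(netdests[rule.source]))
    return ip in ipaddress.IPv4Network(rule.source, strict=False)


def evaluate(src: str, acl: List[Rule] = VALIDUSER_ACL,
             netdests: Dict[str, List[str]] = NETDESTINATIONS) -> Tuple[str, Optional[int]]:
    """First-match walk in priority order; returns (action, priority) or ('no-match', None)."""
    ip = ipaddress.IPv4Address(src)
    for rule in sorted(acl, key=lambda r: r.priority):
        if source_matches(rule, ip, netdests):
            return rule.action, rule.priority
    return "no-match", None


def protected_hosts_outside_valid_subnets(netdests: Dict[str, List[str]] = NETDESTINATIONS) -> List[str]:
    """Step 2 says protected hosts live inside user subnets; an entry listed here
    is usually a typo in one of the two lists."""
    valid = to_networks(netdests["VALID_SUBNETS"])
    return [h for h in netdests["PROTECTED_HOSTS"]
            if not any(ipaddress.IPv4Address(h) in n for n in valid)]


def uncovered_scopes(dhcp_scopes: List[str],
                     netdests: Dict[str, List[str]] = NETDESTINATIONS) -> List[str]:
    """The post's caveat: a DHCP scope missing from VALID_SUBNETS means its clients
    never appear in the user table. Report scopes not contained in a valid subnet."""
    valid = to_networks(netdests["VALID_SUBNETS"])
    return [s for s in dhcp_scopes
            if not any(ipaddress.IPv4Network(s, strict=False).subnet_of(n) for n in valid)]


if __name__ == "__main__":
    # constructed sample sources: a normal client, a default gateway, the post's leaked VPN IP
    for src in ["10.20.4.50", "10.20.4.1", "10.11.12.13", "192.168.1.3", "169.254.7.7"]:
        print(f"{src:16} -> {evaluate(src)}")
    print("protected hosts outside any valid subnet:", protected_hosts_outside_valid_subnets())
    print("scopes missing from VALID_SUBNETS:", uncovered_scopes(["10.20.4.0/22", "192.168.1.0/24"]))
```

The ordering check is the point: 10.20.4.1 sits inside VALID_SUBNETS, and it is only the PROTECTED_HOSTS deny at position 6 that keeps the gateway from ever becoming a user entry. Running `uncovered_scopes` with your current DHCP scope list is a quick way to catch the "new subnet not added yet" case before clients stop showing up in the user table.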