Remote Networking

Occasional Contributor II
Posts: 15
Registered: 05-05-2011

PPTP-VPN with dynamic firewall rules

Hi airheads!

This forum helped me a few times since we acquired an Aruba 6000c controller + APs last month. I am now up and running and would like to make something a little bit more complicated with the VPN connection.

Our actual setup (without Aruba) for our VPN connection is as follows:
- Windows server 2008R2 with NPS to receive the VPN connections and authenticate the users on our Active Directory
- Custom service running on another server is watching all accounting entries in the SQL Server database to spot users logging on or off.
- Same service then sends an xml file with the pertinent info on the user in order to create Dynamic rules in our Firewall (appending the file in our Iptables firewall).

The basic principle is that our employees only have access to their own PC (remote desktop) once they are connected to our VPN.

I would like to recreate this using the Aruba setup and bypassing our custom service and firewall. Upon authenticating the user against AD I was told it is possible to read custom attributes and then take action with the values.

Scenario:

- user test logs onto the Aruba VPN.
- the AD user has attribute "PC" with the value testpc.uqtr.ca (dns name)
- Aruba would then create a dynamic rule giving access to the VPN IP this user was given to that PC's address for the Remote Desktop port (3389 TCP).
- upon user disconnect those rules have to be erased

Is this doable or a bit too intense?

thanks for your input!
Aruba Employee
Posts: 5
Registered: 04-11-2007

PPTP-VPN with dynamic firewall rules

I will be on PTO until 7th June and will have limited email access. If there is anything urgent, please contact Kazi Rahman.
Guru Elite
Posts: 20,985
Registered: 03-29-2007

Re: PPTP-VPN with dynamic firewall rules


Yes you can do this. There is a default role for incoming VPN connections, and that is satisfactory for most users. If you want to derive a different role for incoming VPN connections based on an attribute in Active Directory, you would have to add the PEF-VPN license. That will allow you to write rules in the server group for VPN to change roles based on what is returned from your Active Directory (or radius) server.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 15
Registered: 05-05-2011

Re: PPTP-VPN with dynamic firewall rules

oh I see... I will talk to my Aruba rep to get the licence bit settled and then we'll see how to configure that!

thank you for the quick answer.
Occasional Contributor II
Posts: 15
Registered: 05-05-2011

Re: PPTP-VPN with dynamic firewall rules

Also while on the VPN subject... I would like it to work with our actual setup, but there's an accounting problem. With the Aruba VPN I only receive 2 xml messages for the "login" aspect of the VPN connection but never receive the "logout" messages upon termination.

Is it possible to configure the controller to send out those accounting messages to my Radius server?
Guru Elite
Posts: 20,985
Registered: 03-29-2007

Re: PPTP-VPN with dynamic firewall rules

When you say XML messages, do you mean from the XML API? How are these messages received and in what format?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 15
Registered: 05-05-2011

Re: PPTP-VPN with dynamic firewall rules

Well I may have jumped the gun a bit in my explanations...

The windows Radius server inserts the accounting messages it receives in a database using the XML format for the data. I don't know for sure if Radius receives the messages in XML format or if it converts them that way.

But either way the accounting provided by the Aruba controller is, as of my setup, incomplete.
Guru Elite
Posts: 20,985
Registered: 03-29-2007

Re: PPTP-VPN with dynamic firewall rules

So you have a radius accounting profile configured and it is sending that information to a radius accounting server for collection. Is that correct?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 15
Registered: 05-05-2011

Re: PPTP-VPN with dynamic firewall rules

Yes I have my Radius server set up and my VPN Authentication profile (default) references the server group that contains my Radius server. And it is on that server that I can view the XML files received for the accounting.

I also put the user logging in debugging this morning to see what went on with a connect/disconnect of the VPN and here's how it looks (Disconnect in Bold):

May 31 07:35:24 :522038: |authmgr| username=beaudet MAC=00:00:00:00:00:00 IP=132.209.2.27 Authentication result=Authentication Successful method=VPN server=Krusty

May 31 07:35:24 :522006: |authmgr| MAC=00:00:00:00:00:00 IP=132.209.2.27 User entry added: reason=Auth Request

May 31 07:35:24 :522006: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 User entry added: reason=VPN

May 31 07:35:24 :522012: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 IP UP: outerIP=132.209.2.27 tunnels=1

May 31 07:35:24 :522008: |authmgr| User Authentication Successful: username=beaudet MAC=00:00:00:00:00:00 IP=172.16.28.192 role=default-vpn-role VLAN=1 AP=N/A SSID=N/A AAA profile= auth method=VPN auth server=N/A

May 31 07:35:24 :522026: |authmgr| MAC=00:01:81:0e:32:15 IP=132.209.2.27 User miss: ingress=0x109b, VLAN=1050

May 31 07:35:36 :522013: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 IP DN: outerIP=132.209.2.27 tunnels=1

May 31 07:35:36 :522005: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 User entry deleted: reason=user request
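As an added example (not code from the post, from Aruba, or from the poster's custom service), the following Python pass walks the authmgr lines quoted above, pairs the VPN "User Authentication Successful" message with the matching "User entry deleted" message by inner VPN IP, derives the per-user Remote Desktop rule the first post describes, and reports any session that never saw a delete (the missing-logout case being discussed). The AD "PC" attribute lookup is a constructed stand-in for the real directory query.

```python
import re

# Constructed copy of the authmgr lines quoted in the post above (one VPN session).
LOG = """\
May 31 07:35:24 :522038: |authmgr| username=beaudet MAC=00:00:00:00:00:00 IP=132.209.2.27 Authentication result=Authentication Successful method=VPN server=Krusty
May 31 07:35:24 :522006: |authmgr| MAC=00:00:00:00:00:00 IP=132.209.2.27 User entry added: reason=Auth Request
May 31 07:35:24 :522006: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 User entry added: reason=VPN
May 31 07:35:24 :522012: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 IP UP: outerIP=132.209.2.27 tunnels=1
May 31 07:35:24 :522008: |authmgr| User Authentication Successful: username=beaudet MAC=00:00:00:00:00:00 IP=172.16.28.192 role=default-vpn-role VLAN=1 AP=N/A SSID=N/A AAA profile= auth method=VPN auth server=N/A
May 31 07:35:36 :522013: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 IP DN: outerIP=132.209.2.27 tunnels=1
May 31 07:35:36 :522005: |authmgr| MAC=00:00:00:00:00:00 IP=172.16.28.192 User entry deleted: reason=user request
"""

# Hypothetical stand-in for the AD "PC" attribute described in the first post.
PC_ATTRIBUTE = {"beaudet": "testpc.uqtr.ca"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) :(?P<code>\d+): \|authmgr\| (?P<msg>.*)$")
IP_RE = re.compile(r"\bIP=(?P<ip>\d+\.\d+\.\d+\.\d+)")   # \b keeps outerIP= from matching
USER_RE = re.compile(r"username=(?P<user>\S+)")

def rule_for(user, vpn_ip):
    """Rule the poster wants per session: VPN address -> that user's PC, TCP 3389 only."""
    pc = PC_ATTRIBUTE.get(user)
    return None if pc is None else f"permit tcp {vpn_ip} -> {pc} port 3389"

def track_sessions(log_text):
    """Return (events, open_sessions). events is a list of
    (action, user, inner_ip, rule); 522008 with method=VPN opens a session on the
    inner IP, 522005 on that IP closes it. Anything left in open_sessions is a
    login whose logout was never logged, i.e. a rule that would never be removed."""
    open_sessions = {}   # inner VPN IP -> username
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        code, msg = m.group("code"), m.group("msg")
        ip_m = IP_RE.search(msg)
        ip = ip_m.group("ip") if ip_m else None
        if code == "522008" and "method=VPN" in msg and ip:
            user = USER_RE.search(msg).group("user")
            open_sessions[ip] = user
            events.append(("add", user, ip, rule_for(user, ip)))
        elif code == "522005" and ip in open_sessions:
            user = open_sessions.pop(ip)
            events.append(("delete", user, ip, rule_for(user, ip)))
    return events, open_sessions
```

Feeding the same lines without the final "User entry deleted" message leaves the session in open_sessions, which is exactly the condition an accounting consumer should alarm on.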
Guru Elite
Posts: 20,985
Registered: 03-29-2007

Re: PPTP-VPN with dynamic firewall rules

Please open a support case to see why that message is missing. I am not sure this is done often.


Colin Joseph
Aruba Customer Engineering
