Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Accessing Guest Access Account on mobile device without ID Password

  • 1.  Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 02:12 AM

    I have a problem with the Aruba Guest Account: when someone connects to a Guest Access network from a mobile device, he can use many chat apps like WhatsApp without entering the guest user ID on the captive portal. As the Guest Access network is an open SSID, how can we protect against this type of usage?



  • 2.  RE: Accessing Guest Access Account on mobile device without ID Password

    EMPLOYEE
    Posted Apr 14, 2015 02:26 AM
    What traffic are you allowing in your captive portal logon role?

    Are you sure the traffic is going over the WiFi interface? Many newer mobile operating systems are smart about captive portals and will route traffic out the cellular interface until captive portal login has been completed.


    Thanks,
    Tim


  • 3.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 02:28 AM

    What's the initial role that the guest gets put into before they've authenticated?

     

    On the CLI can you do, show rights <initial guest role> and show us the result?

     

    Cheers

    James



  • 4.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 02:51 AM

    Sorry to say my enable password is not working on CLI. How can I see via GUI?



  • 5.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 03:05 AM

    (HO_MC) #show rights guest-logon

    Derived Role = 'guest-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 112
    Periodic reauthentication: Disabled
    ACL Number = 6/0
    Max Sessions = 65535

    Captive Portal profile = GCC_Guest

    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 IC4500
    2 captiveportal
    3 GCC_LAN
    4 logon-control
    5 vpnlogon
    6 http-acl
    7 validuser

    IC4500
    ------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user IC4500 any permit Low 4
    captiveportal
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4
    GCC_LAN
    -------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any svc-icmp deny Low 4
    2 any any svc-http permit Low 4
    3 any any svc-https permit Low 4
    logon-control
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    vpnlogon
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any svc-ike permit Low 4
    2 user any svc-esp permit Low 4
    3 any any svc-l2tp permit Low 4
    4 any any svc-pptp permit Low 4
    5 any any svc-gre permit Low 4
    http-acl
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any svc-http permit Low 4
    validuser
    ---------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 4
    2 169.254.0.0 255.255.0.0 any any deny Low 4
    3 any any any permit Low 6

    Expired Policies (due to time constraints) = 0



  • 6.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 05:12 AM

    1 user IC4500 any permit Low 4

     

    What is IC4500? Would allowing all traffic to this destination from a user allow apps to access?

     

    Might well just be the case, as Tim mentioned, that they're using their cellular network rather than wireless.

     

    Cheers

    James



  • 7.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 05:29 AM

    IC4500 is the Infranet Controller for Network Access Control. It is only allowing traffic from the authorized users of our network.

     

    And for the other point: even if you switch off mobile data you can have internet access on some of the apps. On the mobile phone, when I connect to the Guest network without entering the guest login ID, an option appears saying that this Guest network is not connected to the internet and asking whether I would like to use it without internet. When I accept, I can see that some of the apps have internet access.



  • 8.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 05:51 AM

    Ok. Turn off mobile data on the device. Connect to the guest network and don't login.

     

    Find out the IP address on the mobile device.

     

    On the controller CLI run the following command quickly after accessing the internet using the apps that have access.

     

    #show datapath session table | include <mobile device IP>

     

    This will show us the traffic that the controllers see coming from and going to your device.

     

    Out of interest, what do you think still has access?

     

    Also the GCC_LAN and http policies seem a little redundant. Is there a reason for them being there?

     

    Cheers

    James



  • 9.  RE: Accessing Guest Access Account on mobile device without ID Password

    Posted Apr 14, 2015 06:00 AM

    Please have a look on the output of the command.

     

     

    (HO_MC) #show datapath session table | include 10.1.112.16
    10.1.112.16 31.13.93.3 6 57666 443 0/0 0 96 0 tunnel 25 2 FNCI
    10.1.112.16 31.13.93.3 6 57669 443 0/0 0 96 0 tunnel 25 2 FNCI
    10.1.112.16 31.13.93.3 6 57668 443 0/0 0 96 0 tunnel 25 2 FNCI
    10.1.112.16 31.13.93.3 6 57670 443 0/0 0 96 0 tunnel 25 1 FNCI
    10.1.112.16 31.13.93.5 6 57665 443 0/0 0 96 0 tunnel 25 2 FNCI
    10.1.112.16 31.13.93.5 6 57667 443 0/0 0 96 0 tunnel 25 2 FNCI
    10.1.112.16 31.13.93.3 6 57643 443 0/0 0 96 1 tunnel 25 f FNCI
    10.1.112.16 31.13.93.3 6 57642 443 0/0 0 96 1 tunnel 25 f FNCI
    10.1.112.16 31.13.93.3 6 57645 443 0/0 0 96 1 tunnel 25 e FNCI
    10.1.112.16 31.13.93.3 6 57644 443 0/0 0 96 1 tunnel 25 f FNCI
    10.1.112.16 31.13.93.3 6 57634 443 0/0 0 96 1 tunnel 25 16 FNCI
    10.1.112.16 31.13.93.3 6 57657 443 0/0 0 96 0 tunnel 25 7 FNCI
    10.1.112.16 31.13.93.5 6 57632 443 0/0 0 96 1 tunnel 25 18 FNCI
    10.1.112.16 31.13.93.3 6 57656 443 0/0 0 96 1 tunnel 25 9 FNCI
    10.1.112.16 31.13.93.3 6 57659 443 0/0 0 96 0 tunnel 25 6 FNCI
    10.1.112.16 31.13.93.3 6 57658 443 0/0 0 96 0 tunnel 25 7 FNCI
    10.1.112.16 31.13.93.3 6 57661 443 0/0 0 96 0 tunnel 25 6 FNCI
    10.1.112.16 31.13.93.3 6 57660 443 0/0 0 96 0 tunnel 25 6 FNCI
    10.1.112.16 31.13.93.3 6 57663 443 0/0 0 96 0 tunnel 25 3 FNCI
    10.1.112.16 31.13.93.3 6 57662 443 0/0 0 96 0 tunnel 25 6 FNCI
    10.1.112.16 31.13.93.3 6 57648 443 0/0 0 96 1 tunnel 25 b FNCI
    10.1.112.16 31.13.93.3 6 57651 443 0/0 0 96 1 tunnel 25 a FNCI
    10.1.112.16 31.13.93.3 6 57650 443 0/0 0 96 1 tunnel 25 a FNCI
    10.1.112.16 31.13.93.3 6 57652 443 0/0 0 96 1 tunnel 25 9 FNCI
    10.1.112.16 31.13.93.3 6 57655 443 0/0 0 96 1 tunnel 25 9 FNCI
    10.1.112.16 31.13.93.3 6 57654 443 0/0 0 96 1 tunnel 25 9 FNCI
    10.1.112.16 54.225.249.236 6 57604 4244 0/0 0 96 1 tunnel 25 42 C
    10.1.112.16 54.231.18.248 6 57639 443 0/0 0 96 1 tunnel 25 13 NCI
    10.1.112.16 10.1.2.201 17 54154 53 0/0 0 224 1 tunnel 25 14 FCI
    10.1.112.16 10.1.2.201 17 59521 53 0/0 0 224 1 tunnel 25 13 FCI
    10.1.112.16 10.0.2.201 17 59521 53 0/0 0 224 1 tunnel 25 11 FCI
    10.0.2.201 10.1.112.16 17 53 58062 0/0 0 224 0 tunnel 25 3 FI
    10.1.112.16 10.0.2.201 17 58062 53 0/0 0 224 1 tunnel 25 3 FCI
    10.1.112.16 31.13.93.3 17 52346 33000 0/0 0 96 1 tunnel 25 4 FC
    108.168.176.243 10.1.112.16 6 5222 57570 0/0 0 96 7 tunnel 25 6c
    10.0.2.201 10.1.112.16 17 53 59521 0/0 0 224 1 tunnel 25 11 FI
    10.1.2.201 10.1.112.16 17 53 59521 0/0 0 224 1 tunnel 25 13 FI
    10.1.2.201 10.1.112.16 17 53 54154 0/0 0 224 1 tunnel 25 14 FI
    10.1.112.16 178.250.2.115 6 57633 443 0/0 0 96 1 tunnel 25 18 FNCI
    10.1.112.16 108.168.176.243 6 57570 5222 0/0 0 96 6 tunnel 25 6c C
    31.13.93.3 10.1.112.16 17 33000 52346 0/0 0 96 0 tunnel 25 4 FY
    10.1.112.16 173.252.88.128 6 57638 443 0/0 0 96 1 tunnel 25 13 FNCI
    10.1.112.16 173.252.88.128 6 57641 443 0/0 0 96 1 tunnel 25 10 FNCI
    10.1.112.16 173.252.88.128 6 57640 443 0/0 0 96 1 tunnel 25 12 FNCI
    10.1.112.16 173.252.88.128 6 57647 443 0/0 0 96 0 tunnel 25 d FNCI
    10.1.112.16 173.252.88.128 6 57646 443 0/0 0 96 1 tunnel 25 e FNCI
    10.1.112.16 173.252.88.128 6 57649 443 0/0 0 96 0 tunnel 25 c FNCI
    10.1.112.16 173.252.88.128 6 57653 443 0/0 0 96 0 tunnel 25 a FNCI
    10.1.112.16 173.252.88.128 6 57664 443 0/0 0 96 0 tunnel 25 4 FNCI
    10.1.112.16 173.252.88.128 6 57671 443 0/0 0 96 0 tunnel 25 2 FNCI
    10.1.112.16 17.110.224.20 6 57551 5223 0/0 0 96 0 tunnel 25 c4 C
    10.1.112.16 23.23.175.249 6 57635 443 0/0 0 96 1 tunnel 25 14 FNCI
    17.110.224.20 10.1.112.16 6 5223 57551 0/0 0 96 0 tunnel 25 c4
    10.1.100.1 10.1.112.16 6 8081 57664 0/0 0 96 0 tunnel 25 4 FSI
    10.1.100.1 10.1.112.16 6 8081 57665 0/0 0 96 0 tunnel 25 3 FSI
    10.1.100.1 10.1.112.16 6 8081 57666 0/0 0 96 0 tunnel 25 3 FSI
    10.1.100.1 10.1.112.16 6 8081 57667 0/0 0 96 0 tunnel 25 3 FSI
    10.1.100.1 10.1.112.16 6 8081 57668 0/0 0 96 0 tunnel 25 3 FSI
    10.1.100.1 10.1.112.16 6 8081 57669 0/0 0 96 0 tunnel 25 3 FSI
    10.1.100.1 10.1.112.16 6 8081 57670 0/0 0 96 0 tunnel 25 2 FSI
    10.1.100.1 10.1.112.16 6 8081 57671 0/0 0 96 0 tunnel 25 2 FSI
    10.1.100.1 10.1.112.16 6 8081 57640 0/0 0 96 1 tunnel 25 12 FSI
    10.1.100.1 10.1.112.16 6 8081 57641 0/0 0 96 1 tunnel 25 10 FSI
    10.1.100.1 10.1.112.16 6 8081 57642 0/0 0 96 1 tunnel 25 10 FSI
    10.1.100.1 10.1.112.16 6 8081 57643 0/0 0 96 1 tunnel 25 10 FSI
    10.1.100.1 10.1.112.16 6 8081 57644 0/0 0 96 1 tunnel 25 10 FSI
    10.1.100.1 10.1.112.16 6 8081 57645 0/0 0 96 1 tunnel 25 f FSI
    10.1.100.1 10.1.112.16 6 8081 57646 0/0 0 96 1 tunnel 25 e FSI
    10.1.100.1 10.1.112.16 6 8081 57647 0/0 0 96 1 tunnel 25 d FSI
    10.1.100.1 10.1.112.16 6 8081 57632 0/0 0 96 1 tunnel 25 19 FSI
    10.1.100.1 10.1.112.16 6 8081 57633 0/0 0 96 1 tunnel 25 18 FSI
    10.1.100.1 10.1.112.16 6 8081 57634 0/0 0 96 1 tunnel 25 17 FSI
    10.1.100.1 10.1.112.16 6 8081 57635 0/0 0 96 1 tunnel 25 14 FSI
    10.1.100.1 10.1.112.16 6 8081 57638 0/0 0 96 1 tunnel 25 13 FSI
    10.1.100.1 10.1.112.16 6 8081 57639 0/0 0 96 1 tunnel 25 13 FSI
    10.1.100.1 10.1.112.16 6 8081 57656 0/0 0 96 0 tunnel 25 a FSI
    10.1.100.1 10.1.112.16 6 8081 57657 0/0 0 96 0 tunnel 25 8 FSI
    10.1.100.1 10.1.112.16 6 8081 57658 0/0 0 96 0 tunnel 25 8 FSI
    10.1.100.1 10.1.112.16 6 8081 57659 0/0 0 96 0 tunnel 25 7 FSI
    10.1.100.1 10.1.112.16 6 8081 57660 0/0 0 96 0 tunnel 25 7 FSI
    10.1.100.1 10.1.112.16 6 8081 57661 0/0 0 96 0 tunnel 25 7 FSI
    10.1.100.1 10.1.112.16 6 8081 57662 0/0 0 96 0 tunnel 25 7 FSI
    10.1.100.1 10.1.112.16 6 8081 57663 0/0 0 96 0 tunnel 25 4 FSI
    10.1.100.1 10.1.112.16 6 8081 57648 0/0 0 96 1 tunnel 25 c FSI
    10.1.100.1 10.1.112.16 6 8081 57649 0/0 0 96 1 tunnel 25 c FSI
    10.1.100.1 10.1.112.16 6 8081 57650 0/0 0 96 1 tunnel 25 b FSI
    10.1.100.1 10.1.112.16 6 8081 57651 0/0 0 96 1 tunnel 25 b FSI
    10.1.100.1 10.1.112.16 6 8081 57652 0/0 0 96 1 tunnel 25 a FSI
    10.1.100.1 10.1.112.16 6 8081 57653 0/0 0 96 1 tunnel 25 a FSI
    10.1.100.1 10.1.112.16 6 8081 57654 0/0 0 96 1 tunnel 25 a FSI
    10.1.100.1 10.1.112.16 6 8081 57655 0/0 0 96 1 tunnel 25 a FSI
    54.225.249.236 10.1.112.16 6 4244 57604 0/0 0 96 1 tunnel 25 43



  • 10.  RE: Accessing Guest Access Account on mobile device without ID Password
    Best Answer

    Posted Apr 15, 2015 03:57 AM

    @engrcom wrote:

    .....

    validuser
    ---------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 4
    2 169.254.0.0 255.255.0.0 any any deny Low 4
    3 any any any permit Low 6

    Expired Policies (due to time constraints) = 0


    The last firewall policy in your guest-logon role (validuser) is allowing all traffic that doesn't match the policies above it. That's why certain apps (WhatsApp?) are working.

     

    Cheers

    James
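
The following is an added example, not code from this thread or from HPE Aruba, that ties James's two points together: it transcribes the guest-logon role from the `show rights guest-logon` output above, parses the client-initiated rows of the `show datapath session table` output, and walks the role's policies in listed order (first match wins, no match is the controller's implicit deny) to report which policy let each session through. The port numbers behind the svc-* aliases, the "controller" address (taken to be the 10.1.100.1 dst-nat endpoint in the session table) and the IC4500 address (a placeholder, since the thread never shows it) are assumptions. Removing the validuser ACL with `strip_acl` shows the same sessions falling to the implicit deny while DNS and the captive-portal redirect keep working.

```python
# ArubaOS user-role evaluation, simulated: which policy in the guest-logon role
# matches each session seen in the datapath table? Added example, not from the
# thread or from HPE Aruba; svc-* ports and alias addresses are assumptions.
import ipaddress
from typing import List, NamedTuple

Flow = NamedTuple("Flow", [("src", str), ("dst", str), ("proto", str), ("dport", int)])
Rule = NamedTuple("Rule", [("src", str), ("dst", str), ("service", str), ("action", str)])

# Assumed standard ports behind the svc-* aliases the role uses.
SERVICES = {
    "any": (None, None), "udp 68": ("udp", {68}),
    "svc-http": ("tcp", {80}), "svc-https": ("tcp", {443}),
    "svc-http-proxy1": ("tcp", {3128}), "svc-http-proxy2": ("tcp", {8080}),
    "svc-http-proxy3": ("tcp", {8888}), "svc-dns": ("udp", {53}),
    "svc-dhcp": ("udp", {67, 68}), "svc-icmp": ("icmp", set()),
    "svc-natt": ("udp", {4500}), "svc-ike": ("udp", {500}),
    "svc-esp": ("esp", set()), "svc-l2tp": ("udp", {1701}),
    "svc-pptp": ("tcp", {1723}), "svc-gre": ("gre", set()),
}
# "controller" is assumed to be the dst-nat endpoint seen in the session table;
# the IC4500 address never appears in the thread, so it is a placeholder.
ALIASES = {"controller": "10.1.100.1", "IC4500": "192.0.2.10"}

R = Rule
GUEST_LOGON = [  # transcribed from the `show rights guest-logon` output above
    ("IC4500", [R("user", "IC4500", "any", "permit")]),
    ("captiveportal", [R("user", "controller", "svc-https", "dst-nat 8081"),
                       R("user", "any", "svc-http", "dst-nat 8080"),
                       R("user", "any", "svc-https", "dst-nat 8081"),
                       R("user", "any", "svc-http-proxy1", "dst-nat 8088"),
                       R("user", "any", "svc-http-proxy2", "dst-nat 8088"),
                       R("user", "any", "svc-http-proxy3", "dst-nat 8088")]),
    ("GCC_LAN", [R("any", "any", "svc-icmp", "deny"), R("any", "any", "svc-http", "permit"),
                 R("any", "any", "svc-https", "permit")]),
    ("logon-control", [R("user", "any", "udp 68", "deny"), R("any", "any", "svc-icmp", "permit"),
                       R("any", "any", "svc-dns", "permit"), R("any", "any", "svc-dhcp", "permit"),
                       R("any", "any", "svc-natt", "permit")]),
    ("vpnlogon", [R("user", "any", "svc-ike", "permit"), R("user", "any", "svc-esp", "permit"),
                  R("any", "any", "svc-l2tp", "permit"), R("any", "any", "svc-pptp", "permit"),
                  R("any", "any", "svc-gre", "permit")]),
    ("http-acl", [R("any", "any", "svc-http", "permit")]),
    ("validuser", [R("any", "any", "any", "permit"),
                   R("169.254.0.0 255.255.0.0", "any", "any", "deny"),
                   R("any", "any", "any", "permit")]),
]

def _addr_ok(token: str, ip: str, client: str) -> bool:
    if token == "any":
        return True
    if token == "user":          # the client's own address
        return ip == client
    if token in ALIASES:
        return ip == ALIASES[token]
    net, mask = token.split()    # "169.254.0.0 255.255.0.0" style
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def _svc_ok(service: str, flow: Flow) -> bool:
    proto, ports = SERVICES[service]
    return proto is None or (flow.proto == proto and (not ports or flow.dport in ports))

def evaluate(role, flow: Flow, client: str):
    """First match wins, policies in listed order; no match is the implicit deny."""
    for acl_name, rules in role:
        for pos, rule in enumerate(rules, start=1):
            if (_addr_ok(rule.src, flow.src, client) and _addr_ok(rule.dst, flow.dst, client)
                    and _svc_ok(rule.service, flow)):
                return acl_name, pos, rule.action
    return "implicit-deny", 0, "deny"

def strip_acl(role, name):
    return [(n, rules) for n, rules in role if n != name]

def client_flows(session_table: str, client: str) -> List[Flow]:
    """One Flow per distinct (dst, proto, dport) that the client itself initiated."""
    seen: List[Flow] = []
    for line in session_table.splitlines():
        p = line.split()          # src dst proto sport dport ...
        if len(p) < 5 or p[0] != client:
            continue
        flow = Flow(p[0], p[1], {"6": "tcp", "17": "udp", "1": "icmp"}.get(p[2], p[2]), int(p[4]))
        if flow not in seen:
            seen.append(flow)
    return seen

def permitted_by(role, flows, client, acl_name):
    return [f for f in flows if evaluate(role, f, client)[0] == acl_name]

CLIENT = "10.1.112.16"
SESSION_TABLE = """\
10.1.112.16 31.13.93.3 6 57666 443 0/0 0 96 0 tunnel 25 2 FNCI
10.1.112.16 10.1.2.201 17 54154 53 0/0 0 224 1 tunnel 25 14 FCI
10.1.2.201 10.1.112.16 17 53 54154 0/0 0 224 1 tunnel 25 14 FI
10.1.112.16 108.168.176.243 6 57570 5222 0/0 0 96 6 tunnel 25 6c C
10.1.112.16 17.110.224.20 6 57551 5223 0/0 0 96 0 tunnel 25 c4 C
10.1.112.16 54.225.249.236 6 57604 4244 0/0 0 96 1 tunnel 25 42 C
10.1.112.16 31.13.93.3 17 52346 33000 0/0 0 96 1 tunnel 25 4 FC
"""  # rows copied from the session table posted in this thread

if __name__ == "__main__":
    for f in client_flows(SESSION_TABLE, CLIENT):
        print(f"{f.proto}/{f.dport:<5} -> {f.dst:<16}", evaluate(GUEST_LOGON, f, CLIENT),
              "| without validuser:", evaluate(strip_acl(GUEST_LOGON, "validuser"), f, CLIENT))
```

Run as-is it shows the 443 sessions matched by the captiveportal dst-nat rule and DNS by logon-control, while the 5222, 5223, 4244 and udp/33000 sessions reach nothing before validuser rule 1. The same check works as an audit for any pre-authentication role: feed it the role's `show rights` output and flag every policy that permits any/any/any.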



  • 11.  RE: Accessing Guest Access Account on mobile device without ID Password

    EMPLOYEE
    Posted Apr 15, 2015 06:13 AM
    To add to that, the validuser ACL should never be used in a user role.


    Thanks,
    Tim