Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba 3400 - allow IPSec through

  • 1.  Aruba 3400 - allow IPSec through

    Posted Jun 03, 2013 02:49 PM

    I'm new to Aruba, and I've found that on our guest network, IPSec VPNs are being blocked by the controller. I need some guidance on how to allow IPSec out, so that people on our guest network can access their home company's resources.

    Controller is Aruba 3400, software version is 6.1.3.4. Outside internet is terminated by a Cisco ASA and firewall services are handled by the ASA (tested VPN directly out through the ASA via wired LAN and it works perfectly).


  • 2.  RE: Aruba 3400 - allow IPSec through

    Posted Jun 03, 2013 02:51 PM

    Is it allowed under the guest user-role?



  • 3.  RE: Aruba 3400 - allow IPSec through

    Posted Jun 03, 2013 02:55 PM

    I don't mean to sound like an idiot, but I'm going to anyway...where exactly should I be looking for the 'guest user role'?



  • 4.  RE: Aruba 3400 - allow IPSec through

    Posted Jun 03, 2013 03:07 PM

    Aruba allows you to apply policies to users using user-roles; each user-role has ACLs defined.

    If you do show rights it will show all your user-roles, but if you want to see what role a certain user is getting, you can do a show user-table | include <mac address> or <ip-address>, and this command will show you which user-role a particular user is tied to.

    Users
    -----
    IP            MAC                Name                Role        Age(d:h:m)  Auth  AP name
    10.10.30.209  00:11:22:33:44:55  testuser@gmail.com  GUEST-ROLE  00:01:23    Web   AP-TEST

    And you can get the specifics of how that user-role is configured by using show rights GUEST-ROLE



  • 5.  RE: Aruba 3400 - allow IPSec through

    Posted Jun 03, 2013 03:48 PM

    Great stuff. Thanks. I'm noticing on one of our other controllers that's been up for a while that there's an 'allow all' at the end of the guest policy. I'm guessing that's what needs to be added to allow the VPN traffic, but at the same time, I want to make sure that I'm not allowing my guest subnet to cross over into my corporate network.

    What's the best way to allow IPSec on the guest network and still maintain the integrity of my corporate wireless?



  • 6.  RE: Aruba 3400 - allow IPSec through
    Best Answer

    Posted Jun 03, 2013 04:00 PM

    Create an access list allowing the ports needed for VPN and apply it to the user-role:

    ip access-list session GUEST-VPN-ACL
      any any svc-ike permit
      any any svc-esp permit
      any any svc-l2tp permit
      any any svc-pptp permit
      any any svc-gre permit
      user any svc-natt permit

    You can configure it this way if you are NATing under the VLAN; if not, you have to apply your source NAT for each rule.

    user-role GUEST-ROLE
      access-list session GUEST-VPN-ACL position "based on how you have your ACL configured"


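    To see how rule position answers the concern in post 5 (letting VPN traffic out without letting guests into the corporate network), here is an added Python model of first-match session ACL evaluation; it is example code, not from the thread or from HPE Aruba, and the service port mappings, the corp-net alias and the guest subnet are assumptions.

```python
import ipaddress
# Service aliases modelled on ArubaOS's predefined services (assumed values): (protocol, port)
SERVICES = {
    "svc-ike": ("udp", 500), "svc-esp": ("esp", None), "svc-l2tp": ("udp", 1701),
    "svc-pptp": ("tcp", 1723), "svc-gre": ("gre", None), "svc-natt": ("udp", 4500),
    "any": (None, None),  # None = any protocol / any port
}
# Constructed guest ACL: the deny toward corp-net sits ABOVE the VPN permits, so VPN
# protocols can leave for the Internet but never reach the corporate network.
GUEST_ACL = """
user alias corp-net any deny
any any svc-ike permit
any any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
user any svc-natt permit
"""
ALIASES = {"corp-net": [ipaddress.ip_network("10.0.0.0/8")]}  # constructed alias
GUEST_NET = ipaddress.ip_network("10.10.30.0/24")              # constructed guest subnet

def _take(tokens):  # consume one address spec: 'any', 'user' or 'alias <name>'
    if tokens[0] == "alias":
        return ("alias", tokens[1]), tokens[2:]
    return (tokens[0], None), tokens[1:]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, tokens = _take(tokens)
        dst, tokens = _take(tokens)
        svc, action = tokens
        rules.append((src, dst, svc, action))
    return rules

def _match_addr(spec, ip):
    kind, name = spec
    if kind == "any":
        return True
    if kind == "user":  # a client holding this role; modelled as the guest subnet
        return ip in GUEST_NET
    return any(ip in net for net in ALIASES[name])

def evaluate(rules, src_ip, dst_ip, proto, dport=None):
    # First match wins; a session ACL ends with an implicit deny
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, svc, action in rules:
        sproto, sport = SERVICES[svc]
        if (_match_addr(src, src_ip) and _match_addr(dst, dst_ip)
                and sproto in (None, proto) and sport in (None, dport)):
            return action
    return "deny"
```

    Swap the first two lines of GUEST_ACL and the corporate check passes for IKE, which is why the "position" argument on the user-role matters.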

  • 7.  RE: Aruba 3400 - allow IPSec through

    Posted Jun 03, 2013 04:17 PM

    Great stuff.  Appreciate the help!