Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

  • 1.  Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

    Posted Aug 08, 2012 01:34 PM

    I want to designate Ethernet port 4 as a printer port on all our RAP5's. The printers will be statically assigned an ip address in vlan 48 which is only mapped to port 4. I do not want to have these authenticate but I want to build a firewall rule allowing traffic from this port/vlan to only go to specific places, like AD server and Print server. What would be the best way to do this?

     

    Thanks,

    Michael



  • 2.  RE: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

    Posted Aug 08, 2012 01:51 PM

    Configure the enet port of the RAP5 where the printer is connecting as untrusted. The printer will then fall into the initial role of the aaa profile configured there. In the initial role, put the required ACL to allow/block traffic. (No need to configure any type of authentication.)

     

    -Alap



  • 3.  RE: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

    Posted Aug 08, 2012 03:35 PM

    Alap,

    This is exactly what I had done to begin with, but we occasionally lost connectivity to the printers.

    So now I'm thinking I might have my firewall rules wrong. I've loosened my rules and I'll reapply this and see if that solves the issues.

     

    Thanks for the reply.

     

    Michael



  • 4.  RE: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

    Posted Aug 09, 2012 07:42 AM

    If it was a firewall rule I wouldn't expect the problem to happen occasionally, but you never know. On the controller, from the CLI,

     

    show datapath session table

     

    is a good command to see the traffic flow from your printer. You can pipe it to include the IP address of your printer:

     

    show datapath session table | include <ipaddr>

     



  • 5.  RE: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

    Posted Aug 10, 2012 11:22 AM

    I opened a support case. They went through the config and agreed it was fine.

    Tarinelli, I think you're correct, it is not a firewall issue.

    The thing was that when the printers lost connectivity they were not in the user table at all.

    Anyway, at this point I'm looking at the printers going into power save mode as the problem. When they do this they leave the user table altogether and thus the user rule allowing access to them is not active. Then new jobs from the print server can't reach them to 'wake' them back up.

    I've removed or adjusted the hibernating settings on the printers and so far they are staying in the user-table.

    I'm not sure what I'll do long term for this. These printers are leased and managed by a printer/copier distributor and I'm thinking they will want their printers to hibernate when not in use.

     

    Any thoughts on a workaround for this?

     

    Thanks for the responses so far.

     

    Michael



  • 6.  RE: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

    Posted Aug 15, 2012 08:47 PM

    Can you please tell me which code you are running on the controller?

    If this is happening on 6.1.3.2 or later code, I think the issue is related to the "suppress ARP" feature.