New Contributor

Pre-auth role is permitting traffic that should be blocked

Hello,

 

I am trying to create a pre-authenticated role that only allows DHCP and blocks everything else (for the time being). This role is applied to a wired port on a RAP but is still allowing SIP and RTP traffic even though the intended configuration should be to block this traffic. All other traffic is being blocked correctly but the SIP and RTP traffic is getting through and confirmed with show datapath session table <ip>.

Am I missing something?

 

Thanks,

 

Lorn

 

(TPA-ARUBA-MC1) #show user
This operation can take a while depending on number of users. Please be patient ....

Users
-----
    IP             MAC            Name     Role                              Age(d:h:m)  Auth  VPN link  AP name            Roaming  Essid/Bssid/Phy  Profile                       Forward mode  Type  Host Name  User Type
----------    ------------       ------    ----                              ----------  ----  --------  -------            -------  ---------------  -------                       ------------  ----  ---------  ---------
10.90.212.10  e0:89:9d:fb:81:f2            ml-remote-employee-phone-preauth  00:00:19                    20:4c:03:11:b9:6d  Wired    10.80.9.15:0/1   ml-remote-employee-phone-aaa  tunnel                         WIRED
 

(TPA-ARUBA-MC1) #show rights ml-remote-employee-phone-preauth

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'ml-remote-employee-phone-preauth'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 2
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 83/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                                         Type     Location
--------  ----                                         ----     --------
1         global-sacl                                  session
2         apprf-ml-remote-employee-phone-preauth-sacl  session
3         ml-dhcp-clients-only                         session
4         denyall                                      session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
apprf-ml-remote-employee-phone-preauth-sacl
-------------------------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
ml-dhcp-clients-only
--------------------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
1         user    any          udp 68                 deny                             Low                                            4
2         any     any          svc-dhcp               permit                           Low                                            4
denyall
-------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
1         any     any          any                   deny                             Low                                            4

Expired Policies (due to time constraints) = 0                                              

 

(TPA-ARUBA-MC1) #show datapath session table 10.90.212.10


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       u - Upstream Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop, h - High Value
       A - Application Firewall Inspect
       B - Permanent, O - Openflow
       L - Log

Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.90.212.10    10.184.5.14     6    52486 5060   0/0     6    24  4   tunnel 16   6b8  0          0          MCIO
10.90.212.10    10.84.5.14      6    52360 5060   0/0     6    24  7   tunnel 16   6b8  0          0          MCIO
10.184.5.14     10.90.212.10    6    5060  52486  0/0     6    24  4   tunnel 16   6b8  0          0          MIO
10.84.5.14      10.90.212.10    6    5060  52360  0/0     6    24  8   tunnel 16   6b8  0          0          MIO           

 

Guru Elite

Re: Pre-auth role is permitting traffic that should be blocked

6b8 hex is 1720 seconds, which means the session was started 28 minutes ago. Existing sessions continue, but new sessions are blocked. I would do an "aaa user delete 10.90.212.10" on the command line of the controller to remove that user and try again.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
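The two facts the thread turns on are that the TAge column of `show datapath session table` is hexadecimal (6b8 = 1720 s) and that a session ACL is evaluated first-match in the order `show rights` lists the ACLs, so a SIP flow to TCP 5060 should fall through `ml-dhcp-clients-only` to `denyall`. The script below is an added example, not code from the thread or from Aruba: it parses both command outputs in the shape they appear above, decodes TAge, evaluates each client-initiated session against the role's rules, and reports sessions the role should deny but the datapath is forwarding (no `D` flag), together with how long each has existed. The `svc-dhcp` alias is assumed to mean UDP 67/68; the sample input is copied from the opening post.

```python
"""Cross-check ArubaOS datapath sessions against a user role's session ACLs.

Added example (not from the thread or from Aruba). Flags long-lived sessions
that the role's first-match ACL list would deny but the datapath still forwards.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumption: the built-in 'svc-dhcp' alias used by the role means UDP 67/68.
SERVICE_ALIASES = {"svc-dhcp": ("udp", frozenset({67, 68}))}

# Rule rows copied from 'show rights ml-remote-employee-phone-preauth' above,
# in ACL order (global-sacl and the apprf ACL are empty on this page).
RIGHTS = """
1         user    any          udp 68                 deny                             Low                                            4
2         any     any          svc-dhcp               permit                           Low                                            4
1         any     any          any                   deny                             Low                                            4
"""
# Session rows copied from the first 'show datapath session table' above.
SESSIONS = """
10.90.212.10    10.184.5.14     6    52486 5060   0/0     6    24  4   tunnel 16   6b8  0          0          MCIO
10.90.212.10    10.84.5.14      6    52360 5060   0/0     6    24  7   tunnel 16   6b8  0          0          MCIO
10.184.5.14     10.90.212.10    6    5060  52486  0/0     6    24  4   tunnel 16   6b8  0          0          MIO
10.84.5.14      10.90.212.10    6    5060  52360  0/0     6    24  8   tunnel 16   6b8  0          0          MIO
"""


@dataclass(frozen=True)
class Rule:
    src: str                      # 'user', 'any' or an address
    dst: str
    proto: Optional[str]          # None = any protocol
    dports: Optional[frozenset]   # None = any destination port
    action: str                   # 'permit' or 'deny'


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tage_hex: str
    flags: str


def tage_seconds(tage_hex: str) -> int:
    """TAge is printed in hexadecimal: '6b8' -> 1720 seconds."""
    return int(tage_hex, 16)


RULE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(.+?)\s+(permit|deny)\b")
SESSION_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"\S+\s+\d+\s+\d+\s+\d+\s+(?:tunnel\s+\d+|\S+)\s+([0-9a-fA-F]+)\s+\d+\s+\d+\s+(\S+)\s*$")


def parse_service(text: str):
    """Service column ('any', 'udp 68', 'svc-dhcp') -> (proto, ports)."""
    text = text.strip()
    if text == "any":
        return None, None
    if text in SERVICE_ALIASES:
        return SERVICE_ALIASES[text]
    proto, *ports = text.split()
    return proto, (frozenset(int(p) for p in ports) if ports else None)


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, dst, service, action = m.groups()
            rules.append(Rule(src, dst, *parse_service(service), action))
    return rules


def parse_sessions(text: str) -> list[Session]:
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            src, dst, proto, sport, dport, tage, flags = m.groups()
            out.append(Session(src, dst, int(proto), int(sport), int(dport), tage, flags))
    return out


def _endpoint_ok(spec: str, addr: str, user_ip: str) -> bool:
    return spec == "any" or (spec == "user" and addr == user_ip) or spec == addr


def first_match(rules: list[Rule], user_ip: str, s: Session) -> str:
    """First-match evaluation; no match means the implicit deny."""
    proto = PROTO_NAMES.get(s.proto, str(s.proto))
    for r in rules:
        if not (_endpoint_ok(r.src, s.src, user_ip) and _endpoint_ok(r.dst, s.dst, user_ip)):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dports is not None and s.dport not in r.dports:
            continue
        return r.action
    return "deny"


def policy_violations(rights_text: str, session_text: str, user_ip: str) -> list[dict]:
    """Client-initiated sessions the role should deny but the datapath forwards."""
    rules = parse_rules(rights_text)
    findings = []
    for s in parse_sessions(session_text):
        if s.src != user_ip:          # reply half; the initiating flow decides
            continue
        expected = first_match(rules, user_ip, s)
        if expected == "deny" and "D" not in s.flags:
            findings.append({"dst": s.dst, "dport": s.dport, "expected": expected,
                             "flags": s.flags, "tage_seconds": tage_seconds(s.tage_hex)})
    return findings


if __name__ == "__main__":
    for f in policy_violations(RIGHTS, SESSIONS, "10.90.212.10"):
        print(f"{f['dst']}:{f['dport']} forwarded ({f['flags']}) but role says "
              f"{f['expected']}; session is {f['tage_seconds'] // 60} min old")
```

Run against the thread's own output it reports the two client-to-PBX SIP sessions as forwarded despite the policy, each 28 minutes old, which is exactly the "existing sessions continue" case described in the reply; a DHCP client request (UDP to 67) evaluates to permit via `svc-dhcp`, so the same check confirms the role still allows what it is meant to allow.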
New Contributor

Re: Pre-auth role is permitting traffic that should be blocked

Thanks for the reply Colin. I performed that command but the issue persists. Let me know if you have any other thoughts/suggestions.

 

Lorn

 

(TPA-ARUBA-MC1) #aaa user delete 10.90.212.10
1 users deleted
(TPA-ARUBA-MC1) #show user
This operation can take a while depending on number of users. Please be patient ....

Users
-----
    IP             MAC            Name     Role                              Age(d:h:m)  Auth  VPN link  AP name            Roaming  Essid/Bssid/Phy  Profile                       Forward mode  Type  Host Name  User Type
----------    ------------       ------    ----                              ----------  ----  --------  -------            -------  ---------------  -------                       ------------  ----  ---------  ---------
10.90.212.10  e0:89:9d:fb:81:f2            ml-remote-employee-phone-preauth  00:00:00                    20:4c:03:11:b9:6d  Wired    10.80.9.15:0/1   ml-remote-employee-phone-aaa  tunnel                         WIRED

User Entries: 1/1
 Curr/**bleep** Alloc:3/25 Free:7/22 Dyn:10 AllocErr:0 FreeErr:0
(TPA-ARUBA-MC1) #show datapath session table 10.90.212.10


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       u - Upstream Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop, h - High Value
       A - Application Firewall Inspect
       B - Permanent, O - Openflow
       L - Log

Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.90.212.10    10.184.5.14     6    52486 5060   0/0     6    24  0   tunnel 16   9    2          977        MCIO
10.90.212.10    10.84.5.14      6    52360 5060   0/0     6    24  0   tunnel 16   0    3          1050       MCIO
10.184.5.14     10.90.212.10    6    5060  52486  0/0     6    24  1   tunnel 16   9    2          1064       MIO
10.84.5.14      10.90.212.10    6    5060  52360  0/0     6    24  0   tunnel 16   0    2          749        MIO
(TPA-ARUBA-MC1) #                                                                                                           

Guru Elite

Re: Pre-auth role is permitting traffic that should be blocked

No new flows will be allowed. Is the phone connected directly to the RAP? If yes, bounce the wired interface.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************