Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SSH between wireless clients is being refused

  • 1.  SSH between wireless clients is being refused

    Posted Feb 16, 2012 01:17 PM

    But is working from LAN < > wireless and vice versa.

     

    Any idea why that would be?  Do I need to add/edit an ACL to allow it? 



  • 2.  RE: SSH between wireless clients is being refused

    Posted Feb 16, 2012 01:32 PM

    You should check to ensure that type of communication isn't being blocked by whatever policies are contained in the user's role.

     

    Also, make sure firewall deny-inter-user-traffic isn't on.



  • 3.  RE: SSH between wireless clients is being refused

    Posted Feb 16, 2012 01:46 PM

    The user role they get is authenticated and it has allowall firewall policy configured. 

     

    Not sure where the deny-intra-user traffic option is? 



  • 4.  RE: SSH between wireless clients is being refused

    Posted Feb 16, 2012 02:52 PM

    Run "show firewall" command on the controller CLI. 8th option from the top will be "deny inter user bridging". Make sure it is disabled.



  • 5.  RE: SSH between wireless clients is being refused

    Posted Feb 16, 2012 05:05 PM

    You have to ensure both deny inter user bridging (denies L2 traffic) and deny inter user traffic (denies IP traffic) are disabled.

    Deny inter user bridging is a global setting and is available under the stateful firewall tab in the GUI. Make sure this is disabled.

    In the latest ArubaOS versions deny inter user traffic can be set either globally under the stateful firewall tab in the GUI or locally under a VAP profile. Make sure this is disabled in both the global and the VAP settings. 

     

    

    [attached screenshot: deny inter user.png]



  • 6.  RE: SSH between wireless clients is being refused

    Posted Feb 17, 2012 10:16 AM

    Thanks guys, but they are both disabled.  Not sure where the VAP settings are, but if they are off by default then they were never turned on by me when this was rolled out.

     

    Learning as I go for the most part and I appreciate the help.

     

    Is there a log I can see when I attempt to SSH from wireless to wireless to see if it's actually denying the traffic?



  • 7.  RE: SSH between wireless clients is being refused

    EMPLOYEE
    Posted Feb 17, 2012 10:27 AM

    On the commandline, type:

     

    show datapath session table <ip address of user>

     

    That will determine if any traffic is being denied.

     



  • 8.  RE: SSH between wireless clients is being refused

    Posted Feb 17, 2012 11:46 AM

    Ok tested it and see this:

     

    172.23.88.88  172.23.88.241  6  22  4243  0/0  0  96  1  tunnel 10  7   Y    (wireless to wireless) - not working
    172.23.23.70  172.23.88.241  6  22  4239  0/0  0  96  3  tunnel 10  31       (LAN to wireless) - working

    The only difference is the first one has a Y in the 'FLAGS' column.  What does that mean?



  • 9.  RE: SSH between wireless clients is being refused

    EMPLOYEE
    Posted Feb 17, 2012 01:27 PM

    Y means that traffic is flowing in one direction.

     

    What role do your wireless users get when they authenticate?

     

    type "show rights <that role>" to see what ACLS they are subject to.

     


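The check suggested in the two replies above (pull the user's rows from `show datapath session table`, then look at the FLAGS column) is easy to automate when a user has many sessions. The following is an added example, not code from the thread or from HPE Aruba: it parses rows in the column order inferred from the two rows posted above (Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge, Flags), allowing for a two-token Destination such as "tunnel 10" and for an empty Flags column, and reports every session that either carries the Y flag (read in the reply above as traffic flowing in one direction) or has no matching reverse 5-tuple in the same dump. The three sample rows are constructed from the thread's output; the third row, the reverse of the working LAN-to-wireless session, is an assumption added so the pairing logic has something to match.

```python
"""Flag one-way sessions in ArubaOS 'show datapath session table' output.

Added example, not from the thread. Column layout is inferred from the two
rows posted in the thread; the Destination field may span two tokens
("tunnel 10") and the Flags field may be absent. SAMPLE_ROWS is constructed.
"""
from collections import namedtuple

Session = namedtuple("Session", "src dst prot sport dport age dest tage flags")

# Constructed sample: rows 1-2 are the two lines posted in the thread, row 3 is
# an assumed reverse entry for the working LAN-to-wireless SSH session.
SAMPLE_ROWS = [
    "172.23.88.88 172.23.88.241 6 22 4243 0/0 0 96 1 tunnel 10 7 Y",
    "172.23.23.70 172.23.88.241 6 22 4239 0/0 0 96 3 tunnel 10 31",
    "172.23.88.241 172.23.23.70 6 4239 22 0/0 0 96 3 tunnel 10 31",
]


def parse_session(line):
    """Parse one session-table row into a Session tuple."""
    t = line.split()
    if len(t) < 11:
        raise ValueError(f"unexpected row: {line!r}")
    flags = ""
    if t[-1].isalpha():          # trailing flag letters (Y, D, F, ...) when present
        flags = t.pop()
    tage = int(t.pop())          # TAge is always the last numeric column
    dest = " ".join(t[9:])       # Destination: everything between Age and TAge
    return Session(t[0], t[1], int(t[2]), int(t[3]), int(t[4]),
                   int(t[8]), dest, tage, flags)


def forward_key(s):
    return (s.src, s.dst, s.prot, s.sport, s.dport)


def reverse_key(s):
    """5-tuple a matching return-direction session would carry."""
    return (s.dst, s.src, s.prot, s.dport, s.sport)


def unidirectional(rows):
    """Return (src, sport, dst, dport, reason) for sessions that look one-way."""
    sessions = [parse_session(r) for r in rows if r.strip()]
    seen = {forward_key(s) for s in sessions}
    findings = []
    for s in sessions:
        reasons = []
        if "Y" in s.flags:
            reasons.append("Y flag")
        if reverse_key(s) not in seen:
            reasons.append("no reverse entry")
        if reasons:
            findings.append((s.src, s.sport, s.dst, s.dport, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for src, sport, dst, dport, why in unidirectional(SAMPLE_ROWS):
        print(f"{src}:{sport} -> {dst}:{dport}  {why}")
```

With the constructed input, only the wireless-to-wireless session (172.23.88.88:22 -> 172.23.88.241:4243) is reported, for both reasons; the LAN-to-wireless pair is left alone because each row's reverse 5-tuple is present. Feed the function the raw lines of a real dump (header lines excluded) to get the same triage on a live user.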

  • 10.  RE: SSH between wireless clients is being refused

    Posted Feb 21, 2012 07:59 AM

    ##############

    The role when doing a show user-table is 'authenticated.'  When I do show user rights authenticated I get what is below.  Vanilla allow all, so not sure why SSH is being refused between wireless clients. 

     

    ###################

    access-list List
    ----------------
    Position  Name         Location
    --------  ----         --------
    1         allowall
    2         v6-allowall

    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           4

    v6-allowall
    -----------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           6

     



  • 11.  RE: SSH between wireless clients is being refused

    EMPLOYEE
    Posted Feb 21, 2012 08:37 AM
    Please open a support case so they can troubleshoot. It is not apparent what is blocking SSH in your network.


  • 12.  RE: SSH between wireless clients is being refused
    Best Answer

    Posted Feb 21, 2012 04:41 PM

    In the end disabling IP spoofing fixed the problem.

     

    configure terminal
    no firewall prohibit-ip-spoofing

     

    Supposedly a bug in the version of software we are running... 6.1.1.0

     

    Thanks all for your help. 



  • 13.  RE: SSH between wireless clients is being refused

    Posted Feb 22, 2012 03:00 AM

    Did you open any TAC ticket?

    Also, just for my knowledge, what is the use case of "SSH between wireless clients"?