d.p
Contributor I
Posts: 29
Registered: ‎08-29-2011

SSH between wireless clients is being refused

But is working from LAN < > wireless and vice versa.

 

Any idea why that would be?  Do I need to add/edit an ACL to allow it? 

Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: SSH between wireless clients is being refused

You should check to ensure that type of communication isn't being blocked by whatever policies are contained in the user's role.

 

Also, make sure firewall deny-inter-user-traffic isn't on.

d.p
Contributor I
Posts: 29
Registered: ‎08-29-2011

Re: SSH between wireless clients is being refused

The user role they get is authenticated and it has allowall firewall policy configured. 

 

Not sure where the deny-intra-user traffic option is? 

Aruba Employee
Posts: 100
Registered: ‎12-02-2011

Re: SSH between wireless clients is being refused

Run the "show firewall" command on the controller CLI. The 8th option from the top will be "deny inter user bridging". Make sure it is disabled.

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: SSH between wireless clients is being refused

You have to ensure both deny inter user bridging (denies L2 traffic) and deny inter user traffic (denies IP traffic) are disabled.

Deny inter user bridging is a global setting and is available under the stateful firewall tab in the GUI. Make sure this is disabled.

In the latest ArubaOS versions, deny inter user traffic can be set either globally under the stateful firewall tab in the GUI or locally under a VAP profile. Make sure this is disabled in both the global and VAP settings.

 

d.p
Contributor I
Posts: 29
Registered: ‎08-29-2011

Re: SSH between wireless clients is being refused

Thanks guys but they are both disabled.  Not sure where the VAP settings are but if they are off by default then they were never turned on by me when this was rolled out.

 

Learning as I go for the most part and I appreciate the help.

 

Is there a log I can see when I attempt to SSH from wireless to wireless to see if it's actually denying the traffic?

Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: SSH between wireless clients is being refused

On the commandline, type:

 

show datapath session table <ip address of user>

 

That will determine if any traffic is being denied.

 



Colin Joseph
Aruba Customer Engineering


d.p
Contributor I
Posts: 29
Registered: ‎08-29-2011

Re: SSH between wireless clients is being refused

Ok tested it and see this:

 

172.23.88.88 172.23.88.241 6 22 4243 0/0 0 96 1 tunnel 10 7 Y  (wireless to wireless) - not working
172.23.23.70 172.23.88.241 6 22 4239 0/0 0 96 3 tunnel 10 31   (LAN to wireless)  - working

 

 

 

The only difference is the first one has a Y in the 'FLAGS' column.  What does that mean?

Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: SSH between wireless clients is being refused

Y means that traffic is flowing in one direction.

 

What role do your wireless users get when they authenticate?

 

Type "show rights <that role>" to see what ACLs they are subject to.

 



Colin Joseph
Aruba Customer Engineering


d.p
Contributor I
Posts: 29
Registered: ‎08-29-2011

Re: SSH between wireless clients is being refused

##############

The role when doing a show user-table is 'authenticated.'  When I do show user rights authenticated, what I get is below.  Vanilla allow all, so not sure why SSH is being refused between wireless clients.

 

###################

access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
2 v6-allowall

allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4
v6-allowall
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 6

 
