Occasional Contributor I
Posts: 6
Registered: 04-23-2013

Traffic denied with authenticated role?

Hi,

I currently have some issues with our wireless network and the ACL/firewall.

I have some thermal printers which are connected via WiFi.

They only need to reach 2 hosts, but even in authenticated mode I cannot get it to work, even though everything is allowed (any any any permit).

Everything I've tested so far is working, except the communication between them (on some ports which use TCP): it is always in denied state and I can't figure out why.

If someone could help me figure it out...

Best regards,

Ludovic

MVP
Posts: 4,269
Registered: 07-20-2011

Re: Traffic denied with authenticated role?

What do you see when you run show datapath session table <ip address>?

And also do a show user ip <ip address>

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,644
Registered: 04-13-2009

Re: Traffic denied with authenticated role?

Are the users also on WiFi? If so, can you confirm whether you have deny inter-user traffic enabled on the virtual AP? This can also be enabled globally in the Stateful Firewall under Advanced Services; confirm it is not on.

Also, does the printer use broadcast/multicast to talk to the host? Again, confirm whether you are dropping this in the virtual AP.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: 04-23-2013

Re: Traffic denied with authenticated role?

Hi,

For show datapath session table <ip address>, it doesn't constantly show all the traffic if I use the printer IP, so here is the output with the AP:

http://pastebin.com/Hew6Yuiw

And for show user ip:

http://pastebin.com/U9EZBbXu

The printers are trying to contact other servers in the same VLAN (on the LAN).

It seems that everything that comes to the printer from outside the WiFi network is denied.

They have a web interface reachable from all locations, but when connected to the WiFi only clients connected to the same network can open it. If I try to open it from my computer on the LAN, the connection is directly in denied state.

And yes, the printer does some multicast.

I'm surely missing something obvious.

Thanks!

Guru Elite
Posts: 21,001
Registered: 03-29-2007

Re: Traffic denied with authenticated role?

Did you edit the authenticated role?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 4,269
Registered: 07-20-2011

Re: Traffic denied with authenticated role?

Is the show datapath session output from the IP address of the printer or the AP?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: 04-23-2013

Re: Traffic denied with authenticated role?

No, it is the one from the RAP; it doesn't keep the connection with the printer very long (it's only right after I start the printer).

You can see the issue from the screenshot (status section of the printer when it starts, with the "denied" connection).

I didn't edit the authenticated role, so really I don't understand where the problem is...

It seems that every incoming connection is blocked.

MVP
Posts: 4,269
Registered: 07-20-2011

Re: Traffic denied with authenticated role?

How do you have the RAP configured? Tunneled, split, bridged?

Can you please share the output of show rights authenticated?

Have you tried creating an alias (using the printer's IP) and then allowing everything for that particular alias, or allowing the ports that the printer is trying to use?

Were you able to check some of the things that Clembo suggested?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: 04-23-2013

Re: Traffic denied with authenticated role?

The RAPs are in bridge mode and all SSIDs are used in permanent config.

Here is the result of "show rights authenticated":

http://pastebin.com/s0RwDeab

I actually began with an ACL which permitted everything this way:

user any any permit

network 192.168.1.0 255.255.255.0 user any permit

But it didn't work, so I just tried with the authenticated role and it seems that I have an issue with my configuration.

As I said before, internal traffic isn't denied, because everything works fine with all the clients on the WiFi, but if someone outside, connected on the LAN through Ethernet, tries to do something with my clients it's always denied.

And the printers do use broadcast on the network. I don't have any checkbox which drops broadcast in the vAP; I only have "Convert Broadcast ARP requests to unicast" checked in the vAP.

Thanks.

Guru Elite
Posts: 21,001
Registered: 03-29-2007

Re: Traffic denied with authenticated role?

Okay. Let's talk about what happens in general here:

- "show datapath session table" only works for traffic that is tunneled THROUGH the controller. Bridged traffic on RAPs does not do this, so you would have to use "show datapath session ap-name <name of ap> <ip address of printer>" to get an accurate understanding of what is going on with that printer.

- Each RAP is normally assumed to be on a public internet interface, so each RAP has an ACL on that interface that allows traffic from bridge users to get out, but only allows unsolicited DHCP traffic, ping, and Bonjour into the RAP and users on that RAP. You need to change this so that unsolicited printer traffic can get to that printer that is bridged on that AP. In the AP system profile of the AP-Group of that RAP, there is a session ACL setting. Change that from ap-uplink-acl to authenticated to see if you can make that work.

(screenshot: session.png)

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
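An added configuration example, not from this thread or from Aruba's documentation, that puts the weak RAP uplink setting Colin describes next to the quick test he suggests and next to a tighter session ACL built on Victor's alias suggestion. ArubaOS 6.x CLI syntax is assumed, as are the profile, group, alias and ACL names and the 192.168.1.x addresses.

```text
! Added example, not from the thread or from Aruba: the session-ACL change
! Colin describes, shown as the weak setting, the quick test, and a tighter
! ACL built on Victor's alias suggestion. ArubaOS 6.x CLI syntax as I know it;
! every name and the 192.168.1.x addresses are assumptions.

! 1. Weak (default): the uplink ACL lets only unsolicited DHCP, ping and
!    Bonjour reach bridged clients, so LAN hosts can never open a session
!    to the printer.
ap system-profile "rap-printers"
   session-acl ap-uplink-acl
!
! 2. Quick test from the thread: "authenticated" is any any any permit,
!    so every LAN host can reach every bridged client on that RAP.
ap system-profile "rap-printers"
   session-acl authenticated
!
! 3. Tighter: only the two print servers, only the ports the printers use
!    (raw print on TCP 9100 and the web UI on 80/443 are assumed), keep
!    DHCP/ICMP, log whatever else is denied so the next problem is visible.
netdestination print-servers
   host 192.168.1.10
   host 192.168.1.11
!
netdestination printers
   host 192.168.1.50
   host 192.168.1.51
!
ip access-list session rap-uplink-printers
   any any svc-dhcp permit
   any any svc-icmp permit
   alias print-servers alias printers tcp 9100 permit
   alias print-servers alias printers tcp 80 permit
   alias print-servers alias printers tcp 443 permit
   user any any permit
   any any any deny log
!
ap system-profile "rap-printers"
   session-acl rap-uplink-printers
!
ap-group "rap-group"
   ap-system-profile "rap-printers"
!
! Verify with the command Colin gives for bridged RAP traffic:
! show datapath session ap-name <rap-name> 192.168.1.50
```

The session ACL is stateful, so replies to sessions the printers open themselves are still allowed by the last permit line; only unsolicited inbound traffic outside the listed ports is dropped and logged.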
