Occasional Contributor II
Posts: 12
Registered: ‎09-09-2014

User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause

Hello all, we're having an odd issue and after a 4 hour call with support, we're waiting to hear if they can figure it out. Maybe someone here has dealt with it before.

 

We have a guest SSID with a captive portal. Config'd so that the portal just has an "I accept" button. Upon accepting, the guest users have access to internet sites, but not internal sites. The issue is that if a device sleeps/restarts or otherwise loses connectivity, it will switch to "No IP address" or a 169 address for 48 or 68 seconds once it tries to reconnect, at which time it will get its former IP address. If we add "allowall" as the final rule in our user-role, this stops happening and they immediately reconnect. Support recommended leaving "allowall" enabled to fix the problem, but from a security side we'd like to avoid that and find the specific "thing" that it's allowing that we need to explicitly define.

 

Our current role was created during the support call, and it is:

1. cplogout

2. Guest-Internet-Only

    a. Allow dns

    b. Allow internal subnet for webpages

    c. Allow multicast/airplay/Clearpass 

    d. Deny internal subnets 

    e. Allow web traffic

    f. Deny ICMP for internal, allow ICMP for external

3. allowall

 

 

Guru Elite
Posts: 20,577
Registered: ‎03-29-2007

Re: User role with "allowall" immediately reconnects, removing "allowall" causes

You need to have an "any any service svc-dhcp" in your ACL rules.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,173
Registered: ‎07-20-2011

Re: User role with "allowall" immediately reconnects, removing "allowall" causes

Not sure if you forgot to include it, but do you have allow DHCP in the ACL rules?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Occasional Contributor II
Posts: 12
Registered: ‎09-09-2014

Re: User role with "allowall" immediately reconnects, removing "allowall" causes

Thank you cjoseph and victorfabian! Looks like we overlooked the super simple when we remade the role. Must've been too focused on getting the captive portal and clearpass to play nicely.
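
The fix discussed in this thread, as an added example that is not part of any post and is not Aruba's code: a simplified first-match ACL model showing why the posted role drops a reconnecting client's DHCP traffic, what "allowall" permits in addition, and how an explicit DHCP rule keeps the role tight. The subnets, addresses, rule names and the UDP 67-68 definition of svc-dhcp are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed, simplified model of first-match session ACL evaluation.
Rule = namedtuple("Rule", "name proto dst ports action")    # ports: range or None (any)
Packet = namedtuple("Packet", "proto dst dport")

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")               # assumed internal range

# Stand-in for the Guest-Internet-Only rules listed in the first post.
GUEST_RULES = [
    Rule("allow-dns", "udp", ANY, range(53, 54), "permit"),
    Rule("allow-internal-web", "tcp", ipaddress.ip_network("10.1.1.10/32"), range(443, 444), "permit"),
    Rule("deny-internal", "any", INTERNAL, None, "deny"),
    Rule("allow-web", "tcp", ANY, range(80, 81), "permit"),
    Rule("allow-web-tls", "tcp", ANY, range(443, 444), "permit"),
    Rule("allow-icmp-external", "icmp", ANY, None, "permit"),
]
ALLOWALL = Rule("allowall", "any", ANY, None, "permit")
SVC_DHCP = Rule("svc-dhcp", "udp", ANY, range(67, 69), "permit")   # assumed UDP 67-68

def evaluate(rules, pkt):
    """Return (action, rule name) for the first matching rule, else implicit deny."""
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto not in ("any", pkt.proto) or dst not in r.dst:
            continue
        if r.ports is not None and pkt.dport not in r.ports:
            continue
        return r.action, r.name
    return "deny", "implicit-deny"

# Constructed sample traffic from a guest client.
DISCOVER = Packet("udp", "255.255.255.255", 67)   # DHCP broadcast on reconnect
RENEW = Packet("udp", "10.0.0.1", 67)             # unicast renew to an assumed internal DHCP server
SSH_OUT = Packet("tcp", "203.0.113.5", 22)        # traffic the guest role should not allow

if __name__ == "__main__":
    for label, rules in [("role as posted", GUEST_RULES),
                         ("with allowall last", GUEST_RULES + [ALLOWALL]),
                         ("with svc-dhcp first", [SVC_DHCP] + GUEST_RULES)]:
        print(label, {p: evaluate(rules, p) for p in (DISCOVER, RENEW, SSH_OUT)})
```

In this model the DHCP rule sits ahead of the internal-subnet deny so that a unicast renewal to an internal DHCP server is not caught by that deny.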
