Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Users are able to access VPN through Guest Network without going through guest authentication

  • 1.  Users are able to access VPN through Guest Network without going through guest authentication

    Posted Sep 30, 2015 07:14 AM

    Hello Guys, 

     

    Users connected to the guest network are able to establish VPN tunnels to the outside world without going through Guest authentication. Does anyone know which ports I have to block for Guest access? 

     

    Thanks 



  • 2.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    EMPLOYEE
    Posted Sep 30, 2015 07:22 AM
    Create a new guest logon role with just DHCP, DNS, and captive-portal. 


    Thanks, 
    Tim


  • 3.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    Posted Sep 30, 2015 07:22 AM

    Please share the result of the following for the role the guest is in BEFORE authentication.   If you are not sure of the role, check with "show user-table"

     

    show rights <NameofRole>

     

     

     



  • 4.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    Posted Sep 30, 2015 07:42 AM

    Hi Celmbo, 

     

    As requested, please find the details about the Guest-pre auth role attached. 

     

    Thanks 

    Attachment: Guest-Pre-Auth.txt (6 KB)


  • 5.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    Posted Sep 30, 2015 08:37 AM

    Hello Guys, 

     

    Any changes in the role which you recommend after looking at the Guest_Pre_auth role? 

     

    Thanks 



  • 6.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    EMPLOYEE
    Posted Sep 30, 2015 08:38 AM

    Create a new guest logon role with just DNS, DHCP and captive-portal...



  • 7.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    Posted Sep 30, 2015 08:39 AM

    Try removing line 5 in the logon-control ACL (svc-natt).    You should not need this in your default logon role.    Or if you are more comfortable, make a new logon-control for your needs and leave the default ACL as is.
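
A check for the issue the replies describe, as an added example that is not part of any post in this thread: it parses session ACLs in config form and lists the permit rules in a pre-authentication ACL that go beyond DHCP and DNS. The sample config, the ACL name `guest-logon-min` and the allow-list are constructed assumptions; only `svc-natt` on line 5 of `logon-control` comes from the thread.

```python
# Added example: audit a pre-authentication session ACL for extra permits.
# Assumption: captive-portal redirection lives in its own ACL, so the
# logon-control style ACL only needs DHCP and DNS.
PREAUTH_ALLOWED = {"svc-dhcp", "svc-dns"}
ACTIONS = {"permit", "deny"}
# Number of tokens each address form occupies in a rule.
ADDR_WIDTH = {"any": 1, "user": 1, "host": 2, "alias": 2, "network": 3}

# Constructed sample (not the poster's attachment). svc-natt sits on line 5
# of logon-control as stated in the thread; the other rules are assumed.
SAMPLE_CONFIG = """\
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session guest-logon-min
  user any udp 68 deny
  any any svc-dns permit
  any any svc-dhcp permit
!
"""

def parse_acls(config):
    """Return {acl_name: [(position, service, action), ...]}."""
    acls, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["ip", "access-list", "session"] and len(tok) == 4:
            current = acls.setdefault(tok[3], [])
        elif not tok or tok == ["!"]:
            current = None                      # end of the ACL stanza
        elif current is not None and len(tok) >= 4:
            i = ADDR_WIDTH.get(tok[0], 1)       # skip the source
            i += ADDR_WIDTH.get(tok[i], 1)      # skip the destination
            # The service runs up to the action keyword (last token if none).
            j = next((k for k in range(i, len(tok)) if tok[k] in ACTIONS),
                     len(tok) - 1)
            current.append((len(current) + 1, " ".join(tok[i:j]), tok[j]))
    return acls

def audit_preauth(config, acl_name):
    """Permit rules whose service is outside the pre-auth allow-list."""
    return [(pos, svc) for pos, svc, action in parse_acls(config)[acl_name]
            if action == "permit" and svc not in PREAUTH_ALLOWED]

if __name__ == "__main__":
    for pos, svc in audit_preauth(SAMPLE_CONFIG, "logon-control"):
        print(f"logon-control line {pos}: {svc} permitted before authentication")
```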



  • 8.  RE: Users are able to access VPN through Guest Network without going through guest authentication

    Posted Sep 30, 2015 10:22 AM

    Thank you guys, I have made the change and have asked the users to test it. I will update you when I know more. 

     

    Again really appreciate your help!