Occasional Contributor II
Posts: 15
Registered: 02-19-2014

problem aaa roles

Hi all, I have been running Aruba wireless at my client's site for over a year, but I found something wrong this week: my wireless client could not do HTTP or FTP to one of their servers, although I can ping it. Then I ran 'show datapath session table ...ip...' and found the flag is FYDCA. The question is: how can I know which policy is blocking it? I created whole new policies, a role and then an SSID, but it is still blocked. Please help.

MVP
Posts: 420
Registered: 11-04-2011

Re: problem aaa roles

I would go from your screenshot to the firewall policies in the following steps:

1) Get the IP for which you have this issue; look it up in the user-table and find the corresponding role:

(Aruba7005) #show user

Users
-----
    IP                          MAC            Name          Role           Age(d:h:m)  Auth    VPN link  AP name              Roaming   Essid/Bssid/Phy                    Profile             Forward mode  Type     Host Name
----------                 ------------       ------         ----           ----------  ----    --------  -------              -------   ---------------                    -------             ------------  ----     ---------
fe80::10c5:ccab:a65a:a360  5c:f5:xx:xx:x:xx  userid        BYOD           00:01:29    802.1x            AP215-BG-8f:1e       Wireless  WLAN_WPA2/ac:a3:1e:d8:xx:xx/a-HT   WLAN_WPA2-aaa_prof  tunnel        iPad

This user has the role BYOD.

Now check the firewall policy for this role with the show rights command:

(Aruba7005) # show rights BYOD

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'BYOD'
 Up BW contract = 5M-BYOD(5000000 bits/sec)   Down BW contract = 5M-BYOD(5000000 bits/sec)
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 0
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 105/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name               Type     Location
--------  ----               ----     --------
1         global-sacl        session
2         apprf-BYOD-sacl  session
3         BYOD               session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-BYOD-sacl
-----------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
BYOD
------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     255.255.255.255          svc-dhcp               permit                           Low                                                           4
2         any     10.0.0.0 255.0.0.0       any                    deny               Yes           Low                                                           4
3         any     172.16.0.0 255.240.0.0   any                    deny               Yes           Low                                                           4
4         any     192.168.0.0 255.255.0.0  any                    deny               Yes           Low                                                           4
5         any     any                      any                    permit             Yes           Low                                                           4

Expired Policies (due to time constraints) = 0

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Occasional Contributor II
Posts: 15
Registered: 02-19-2014

Re: problem aaa roles

Hi, thank you for the reply. I'm aware of that; here is the output:

The user role is ftp:

Name: , IP: 10.50.32.12, MAC: e8:b1:fc:18:60:1e, Role: ftp, ACL: 83/0, Age: 00:03:54
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: Default VLAN
Idle timeout (global): 30 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: g-HT-20, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
Vlan default: 5, Assigned: 5, Current: 5 vlan-how: 1 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x2100, Port=0x1008f (tunnel 143)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
    Current Role name: ftp, role-how: 10, L2-role: ftp, L3-role: ftp
Essid: aruba-ap, Bssid: ac:a3:1e:db:f5:c2 AP name/group: AP15-TIK03/semar-lowpower Phy-type: g-HT-20
RadAcct sessionID:n/a
RadAcct Traffic In 175199/30660140 Out 131188/18575510 (2:44127/0:0:467:54828,2:116/0:0:283:28822)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:ftp, dot1x:, mac: CP: def-role:'ftp' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 0, RADIUS interim accounting 0
IP Born: 1462161617 (Mon May  2 11:00:17 2016)
Core User Born: 1462161616 (Mon May  2 11:00:16 2016)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.32
HTTP based device-id info - Index: 45, Device: Windows
Overall device-id info - Index: 27, Device: Windows
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: N/A, dot1x auth server: N/A
Address is from DHCP: yes
Per-user-log pointer 0x1972d34 (id 9671), num logs 1


The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client V: 802.11v BSS trans capable

PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz
             VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name        bssid              mac                auth  assoc  aid  l-int  essid     vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags  Band steer moves (T/S)
----        -----              ---                ----  -----  ---  -----  -----     -------  ---------  ---             -----------  ---------  -----  ----------------------
AP15-TIK03  ac:a3:1e:db:f5:c2  e8:b1:fc:18:60:1e  y     y      1    250    aruba-ap  5        0x1008f    g-HT-20sgi-2ss  3h:55m:22s   1          WA     0/0

e8:b1:fc:18:60:1e-ac:a3:1e:db:f5:c2 Stats
------------------------------------------
Parameter                            Value
---------                            -----
Channel                              1
Channel Frame Retry Rate(%)          6
Channel Frame Low Speed Rate(%)      0
Channel Frame Non Unicast Rate(%)    1
Channel Frame Fragmentation Rate(%)  0
Channel Frame Error Rate(%)          0
Channel Bandwidth Rate(kbps)         260
Channel Noise                        97
Client Frame Retry Rate(%)           9
Client Frame Low Speed Rate(%)       0
Client Frame Non Unicast Rate(%)     0
Client Frame Fragmentation Rate(%)   0
Client Frame Receive Error Rate(%)   22
Client Bandwidth Rate(kbps)          200
Client Tx Packets                    306082
Client Rx Packets                    121225
Client Tx Bytes                      38698277
Client Rx Bytes                      16966623
Client SNR                           45
A2c_SM SeqNum, Old SeqNums           3563 0

and the ftp role is:

(Aruba7220) #show rights ftp

Derived Role = 'ftp'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Web Content Classification: Enabled
 ACL Number = 83/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name            Type     Location
--------  ----            ----     --------
1         global-sacl     session
2         apprf-ftp-sacl  session
3         allowall        session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-ftp-sacl
--------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit                           Low                                                           4
2         any     any          any-v6                permit                           Low                                                           6

Expired Policies (due to time constraints) = 0

Allow all, because I created this role for troubleshooting, so I just gave it allow all; but the problem is that traffic to the FTP and HTTP ports is still blocked.
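The step-by-step check in the reply above (user IP, then role, then `show rights`) comes down to walking the role's session ACLs in order and stopping at the first matching rule. The following is an added example, not code from the thread or from ArubaOS: a small first-match evaluator loaded with the BYOD role quoted in the reply and the ftp role quoted in this post. The service-to-port mapping, the client source address 10.50.32.20, the server address 10.50.40.10 and the IPv6 test address are constructed for the example; the rules themselves are copied from the two `show rights` outputs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Service names as they appear in the quoted "show rights" output. The
# protocol/port mapping here is an assumption made for this example;
# "any" and "any-v6" match every service.
SERVICES = {"svc-dhcp": ("udp", {67, 68}),
            "svc-http": ("tcp", {80}),
            "svc-ftp": ("tcp", {21})}


@dataclass(frozen=True)
class Rule:
    priority: int
    source: str       # "any", "a.b.c.d" (single host) or "a.b.c.d mask"
    destination: str  # same syntax as source
    service: str      # "any", "any-v6" or a key of SERVICES
    action: str       # "permit" or "deny"
    ipv: int          # the IPv4/6 column: 4 or 6


def _addr_matches(field: str, ip) -> bool:
    """Match a Source/Destination cell: 'any', one host, or 'network mask'."""
    if field == "any":
        return True
    parts = field.split()
    if len(parts) == 1:
        return ip == ipaddress.ip_address(parts[0])
    return ip in ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def _service_matches(field: str, proto: str, port: int) -> bool:
    if field in ("any", "any-v6"):
        return True
    svc_proto, ports = SERVICES[field]
    return proto == svc_proto and port in ports


def find_matching_rule(role_acls, dst: str, proto: str, port: int,
                       src: str = "10.50.32.20") -> Tuple[Optional[str], Optional[int], str]:
    """Walk the role's ACLs in the order 'show rights' lists them and return
    (acl_name, priority, action) for the first rule that matches the flow.
    Session ACLs are first-match, so that rule decides the session; a flow
    matching no rule falls through to the implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_name, rules in role_acls:
        for r in rules:
            if r.ipv != dst_ip.version:
                continue
            if (_addr_matches(r.source, src_ip) and _addr_matches(r.destination, dst_ip)
                    and _service_matches(r.service, proto, port)):
                return acl_name, r.priority, r.action
    return None, None, "deny"


# The BYOD role from the reply above: two empty session ACLs, then BYOD.
BYOD_ROLE = [
    ("global-sacl", []),
    ("apprf-BYOD-sacl", []),
    ("BYOD", [
        Rule(1, "any", "255.255.255.255", "svc-dhcp", "permit", 4),
        Rule(2, "any", "10.0.0.0 255.0.0.0", "any", "deny", 4),
        Rule(3, "any", "172.16.0.0 255.240.0.0", "any", "deny", 4),
        Rule(4, "any", "192.168.0.0 255.255.0.0", "any", "deny", 4),
        Rule(5, "any", "any", "any", "permit", 4),
    ]),
]

# The ftp role from this post: allowall permits everything, v4 and v6.
FTP_ROLE = [
    ("global-sacl", []),
    ("apprf-ftp-sacl", []),
    ("allowall", [
        Rule(1, "any", "any", "any", "permit", 4),
        Rule(2, "any", "any", "any-v6", "permit", 6),
    ]),
]


def explain(role_name: str, role_acls, dst: str, proto: str, port: int) -> str:
    """One-line verdict naming the ACL and rule that decided the flow."""
    acl, prio, action = find_matching_rule(role_acls, dst, proto, port)
    where = f"{acl} rule {prio}" if acl else "implicit deny (no rule matched)"
    return f"{role_name}: {proto}/{port} to {dst} -> {action} by {where}"


if __name__ == "__main__":
    # 10.50.40.10 is a constructed server address inside 10.0.0.0/8.
    for role_name, acls in (("BYOD", BYOD_ROLE), ("ftp", FTP_ROLE)):
        print(explain(role_name, acls, "10.50.40.10", "tcp", 80))
        print(explain(role_name, acls, "10.50.40.10", "tcp", 21))
        print(explain(role_name, acls, "255.255.255.255", "udp", 67))
```

Running it shows the kind of answer the asker was looking for: under the BYOD role, HTTP or FTP to a 10.x server is denied by BYOD rule 2 (the 10.0.0.0/8 deny), while under the ftp role every flow is permitted by allowall rule 1. When the role's ACLs permit the flow and the session is still blocked, the cause has to be looked for outside the role policy, which is where the next reply goes.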

MVP
Posts: 420
Registered: 11-04-2011

Re: problem aaa roles

Your output also shows the flag Y (No SYN), which indicates that the blocked session does not go through the firewall from the start of the session; or it can be that you have asymmetric routing (the client is connected to two networks; can it be wired and wireless??).

If you have your client connected to the wired as well, please disconnect your wired connection and restart your application before you test again.

Advanced Services > Stateful Firewall > Global Settings; uncheck the option Enforce TCP Handshake Before Allowing Data. This option should not need to be unchecked unless there are some issues in your routing/network.

If this does not help, please work through your partner with Aruba TAC to get this investigated. It looks weird to me and does not reflect what I normally see.

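To make the two points in the reply above concrete (why a session can carry the Y / No SYN flag, and what the Enforce TCP Handshake Before Allowing Data setting changes), here is an added example that is not from the reply and is not ArubaOS code: a simplified stateful session table fed with constructed packets. The client address 10.50.32.12 is the one from this thread; the server address 10.50.40.10, the port numbers and the session-table behaviour beyond "Y means the first packet seen was not the client's SYN" are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# TCP flag bits used in the constructed packets.
SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Session:
    saw_syn: bool                                   # first packet seen was a pure SYN
    flags: Set[str] = field(default_factory=set)    # only "Y" (No SYN) is modelled


class StatefulFirewall:
    """Toy session table. A session is keyed on the 4-tuple in either
    direction. 'Y' is set when the first packet the firewall sees for a flow
    is not the client's SYN, i.e. the handshake happened on a path the
    firewall could not observe (asymmetric routing, a second uplink, ...)."""

    def __init__(self, enforce_handshake: bool):
        self.enforce_handshake = enforce_handshake
        self.table: Dict[Tuple[str, int, str, int], Session] = {}

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sess = self.table.get(key) or self.table.get(rkey)
        if sess is None:
            # Only a SYN without ACK counts as the start of a handshake;
            # a SYN/ACK or data packet means the start was missed.
            pure_syn = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
            sess = Session(saw_syn=pure_syn)
            if not pure_syn:
                sess.flags.add("Y")
            self.table[key] = sess
        # With handshake enforcement on, a No-SYN session never passes data;
        # with it off, the mid-stream session is accepted as is.
        if "Y" in sess.flags and self.enforce_handshake:
            return "drop"
        return "permit"


CLIENT, SERVER = "10.50.32.12", "10.50.40.10"   # constructed addresses

# Normal case: the firewall sees the whole handshake.
SYMMETRIC: List[Packet] = [
    Packet(CLIENT, 40001, SERVER, 80, SYN),
    Packet(SERVER, 80, CLIENT, 40001, SYN | ACK),
    Packet(CLIENT, 40001, SERVER, 80, ACK),
    Packet(CLIENT, 40001, SERVER, 80, PSH | ACK),
]

# Asymmetric case: the client's SYN went out another way, so the first
# packet the firewall sees is the server's SYN/ACK coming back.
ASYMMETRIC: List[Packet] = SYMMETRIC[1:]


def run(enforce_handshake: bool, packets: List[Packet]) -> Tuple[List[str], str]:
    """Feed the packets through a fresh firewall; return the per-packet
    verdicts and the flag letters of the resulting session entry."""
    fw = StatefulFirewall(enforce_handshake)
    verdicts = [fw.process(p) for p in packets]
    flags = "".join(sorted(next(iter(fw.table.values())).flags))
    return verdicts, flags


if __name__ == "__main__":
    print("symmetric,  enforce on :", run(True, SYMMETRIC))
    print("asymmetric, enforce on :", run(True, ASYMMETRIC))
    print("asymmetric, enforce off:", run(False, ASYMMETRIC))
```

With enforcement on, the symmetric flow is permitted end to end and its session carries no Y flag, while the asymmetric flow is tagged Y and every packet is dropped; with enforcement off, the same asymmetric flow is still tagged Y but passes. That is why the flag is worth reading before touching the setting: the flag tells you the firewall is not seeing the start of the session, and the reply's advice is to fix the path (the second connection, the routing) rather than to leave the check disabled.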
Occasional Contributor II
Posts: 15
Registered: 02-19-2014

Re: problem aaa roles

First, no, there is no other connection; I just turned on the Wi-Fi. Second, it's unchecked already. Thanks anyway.
