Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP Management lockdown

  • 1.  AP Management lockdown

    Posted Sep 11, 2009 10:52 AM
    We have 4 subnets that we use for AP Management (4 core Cisco routers, and each has several buildings/APs hanging from it). I would like to lock the subnets so that even if a student decides to unplug the patch cord from an AP and plug in their laptop, they would not be able to go anywhere. So I crafted this ACL (below). The problem I have is that it does not allow APs to get a DHCP address; however, the laptops can. Our APs get DHCP by DNSing aruba-master, so I allowed DNS and DHCP in the first 2 lines. This ACL is blocking outgoing traffic from the AP's point of view and is placed on the subnet interface on the router:
    ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
     remark DNS lookup to find the controller
     permit udp any eq domain any eq domain
     remark DHCP request
     permit udp any eq bootpc any eq bootps
     remark controllers
     permit ip any host 130.253.21.25
     permit ip any host 130.253.21.26
     permit ip any host 130.253.21.27
     remark Cisco Works, we have some switches on this subnet
     permit ip any host 130.253.253.100
     remark ping APs from our network
     permit icmp any 130.253.0.0 0.0.255.255
     deny ip any any

    Any ideas? Do the APs do anything “funny” when requesting DHCP?

    Thanks!


  • 2.  RE: AP Management lockdown

    Posted Sep 11, 2009 11:28 AM
    I added a line for broadcasts and now the AP is getting an address. But it seems it can't form the GRE tunnel to the controller, so I allowed GRE on the ACL. But it still can't talk to the controller:
    ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
    permit ip any 255.255.255.255 0.0.0.0
    permit gre any any
    permit udp any eq domain any eq domain
    permit udp any eq bootpc any eq bootps
    permit ip any host 130.253.21.25
    permit ip any host 130.253.21.26
    permit ip any host 130.253.21.27
    permit ip any host 130.253.253.100
    permit icmp any 130.253.0.0 0.0.255.255
    deny ip any any


  • 3.  RE: AP Management lockdown

    Posted Sep 11, 2009 02:03 PM
    OK, I have it working this way. I had to open all UDP ports, because looking at the datapath session table it was picking some random (non-well-known) ports once in a while, table below. So this is what my ACL looks like, not 100% bulletproof, but good enough for the casual student deciding to try to connect his computer to an AP port/patch cord:
    ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
    permit udp any any
    permit gre any host 130.253.21.25
    permit gre any host 130.253.21.26
    permit gre any host 130.253.21.27
    permit ip any host 130.253.253.100
    permit icmp any 130.253.0.0 0.0.255.255
    deny ip any any

    -------------------


    (Aruba6000-UTS-master) #show datapath session table 130.253.90.146

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    I - Deep inspect, U - Locally destined

    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
    -------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
    130.253.90.146 130.253.21.26 17 8211 8211 0 0 0 0 local 7 F
    0 0 0 1 local FY
    130.253.90.146 130.253.21.25 17 8211 8211 0 0 0 0 tunnel 8 7 FC
    0 0 0 1 tunnel 8 FYC
    130.253.90.146 130.253.21.26 17 2049 123 0 0 0 1 local c FY
    0 0 0 1 local FY
    130.253.90.146 130.253.21.25 17 2049 123 0 0 0 1 tunnel 8 c FC
    0 0 0 1 tunnel 8 FYC
    130.253.90.146 130.253.21.25 17 2049 514 0 0 0 1 tunnel 8 b FC
    0 0 0 1 tunnel 8 FYC
    130.253.90.146 130.253.21.25 47 0 0 0 0 0 0 tunnel 8 4 FC
    0 0 0 0 tunnel 8 FC
    130.253.21.26 130.253.90.146 17 51959 2 0 0 0 1 local 7 FC
    0 0 0 0 local FC
    130.253.21.26 130.253.90.146 17 8211 8211 0 0 0 0 local 7 FC
    0 0 0 1 local FYC
    130.253.21.25 130.253.90.146 17 8211 8211 0 0 0 0 tunnel 8 7 FY
    0 0 0 1 tunnel 8 FY
    130.253.21.25 130.253.90.146 47 0 0 0 0 0 0 tunnel 8 4 F
    0 0 0 0 tunnel 8 F
    130.253.21.25 130.253.90.146 17 123 2049 0 0 0 0 tunnel 8 c FY
    0 0 0 1 tunnel 8 FY
    130.253.21.26 130.253.90.146 17 123 2049 0 0 0 0 local c FC
    0 0 0 1 local FYC
    130.253.21.25 130.253.90.146 17 514 2049 0 0 0 0 tunnel 8 b FY
    0 0 0 1 tunnel 8 FY
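    The session table above shows that only the AP's source ports vary (2049 here); the destination ports on the controller side are a fixed set, so an outbound ACL can match on destination port instead of `permit udp any any`. The script below is an added example, not code from the thread: it parses the rows quoted in this post and derives the corresponding IOS permits (the AP and controller addresses are the ones in the post; the ACL name is the poster's).

```python
# Rows copied from the "show datapath session table" output quoted in post 3
# (wrapped continuation lines without IP addresses are omitted).
SESSION_TABLE = """\
130.253.90.146 130.253.21.26 17 8211 8211 0 0 0 0 local 7 F
130.253.90.146 130.253.21.25 17 8211 8211 0 0 0 0 tunnel 8 7 FC
130.253.90.146 130.253.21.26 17 2049 123 0 0 0 1 local c FY
130.253.90.146 130.253.21.25 17 2049 123 0 0 0 1 tunnel 8 c FC
130.253.90.146 130.253.21.25 17 2049 514 0 0 0 1 tunnel 8 b FC
130.253.90.146 130.253.21.25 47 0 0 0 0 0 0 tunnel 8 4 FC
130.253.21.26 130.253.90.146 17 51959 2 0 0 0 1 local 7 FC
130.253.21.25 130.253.90.146 17 123 2049 0 0 0 0 tunnel 8 c FY
"""

# Controller addresses taken from the thread's own ACL.
CONTROLLERS = {"130.253.21.25", "130.253.21.26", "130.253.21.27"}


def parse_sessions(text):
    """Split each row into fields; 'Destination' may span two words (tunnel 8)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[0].count(".") != 3:  # skip headers/continuations
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]), "flags": f[-1]})
    return rows


def ap_outbound_permits(sessions, controllers):
    """IOS permits for AP->controller flows, matched on destination port only,
    so varying AP source ports (2049 here) need no 'permit udp any any'."""
    permits = []
    for s in sessions:
        if s["dst"] not in controllers:
            continue  # controller->AP rows are not filtered by an outbound ACL
        if s["proto"] in (6, 17):
            proto = "tcp" if s["proto"] == 6 else "udp"
            line = f"permit {proto} any host {s['dst']} eq {s['dport']}"
        elif s["proto"] == 47:
            line = f"permit gre any host {s['dst']}"
        else:
            line = f"permit {s['proto']} any host {s['dst']}"
        if line not in permits:
            permits.append(line)
    return permits


def render_acl(name, permits):
    """Named extended ACL: derived permits, then the explicit final deny."""
    body = [f" {p}" for p in permits] + [" deny ip any any"]
    return "\n".join([f"ip access-list extended {name}"] + body)
```

    The DHCP, DNS and broadcast permits from posts 1 and 2 do not appear in the session table and still have to be placed ahead of the derived lines; the protocol list in the user guide appendix cited in the next reply is the authoritative source for anything a short capture misses.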


  • 4.  RE: AP Management lockdown
    Best Answer

    EMPLOYEE
    Posted Sep 11, 2009 03:32 PM
    Appendix B (page 591) of the ArubaOS 3.4 user guide has all the protocols you would need to open.


  • 5.  RE: AP Management lockdown

    Posted Jan 09, 2018 10:33 AM

    Isn't it easier to configure wired authentication based on 802.1x on the switch ports? That way you know that an insecure client never gets any access to the network by placing them in a quarantine / internet-only environment.


    OOPS: didn't see that this post already is VERY VERY VERY OLD!!!