Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Allow access to an internal server from the guest side

  • 1.  Allow access to an internal server from the guest side

    Posted Apr 01, 2016 09:10 AM

    I have been looking for a way to allow access to one of our servers from the guest network. I have tried using an outside connection that we have for testing. It works fine. I have tried going through the Guest using our remote solution and it works fine. I have put the policy before blocking the internal networks. The policy has the internal IP and an external IP address. When I try to open the web page for it, I cannot connect. I look at "show datapath session table." I put in the client IP, which is a guest IP, and I see D, which is deny.



  • 2.  RE: Allow access to an internal server from the guest side

    Posted Apr 01, 2016 10:54 AM

    Hi ,

    Please share the following output:

     

    Aruba# show user | include <mac-address of client>

     

    Aruba# show rights <name of role>

     

    The role will be the one listed in the show user output.

     

    Aruba# show datapath session table <ip-address of client> | include <ip-address of the server>

     

    In addition to the above, please change the role for the test client to authenticated & verify if you are able to access the server.

     

    Aruba# aaa user add <ip-address of client> role authenticated



  • 3.  RE: Allow access to an internal server from the guest side

    Posted Apr 01, 2016 01:36 PM

    show user | include 60:67:20:a4:2b:9c
    192.168.250.97 60:67:20:a4:2b:9c 606720a42b9c GUEST-CP 00:04:41 MAC AP-080-SPARE Wireless TST-GUEST/04:bd:88:42:ae:90/a-HT TST-GUEST-aaa_prof tunnel Windows


    (MASTER-CONTROLLER) #show rights GUEST-CP

    Derived Role = 'GUEST-CP'
    Up BW contract = mrmc-guest-upstream (1000000 bits/sec) (per-user)
    Down BW contract = mrmc-guest-downstream (3000000 bits/sec) (per-user)
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Web Content Classification: Enabled
    ACL Number = 115/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = TST-GUEST-cp_prof

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 TST-GUEST-cp_prof_list_operations session
    2 global-sacl session
    3 apprf-GUEST-CP-sacl session
    4 Airwatch session
    5 block-internal-access session
    6 Block-72.50.232.243 session
    7 mrmc-guest-logon-access session
    8 RDP session
    9 JunosPulse session
    10 vpnlogon session
    11 email_client session
    12 auth-mrmc-guest-access session
    13 EMAIL-ACL session
    14 drop-and-log session

    TST-GUEST-cp_prof_list_operations
    ---------------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user CPPM svc-http permit Low 4
    2 user CPPM svc-https permit Low 4
    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    apprf-GUEST-CP-sacl
    -------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    Airwatch
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any 172.16.146.51 any permit Yes High 4
    2 any 172.16.146.29 any permit Yes High 4
    3 any Airwatch-svr any permit High 4
    block-internal-access
    ---------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user internal-networks any deny Low 4
    Block-72.50.232.243
    -------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    mrmc-guest-logon-access
    -----------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    3 user Private-DNS svc-dns permit Low 4
    4 user public-dns svc-dns permit Low 4
    RDP
    ---
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any 75.149.140.49 any permit Low 4
    JunosPulse
    ----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any 172.16.6.100 any permit High 4
    vpnlogon
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user any svc-ike permit Low 4
    2 user any svc-esp permit Low 4
    3 any any svc-l2tp permit Low 4
    4 any any svc-pptp permit Low 4
    5 any any svc-gre permit Low 4
    email_client
    ------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any any svc-smtp permit Low 4
    2 any any svc-pop3 permit Low 4
    3 any any tcp 143 permit Low 4
    4 any any svc-auth-smtp permit Low 4
    5 any any svc-imap-ssl permit Low 4
    6 any any svc-pop-ssl permit Low 4
    7 any any svc-imap permit Low 4
    auth-mrmc-guest-access
    ----------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user any svc-http permit Low 4
    2 user any svc-https permit Low 4
    3 user any svc-ike permit Low 4
    4 user any svc-natt permit Low 4
    EMAIL-ACL
    ---------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any any svc-smtp permit Low 4
    2 any any svc-pop3 permit Low 4
    3 any any tcp 143 permit Low 4
    4 any any svc-auth-smtp permit Low 4
    5 any any svc-imap-ssl permit Low 4
    6 any any svc-pop-ssl permit Low 4
    7 any any svc-imap permit Low 4
    drop-and-log
    ------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user any any deny Yes Low 4

    Expired Policies (due to time constraints) = 0



    (MASTER-CONTROLLER) # show datapath session table 192.168.250.97 | include 172.16.146.29

    (MASTER-CONTROLLER) # show datapath session table 192.168.250.97 | include 107.0.205.28

    (MASTER-CONTROLLER) # show datapath session table 192.168.250.97


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal
    A - Application Firewall Inspect


    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
    --------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
    192.168.250.97 8.8.8.8 17 62041 53 1/73 0 0 1 tunnel 2168 11 0 0 FSCI
    192.168.250.97 107.0.205.28 6 62644 443 1/73 0 0 1 tunnel 2168 f 0 0 SYHC
    192.168.250.97 107.0.205.28 6 62645 443 1/73 0 0 1 tunnel 2168 8 3 152 SYHC
    192.168.250.97 8.8.8.8 17 52875 53 1/73 0 0 1 tunnel 2168 11 0 0 FSCI

     

    I ran the show datapath session with the internal and external IP address.

    I ran aaa user add 192.168.250.97 role authenticated. I was able to get to the server.

     

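The datapath session table pasted above is the place to answer the question the original post raises (is the flow really carrying the D flag?), and the Flags column is compact enough that misreading it is easy. The following parser is an added example written for this thread, not code from the controller or from any poster; it decodes the Flags column using the legend the controller prints above the table and reports, for a given server IP, whether any session to it is denied, source-NATed, and how many packets went through. The sample rows are constructed in the pasted format: the first four mirror the output above, the last one (to 172.16.146.29 with flags DC) is invented so a denied session can be shown.

```python
"""Parse ArubaOS 'show datapath session table' output and decode the Flags column.

Added example; the column layout and flag legend follow the output pasted in the thread.
"""
import re
from dataclasses import dataclass

# Flag legend exactly as the controller prints it above the table.
FLAG_LEGEND = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT",
    "D": "deny", "R": "redirect", "Y": "no syn",
    "H": "high prio", "P": "set prio", "T": "set ToS",
    "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis",
    "I": "Deep inspect", "U": "Locally destined",
    "E": "Media Deep Inspect", "G": "media signal",
    "A": "Application Firewall Inspect",
}

# Constructed sample in the thread's format: the first four rows mirror the
# pasted output; the last row is invented to show what a denied session looks like.
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
192.168.250.97 8.8.8.8 17 62041 53 1/73 0 0 1 tunnel 2168 11 0 0 FSCI
192.168.250.97 107.0.205.28 6 62644 443 1/73 0 0 1 tunnel 2168 f 0 0 SYHC
192.168.250.97 107.0.205.28 6 62645 443 1/73 0 0 1 tunnel 2168 8 3 152 SYHC
192.168.250.97 8.8.8.8 17 52875 53 1/73 0 0 1 tunnel 2168 11 0 0 FSCI
192.168.250.97 172.16.146.29 6 62700 443 1/73 0 0 1 tunnel 2168 2 1 60 DC
"""

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str

    @property
    def denied(self) -> bool:
        # 'D' is the only flag that means the datapath dropped the flow.
        return "D" in self.flags

    def describe(self) -> str:
        return ", ".join(FLAG_LEGEND.get(f, f"unknown({f})") for f in self.flags)


def parse_sessions(text: str) -> list[Session]:
    """Return one Session per table row; header, ruler and legend lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not _IPV4.match(parts[0]):
            continue
        # Fixed columns from the left, counters and flags from the right, so an
        # extra middle column in another firmware build does not shift the parse.
        sessions.append(Session(
            src=parts[0], dst=parts[1], proto=int(parts[2]),
            sport=int(parts[3]), dport=int(parts[4]),
            packets=int(parts[-3]), bytes=int(parts[-2]), flags=parts[-1],
        ))
    return sessions


def summarize(text: str, server_ip: str) -> dict:
    """Answer the question asked in the thread: do sessions to the server carry D?"""
    hits = [s for s in parse_sessions(text) if s.dst == server_ip]
    return {
        "sessions": len(hits),
        "denied": any(s.denied for s in hits),
        "src_nat": any("S" in s.flags for s in hits),
        "packets": sum(s.packets for s in hits),
    }


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(f"{s.src} -> {s.dst}:{s.dport}/{s.proto}  {s.flags:<6} {s.describe()}")
    print(summarize(SAMPLE, "107.0.205.28"))
    print(summarize(SAMPLE, "172.16.146.29"))
```

Run against the rows actually pasted in this reply, the two 107.0.205.28 sessions decode to "src NAT, no syn, high prio, client" with no D flag, which is the detail the later replies pick up on: the role is not denying the flow at the datapath, the traffic is being source-NATed and placed in the high-priority queue.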


  • 4.  RE: Allow access to an internal server from the guest side

    Posted Apr 01, 2016 01:42 PM

    Above Airwatch-svr is 107.0.205.28



  • 5.  RE: Allow access to an internal server from the guest side

    Posted Apr 01, 2016 08:26 PM

    Hi,

     

    1. As per the attached datapath session, traffic to the server is being source-NATed.

     

    Are you seeing any ACL hits when trying to access that server when the client is in the role GUEST-CP?

     

    Aruba# show acl hits role <name of role>

     

    2. The above role is pre-auth (client did not undergo CP auth).

     

    However, the ACL should still allow the access.

     

    Are you able to access the same server post authentication?

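The replies so far rest on how the controller walks a role's session ACLs: in position order, first match wins, and a deny that sits ahead of the permit wins even when the permit is correct. The block below is an added example for this thread, not controller code or anything a poster supplied. It reduces the GUEST-CP role from the "show rights" output above to the four ACLs that matter for the flow and walks them for a guest client's connection. The contents of the netdestination aliases (Airwatch-svr, internal-networks) and of the service aliases are assumptions, since the thread never prints them; Airwatch-svr is taken as 107.0.205.28 because reply 4 says so, and internal-networks is assumed to be the RFC 1918 ranges. Running it with block-internal-access moved ahead of Airwatch shows why the original poster placed the permit first.

```python
"""First-match walk over a role's ordered session ACLs, as ArubaOS applies them.

Added example, not controller code. The ACL list is reduced from the 'show rights
GUEST-CP' output in the thread; the netdestination and service alias contents are
assumptions, since the thread never prints them.
"""
import ipaddress
from dataclasses import dataclass

# Assumed contents of the netdestination aliases used by the role.
NETDEST = {
    "any": ["0.0.0.0/0"],
    "Airwatch-svr": ["107.0.205.28/32"],                                    # stated in reply 4
    "internal-networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # assumed
}
# Assumed service aliases: (IP protocol, destination port); None means any.
SERVICES = {
    "any": (None, None),
    "svc-http": (6, 80),
    "svc-https": (6, 443),
    "svc-dns": (17, 53),
}


@dataclass(frozen=True)
class Rule:
    src: str       # "user", "any", alias name, or literal IP/CIDR
    dst: str
    service: str
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    dport: int


# Reduced copy of the GUEST-CP role, keeping only the ACLs relevant to the flow,
# in the positions the 'show rights' output lists them.
GUEST_CP = [
    ("Airwatch", [
        Rule("any", "172.16.146.51", "any", "permit"),
        Rule("any", "172.16.146.29", "any", "permit"),
        Rule("any", "Airwatch-svr", "any", "permit"),
    ]),
    ("block-internal-access", [
        Rule("user", "internal-networks", "any", "deny"),
    ]),
    ("auth-mrmc-guest-access", [
        Rule("user", "any", "svc-http", "permit"),
        Rule("user", "any", "svc-https", "permit"),
    ]),
    ("drop-and-log", [
        Rule("user", "any", "any", "deny"),
    ]),
]


def _ip_matches(alias: str, ip: str, user_ip: str) -> bool:
    if alias == "user":
        return ip == user_ip
    nets = NETDEST.get(alias, [alias])   # a literal IP or CIDR is its own alias
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _svc_matches(alias: str, proto: int, dport: int) -> bool:
    want_proto, want_port = SERVICES[alias]
    return (want_proto is None or want_proto == proto) and \
           (want_port is None or want_port == dport)


def evaluate(role, flow: Flow, user_ip: str):
    """Return (acl_name, rule_number, action) for the first matching rule, or
    (None, None, "deny") for the implicit deny at the end of the list."""
    for acl_name, rules in role:
        for number, rule in enumerate(rules, start=1):
            if (_ip_matches(rule.src, flow.src_ip, user_ip)
                    and _ip_matches(rule.dst, flow.dst_ip, user_ip)
                    and _svc_matches(rule.service, flow.proto, flow.dport)):
                return acl_name, number, rule.action
    return None, None, "deny"


if __name__ == "__main__":
    guest = "192.168.250.97"
    for dst in ("107.0.205.28", "172.16.146.29", "172.16.50.10", "198.51.100.7"):
        print(dst, evaluate(GUEST_CP, Flow(guest, dst, 6, 443), guest))
    # Same rules with block-internal-access moved ahead of Airwatch: the
    # internal server is now denied before its permit is ever reached.
    swapped = [GUEST_CP[1], GUEST_CP[0]] + GUEST_CP[2:]
    print("swapped", evaluate(swapped, Flow(guest, "172.16.146.29", 6, 443), guest))
```

With the positions as the role shows them, the flow to either server address is permitted by the Airwatch ACL before block-internal-access is consulted, which agrees with the session table showing no D flag. The same walk is what "show acl hits role GUEST-CP" reports from the controller's side, so a hit counter on the Airwatch ACL and none on drop-and-log is the expected picture when the policy is right and the problem lies elsewhere.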


  • 6.  RE: Allow access to an internal server from the guest side

    Posted Apr 05, 2016 09:03 AM

    The role above is post-auth, and no, I cannot get to it either pre-auth or post-auth.



  • 7.  RE: Allow access to an internal server from the guest side

    Posted Apr 05, 2016 09:15 AM

    Yes, I can see hits to the ACL.



  • 8.  RE: Allow access to an internal server from the guest side

    Posted Apr 05, 2016 02:01 PM

    Hi,

     

    I assumed the role to be pre-auth as I saw the CP profile mapped to it. That was a mistake from my end.

     

    As you have mentioned earlier, it works fine if you manually change the role to authenticated.

     

    The only difference it should have from the current role will be the queue set to low.

     

    The Airwatch ACL has the traffic sent in the high queue:

     

    any Airwatch-svr any permit High 4

     

    1. We can try changing the queue to low to see if it makes any difference.

     

    Please paste the output for "show rights authenticated", "show ap essid" & "show vlan status" as well.

     

    Is it possible for you to open a TAC ticket to debug this in case it does not work post trying the above step?



  • 9.  RE: Allow access to an internal server from the guest side

    Posted Apr 06, 2016 10:39 AM

    I had a case open with TAC before and could never figure out why.


    #AirheadsMobile


  • 10.  RE: Allow access to an internal server from the guest side

    Posted Apr 06, 2016 12:38 PM

    Please share the TAC Case No that you had opened.