Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Deny inter user traffic / bridging vs. Wireless printing

  • 1.  Deny inter user traffic / bridging vs. Wireless printing

    Posted Dec 07, 2011 04:10 PM

    I'm ashamed to ask this but we have an interesting issue I hope someone can help with.

     

    We have a VIP who is insisting that they have a wireless printer, saying "no" isn't an option

    we have deny inter user bridging and traffic enabled in our controller, turning them off isn't an option

     

    the VIP exists essentially in their own ssid, but the settings are global

     

    how can I let this person print wirelessly?

     

    (I'm cool with adding SSIDs if needed)

     

    I tried putting the printer and user in different SSIDs, but I guess the firewall settings are L2, so it didn't help.

     

    Any suggestions?



  • 2.  RE: Deny inter user traffic / bridging vs. Wireless printing

    EMPLOYEE
    Posted Dec 07, 2011 04:27 PM

    Deny inter user traffic in ArubaOS 6.1.x is now under the Virtual AP profile, so that you can do this per VAP, instead of globally under Advanced > Firewall.

     



  • 3.  RE: Deny inter user traffic / bridging vs. Wireless printing

    Posted Dec 07, 2011 04:28 PM

    The tech support guy showed me that as well, sadly we are still using sup1 cards, so 6.x.x.x is not an option :(



  • 4.  RE: Deny inter user traffic / bridging vs. Wireless printing

    EMPLOYEE
    Posted Dec 07, 2011 04:30 PM

    You know you can also create the rules to deny inter user traffic at the role level. I remember setting that up on 3.4 once.



  • 5.  RE: Deny inter user traffic / bridging vs. Wireless printing

    EMPLOYEE
    Posted Dec 07, 2011 04:33 PM

    Are you using Deny Inter user traffic bridging so that users cannot talk to each other?  That is pretty much all it is good for.  You can use role-based rules to accomplish the same.

     

    EDIT:  I see that Zjennings already mentioned that.

     

     



  • 6.  RE: Deny inter user traffic / bridging vs. Wireless printing

    Posted Dec 07, 2011 04:57 PM

    We are using 3.4.4.3 and yes, those firewall options are making sure that the users (residents in a dorm) cannot see each other.

     

    If a rule can do that and allow me to disable the firewall options I would, can an example be provided?

     

    Thanks!



  • 7.  RE: Deny inter user traffic / bridging vs. Wireless printing

    EMPLOYEE
    Posted Dec 07, 2011 05:00 PM

    user network 10.0.0.0 255.255.0.0 any deny

     

     

    The network parameter would be any user network you do not want users to get to.  This is best accomplished through an alias, of course.



  • 8.  RE: Deny inter user traffic / bridging vs. Wireless printing

    Posted Dec 30, 2011 03:50 PM

    You could also do a "user user any deny" in your ACL. This denies any traffic from wireless users to wireless users. I think this is what you are asking for.



  • 9.  RE: Deny inter user traffic / bridging vs. Wireless printing

    Posted Feb 08, 2013 04:33 PM

    Hate to dig up an old thread... but now I'm facing a similar situation.  Been searching the forums, this is the closest posting found...

     

    Customer wants to print from a BYOD device to a WiFi printer, while continuing to deny inter-user traffic without impacting traffic to network resources/internet.

     

    What is the ACL "equivalent" of the "Deny Inter-User Traffic" VAP setting?  

     

    Think it would be "user user any deny"... no good, controller (620 on v6.2) says, "Only one of source or destination must be 'user'"

     

    In my mind, the following would accomplish this, but the controller doesn't allow the "user user any deny".

     

    !
    ip access-list session allowtest
       user (printerip) any permit
       user user any deny
       any any any permit

     

    Any suggestions would be kindly appreciated...



  • 10.  RE: Deny inter user traffic / bridging vs. Wireless printing

    EMPLOYEE
    Posted Feb 08, 2013 05:17 PM

    I would do user subnet X any deny.

     

    That should do it.



  • 11.  RE: Deny inter user traffic / bridging vs. Wireless printing

    Posted Feb 21, 2019 06:07 PM

    Old thread, but recently ran into an issue where the "Deny inter user traffic" checkbox in the Virtual AP profile was not actually blocking user to user traffic in an 8.3 cluster.  I ended up just creating a policy attached to the post-auth user role with the following Rule(Access Control):

     

    ipv4  user  alias(internal-network) any deny

     

    internal-network alias was:

    network 10.0.0.0 255.0.0.0

    network 192.168.0.0 255.255.0.0

    network 172.16.0.0 255.240.0.0

     

    Added that policy to the post-auth role handed back to guest devices after they click through the captive portal (or perform mac auth) and they could no longer reach each other.
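
Added example, not part of the thread and not Aruba code: a simplified first-match model of the rule lists discussed in posts 9 to 11, showing why the printer permit has to sit above the subnet or alias deny, and that the alias deny also covers any other internal address. The printer, client, DNS and internet addresses are constructed, and the implicit final deny is an assumption of the model.

```python
import ipaddress

# Constructed address: a wireless printer inside 10.0.0.0/8.
PRINTER = [ipaddress.ip_network("10.20.30.40/32")]
# The internal-network alias from post 11, written as prefixes.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Each rule is (destination networks, action). The source is taken to be
# "user" (a wireless client) for every rule in this simplified model.
PRINTER_FIRST = [
    (PRINTER, "permit"),   # user (printerip) any permit
    (INTERNAL, "deny"),    # user alias(internal-network) any deny
    (ANY, "permit"),       # any any any permit
]
# Same rules with the deny moved above the printer permit.
DENY_FIRST = [PRINTER_FIRST[1], PRINTER_FIRST[0], PRINTER_FIRST[2]]

def evaluate(rules, dst):
    """Return the action of the first rule whose destination contains dst."""
    addr = ipaddress.ip_address(dst)
    for nets, action in rules:
        if any(addr in net for net in nets):
            return action
    return "deny"  # assumption: nothing matched, so the flow is dropped

def report(rules, flows):
    """Map each named flow to the action the rule list gives it."""
    return {name: evaluate(rules, dst) for name, dst in flows.items()}

# Constructed destinations, all seen from a wireless client.
FLOWS = {
    "printer": "10.20.30.40",
    "other client": "10.20.30.77",
    "internal DNS": "10.0.0.53",
    "internet": "203.0.113.10",
}

if __name__ == "__main__":
    for label, rules in (("printer first", PRINTER_FIRST),
                         ("deny first", DENY_FIRST)):
        print(label, report(rules, FLOWS))
```

In the printer-first ordering only the printer is reachable among internal addresses; the internal DNS entry shows that any wired service inside the alias needs its own permit above the deny.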



  • 12.  RE: Deny inter user traffic / bridging vs. Wireless printing

    Posted Jul 11, 2019 03:11 PM

    Hi everybody.

    Does anyone know how to do this:


    @a_human wrote:

    ....just creating a policy attached to the post-auth user role with the following Rule(Access Control):

    ipv4  user  alias(internal-network) any deny


    with Instant Config and Virtual Controller?

     

    Because I can create only Network/Application/etc rules, without user parameter/variable.

    Thank you in advance!