Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Firewall Policy for RAP-Split Tunnel Forward Mode

  • 1.  Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Dec 29, 2012 07:15 AM

    Right now I have set up a remote network with split-tunnel and it is working well.

    Clients can get DHCP from HQ, authenticate to Amigopod (HQ) and then browse the internet from their local site.

    But our client wants to do some web filtering for their guests on the remote site, and only allow their Corporate Website.

    I have tried to add these configs on our guest-authenticated-role:

    netdestination Agent-Sites-Invert
    invert
    name website.number1.com
    name website.number2.com

    netdestination Agent-Sites
    name website.number1.com
    name website.number2.com

    -------

    ip access-list session Agent-Web-01
    any alias Agent-Sites-Invert svc-http deny
    any alias Agent-Sites-Invert svc-https deny
    any any any route src-nat

    user-role guest
    access-list session cplogout
    access-list session dhcp-acl
    access-list session icmp-acl
    access-list session dns-acl
    access-list session LocalNetworks
    access-list session Agent-Web-01

    -- or --

    ip access-list session Agent-Web-02
    any alias Agent-Sites any allow

    user-role guest
    access-list session cplogout
    access-list session dhcp-acl
    access-list session icmp-acl
    access-list session dns-acl
    access-list session LocalNetworks
    access-list session Agent-Web-02

    --------

    but none of them seems to work.

    Any ideas?

    Thanks



  • 2.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Dec 29, 2012 07:16 AM

    Sorry, I forgot to mention: the controller is a 3000 series running OS 6.1.3.4 and the access point is a 105.

    Thanks



  • 3.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    EMPLOYEE
    Posted Dec 29, 2012 08:11 AM

    Did you define a DNS name server and a domain on the controller? https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-264


  • 4.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Dec 29, 2012 01:34 PM

    Hi cjoseph,

    Yes, I have configured the IP NAME SERVER and DOMAIN LOOKUP.

    Our guests are using captive portal and they are already redirected to the landing page as soon as they browse the internet/websites.

    I also rechecked our setup as you suggested, and everything works fine.


  • 5.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    EMPLOYEE
    Posted Dec 29, 2012 01:42 PM

    Let's take a step back:

    - Where is this web filter located?  It must be inline to the guest traffic, have the guests set a proxy that points to the web filter, or use a cloud-based solution that can filter guest client traffic from a RAP; otherwise this will not work.

    Exactly how does the user want this to function, and what is the big picture?


  • 6.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Dec 29, 2012 02:02 PM

    The web filter policy is actually on the HQ controller, not on some device inline with the RAP or guest traffic.

    There is no proxy or cloud-based solution for this setup.

    Our clients thought that there might be some way to push the filtering to the RAP at the remote location. Is it possible?

    This setup is intended for remote guests, and our client wants to open only a few websites to them.

    Thanks.


  • 7.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode
    Best Answer

    EMPLOYEE
    Posted Dec 29, 2012 02:05 PM

    Okay.  Would it be fair enough to start with IP address filtering?  I don't think that the RAP can reverse lookup a URL and allow/block like the controller can...


  • 8.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Dec 29, 2012 02:09 PM

    Thanks for the heads-up cjoseph,

    I will try it next year (2 more days) and post the result.

    Happy New Year!


  • 9.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Dec 30, 2012 07:39 PM

    Why don't you just do tunnel mode and do that on the corporate site?

    I don't see the use of split tunneling if you are doing that... I mean you are just allowing their Corporate Website.

    If the guest network just has a VLAN that only exists on the controller and is NATing, well, you will have to apply the web filter to that IP, and this will work... you don't need to do anything on the controller actually.

    It would be nice if you could tell us why you need to put it on split tunneling if you are just allowing their Corporate Website.  They are actually not allowing internet, it seems, just a few websites that the corporate owns?


  • 10.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Jan 02, 2013 02:01 AM

    Hi Nightshade,

    Our remote sites are using their own ISPs. There is no MPLS / VPN connection from there to HQ.

    We provide a wireless network for our free-lance agents across the country. They need access to our corporate website (but still accessed from the public IPs) to input queries, seek information, etc.

    That's why we need to filter the access.

    Unfortunately I can't test the IP-based filtering as of today; I'm still on my vacation. Will update as soon as I can.

    Thanks


  • 11.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode
    Best Answer

    Posted Jan 02, 2013 07:39 AM

    Okay, let me explain.

    It doesn't matter that they have no MPLS or VPN... they will still establish a tunnel with their own IPsec tunnel.

    So this means that they are on a remote AP which will make an IPsec tunnel which will carry a GRE tunnel, which means you can use tunnel mode as the forward method if you want.

    Putting it on split tunneling or tunnel mode will result in the same case...

    When you are doing split tunneling and you have, for example, rules something like this:

    1         any               any               svc-dhcp  permit                                  Low                                                           4
    2         user              Internal_Network  any       permit                                  Low                                                           4
    3         Internal_Network  user              any       permit                                  Low                                                           4
    4         user              any               any       route src-nat                           Low                                                           4

    Pay attention to the numbers at the beginning.

    Rules 1, 2 and 3 are tunneled to the corporate.

    Just rule number 4 will not be tunneled.

    That's why it's called split tunneling, because some rules are tunneled back and some others are not...

    In your case, in which you just want them to access the internal website but through the external IP addresses, even if you use split tunneling they are being tunneled back... so the result is the same...

    Now if you put them in tunnel mode but still provide those remote users with external DNS:

    1- The user will request the external DNS server to translate that page

    2- The external DNS server will respond with the external IP address

    3- They will access the page through the external address.

    Now you on your HQ will need to permit DNS queries to those remote users...

    Now if you put them on split tunneling and also use it as Collin advised, which works.... as I tested it with 2 whatsmyip pages.... the one I wanted was being sent through the tunnel and the other was sent through the remote site, which was my home in this test....

    Now if you want you could try this...

    Priority  Source            Destination       Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------            -----------       -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any               any               svc-dhcp  permit                                  Low                                                           4
    2         user              any               svc-dns   route src-nat                           Low
    3         user              corportewebsite   any       route src-nat                           Low

    This way you will be sending their traffic and just permitting it to the corporate website IPs.

    This means on rule 1 you are permitting them to get DHCP.

    On rule 2 you are permitting them to do DNS queries to the internet on the remote site.

    On rule 3 you are permitting them just the list of corporate website IPs....

    Now I haven't tested it but I believe it will work...

    When they do this:

    www.corporatewebsite.com

    DNS will transform that to the IP address, for example 200.200.31.2

    As you permitted 20.200.31.2 it will let him pass through, and he will be going through the internet of the remote site.

    Here you won't be using any web filtering or anything... you are statically telling him that he can just go to those IPs, rather than using a web filter...

    For now that's the option I have thought of.. I don't know if Collin has better ideas.
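    To make the first-match behaviour described in this answer concrete, here is a small Python model, added here as an illustration; it is not ArubaOS code and not anything from the thread's real network. It evaluates the three-rule guest policy above with the controller's first-match and implicit-deny semantics, tags each permitted flow as either tunneled back to HQ or NATed locally at the RAP (the meaning of "route src-nat" in a split-tunnel role), and includes a permissive role so the symptom of a client landing in the wrong role (every site reachable) is visible next to the intended result. The subnets, the "authenticated" role, the 203.0.113.10 and 8.8.8.8 destinations and the client address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample aliases (netdestinations); not the thread's real network.
# The controller can resolve a 'name' netdestination centrally, but a RAP that
# forwards locally can only match on addresses, which is why IP aliases are used.
NETDESTINATIONS = {
    "any": ["0.0.0.0/0"],
    "user": ["10.10.10.0/24"],                # RAP guest client subnet (assumed)
    "Internal_Network": ["172.16.0.0/12"],    # HQ internal range (assumed)
    "corporatewebsite": ["200.200.31.2/32"],  # public IP of the corporate site (example from the thread)
}

# Services the thread uses, as (protocol, destination port); 'any' matches everything.
SERVICES = {
    "any": None,
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: str
    action: str  # 'permit', 'deny', or 'route src-nat'


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def _in_alias(alias, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in NETDESTINATIONS[alias])


def _svc_matches(svc, pkt):
    spec = SERVICES[svc]
    return spec is None or spec == (pkt.proto, pkt.dport)


def evaluate(rules, pkt):
    """First-match evaluation with implicit deny, as on the controller.

    Returns (verdict, path): path is 'tunnel' for a plain permit (carried to HQ
    over the RAP's IPsec/GRE tunnel), 'local' for 'route src-nat' (NATed out
    the remote site's own ISP), and '-' when the packet is dropped."""
    for rule in rules:
        if (_in_alias(rule.src, pkt.src_ip) and _in_alias(rule.dst, pkt.dst_ip)
                and _svc_matches(rule.svc, pkt)):
            if rule.action == "deny":
                return ("deny", "-")
            if rule.action == "route src-nat":
                return ("permit", "local")
            return ("permit", "tunnel")
    return ("deny", "-")  # implicit deny at the end of every session ACL


# The three-rule guest policy proposed in this answer, plus a permissive
# 'authenticated' role (assumed) to show what a wrong role assignment looks like.
ROLE_POLICIES = {
    "guest": [
        Rule("any", "any", "svc-dhcp", "permit"),
        Rule("user", "any", "svc-dns", "route src-nat"),
        Rule("user", "corporatewebsite", "any", "route src-nat"),
    ],
    "authenticated": [
        Rule("any", "any", "svc-dhcp", "permit"),
        Rule("user", "any", "any", "permit"),
    ],
}


def check_client(role, pkt):
    """Evaluate a packet against the policy of the role the client was placed in."""
    return evaluate(ROLE_POLICIES[role], pkt)


if __name__ == "__main__":
    client = "10.10.10.23"  # constructed guest client address
    samples = [
        ("dhcp", Packet("0.0.0.0", "255.255.255.255", "udp", 67)),
        ("dns", Packet(client, "8.8.8.8", "udp", 53)),
        ("corp https", Packet(client, "200.200.31.2", "tcp", 443)),
        ("other site", Packet(client, "203.0.113.10", "tcp", 80)),
    ]
    for role in ROLE_POLICIES:
        for name, pkt in samples:
            print(f"{role:14} {name:11} -> {check_client(role, pkt)}")
```

    Running it shows the split: DHCP is permitted and tunneled, DNS and the corporate site are permitted and NATed at the remote site, and any other site is dropped by the implicit deny. Under the permissive role the same "other site" packet is permitted, which is exactly what an "everything still works" symptom points to when checking which role the client actually received.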


  • 12.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Jan 03, 2013 06:04 AM

    Hi NightShade and Collins,

    I have tried using IP filtering as Collins suggested, and my setup is just the same as NightShade's suggestion here:

    1         any               any               svc-dhcp  permit                                  Low
    2         user              any               svc-dns   route src-nat                           Low
    3         user              ip-alias-web      any       route src-nat                           Low

    But it didn't work as I expected. Remote users can still access all websites.

    The strange thing is, when I accidentally deleted the "route src-nat" rules and left only these:

    1         any               any               svc-dhcp  permit                       Low
    2         user              any               svc-dns   any                           Low

    The remote client can still browse and access any internet site.

    I have double-checked the role applied to the client when they authenticated and it's the same role that I edited/changed.

    Hmm.. is it bug-related or something else? I don't know.

    Today I also opened a ticket with Aruba support. I hope they can give me a solution on this; will update here as soon as I get the answer.

    Thanks

    -Slickers


  • 13.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    EMPLOYEE
    Posted Jan 03, 2013 07:48 AM

    Slickers,

    Are you sure that the user is being assigned the role with the ACL?

    To see what traffic the user is attempting to pass, type:

    "show datapath ap-name <name of remote ap> session table <ip address of user>"

    ...while the user is trying to pass traffic.


  • 14.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Jan 03, 2013 08:22 AM

    I agree with Collin.

    After the user authenticates, look for that user in the client table.... and look at what role it has... I think you are applying another role....

    Cheers

    Carlos


  • 15.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Jan 03, 2013 08:48 AM

    Silly me.. No, I didn't assign the right role to the user. :smileyembarrassed:

    It's confirmed that a RAP in split-tunnel mode can be filtered IP-based.

    Thanks Collins and NightShade


  • 16.  RE: Firewall Policy for RAP-Split Tunnel Forward Mode

    Posted Jan 03, 2013 08:49 AM

    Nice to know it's fixed :)