Super Contributor II

IAPs and dealing with connecting to wireless clients

Hi,

 

We recently switched to IAPs at the recommendation of our Aruba rep who said that IAPs could do basically everything a controller can do. One big thing though I am struggling with is connecting to clients that are connected to an IAP.

 

Things like accessing admin share (C$), Computer Management, our software management agent, are all having issues because all inbound traffic is denied by default.

 

I have tried playing around with the pre-defined network and applications, but that is only taking me so far.

 

I am just curious if anyone else has switched from a controller based environment to an IAP environment and run into these issues?

 

Did I make a mistake switching?

Guru Elite

Re: IAPs and dealing with connecting to wireless clients

If you have an SSID setup with a Virtual Controller Assigned VLAN, client traffic is NATed out of the Virtual Controller, and you would not be able to reach them from outside the Virtual Controller.  You should make sure clients are Network Assigned and your VLAN is 1.  That would give them IP addresses on the same VLAN as the IAPs for now.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II

Re: IAPs and dealing with connecting to wireless clients

I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.

 

We are not doing any NAT from the Virtual Controller.

 

Communication issues still exist.

Guru Elite

Re: IAPs and dealing with connecting to wireless clients

 What is the default gateway of your clients?



Colin Joseph
Aruba Customer Engineering


Super Contributor II

Re: IAPs and dealing with connecting to wireless clients

Default gateway of our clients is the default gateway of whatever VLAN they fall into. Each VLAN has its own DHCP being provided by our AD.

 

Clients are able to receive IP addresses without an issue depending upon the VLAN. They can communicate with our servers as long as they are initiating the request. As soon as I need to initiate a request to a client, I run into problems. 

 

As I understand, the IAP firewall when applied in a user-role is one direction. The only exception to this appears to be if you use any of the predefined network (ports) or applications rules. But these will only carry you so far since not every application is accounted for.

Guru Elite

Re: IAPs and dealing with connecting to wireless clients

What specific device is the default gateway of your clients?  That device could be blocking the traffic.



Colin Joseph
Aruba Customer Engineering


Super Contributor II

Re: IAPs and dealing with connecting to wireless clients

The specific device is a layer 3 Cisco switch.

It has no ACLs of any kind.

 

I should mention that we still have our controller environment as our primary production environment and communication with our clients is completely fine.

 

As soon as my test client connects to our IAP cluster, the communications issues start.

 

When I do a show datapath session on the IAP cluster, I can see inbound traffic destined for my test client being dropped.

 

Am I missing something on the IAP configuration? Or am I correct in assuming that all inbound traffic is blocked regardless of how the user-role is configured?

Guru Elite

Re: IAPs and dealing with connecting to wireless clients

If the role is "unrestricted" traffic should flow freely and is not subject to the firewall.

 

If a client is in the "unrestricted role", the "show datapath session table" should not show traffic for that client.



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: IAPs and dealing with connecting to wireless clients


th_son wrote:

I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.

 

We are not doing any NAT from the Virtual Controller.

 

Communication issues still exist.


If you have Unrestricted and ClearPass is sending a role back, that role overrides the unrestricted designation.  Either create a role that matches the ClearPass role allowing everything or remove ClearPass from the equation.



Colin Joseph
Aruba Customer Engineering


Super Contributor II

Re: IAPs and dealing with connecting to wireless clients

When configuring the SSID, on the Access tab, I have it set to "Unrestricted".

I am passing roles back from ClearPass that match roles that are defined in my IAP cluster. I have essentially mimicked our controller environment on the IAP.

 

I don't want to freely allow all traffic to flow to our wireless clients. I want to take advantage of the firewall on the IAP. The issue that I am running into though is that the rules only appear to work in one direction.

 

If the client initiates the communication, there isn't a problem. As soon as an outside source (a server, an admin) attempts to reach the client, traffic is getting dropped.

 

Lets say for example that I want our server subnet to be able to freely communicate with a client connected to our IAP cluster. Whether the client initiates the communication, or the server does. Currently, the client can freely initiate the connection with the server. If the server attempts to reach out to the client, then traffic is dropped by the IAP.

 

Please correct me if I am wrong, but the firewall rules are not bi-directional.
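The behaviour the thread describes (client-initiated flows pass, server-initiated flows to the same client are dropped, and a ClearPass-returned role overrides the SSID's "Unrestricted" setting) can be reproduced with a small stateful, per-role firewall model. The following is an added example, not Aruba code and not a description of the IAP datapath; the client address, server subnet, role name and the `bidirectional` rule flag are all constructed for the illustration.

```python
# Added example: toy model of a stateful, per-user-role firewall with the
# one-directional behaviour discussed in the thread. Not Aruba's code.
# Addresses, subnets, role names and the `bidirectional` flag are assumptions
# made for this example only.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        # Direction-independent session key: the reply to a permitted flow
        # hashes to the same session the first packet created.
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))


@dataclass(frozen=True)
class Rule:
    dst_net: str                 # remote network the rule talks about
    proto: str = "any"
    dports: tuple = (0, 65535)   # service port range (destination port)
    action: str = "permit"
    bidirectional: bool = False  # assumption: also admits unsolicited flows TO the client

    def matches(self, flow, inbound):
        # Role rules describe client-originated traffic. An unsolicited packet
        # toward the client only matches if the rule is explicitly bidirectional;
        # its remote peer is then the packet's source rather than its destination.
        if inbound and not self.bidirectional:
            return False
        peer = flow.src if inbound else flow.dst
        if ipaddress.ip_address(peer) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        lo, hi = self.dports
        return lo <= flow.dport <= hi


class RoleFirewall:
    """Enforces one user role for one client and keeps a session table."""

    def __init__(self, client_ip, rules):
        self.client_ip = client_ip
        self.rules = list(rules)
        self.sessions = set()

    def process(self, flow):
        inbound = flow.dst == self.client_ip
        if flow.key() in self.sessions:
            return "permit (existing session)"   # return traffic of an allowed flow
        for rule in self.rules:
            if rule.matches(flow, inbound):
                if rule.action == "permit":
                    self.sessions.add(flow.key())
                return rule.action
        return "deny (implicit)"                 # no rule matched: implicit deny


def effective_rules(ssid_access, clearpass_role, roles):
    """Precedence stated in the thread: a role returned by ClearPass overrides the
    SSID access setting. Returns None when no firewall applies (Unrestricted)."""
    if clearpass_role is not None:
        return roles[clearpass_role]
    return None if ssid_access == "unrestricted" else roles[ssid_access]


def demo():
    client = "10.20.30.40"          # constructed client address
    servers = "10.0.0.0/24"         # constructed server subnet
    roles = {"staff": [Rule(dst_net=servers, proto="tcp", dports=(445, 445))]}
    rules = effective_rules("unrestricted", "staff", roles)   # ClearPass role wins
    fw = RoleFirewall(client, rules)
    out = {}
    # 1. Client opens SMB to a server: matches the role rule, session created.
    out["client_to_server"] = fw.process(Flow(client, 51000, "10.0.0.5", 445))
    # 2. The server's reply on that session: allowed by the session table.
    out["server_reply"] = fw.process(Flow("10.0.0.5", 445, client, 51000))
    # 3. An admin on the server subnet opens C$ on the client: no session,
    #    no rule that applies toward the client, so it is dropped.
    out["server_to_client"] = fw.process(Flow("10.0.0.5", 50123, client, 445))
    # 4. Same flow against a rule marked bidirectional (modelling assumption).
    fw2 = RoleFirewall(client, [Rule(servers, "tcp", (445, 445), bidirectional=True)])
    out["server_to_client_bidir"] = fw2.process(Flow("10.0.0.5", 50123, client, 445))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `bidirectional` flag is only a modelling device to show what a rule that admits unsolicited inbound flows would have to do; on the real IAP the options discussed in the thread are the predefined service/application rules, or a role that permits everything. Whichever you choose, the practical check is the one already used above: generate the server-to-client connection and watch `show datapath session` for the drop.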
