IAPs and dealing with connecting to wireless clients
11-13-2017 01:07 PM
Hi,
We recently switched to IAPs at the recommendation of our Aruba rep who said that IAPs could do basically everything a controller can do. One big thing though I am struggling with is connecting to clients that are connected to an IAP.
Things like accessing admin share (C$), Computer Management, our software management agent, are all having issues because all inbound traffic is denied by default.
I have tried playing around with the pre-defined network and applications, but that is only taking me so far.
I am just curious if anyone else has switched from a controller based environment to an IAP environment and run into these issues?
Did I make a mistake switching?
Re: IAPs and dealing with connecting to wireless clients
11-13-2017 02:04 PM
If you have an SSID set up with a Virtual Controller Assigned VLAN, client traffic is NATed out of the Virtual Controller, and you would not be able to reach them from outside the Virtual Controller. You should make sure clients are Network Assigned and your VLAN is 1. That would give them IP addresses on the same VLAN as the IAPs for now.
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Re: IAPs and dealing with connecting to wireless clients
11-13-2017 05:00 PM
I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.
We are not doing any NAT from the Virtual Controller.
Communication issues still exist.
Re: IAPs and dealing with connecting to wireless clients
11-13-2017 06:53 PM
What is the default gateway of your clients?
Colin Joseph
Aruba Customer Engineering
Re: IAPs and dealing with connecting to wireless clients
11-14-2017 04:39 AM
The default gateway of our clients is the default gateway of whatever VLAN they fall into. Each VLAN has its own DHCP scope being provided by our AD.
Clients are able to receive IP addresses without an issue depending upon the VLAN. They can communicate with our servers as long as they are initiating the request. As soon as I need to initiate a request to a client, I run into problems.
As I understand it, the IAP firewall, when applied in a user role, is one-directional. The only exception to this appears to be if you use any of the predefined network (ports) or application rules. But these will only carry you so far, since not every application is accounted for.
Re: IAPs and dealing with connecting to wireless clients
11-14-2017 06:34 AM
What specific device is the default gateway of your clients? That device could be blocking the traffic.
Colin Joseph
Aruba Customer Engineering
Re: IAPs and dealing with connecting to wireless clients
11-14-2017 06:42 AM
The specific device is a Layer 3 Cisco switch.
It has no ACLs of any kind.
I should mention that we still have our controller environment as our primary production environment, and communication with our clients is completely fine.
As soon as my test client connects to our IAP cluster, the communication issues start.
When I do a show datapath session on the IAP cluster, I can see inbound traffic destined for my test client being dropped.
Am I missing something in the IAP configuration? Or am I correct in assuming that all inbound traffic is blocked regardless of how the user role is configured?
Re: IAPs and dealing with connecting to wireless clients
11-14-2017 07:00 AM
If the role is "unrestricted" traffic should flow freely and is not subject to the firewall.
If a client is in the "unrestricted role", the "show datapath session table" should not show traffic for that client.
Colin Joseph
Aruba Customer Engineering
Re: IAPs and dealing with connecting to wireless clients
11-14-2017 07:17 AM
th_son wrote:
I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.
We are not doing any NAT from the Virtual Controller.
Communication issues still exist.
If you have Unrestricted and ClearPass is sending a role back, that role overrides the unrestricted designation. Either create a role that matches the ClearPass role allowing everything or remove ClearPass from the equation.
Colin Joseph
Aruba Customer Engineering
Re: IAPs and dealing with connecting to wireless clients
11-14-2017 07:29 AM
When configuring the SSID, on the Access tab, I have it set to "Unrestricted".
I am passing roles back from ClearPass that match roles defined in my IAP cluster. I have essentially mimicked our controller environment on the IAP.
I don't want to freely allow all traffic to flow to our wireless clients. I want to take advantage of the firewall on the IAP. The issue that I am running into, though, is that the rules only appear to work in one direction.
If the client initiates the communication, there isn't a problem. As soon as an outside source (a server, an admin) attempts to reach the client, traffic is getting dropped.
Let's say, for example, that I want our server subnet to be able to freely communicate with a client connected to our IAP cluster, whether the client initiates the communication or the server does. Currently, the client can freely initiate the connection with the server. If the server attempts to reach out to the client, then the traffic is dropped by the IAP.
Please correct me if I am wrong, but the firewall rules are not bi-directional.
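The behaviour the thread circles around (a role ACL is evaluated on what the client sends, replies ride the session table, and unsolicited traffic toward the client is dropped unless something explicitly allows it) is easier to reason about with a toy model. The following is an editor-added example, not Aruba code and not the Instant CLI; the client address, the server subnet, the port numbers and the rule semantics are all constructed for illustration. On real Instant APs, the knob to check for the server-initiated case is the separate inbound firewall rule set under the firewall settings rather than the user role; the posters never get that far, so treat that pointer as an editor's note rather than something the thread confirms.

```python
"""Toy model of a per-client, stateful wireless firewall.

Constructed for this thread to show why client-initiated flows work while
server-initiated ones are dropped: role rules only look at traffic the client
sends, replies are matched against the session table, and anything else aimed
at the client needs an explicit inbound rule. Not Aruba's engine.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the demo (hypothetical, not from the thread).
CLIENT = "10.20.5.50"
SERVER_NET = "10.10.0.0/24"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_key(self):
        # The session this flow would be a reply to.
        return (self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    peer_net: str               # the non-client side: dst for role rules, src for inbound rules
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port
    action: str = "permit"

    def matches(self, peer_ip, proto, dport):
        if ip_address(peer_ip) not in ip_network(self.peer_net):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def first_match(rules, peer_ip, proto, dport, default="deny"):
    """First-match evaluation with an implicit deny, like most ACL engines."""
    for rule in rules:
        if rule.matches(peer_ip, proto, dport):
            return rule.action
    return default


@dataclass
class ClientFirewall:
    client_ip: str
    role_rules: list                         # applied to traffic the client sends
    inbound_rules: list = field(default_factory=list)  # applied to unsolicited traffic to the client
    sessions: set = field(default_factory=set)

    def process(self, flow):
        # Replies to an established session pass in either direction.
        if flow.reverse_key() in self.sessions:
            return "permit (existing session)"
        if flow.src == self.client_ip:
            verdict = first_match(self.role_rules, flow.dst, flow.proto, flow.dport)
            if verdict == "permit":
                self.sessions.add(flow.key())
            return verdict
        if flow.dst == self.client_ip:
            verdict = first_match(self.inbound_rules, flow.src, flow.proto, flow.dport)
            if verdict == "permit":
                self.sessions.add(flow.key())
                return "permit (inbound rule)"
            return "deny (no session, no inbound rule)"
        return "not for this client"


def run_demo():
    """Role: client may reach the server subnet over TCP, everything else denied."""
    fw = ClientFirewall(CLIENT, role_rules=[Rule(SERVER_NET, "tcp"),
                                            Rule("0.0.0.0/0", action="deny")])
    out = {}
    out["client_to_server"] = fw.process(Flow(CLIENT, 51000, "10.10.0.10", 445))
    out["server_reply"] = fw.process(Flow("10.10.0.10", 445, CLIENT, 51000))
    # Admin box opens the client's admin share (C$): nothing in the session table, no inbound rule.
    out["admin_to_client_smb"] = fw.process(Flow("10.10.0.20", 52000, CLIENT, 445))
    # Add an explicit inbound rule for SMB from the server subnet and retry.
    fw.inbound_rules.append(Rule(SERVER_NET, "tcp", 445))
    out["admin_to_client_smb_after_rule"] = fw.process(Flow("10.10.0.20", 52000, CLIENT, 445))
    out["client_reply_to_admin"] = fw.process(Flow(CLIENT, 445, "10.10.0.20", 52000))
    # RDP from the same admin box is still unsolicited and still dropped.
    out["admin_to_client_rdp"] = fw.process(Flow("10.10.0.20", 52001, CLIENT, 3389))
    out["client_to_internet"] = fw.process(Flow(CLIENT, 51001, "203.0.113.9", 443))
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32s} {verdict}")
```

The point of the model is the asymmetry: the role rule that lets the client reach the server subnet never sees the admin's SMB connection, because that flow originates on the wired side and only the session table or an inbound rule can admit it. Opening the inbound side per port (445 here) keeps the rest of the client's attack surface closed, which is the trade-off the original poster is after rather than an allow-everything role.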