Wireless Access

If you have an SSID setup with a Virtual Controller Assigned VLAN, client traffic is natted out of the Virtual Controller, and you would not be able to reach them from outside the the Virtual Controller.  You should make sure clients are Network Assigned and your VLAN is 1.  That would give them ip addresses on the same VLAN as the IAPs for now.

I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.

We are not doing any NAT from the Virtual Controller.

Communication issues still exist.

 What is the default gateway of your clients?

Default gateway of our clients is the default gateway of whatever vlan they fall into. Each VLAN has it's own DHCP being provided by our AD.

Clients are able to receive IP addresses without an issue depending upon the VLAN. They can communicate with our servers as long as they are initiating the request. As soon as I need to initiate a request to a client, I run into problems. 

As I understand, the IAP firewall when applied in a user-role is one direction. The only exception to this appears to be if you use any of the predefined network (ports) or applications rules. But these will only carry you so far since not every application is accounted for.

What specific device is the default gateway of your clients?  That device could be blocking the traffic.

The specific device is a layer 3 Cisco switch.

It has no ACLs or any kind.

I should mention that we still have our controller environment as our primary production environment and communication with our clients is completely fine.

As soon as my test client connects to our IAP cluster, the communications issues start.

When I do a show datapath session on the IAP cluster, I can see inbound traffic destined for my test client being dropped.

Am I missing something on the IAP configuration? Or is am I correct in assuming that all inboud traffic is blocked regardless of how the user-role is configured?

If the role is "unrestricted" traffic should flow freely and is not subject to the firewall.

If a client is in the "unrestricted role", the "show datapath session table" should not show traffic for that client.

---

th_son wrote:

I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.

 

We are not doing any NAT from the Virtual Controller.

 

Communication issues still exist.

---

If you have Unrestricted and ClearPass is sending a role back, that role overrides the unrestricted designation.  Either create a role that matches the ClearPass role allowing everything or remove ClearPass from the equation.

When configuring the SSID, the Access tab, I have it set to "Unrestricted".

I am passing roles back from the ClearPass that match roles that are defined in my IAP cluster. I have essentially mimiced our controller environment to the IAP.

I don't want to freely allow all traffic to flow to our wireless clients. I want to take advantage of the firewall on the IAP. The issue that I am running into though is that the rules only appear to work in one direction.

If the client initates the communication, there isn't a problem. As soon as an outside source (a server, an admin) attempts to the client, traffic is getting dropped.

Lets say for example that I want our server subnet to be able to freely communicate with a client connected to our IAP cluster. Whether the client initiates the communication, or the server does. Currently, the client can freely initiate the connection with the server. If the server attempts to reach out to the client, then traffic is dropped by the IAP.

Please correct me if I am wrong, but the firewall rules are no bi-directional.