Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

No ACL Hits Seen

  • 1.  No ACL Hits Seen

    Posted Feb 23, 2017 01:15 PM

    Howdy all - I am seeing the opposite problem from what you are describing - I don't see any hits at all on my ACL to deny traffic from captive portal users to internal nets. I'll be upfront that this is my first crack at this, so I'm sure I'm missing something. I attached what I think are the relevant config parts; please let me know if you have any thoughts. Thanks!

     

     

    aaa bandwidth-contract BPS-Guest mbits 500
    !
    ip access-list session apprf-BPS-Guest-Role-sacl

    ip access-list session global-sacl

    ip access-list session dhcp-acl
      any any svc-dhcp  permit
    ip access-list session dns-acl
      any any svc-dns  permit

    ip access-list session BPS-Guest-ACL
      user host 10.7.208.1 any  permit
      user network 172.29.0.0 255.255.0.0 any  deny
      user network 172.28.0.0 255.255.0.0 any  deny log
      user network 172.27.0.0 255.255.0.0 any  deny
      user network 10.0.0.0 255.0.0.0 any  deny
      user any any  permit
     
    user-role BPS-Guest-Role
     bw-contract BPS-Guest  upstream
     bw-contract BPS-Guest  downstream
     access-list session global-sacl
     access-list session apprf-BPS-Guest-Role-sacl
     access-list session dhcp-acl
     access-list session dns-acl
     access-list session BPS-Guest-ACL
    !
    aaa profile "BPS-Guest-aaa-prof"
       initial-role "BPS-Guest-guest-logon"
       authentication-mac "default"
       mac-default-role "BPS-Guest-Role"
       mac-server-group "ClearpassCluster"
       dot1x-default-role "BPS-Guest-Role"
       dot1x-server-group "ClearpassCluster"
       radius-accounting "ClearpassCluster"
       rfc-3576-server "172.27.92.132"
       rfc-3576-server "172.27.94.132"
       

    aaa authentication captive-portal "BPS-Guest-cp_prof"
       default-role "authenticated"
       default-guest-role "guest-logon"
       server-group "Clearpasscluster"
       redirect-pause 1
       no logout-popup-window
       login-page "https://clearpass.bps.buffalo.k12.ny.us/guest/guest_register.php?_browser=1"  
       welcome-page "http://www.buffaloschools.org"
       no enable-welcome-page
       apple-cna-bypass
     
    user-role guest-logon
     captive-portal "default"
     access-list session ra-guard
     access-list session logon-control
     access-list session captiveportal
     access-list session v6-logon-control
     access-list session captiveportal6  
       !
    ip access-list session captiveportal
     captive-portal "default"
     access-list session captiveportal
     access-list session captiveportal6
     captive-portal "BPS-Guest-cp_prof"
     access-list session captiveportal
    aaa authentication captive-portal "BPS-Guest-cp_prof"



  • 2.  RE: No ACL Hits Seen

    EMPLOYEE
    Posted Feb 23, 2017 01:22 PM

    aaa authentication captive-portal "BPS-Guest-cp_prof"
       default-role "authenticated"
       default-guest-role "guest-logon"

     

    Please check what role your users get when they authenticate. The "default-role" is "authenticated" for users that enter a username and password. The "default-guest-role" is the role that users get if they just put in an email address.

     

    Look at the user table to see what users receive as their role.  If what your config above says is true, guest users with a username and password end up in the "authenticated" role, which has an "allowall" acl by default.

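    The reply above describes the chain that decides what a portal user can reach: the captive-portal profile's default-role (or default-guest-role) names a user-role, and the user-role's ordered session ACLs decide what is permitted. The script below is an added example, not code from the thread or from HPE Aruba: it parses a small ArubaOS-style configuration, constructed here to mirror the poster's (the built-in "authenticated" role is modelled with the "allowall" ACL the reply mentions), resolves the role each post-login path lands in, and evaluates whether a user in that role can reach a constructed internal probe address. The parser only understands the three stanza types shown; everything else is ignored.

```python
"""Walk the captive-portal profile -> user-role -> session-ACL chain in a saved
ArubaOS configuration: which role does a portal user land in, and can that
role reach internal networks?

Added example, not code from the thread or from HPE Aruba. SAMPLE_CONFIG is
constructed to mirror the thread and is not the poster's full running-config.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample. The built-in 'authenticated' role is modelled with the
# 'allowall' ACL, which the reply above says it carries by default.
SAMPLE_CONFIG = """\
ip access-list session allowall
  any any any permit
ip access-list session dns-acl
  any any svc-dns permit
ip access-list session BPS-Guest-ACL
  user host 10.7.208.1 any permit
  user network 172.28.0.0 255.255.0.0 any deny log
  user network 10.0.0.0 255.0.0.0 any deny
  user any any permit
user-role authenticated
 access-list session allowall
user-role BPS-Guest-Role
 access-list session dns-acl
 access-list session BPS-Guest-ACL
aaa authentication captive-portal "BPS-Guest-cp_prof"
   default-role "authenticated"
   default-guest-role "guest-logon"
"""

INTERNAL_PROBE = "172.28.10.20"   # constructed: inside a range the guest ACL denies

@dataclass
class Rule:
    src: str
    dst: str        # 'any', 'user', a host address, or 'net/mask'
    service: str
    action: str

@dataclass
class Config:
    acls: dict = field(default_factory=dict)         # acl name -> [Rule]
    roles: dict = field(default_factory=dict)        # role name -> [acl names]
    cp_profiles: dict = field(default_factory=dict)  # profile -> {key: value}

def _take_addr(tokens):
    """Consume one src/dst operand: any | user | host A | network A M."""
    kw = tokens.pop(0)
    if kw in ("any", "user"):
        return kw
    if kw == "host":
        return tokens.pop(0)
    if kw == "network":
        return tokens.pop(0) + "/" + tokens.pop(0)
    raise ValueError("unsupported address keyword: " + kw)

def parse_rule(body):
    tokens = body.split()
    src, dst = _take_addr(tokens), _take_addr(tokens)
    return Rule(src, dst, tokens[0], tokens[1])      # service, action; 'log' ignored

def parse_config(text):
    """Minimal stanza parser: indented lines belong to the preceding header."""
    cfg, kind, name = Config(), None, None
    headers = [("acl", r"ip access-list session (\S+)", cfg.acls),
               ("role", r"user-role (\S+)", cfg.roles),
               ("cp", r'aaa authentication captive-portal "?([^"]+)"?', cfg.cp_profiles)]
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():                      # new top-level stanza
            kind = name = None
            for k, pattern, table in headers:
                m = re.match(pattern, raw)
                if m:
                    kind, name = k, m.group(1)
                    table[name] = {} if k == "cp" else []
            continue
        body = raw.strip()
        if kind == "acl":
            cfg.acls[name].append(parse_rule(body))
        elif kind == "role":
            m = re.match(r"access-list session (\S+)", body)
            if m:
                cfg.roles[name].append(m.group(1))
        elif kind == "cp":
            key, _, value = body.partition(" ")
            cfg.cp_profiles[name][key] = value.strip().strip('"')
    return cfg

def effective_rules(cfg, role):
    """Every rule a user in `role` is checked against, in controller order."""
    return [r for acl in cfg.roles.get(role, []) for r in cfg.acls.get(acl, [])]

def _dst_matches(rule_dst, ip):
    if rule_dst == "any":
        return True
    if "/" in rule_dst:
        return ip in ipaddress.ip_network(rule_dst, strict=False)
    return ip == ipaddress.ip_address(rule_dst)

def first_match(rules, dst, service):
    """Action of the first rule matching user -> dst for `service`. A role's
    ACL list ends in an implicit deny (the unnamed 'any any deny' row in
    'show acl hits'), so no explicit match means deny."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.service in ("any", service) and _dst_matches(r.dst, ip):
            return r.action
    return "deny"

def audit(cfg, profile, expected_role, probe=INTERNAL_PROBE, service="svc-https"):
    """Findings for both post-login paths of a captive-portal profile."""
    findings = []
    for key, who in (("default-role", "username/password users"),
                     ("default-guest-role", "email-only guest users")):
        role = cfg.cp_profiles[profile].get(key)
        if role != expected_role:
            findings.append(f"{key}: {who} land in '{role}', not '{expected_role}'")
        if role not in cfg.roles:
            findings.append(f"{key}: role '{role}' is not in the supplied config")
        elif first_match(effective_rules(cfg, role), probe, service) == "permit":
            findings.append(f"{key}: role '{role}' permits {service} to internal host {probe}")
    return findings
```

    Run against the sample as written, `audit(parse_config(SAMPLE_CONFIG), "BPS-Guest-cp_prof", "BPS-Guest-Role")` reports that credentialed users land in "authenticated" and that this role permits HTTPS to the internal probe; change default-role to "BPS-Guest-Role" and the default-role findings disappear, while the guest path (a role not present in the sample) is still flagged for a human to check. The service argument matters: the same role permits svc-dns to the probe because dns-acl is evaluated before BPS-Guest-ACL, which is exactly why a probe that ignores the service column would give a misleading answer.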


  • 3.  RE: No ACL Hits Seen

    Posted Feb 23, 2017 02:18 PM
    What is the exact problem? Can't seem to find it here. For troubleshooting captive portals you can use this little shortlist:
      • Captive portal visible? No => client IP, DNS resolving for captive portal, FW settings?
      • Client authentication? No => security logs/access tracker, credentials?
      • Internet access? No => firewall, routing?


  • 4.  RE: No ACL Hits Seen

    Posted Feb 23, 2017 02:34 PM

    @jcellis - my problem is that an ACL I wrote to deny internal access is not firing.

     

    And my apologies for the confusion - I originally wrote this to reply to another thread, but started a new one and forgot to edit. Long week....

     

    thx!



  • 5.  RE: No ACL Hits Seen

    Posted Feb 23, 2017 03:56 PM

    OK, so I think I have this figured out. Thanks for pointing me in the right direction.

     

    In the new role I created (BPS-Guest-Role) I didn't have that assigned to a captive-portal profile. I changed the L3 auth default role to that role, and now when testing, my internal traffic appears to be blocked. Does that seem correct?

     

     

    (PS-94_Aruba_7240-1) #show acl hits role BPS-Guest-Role

    User Role ACL Hits
    ------------------
    Role            Policy          Src   Dst                     Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
    ----            ------          ---   ---                     -------------------  ------  -----------  --------  ----------  -----  ---------
    BPS-Guest-Role  dns-acl         any   any                     svc-dns              permit               7         89          1084   ipv4
    BPS-Guest-Role  ClearpassAllow  any   172.27.94.132           svc-https            permit               0         3           1086   ipv4
    BPS-Guest-Role  BPS-Guest-ACL   user  172.28.0.0 255.255.0.0  any                  deny                 0         13          1091   ipv4
    BPS-Guest-Role  BPS-Guest-ACL   user  172.27.0.0 255.255.0.0  any                  deny                 0         3           1092   ipv4
    BPS-Guest-Role  BPS-Guest-ACL   user  any                     any                  permit               12        127         1094   ipv4
    BPS-Guest-Role                  any   any                     0                    deny                 0         1           1095   ipv4/ipv6

    Port Based Session ACL
    ----------------------
    Policy  Src  Dst  Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
    --More-- (q) quit (u) pageup (/) search (n) repeat



  • 6.  RE: No ACL Hits Seen
    Best Answer

    EMPLOYEE
    Posted Feb 23, 2017 04:14 PM

    @thom2544 wrote:

    @jcellis - my problem is that an ACL I wrote to deny internal access is not firing.

     

    And my apologies for the confusion - I originally wrote this to reply to another thread, but started a new one and forgot to edit. Long week....

     

    thx!


    I created a new thread, because the other thread was 3 years old and probably had little to do with yours. Creating a new thread gives you an opportunity to clearly state your issue and others to clearly understand what you are saying.

     

    I think you have things corrected now.  Please click on Accept As Solution to close this.



  • 7.  RE: No ACL Hits Seen

    Posted Feb 23, 2017 02:30 PM
    Hi Thanks for the reply - I thought the default-role of authenticated was needed to allow access to the CP page? Anyway I tried changing the role from "authenticated" to the role I want, and I was not able to login successfully with the creds passed to me.


    aaa authentication captive-portal "BPS-Guest-cp_prof"
    default-role "authenticated" --->> Changed to default-role "BPS-Guest-Role" - did not work



    I then changed it back and looked at user roles as I was logging in. Output below: I can see that the authenticated user role is "authenticated", but I am a bit perplexed as to where to change that, since it didn't work in the CP profile??





    (PS-94_Aruba_7240-1) # JUST CLICKED ON BPS-GUEST SSID
    ^
    % Invalid input detected at '^' marker.

    (PS-94_Aruba_7240-1) #show user-table ip 10.6.121.36


    Name: , IP: 10.6.121.36, MAC: a0:d7:95:5e:2a:5d, Role: BPS-Guest-guest-logon, ACL: 70/0, Age: 00:00:05
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: Default VLAN
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 26
    phy_type: a-VHT-40, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 199, Assigned: 199, Current: 199 vlan-how: 1 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x20c5, Port=0x11dae (tunnel 7598)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
    Current Role name: BPS-Guest-guest-logon, role-how: 10, L2-role: BPS-Guest-guest-logon, L3-role: BPS-Guest-guest-logon
    Essid: BPS-Guest, Bssid: 18:64:72:4a:e9:d2 AP name/group: PS187-BOCES-Rm24/PS187 Phy-type: a-VHT-40
    RadAcct sessionID:n/a
    RadAcct Traffic In 466/57747 Out 366/261999 (0:466/0:0:0:57747,0:366/0:0:3:65391)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:BPS-Guest-aaa-prof, dot1x:, mac:default CP:BPS-Guest-cp_prof def-role:'BPS-Guest-guest-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
    IP Born: 1487876842 (Thu Feb 23 14:07:22 2017)
    Core User Born: 1487876842 (Thu Feb 23 14:07:22 2017)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String: iPhone8,4/10.2.1 (14D27)
    HTTP based device-id info - Index: 4, Device: iPhone
    Overall device-id info - Index: 6, Device: iPhone
    L3-Auth Session Timeout from Radius: 0
    Mac-Auth Session Timeout Value from Radius: 0
    Dot1x Session Timeout Value from Radius: 0
    CoA Session Timeout Value from Radius: 0
    Dot1x Session Term-Action Value from Radius: Default
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    mac auth server: Clearpass-1, dot1x auth server: N/A
    Address is from DHCP: yes
    Per-user-log pointer 0x1130844 (id 21305), num logs 6

    (PS-94_Aruba_7240-1) # ENTERED USER AND PASS
    ^
    % Invalid input detected at '^' marker.

    (PS-94_Aruba_7240-1) #show user-table ip 10.6.121.36


    Name: thom2544@gmail.com, IP: 10.6.121.36, MAC: a0:d7:95:5e:2a:5d, Role: authenticated, ACL: 71/0, Age: 00:00:06
    Authentication: Yes, status: started, method: Web, protocol: PAP, server: Clearpass-1
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: default for authentication type Web
    VLAN Derivation: Default VLAN
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=1, mba=1, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 26
    phy_type: a-VHT-40, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 199, Assigned: 199, Current: 199 vlan-how: 1 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x20c5, Port=0x11dae (tunnel 7598)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
    Current Role name: authenticated, role-how: 1, L2-role: BPS-Guest-guest-logon, L3-role: authenticated
    Essid: BPS-Guest, Bssid: 18:64:72:4a:e9:d2 AP name/group: PS187-BOCES-Rm24/PS187 Phy-type: a-VHT-40
    RadAcct sessionID:thom2544A0D7955E2A5D-58AF346D
    RadAcct Traffic In 20/3186 Out 16/7064 (0:20/0:0:0:3186,0:16/0:0:0:7064)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:BPS-Guest-aaa-prof, dot1x:, mac:default CP: def-role:'BPS-Guest-guest-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
    IP Born: 1487876842 (Thu Feb 23 14:07:22 2017)
    Core User Born: 1487876842 (Thu Feb 23 14:07:22 2017)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String: iPhone8,4/10.2.1 (14D27)
    HTTP based device-id info - Index: 4, Device: iPhone
    Overall device-id info - Index: 6, Device: iPhone
    L3-Auth Session Timeout from Radius: 0
    Mac-Auth Session Timeout Value from Radius: 0
    Dot1x Session Timeout Value from Radius: 0
    CoA Session Timeout Value from Radius: 0
    Dot1x Session Term-Action Value from Radius: Default
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    mac auth server: Clearpass-1, dot1x auth server: N/A
    Address is from DHCP: yes
    Per-user-log pointer 0x1130844 (id 21305), num logs 7


    Tom Robinson
    trobinson@aisbuffalo.com
    Alternative Information Systems
    716-831-9929
    716-491-9581

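    The two outputs quoted in this thread, `show acl hits role` (post 5) and `show user-table ip` (the post above), are the evidence a practitioner uses to confirm the fix: the client must show the intended role, and the role's deny rules must actually be accumulating hits. The script below is an added example, not part of the thread and not an HPE Aruba tool: it parses both outputs (the samples are constructed from the lines posted above, trimmed) and turns them into a pass/fail check. Column boundaries for the ACL table are read from its dashed separator line rather than hard-coded, so values containing spaces such as "172.28.0.0 255.255.0.0" and the empty Dest/Opcode column survive intact.

```python
"""Turn two ArubaOS troubleshooting outputs into a pass/fail check: is the
client in the expected role, and have that role's deny rules matched anything?

Added example, not part of the thread. The samples are constructed from the
outputs posted above, trimmed to the lines the check needs.
"""
import re

ACL_HITS_SAMPLE = """\
User Role ACL Hits
------------------
Role            Policy          Src   Dst                     Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
----            ------          ---   ---                     -------------------  ------  -----------  --------  ----------  -----  ---------
BPS-Guest-Role  dns-acl         any   any                     svc-dns              permit               7         89          1084   ipv4
BPS-Guest-Role  ClearpassAllow  any   172.27.94.132           svc-https            permit               0         3           1086   ipv4
BPS-Guest-Role  BPS-Guest-ACL   user  172.28.0.0 255.255.0.0  any                  deny                 0         13          1091   ipv4
BPS-Guest-Role  BPS-Guest-ACL   user  172.27.0.0 255.255.0.0  any                  deny                 0         3           1092   ipv4
BPS-Guest-Role  BPS-Guest-ACL   user  any                     any                  permit               12        127         1094   ipv4
BPS-Guest-Role                  any   any                     0                    deny                 0         1           1095   ipv4/ipv6
"""

USER_TABLE_SAMPLE = """\
Name: thom2544@gmail.com, IP: 10.6.121.36, MAC: a0:d7:95:5e:2a:5d, Role: authenticated, ACL: 71/0, Age: 00:00:06
Authentication: Yes, status: started, method: Web, protocol: PAP, server: Clearpass-1
Role Derivation: default for authentication type Web
Current Role name: authenticated, role-how: 1, L2-role: BPS-Guest-guest-logon, L3-role: authenticated
"""

def _column_spans(sep_line):
    """[(start, end), ...] from a '----  ------' separator; last column is open-ended."""
    starts = [m.start() for m in re.finditer(r"-+", sep_line)]
    return list(zip(starts, starts[1:] + [None]))

def parse_acl_hits(text):
    """Rows of 'show acl hits role <role>' as dicts keyed by the header text."""
    lines = text.splitlines()
    rows, header, spans = [], None, None
    for prev, line in zip([""] + lines, lines):
        if re.fullmatch(r"-+(\s+-+)+\s*", line):       # multi-column separator
            spans = _column_spans(line)
            header = [prev[a:b].strip() for a, b in spans]
            continue
        if spans is None:
            continue
        if not line.strip() or line.startswith("--More--"):
            spans = None                                # table ended
            continue
        rows.append({h: line[a:b].strip() for h, (a, b) in zip(header, spans)})
    return rows

def parse_user_table(text):
    """'key: value' pairs from 'show user-table ip <addr>' (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        for m in re.finditer(r"(?:^|, )([A-Za-z0-9 -]+?): ([^,]*)", line):
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields

def deny_hits(rows, role):
    """Total hits per deny rule in `role`, keyed by (policy, dst).
    The row with an empty Policy is the role's implicit trailing deny."""
    return {(r["Policy"] or "<implicit>", r["Dst"]): int(r["Total Hits"])
            for r in rows if r.get("Role") == role and r["Action"] == "deny"}

def check_session(user_text, acl_text, expected_role):
    """Problems found for one client: wrong role, or deny rules that never fired."""
    problems = []
    u = parse_user_table(user_text)
    if u.get("Role") != expected_role:
        problems.append(f"client {u.get('IP')} is in role '{u.get('Role')}' "
                        f"({u.get('Role Derivation')}), expected '{expected_role}'")
    for (policy, dst), hits in deny_hits(parse_acl_hits(acl_text), expected_role).items():
        if hits == 0:
            problems.append(f"deny rule {policy} -> {dst} has never matched")
    return problems
```

    On the samples as posted, `check_session(USER_TABLE_SAMPLE, ACL_HITS_SAMPLE, "BPS-Guest-Role")` returns a single problem: the client is in "authenticated" with derivation "default for authentication type Web", which is the captive-portal default-role and not the guest role. The deny rules themselves already show non-zero totals, so once the role assignment is fixed the check comes back clean; a deny rule that stays at zero Total Hits after a test against one of the denied ranges is the signal that traffic is matching an earlier permit (or that the client is not in this role at all).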
