Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

No ACL Hits Seen


Howdy all - I am seeing an opposite problem from what you are describing - I don't see any hits at all on my ACL to deny traffic from captive portal users to internal nets.  I'll be upfront that this is my first crack at this, so I'm sure I'm missing something.  I attached what I think are the relevant config parts; please let me know if you have any thoughts. thnx!

aaa bandwidth-contract BPS-Guest mbits 500
!
ip access-list session apprf-BPS-Guest-Role-sacl

ip access-list session global-sacl

ip access-list session dhcp-acl
  any any svc-dhcp  permit
ip access-list session dns-acl
  any any svc-dns  permit

ip access-list session BPS-Guest-ACL
  user host 10.7.208.1 any  permit
  user network 172.29.0.0 255.255.0.0 any  deny
  user network 172.28.0.0 255.255.0.0 any  deny log
  user network 172.27.0.0 255.255.0.0 any  deny
  user network 10.0.0.0 255.0.0.0 any  deny
  user any any  permit
 
user-role BPS-Guest-Role
 bw-contract BPS-Guest  upstream
 bw-contract BPS-Guest  downstream
 access-list session global-sacl
 access-list session apprf-BPS-Guest-Role-sacl
 access-list session dhcp-acl
 access-list session dns-acl
 access-list session BPS-Guest-ACL
!
aaa profile "BPS-Guest-aaa-prof"
   initial-role "BPS-Guest-guest-logon"
   authentication-mac "default"
   mac-default-role "BPS-Guest-Role"
   mac-server-group "ClearpassCluster"
   dot1x-default-role "BPS-Guest-Role"
   dot1x-server-group "ClearpassCluster"
   radius-accounting "ClearpassCluster"
   rfc-3576-server "172.27.92.132"
   rfc-3576-server "172.27.94.132"
   

aaa authentication captive-portal "BPS-Guest-cp_prof"
   default-role "authenticated"
   default-guest-role "guest-logon"
   server-group "Clearpasscluster"
   redirect-pause 1
   no logout-popup-window
   login-page "https://clearpass.bps.buffalo.k12.ny.us/guest/guest_register.php?_browser=1"  
   welcome-page "http://www.buffaloschools.org"
   no enable-welcome-page
   apple-cna-bypass
 
user-role guest-logon
 captive-portal "default"
 access-list session ra-guard
 access-list session logon-control
 access-list session captiveportal
 access-list session v6-logon-control
 access-list session captiveportal6  
   !
ip access-list session captiveportal
 captive-portal "default"
 access-list session captiveportal
 access-list session captiveportal6
 captive-portal "BPS-Guest-cp_prof"
 access-list session captiveportal
aaa authentication captive-portal "BPS-Guest-cp_prof"

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: No ACL Hits Seen

aaa authentication captive-portal "BPS-Guest-cp_prof"
   default-role "authenticated"
   default-guest-role "guest-logon"

Please check what role your users get when they authenticate.  The "default-role" is "authenticated" for users that enter a username and password.  The "default-guest-role" is the role that users get if they just put in an email address.

 

Look at the user table to see what users receive as their role.  If what your config above says is true, guest users with a username and password end up in the "authenticated" role, which has an "allowall" acl by default.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 109
Registered: ‎01-05-2015

Re: No ACL Hits Seen

What is the exact problem? Can't seem to find it here. For troubleshooting captive portals you can use this little shortlist:
Captive portal visible? No => client IP, DNS resolving for captive portal, FW settings?
Client authentication? No => security logs/access tracker, credentials?
Internet access? No => firewall, routing?

Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

Re: No ACL Hits Seen

Hi, thanks for the reply - I thought the default-role of "authenticated" was needed to allow access to the CP page? Anyway, I tried changing the role from "authenticated" to the role I want, and I was not able to log in successfully with the creds passed to me.


aaa authentication captive-portal "BPS-Guest-cp_prof"
default-role "authenticated" --->> Changed to default-role "BPS-Guest-Role" - did not work



I then changed it back, and looked at user roles as I was logging in. Output below: I can see that the authenticated user role is "authenticated", but I am a bit perplexed as to where to change that since it didn't work in the CP profile?





(PS-94_Aruba_7240-1) # JUST CLICKED ON BPS-GUEST SSID
^
% Invalid input detected at '^' marker.

(PS-94_Aruba_7240-1) #show user-table ip 10.6.121.36


Name: , IP: 10.6.121.36, MAC: a0:d7:95:5e:2a:5d, Role: BPS-Guest-guest-logon, ACL: 70/0, Age: 00:00:05
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: Default VLAN
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 26
phy_type: a-VHT-40, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 199, Assigned: 199, Current: 199 vlan-how: 1 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x20c5, Port=0x11dae (tunnel 7598)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
Current Role name: BPS-Guest-guest-logon, role-how: 10, L2-role: BPS-Guest-guest-logon, L3-role: BPS-Guest-guest-logon
Essid: BPS-Guest, Bssid: 18:64:72:4a:e9:d2 AP name/group: PS187-BOCES-Rm24/PS187 Phy-type: a-VHT-40
RadAcct sessionID:n/a
RadAcct Traffic In 466/57747 Out 366/261999 (0:466/0:0:0:57747,0:366/0:0:3:65391)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:BPS-Guest-aaa-prof, dot1x:, mac:default CP:BPS-Guest-cp_prof def-role:'BPS-Guest-guest-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
IP Born: 1487876842 (Thu Feb 23 14:07:22 2017)
Core User Born: 1487876842 (Thu Feb 23 14:07:22 2017)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String: iPhone8,4/10.2.1 (14D27)
HTTP based device-id info - Index: 4, Device: iPhone
Overall device-id info - Index: 6, Device: iPhone
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: Clearpass-1, dot1x auth server: N/A
Address is from DHCP: yes
Per-user-log pointer 0x1130844 (id 21305), num logs 6

(PS-94_Aruba_7240-1) # ENTERED USER AND PASS
^
% Invalid input detected at '^' marker.

(PS-94_Aruba_7240-1) #show user-table ip 10.6.121.36


Name: thom2544@gmail.com, IP: 10.6.121.36, MAC: a0:d7:95:5e:2a:5d, Role: authenticated, ACL: 71/0, Age: 00:00:06
Authentication: Yes, status: started, method: Web, protocol: PAP, server: Clearpass-1
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: default for authentication type Web
VLAN Derivation: Default VLAN
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 26
phy_type: a-VHT-40, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 199, Assigned: 199, Current: 199 vlan-how: 1 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x20c5, Port=0x11dae (tunnel 7598)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
Current Role name: authenticated, role-how: 1, L2-role: BPS-Guest-guest-logon, L3-role: authenticated
Essid: BPS-Guest, Bssid: 18:64:72:4a:e9:d2 AP name/group: PS187-BOCES-Rm24/PS187 Phy-type: a-VHT-40
RadAcct sessionID:thom2544A0D7955E2A5D-58AF346D
RadAcct Traffic In 20/3186 Out 16/7064 (0:20/0:0:0:3186,0:16/0:0:0:7064)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:BPS-Guest-aaa-prof, dot1x:, mac:default CP: def-role:'BPS-Guest-guest-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
IP Born: 1487876842 (Thu Feb 23 14:07:22 2017)
Core User Born: 1487876842 (Thu Feb 23 14:07:22 2017)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String: iPhone8,4/10.2.1 (14D27)
HTTP based device-id info - Index: 4, Device: iPhone
Overall device-id info - Index: 6, Device: iPhone
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: Clearpass-1, dot1x auth server: N/A
Address is from DHCP: yes
Per-user-log pointer 0x1130844 (id 21305), num logs 7


Tom Robinson
trobinson@aisbuffalo.com
Alternative Information Systems
716-831-9929
716-491-9581
Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

Re: No ACL Hits Seen

@jcellis - my problem is that an ACL I wrote to deny internal access is not firing.

 

And my apologies for the confusion - I originally wrote this to reply to another thread, but started a new one and forgot to edit. Long week....

 

thx!

Occasional Contributor II
Posts: 16
Registered: ‎01-31-2017

Re: No ACL Hits Seen

OK, so I think I have this figured out. Thanks for pointing me in the right direction.

 

In the new role I created (BPS-Guest-Role) I didn't have that assigned to a captive-portal profile. I changed the L3 auth default role to that role, and now when testing, my internal traffic appears to be blocked.   Does that seem correct?

 

 

(PS-94_Aruba_7240-1) #show acl hits role BPS-Guest-Role

User Role ACL Hits
------------------
Role            Policy          Src   Dst                     Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
----            ------          ---   ---                     -------------------  ------  -----------  --------  ----------  -----  ---------
BPS-Guest-Role  dns-acl         any   any                     svc-dns              permit               7         89          1084   ipv4
BPS-Guest-Role  ClearpassAllow  any   172.27.94.132           svc-https            permit               0         3           1086   ipv4
BPS-Guest-Role  BPS-Guest-ACL   user  172.28.0.0 255.255.0.0  any                  deny                 0         13          1091   ipv4
BPS-Guest-Role  BPS-Guest-ACL   user  172.27.0.0 255.255.0.0  any                  deny                 0         3           1092   ipv4
BPS-Guest-Role  BPS-Guest-ACL   user  any                     any                  permit               12        127         1094   ipv4
BPS-Guest-Role                  any   any                     0                    deny                 0         1           1095   ipv4/ipv6

Port Based Session ACL
----------------------
Policy  Src  Dst  Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
--More-- (q) quit (u) pageup (/) search (n) repeat
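Colin's explanation of why the deny lines never fired (a web-authenticated user landed in "authenticated", which carries allowall) and the hit table in the post above both come down to first-match evaluation of the session ACLs attached to a role. The Python script below is an added example, not code from this thread or from Aruba: it parses the "ip access-list session" and "user-role" lines from the original question, evaluates a few constructed flows from the client 10.6.121.36 under each role, and reports per-ACE hit counts in the spirit of "show acl hits role". The evaluation model (ACLs walked in the order listed on the role, first matching ACE wins, "user" meaning the client's own address, an implicit deny at the end), the single "any any any permit" ACE standing in for allowall, and the service-to-port mapping are all assumptions made for the simulation.

```python
"""Toy first-match simulation of ArubaOS session ACLs on a user role.

Added example for the thread; the evaluation model and the 'allowall'
ACE are assumptions, not ArubaOS internals.
"""
import ipaddress
from dataclasses import dataclass

# Excerpt of the config posted in the question, plus an assumed allowall
# policy for the built-in 'authenticated' role (constructed sample input).
CONFIG = """\
ip access-list session allowall
  any any any  permit
ip access-list session global-sacl
ip access-list session apprf-BPS-Guest-Role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp  permit
ip access-list session dns-acl
  any any svc-dns  permit
ip access-list session BPS-Guest-ACL
  user host 10.7.208.1 any  permit
  user network 172.29.0.0 255.255.0.0 any  deny
  user network 172.28.0.0 255.255.0.0 any  deny log
  user network 172.27.0.0 255.255.0.0 any  deny
  user network 10.0.0.0 255.0.0.0 any  deny
  user any any  permit
user-role BPS-Guest-Role
 access-list session global-sacl
 access-list session apprf-BPS-Guest-Role-sacl
 access-list session dhcp-acl
 access-list session dns-acl
 access-list session BPS-Guest-ACL
user-role authenticated
 access-list session allowall
"""

# Assumed service aliases: (protocol, destination port). 'any' matches all.
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53), "svc-https": ("tcp", 443)}


@dataclass
class Ace:
    src: tuple
    dst: tuple
    service: str
    action: str
    log: bool = False
    hits: int = 0


def _take_addr(tokens):
    """Consume one address spec ('any', 'user', 'host X', 'network X M')."""
    kind = tokens.pop(0)
    if kind == "host":
        return ("host", ipaddress.ip_address(tokens.pop(0)))
    if kind == "network":
        return ("network", ipaddress.ip_network(f"{tokens.pop(0)}/{tokens.pop(0)}", strict=False))
    return (kind, None)


def parse_config(text):
    """Return ({acl_name: [Ace]}, {role_name: [acl_name, ...]})."""
    acls, roles, current, in_role = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ip access-list session "):
            current, in_role = line.split()[-1], False
            acls[current] = []
        elif line.startswith("user-role "):
            current, in_role = line.split()[-1], True
            roles[current] = []
        elif in_role and line.startswith("access-list session "):
            roles[current].append(line.split()[-1])   # order on the role is preserved
        elif not in_role and current:
            tokens = line.split()
            src, dst = _take_addr(tokens), _take_addr(tokens)
            acls[current].append(Ace(src, dst, tokens[0], tokens[1], "log" in tokens[2:]))
    return acls, roles


def _addr_matches(spec, ip, client_ip):
    kind, value = spec
    if kind == "any":
        return True
    if kind == "user":          # alias for the client's own address
        return ip == client_ip
    if kind == "host":
        return ip == value
    return ip in value          # 'network'


def evaluate(role, packet, acls, roles):
    """First-match walk; packet = (client_ip, src_ip, dst_ip, proto, dport).

    Returns (action, acl_name, ace_position) and bumps the matching ACE's hit
    counter. An implicit deny closes the role, like the last row of the hit table.
    """
    client_ip, src_ip, dst_ip = (ipaddress.ip_address(p) for p in packet[:3])
    proto, dport = packet[3], packet[4]
    for acl_name in roles[role]:
        for pos, ace in enumerate(acls[acl_name], start=1):
            svc_ok = ace.service == "any" or SERVICES[ace.service] == (proto, dport)
            if (svc_ok and _addr_matches(ace.src, src_ip, client_ip)
                    and _addr_matches(ace.dst, dst_ip, client_ip)):
                ace.hits += 1
                return ace.action, acl_name, pos
    return "deny", "implicit", 0


def hit_report(role, acls, roles):
    """Per-ACE (acl, position, action, hits) rows for a role."""
    return [(name, pos, ace.action, ace.hits)
            for name in roles[role] for pos, ace in enumerate(acls[name], start=1)]


def demo():
    acls, roles = parse_config(CONFIG)
    client = "10.6.121.36"      # client address from the user-table output above
    flows = [                   # constructed flows
        (client, client, "8.8.8.8", "udp", 53),        # DNS: dns-acl is listed first
        (client, client, "172.28.1.10", "tcp", 445),   # internal /16 on the deny list
        (client, client, "10.7.208.1", "tcp", 443),    # host permit precedes the 10/8 deny
        (client, client, "10.20.0.5", "tcp", 80),      # caught by the 10/8 deny
        (client, client, "93.184.216.34", "tcp", 443), # Internet: final 'user any any permit'
    ]
    verdicts = {role: [evaluate(role, f, acls, roles)[0] for f in flows]
                for role in ("BPS-Guest-Role", "authenticated")}
    return verdicts, hit_report("BPS-Guest-Role", acls, roles)


if __name__ == "__main__":
    verdicts, report = demo()
    for role, actions in verdicts.items():
        print(role, actions)
    for row in report:
        print(row)
```

Running it shows the two behaviours side by side: under BPS-Guest-Role the 172.28/16 and 10/8 flows are denied and counted against the matching deny lines, while under "authenticated" every flow is permitted by allowall and the guest ACL never sees a packet, which is why no hits appeared. The DNS flow is charged to dns-acl rather than BPS-Guest-ACL because dns-acl sits earlier on the role, matching the dns-acl row in the hit table above.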

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: No ACL Hits Seen


thom2544 wrote:

@jcellis - my problem is that an ACL I wrote to deny internal access is not firing.

 

And my apologies for the confusion - I originally wrote this to reply to another thread, but started a new one and forgot to edit. Long week....

 

thx!


I created a new thread because the other thread was 3 years old and likely had little to do with yours.  Creating a new thread gives you an opportunity to clearly state your issue and others to clearly understand what you are saying.

 

I think you have things corrected now.  Please click on Accept As Solution to close this.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
