Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

No Web Access SSID Legacy devices

  • 1.  No Web Access SSID Legacy devices

    Posted Mar 30, 2017 10:18 PM

    I am in the process of creating what I call a service SSID. The purpose of this network is to allow staff to enroll Chromebooks into the Google console and Apple devices into the DEP program, connect Windows machines to the domain, and also to allow legacy and non-dot1x devices onto the network with a password. The key to this is that there is no web access.

    I have gotten the list of ports needed to enroll devices, allow printing, and other network functions (TFTP, FTP, Telnet, and so on). Should the last policy in the list be (user any svc-web [80,8080] deny)?



  • 2.  RE: No Web Access SSID Legacy devices

    Posted Mar 30, 2017 11:31 PM

    As I understand it, you want to allow ports x, y, z and then deny all the other ports?

    If that's so:

    Just build a role which has a policy in which you allow access to the ports you need, and that's it. There is an implicit deny all at the end; port 80 will be denied by this implicit policy.

    If you only want to deny ports 80 and 8080, then in the first rule you deny those ports, and then permit all the other ports. It all depends on what you want to do.

    Cheers

    Carlos



  • 3.  RE: No Web Access SSID Legacy devices

    Posted Mar 31, 2017 08:05 AM
    Thanks. This is my first attempt at doing something like this.




  • 4.  RE: No Web Access SSID Legacy devices

    Posted Mar 31, 2017 08:32 AM

    I can upload some examples later if you are not clear.

    Just let me know.

    Cheers

    Carlos



  • 5.  RE: No Web Access SSID Legacy devices

    Posted Apr 01, 2017 11:16 PM

    I would love to see the examples.

    Thanks



  • 6.  RE: No Web Access SSID Legacy devices

    Posted Apr 03, 2017 04:08 PM

    Hello

    Okay, if you want only to allow some ports, for example if I'm just allowing the DHCP ports, I'll do this:

    [screenshot: Capture.PNG]

    With the implicit deny all, it will deny all the other ports, so you just need to do that.

    Now if you want to deny, for example, the web ports (80, 443) and allow all the other ports, I would do this:

    [screenshot: Capture1.PNG]

    You see that I did add an any any permit at the end; that will allow all ports and all destinations, but since the deny for the web service ports is before it, those ports will be denied.

     

    Cheers

    Carlos
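To make the two orderings Carlos describes concrete, here is an added example (plain Python, not ArubaOS syntax and not from the thread) that models a first-match session ACL with an implicit deny at the end, and flags rules that an earlier "any" permit makes unreachable. The service aliases and their port numbers are assumed standard values.

```python
# Added example (not from the thread or ArubaOS): a small model of how a
# first-match session ACL with an implicit deny evaluates, so the two
# orderings discussed above can be compared. Port numbers are assumed
# standard values, not taken from the thread.
from dataclasses import dataclass

# Service aliases: name -> (protocol, destination ports). "any" matches all.
SERVICES = {
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
    "svc-web": ("tcp", {80, 8080}),   # ports proposed in the original question
    "svc-https": ("tcp", {443}),
    "any": (None, None),
}

@dataclass(frozen=True)
class Rule:
    service: str
    action: str  # "permit" or "deny"

def matches(rule, proto, port):
    rproto, rports = SERVICES[rule.service]
    return rproto is None or (rproto == proto and port in rports)

def evaluate(policy, proto, port):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in policy:
        if matches(rule, proto, port):
            return rule.action
    return "deny"

def covers(a, b):
    """True if service alias a matches every packet that alias b matches."""
    aproto, aports = SERVICES[a]
    bproto, bports = SERVICES[b]
    if aproto is None:
        return True
    return bproto is not None and aproto == bproto and bports <= aports

def shadowed_rules(policy):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(policy)
            if any(covers(policy[i].service, r.service) for i in range(j))]

# Policy 1: allow only what is needed and rely on the implicit deny.
ALLOW_LIST = [Rule("svc-dhcp", "permit"), Rule("svc-dns", "permit")]
# Policy 2: deny the web service first, then permit everything else.
DENY_WEB_THEN_ANY = [Rule("svc-web", "deny"), Rule("any", "permit")]
# Misordered: the permit-any comes first, so the web deny can never fire.
WRONG_ORDER = [Rule("any", "permit"), Rule("svc-web", "deny")]
```

Running `shadowed_rules` over a policy before pushing it to a role catches the misordering case, where the deny is present but silently dead.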



  • 7.  RE: No Web Access SSID Legacy devices
    Best Answer

    Posted Apr 20, 2017 10:58 AM

    OK, I have found out that to enroll the device into Apple DEP, the web ports need to be allowed. The device hits Apple.com in some fashion and is recognized. It is then sent to our internal server for enrollment. But it does not use our internal IP (I do not think). Somehow it is allowed for enrollment. How do I configure this and not allow the user to surf to other sites, and just connect to the production network? (Redirect to a portal.) Or can you take devices by OS that are not allowed on the production network and send them to Apple.com?