Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP-3 and Controller Firewall Policies

  • 1.  RAP-3 and Controller Firewall Policies

    Posted Nov 01, 2012 11:36 AM

    I'm evaluating the Aruba controller and a RAP-3 to use for remote workers from their house. I want to be able to lock down what they can get to through the tunnel. I'm having issues understanding how the firewall policies are applied to the RAP. It seems everything is permitted and I can't figure out how to get the User role applied. 

     

    I'm testing with wired port 2 on the RAP. It's in tunnel mode since I don't want to allow split-tunneling (per security team). I see where there is a "Bridge Role" that allows selecting a user role, but since I'm not running in Bridge mode I assume that's not being used. I've attached the config after removing a few pieces I didn't think were needed. If anyone can help me figure it out I'd appreciate it.

     

    Is there a good way to monitor the firewall traffic other than the "Firewall Hits" in the GUI or "show datapath session table" in the cmd? Something that will help debug what's going on and why?

     

    thanks,
    Justin


    Attachment(s)

    txt
    arubaconfig.txt   16 KB 1 version


  • 2.  RE: RAP-3 and Controller Firewall Policies
    Best Answer

    Posted Nov 01, 2012 01:29 PM

    You have to set the port to untrusted in order for roles to be applied to a physical port. Edit the AP group, go under AP, then edit the wired AP profile for that interface.



  • 3.  RE: RAP-3 and Controller Firewall Policies

    Posted Nov 01, 2012 02:25 PM

    Thank you for your answer. I tried untrusting the link yesterday but I lost all connectivity so it didn't seem right. Once the link is untrusted where is the role applied? Is it in the AAA profile or the Bridge Role under the interface port configuration?

     

    thanks,
    Justin



  • 4.  RE: RAP-3 and Controller Firewall Policies

    Posted Nov 01, 2012 02:32 PM

    It will use the roles in the AAA profile once you mark it as untrusted.



  • 5.  RE: RAP-3 and Controller Firewall Policies

    Posted Nov 01, 2012 02:33 PM

    Very cool. Again, thanks for your help.
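
The chain described in replies 2 and 4, written out as an added configuration sketch (not taken from the thread or from the poster's attached config): the AP group points the wired port at a port profile, the port profile binds an untrusted wired AP profile and an AAA profile, and the AAA profile's initial role carries the session ACL. It assumes ArubaOS 6.x CLI syntax; every profile, role and ACL name and the 10.1.10.0/24 subnet are placeholders, and the `enet1` index is an assumption that must match the RAP port under test.

```text
! Constructed example: names, subnet and enet index are placeholders.
! Session ACL: allow DHCP and DNS, HTTPS to one internal subnet, deny and log the rest.
ip access-list session remote-worker-acl
   any any svc-dhcp permit
   user any svc-dns permit
   user network 10.1.10.0 255.255.255.0 svc-https permit
   user any any deny log
!
! Role that carries the ACL.
user-role remote-worker
   access-list session remote-worker-acl
!
! AAA profile: on an untrusted port, clients start in this initial role.
aaa profile "rap-wired-aaa"
   initial-role "remote-worker"
!
! Wired AP profile: tunnel mode (no split-tunneling) and untrusted,
! so the controller applies the role instead of passing all traffic.
ap wired-ap-profile "rap-wired-untrusted"
   wired-ap-enable
   forward-mode tunnel
   switchport mode access
   no trusted
!
! Port profile ties the wired AP profile and the AAA profile together.
ap wired-port-profile "rap-wired-port"
   wired-ap-profile "rap-wired-untrusted"
   aaa-profile "rap-wired-aaa"
   no shutdown
!
! Attach the port profile to the RAP's AP group.
ap-group "remote-workers"
   enet1-port-profile "rap-wired-port"
!
```

With the port untrusted, the wired client appears in `show user-table` with its assigned role, and `show rights remote-worker` lists the ACL entries that role enforces. An initial role that omits the DHCP and DNS permits will leave the client with no usable connectivity once the port is marked untrusted.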