Occasional Contributor I
Posts: 8
Registered: ‎10-22-2012

RAP-3 and Controller Firewall Policies


I'm evaluating the Aruba controller and a RAP-3 to use for remote workers from their house. I want to be able to lock down what they can get to through the tunnel. I'm having issues understanding how the firewall policies are applied to the RAP. It seems everything is permitted and I can't figure out how to get the User role applied.

I'm testing with wired port 2 on the RAP. It's in tunnel mode since I don't want to allow split-tunneling (per security team). I see where there is a "Bridge Role" that allows selecting a user role, but since I'm not running in Bridge mode I assume that's not being used. I've attached the config after removing a few pieces I didn't think were needed. If anyone can help me figure it out I'd appreciate it.

Is there a good way to monitor the firewall traffic other than the "Firewall Hits" in the GUI or "show datapath session table" in the cmd? Something that will help debug what's going on and why?

thanks,
Justin

Regular Contributor I
Posts: 166
Registered: ‎04-11-2011

Re: RAP-3 and Controller Firewall Policies

You have to set the port to untrusted in order for roles to be applied to a physical port. Edit the AP group, go under AP, then edit the wired AP profile for that interface.

Occasional Contributor I
Posts: 8
Registered: ‎10-22-2012

Re: RAP-3 and Controller Firewall Policies

Thank you for your answer. I tried untrusting the link yesterday but I lost all connectivity so it didn't seem right. Once the link is untrusted, where is the role applied? Is it in the AAA profile or the Bridge Role under the interface port configuration?

thanks,
Justin

Regular Contributor I
Posts: 166
Registered: ‎04-11-2011

Re: RAP-3 and Controller Firewall Policies

It will use the roles in the AAA profile once you mark it as untrusted.
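
The chain described in the answers above (untrusted wired port, then AAA profile, then role, then session ACL), sketched as a controller configuration. This is an added example, not part of the original thread and not the poster's attached config. All profile, role, ACL and group names, the VLAN and the address are hypothetical, the syntax is assumed to follow the ArubaOS 6.x CLI (check it against your release), and `enet2` is assumed to be the "wired port 2" from the question.

```text
! Constructed example: all names, the VLAN and the address are placeholders.
! Session ACL listing what a wired RAP user may reach through the tunnel.
ip access-list session rap-wired-acl
  any any svc-dhcp permit
  any any svc-dns permit
  user host 192.0.2.10 svc-https permit
!
! Role carrying that ACL; traffic the ACL does not permit is dropped.
user-role rap-wired-role
  access-list session rap-wired-acl
!
! AAA profile: its initial role is what users on an untrusted port receive.
aaa profile "rap-wired-aaa"
  initial-role "rap-wired-role"
!
! Wired AP profile for the port: tunnel mode, marked untrusted.
ap wired-ap-profile "rap-wired-untrusted"
  wired-ap-enable
  forward-mode tunnel
  switchport access vlan 20
  no trusted
!
! Port profile ties the wired AP profile and the AAA profile together.
ap wired-port-profile "rap-port2"
  wired-ap-profile "rap-wired-untrusted"
  aaa-profile "rap-wired-aaa"
!
! Attach the port profile to Ethernet 2 in the RAP's AP group.
ap-group "rap-home"
  enet2-port-profile "rap-port2"
!
! Checks from the controller CLI once a client is plugged in:
!   show user-table               (role assigned to the wired client)
!   show rights rap-wired-role    (ACLs bound to that role)
!   show datapath session table   (sessions for the client's IP)
```

If the initial role does not permit DHCP and DNS, a client on the newly untrusted port gets no address and appears to have no connectivity at all.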

Occasional Contributor I
Posts: 8
Registered: ‎10-22-2012

Re: RAP-3 and Controller Firewall Policies

Very cool. Again, thanks for your help.
