Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

  • 1.  Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

    Posted Jul 12, 2018 11:17 AM

    Hi guys,

     

    I want to change some access rules in my cluster of Instant APs, but I don't understand the configuration. Most of the configuration is the default, but for my test SSID I see the following:

     

    wlan ssid-profile test
    enable
    index 2
    type employee
    essid test

    ...

     

    Index is index 2, but I see this index is related to another SSID:

     

    wlan access-rule "SUPRA - Oficina"
    index 2
    rule any any match any any any permit

     

    The same applies to other SSIDs: there is no relation between the index under "wlan ssid-profile" and the index under "wlan access-rule". What am I missing? Attached is the full configuration.

     

    Regards,

    Julián



  • 2.  RE: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

    EMPLOYEE
    Posted Jul 12, 2018 01:20 PM

    The wlan ssid-profile defines the SSID parameters, ESSID, authentication method, bands used, etc. The wlan access-rule is the firewall policy that's applied.

     

    The index numbers are unique to each type of profile. You could have three ssid-profiles but ten access-rules ... the index number is not shared between the two profiles.

     

    If you are testing with ssid-profile test, then the default access-rule profile is also called test.
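
The pairing described in the reply above (by profile name, not by index), as an added example that is not part of the original thread: it parses an Instant configuration, looks up the access-rule that carries each SSID's name, and reports whether that rule contains the permit-all line quoted in the question. The sample configuration is constructed; the access-rule named "test", its rule line, and the one-space indentation of block bodies are assumptions.

```python
import re

# Constructed sample modelled on the snippets in this thread. The access-rule
# named "test" and its rule line are assumptions added for illustration.
SAMPLE_CONFIG = """\
wlan ssid-profile test
 enable
 index 2
 type employee
 essid test
wlan access-rule "SUPRA - Oficina"
 index 2
 rule any any match any any any permit
wlan access-rule test
 index 5
 rule 192.168.200.0 255.255.255.0 match any any any permit
"""
HEADER = re.compile(r'^wlan (ssid-profile|access-rule) (?:"([^"]+)"|(\S+))\s*$')
PERMIT_ALL = "rule any any match any any any permit"

def parse_profiles(text):
    """Return {block type: {profile name: [body lines]}}; bodies are indented."""
    blocks, current = {"ssid-profile": {}, "access-rule": {}}, None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = blocks[m.group(1)].setdefault(m.group(2) or m.group(3), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level line closes the block
    return blocks

def index_of(body):
    """Index number declared inside one profile body, or None."""
    return next((int(l.split()[1]) for l in body if l.startswith("index ")), None)

def audit(text):
    """Pair every SSID with the access-rule of the same name, never by index."""
    blocks, report = parse_profiles(text), {}
    for name, body in blocks["ssid-profile"].items():
        rules = blocks["access-rule"].get(name)
        report[name] = {
            "ssid_index": index_of(body),
            "rule_index": None if rules is None else index_of(rules),
            "permit_all": None if rules is None else PERMIT_ALL in rules,
            # Other access-rules that merely share the index number (unrelated).
            "same_index_only": [n for n, b in blocks["access-rule"].items()
                                if n != name and index_of(b) == index_of(body)],
        }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
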



  • 3.  RE: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

    Posted Jul 12, 2018 04:19 PM

    Hi Charlie,

     

    Ok, I understand. One more question. I want to create in my IAP a user role which has an external captive portal, but also the client should be able to access network 192.168.200.0/24 before the captive portal page, for example. I think that's possible in an Aruba Controller, if we take as an example the default guest-logon role:

    [Screenshot: role_controller.PNG]

    I think I can achieve that by just creating one firewall policy with a "user 192.168.200.0/24 any permit" rule and placing that firewall policy above the "captiveportal" one.

     

    However, in my Instant AP I have this guestSURA role:

    [Screenshot: role_iap.PNG]

    In this way, I have to log in on the captive portal page, and then I will be able to access network 192.168.200.0/24. But I want to access that network before the captive portal page. But I can't move the rule which allows traffic to network 192.168.200.0/24 to the first position, before the captive portal rule; I am not allowed to do so in the GUI. I don't know if that's possible with the CLI, therefore my question about "wlan access-rule" and so on. Do you think that's possible in Instant?

     

    Regards,

    Julián



  • 4.  RE: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

    EMPLOYEE
    Posted Jul 13, 2018 10:17 AM

    I don't have access to my Instant cluster, but there is a Walled Garden configuration for allowing access to destinations without the captive portal taking effect.



  • 5.  RE: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

    Posted Jul 13, 2018 11:05 AM

    Hi,

     

    Yes, you are right, but that's valid for only HTTP traffic and websites, no other ports.

     

    Regards,

    Julián