Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

Hi guys,

 

I want to change some access rules in my cluster of Instant APs, but I don't understand the configuration. Most of the configuration is the default, but for my test SSID I see the following:

 

wlan ssid-profile test
enable
index 2
type employee
essid test

.

.

.

 

The index is 2, but I see this index is related to another SSID:

 

wlan access-rule "SUPRA - Oficina"
index 2
rule any any match any any any permit

 

The same applies to other SSIDs; there is no relation between the index under "wlan ssid-profile" and the index under "wlan access-rule". What am I missing? I have attached the full configuration.

 

Regards,

Julián

Aruba Employee

Re: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

The wlan ssid-profile defines the SSID parameters, ESSID, authentication method, bands used, etc. The wlan access-rule is the firewall policy that's applied.

 

The index numbers are unique to each type of profile. You could have three ssid-profiles but ten access-rules ... the index number is not shared between the two profiles.

 

If you are testing with ssid-profile test, then the default access-rule profile is also called test.


Charlie Clemmer
Aruba Customer Engineering
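
An added example, not part of the thread and not Aruba's code: a small Python check that pairs each ssid-profile with the access-rule of the same name, as the reply above describes, and flags the permit-all rule quoted in the question. The sample config is constructed, and the parser assumes every block starts at a `wlan` line.

```python
import shlex

# Constructed sample, modelled on the lines quoted in the thread
# (the index values and the second profile pair are made up).
SAMPLE_CONFIG = """\
wlan access-rule "SUPRA - Oficina"
index 2
rule any any match any any any permit
wlan access-rule test
index 5
rule any any match any any any permit
wlan ssid-profile "SUPRA - Oficina"
index 0
essid "SUPRA - Oficina"
wlan ssid-profile test
enable
index 2
type employee
essid test
"""
PERMIT_ALL = "any any match any any any permit"

def parse_profiles(text):
    """Collect index and rule lines for each ssid-profile and access-rule."""
    profiles = {"ssid-profile": {}, "access-rule": {}}
    current = None
    for tokens in map(shlex.split, text.splitlines()):
        if not tokens:
            continue
        if tokens[0] == "wlan":
            # "wlan <kind> <name>" opens a block; other kinds are skipped.
            known = len(tokens) >= 3 and tokens[1] in profiles
            current = (profiles[tokens[1]].setdefault(
                tokens[2], {"index": None, "rules": []}) if known else None)
        elif current is not None and tokens[0] == "index" and len(tokens) == 2:
            current["index"] = int(tokens[1])
        elif current is not None and tokens[0] == "rule":
            current["rules"].append(" ".join(tokens[1:]))
    return profiles

def pair_by_name(profiles):
    """Map each SSID to the access-rule of the same name, ignoring index."""
    report = {}
    for name, ssid in profiles["ssid-profile"].items():
        rule = profiles["access-rule"].get(name)
        report[name] = {"ssid_index": ssid["index"], "rule_index": rule["index"] if rule else None,
                        "permit_all": rule is not None and PERMIT_ALL in rule["rules"]}
    return report
```

Calling `pair_by_name(parse_profiles(SAMPLE_CONFIG))` shows that the SSID "test" (index 2) maps to the access-rule "test" (index 5), not to the access-rule that happens to carry index 2.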

Re: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

Hi Charlie,

 

Ok, I understand. One more question. I want to create in my IAP a user role which has an external captive portal, but also the client should be able to access network 192.168.200.0/24 before the captive portal page, for example. I think that's possible in an Aruba Controller, if we take as an example the default guest-logon role:

role_controller.PNG

I think I can achieve that by just creating one firewall policy with a "user 192.168.200.0/24 any permit" rule and placing that firewall policy above the "captiveportal" one.

 

However, in my Instant AP I have this guestSURA role:

role_iap.PNG

In this way, I have to log in on the captive portal page, and then I will be able to access network 192.168.200.0/24. But I want to access that network before the captive portal page. But I can't move the rule which allows traffic to network 192.168.200.0/24 to the first position, before the captive portal rule; I am not allowed to do so in the GUI. I don't know if that's possible with the CLI, therefore my question about "wlan access-rule" and so on. Do you think that's possible in Instant?

 

Regards,

Julián

Aruba Employee

Re: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

I don't have access to my Instant cluster, but there is a Walled Garden configuration for allowing access to destinations without the captive portal taking effect.


Charlie Clemmer
Aruba Customer Engineering

Re: Understanding "wlan ssid-profile" and "wlan access-rule" in Instant APs

Hi,

 

Yes, you are right, but that's valid for only HTTP traffic and websites, no other ports.

 

Regards,

Julián
