MVP
Posts: 562
Registered: 11-28-2011

VIA

Just hit an interesting issue on 6.3.1.2 using VIA. Anybody else seen this?

 

A user connects as normal...

 

Users
-----
    IP               MAC            Name      Role               Age(d:h:m)  Auth     VPN link        AP name        Roaming   Essid/Bssid/Phy                    Profile                 Forward mode  Type     Host Name
----------      ------------       ------     ----               ----------  ----     --------        -------        -------   ---------------                    -------                 ------------  ----     ---------
1.0.0.10        00:00:00:00:00:00  jcornford  default-via-role   00:00:24    VIA-VPN  194.74.186.235  N/A                                                                                 tunnel        Windows
194.74.186.235  00:00:00:00:00:00             logon              00:00:24                             N/A                                                                                 tunnel

 

User Entries: 4/4

 

Here's some info about the role...

 

user-role default-via-role
 via "demo-via"
 access-list session src-nat-private-dest-to-inside
 access-list session src-nat-to-outside
 access-list session v6-allowall
 access-list session allowall
!

 

ip access-list session src-nat-private-dest-to-inside
  user   alias private-nets any  src-nat pool aruba-vlan-1920-ip
!

 

ip access-list session src-nat-to-outside
  user any any  src-nat pool aruba-vlan-82-ip
!

 

The VLAN 82 IP pool is public. The VLAN 1920 IP is private, obviously.

 

I initiate a connection to a public IP, destination port 34032. I have sensible reasons for this, and it used to work on 6.3.1.1 I'm sure. The session doesn't connect (and note that yes, this session normally connects from anywhere else).

 

So here's the weird thing. Bearing in mind I have a deny and log rule at the end of my logon role, when this session doesn't connect, I get this in the log...

 

Feb  6 09:33:15  authmgr[2269]: <124006> <WARN> |authmgr|  {546} TCP srcip=1.0.0.10 srcport=49297 dstip=X.X.X.X(PUBLIC) dstport=34032, action=deny, role=logon, policy=deny-and-log

 

And this in the table...

 

1.0.0.10        X.X.X.X(PUBLIC)  6    49297 34032  0/0     0 0   0   tunnel 9    2    0         0          FSDYC

 

What's really weird about this is that the log suggests it's matching the "logon" role, rather than the "default-via-role". Especially as the source IP is matching a user table entry which is in the "default-via-role" role!?!?

 

Am I missing something here?

Kudos appreciated, but I'm not hunting! (ACMX 104)
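As an added diagnostic (not from the post, and not Aruba's own tooling), here is a small Python script that parses a `show user` table and authmgr ACL deny lines in the formats quoted above, then reports any denied flow whose source IP belongs to a user-table entry that sits in a different role than the one the firewall says it evaluated. The sample inputs are constructed from the post's own output; the column-parsing regexes (space-separated fields, an optional Name column, the Age column anchoring the end of the role name) are an assumption about the layout, not a documented format.

```python
import re

# Constructed sample input, copied from the 'show user' output quoted in the post.
USER_TABLE = """\
    IP               MAC            Name      Role               Age(d:h:m)  Auth     VPN link        AP name        Roaming   Essid/Bssid/Phy                    Profile                 Forward mode  Type     Host Name
----------      ------------       ------     ----               ----------  ----     --------        -------        -------   ---------------                    -------                 ------------  ----     ---------
1.0.0.10        00:00:00:00:00:00  jcornford  default-via-role   00:00:24    VIA-VPN  194.74.186.235  N/A                                                                                 tunnel        Windows
194.74.186.235  00:00:00:00:00:00             logon              00:00:24                             N/A                                                                                 tunnel
"""

# Constructed sample input, copied from the authmgr deny line quoted in the post.
AUTHMGR_LOG = [
    "Feb  6 09:33:15  authmgr[2269]: <124006> <WARN> |authmgr|  {546} TCP srcip=1.0.0.10 "
    "srcport=49297 dstip=X.X.X.X(PUBLIC) dstport=34032, action=deny, role=logon, policy=deny-and-log",
]

# Assumed layout of a user-table data row: IP, MAC, optional Name, Role, then the
# Age(d:h:m) column. Header and separator rows do not match this pattern.
USER_ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:(?P<name>\S+)\s+)?"            # Name column may be empty (second row above)
    r"(?P<role>\S+)\s+"
    r"(?P<age>\d\d:\d\d:\d\d)",         # Age anchors where the role name ends
    re.IGNORECASE,
)

# Fields of the ACL deny log line as they appear in the post.
DENY_RE = re.compile(
    r"srcip=(?P<srcip>\S+) srcport=(?P<srcport>\d+) "
    r"dstip=(?P<dstip>\S+) dstport=(?P<dstport>\d+), "
    r"action=(?P<action>\w+), role=(?P<role>[\w-]+), policy=(?P<policy>[\w-]+)"
)


def parse_user_table(text):
    """Map each IP in a 'show user' table to its name and role."""
    users = {}
    for line in text.splitlines():
        m = USER_ROW_RE.match(line.strip())
        if m:
            users[m["ip"]] = {"name": m["name"] or "", "role": m["role"]}
    return users


def parse_deny_events(lines):
    """Extract the 5-tuple plus role/policy from authmgr lines with action=deny."""
    events = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and m["action"] == "deny":
            events.append(m.groupdict())
    return events


def find_role_mismatches(user_table_text, log_lines):
    """Return deny events whose srcip is a known user but whose logged role
    differs from the role that user holds in the user table (the symptom in the post)."""
    users = parse_user_table(user_table_text)
    mismatches = []
    for ev in parse_deny_events(log_lines):
        entry = users.get(ev["srcip"])
        if entry is None:
            continue  # unknown source IP: not the role-confusion case we look for
        if entry["role"] != ev["role"]:
            mismatches.append({
                "srcip": ev["srcip"],
                "dstip": ev["dstip"],
                "dstport": int(ev["dstport"]),
                "user": entry["name"],
                "table_role": entry["role"],
                "evaluated_role": ev["role"],
                "policy": ev["policy"],
            })
    return mismatches


if __name__ == "__main__":
    for mm in find_role_mismatches(USER_TABLE, AUTHMGR_LOG):
        print(f"{mm['srcip']} -> {mm['dstip']}:{mm['dstport']} denied by {mm['policy']} "
              f"in role {mm['evaluated_role']}, but user {mm['user']!r} is in {mm['table_role']}")
```

Run against the constructed input, it reports the single flow from the post: 1.0.0.10 to the public IP on port 34032, denied by deny-and-log in the logon role while the user table has jcornford in default-via-role. Feeding it a longer `show user` dump and a day of authmgr logs is a quick way to see whether the mismatch is confined to one user, one destination port, or one role before opening a TAC case.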
Guru Elite
Posts: 20,990
Registered: 03-29-2007

Re: VIA

Question:  Did it ever work?



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 562
Registered: 11-28-2011

Re: VIA

Yeah, like I say, I'm pretty sure it worked on 6.3.1.1. I'm tempted to boot back into it to prove. Still in the other partition.

 

Kudos appreciated, but I'm not hunting! (ACMX 104)