Wireless Access

Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Why is NATT UDP 4500 Allowed to "any" in the "logon-control" role?


In the controller "logon-control" user role I understand the reasoning for all the firewall rules listed below except the one circled in red. Why is this NAT-T allowed anywhere by default? I'm just curious. I would think this might allow someone to get/go places they should not prior to going through the captive portal... hope that makes sense, thanks.

[Attachment: Capture.PNG]

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Why is NATT UDP 4500 Allowed to "any" in the "logon" role?

You can create a new logon-control and remove it. It's not required for end user devices.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Re: Why is NATT UDP 4500 Allowed to "any" in the "logon" role?

Thank you. Yeah, I'll remove it, but I was just curious why it came from the factory that way... I didn't know if there was some necessary reason to leave it that I didn't know about, thanks.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Why is NATT UDP 4500 Allowed to "any" in the "logon" role?

When in doubt, check the user guide for default configurations and their purposes:


http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm?_ga=1.25739901.1709261467.1439923703#ArubaFrameStyles/Defaults/Defaults.htm


For the logon-control policy, it actually mentions removing svc-natt if not needed.

[Attachment: aos-defaults-logon-control.png]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
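As an added example, not taken from this thread or from Aruba's documentation, here is an ArubaOS 6.x CLI fragment that does what the two replies above suggest: build a copy of the default logon-control session ACL without the svc-natt (UDP 4500) rule and assign it to the logon role, so pre-authentication clients can only reach DHCP, DNS and ICMP before the captive portal. The rule list is assumed to mirror the 6.x default policy (the thread only shows it as an image), so compare it against `show ip access-list logon-control` on your own controller before use; the ACL name `logon-control-nonatt` is invented for this example, and the lines starting with `!` are annotations, not part of the configuration.

```text
! Copy of the default logon-control session ACL, minus "any any svc-natt permit".
! Assumed to match the ArubaOS 6.x default; verify with: show ip access-list logon-control
ip access-list session logon-control-nonatt
  user any udp 68 deny          ! clients may not answer as a DHCP server
  any any svc-icmp permit       ! echo/unreachable needed for basic connectivity checks
  any any svc-dns permit        ! name resolution so the portal redirect works
  any any svc-dhcp permit       ! address assignment
!
! Swap the custom ACL in for the default one on the pre-auth role; the
! captiveportal ACL already attached to the role is left untouched.
user-role logon
  no access-list session logon-control
  access-list session logon-control-nonatt position 1
!
write memory
```

After applying it, `show rights logon` lists the ACLs bound to the role in evaluation order and `show ip access-list logon-control-nonatt` prints the rules, which is the quickest way to confirm UDP 4500 is no longer permitted to "any" for unauthenticated clients. If you do run IPsec/NAT-T clients (for example remote APs or VIA) that must reach the controller before authentication, add a rule that permits svc-natt only to the controller alias rather than to any destination.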
