Wireless Access

Frequent Contributor I
Posts: 75
Registered: ‎07-03-2013

Why is the ACL not working at this stage?

I want to configure MAC-based authentication and want no other user to be able to connect to the MAC SSID. According to one technical member on the Airheads community, I should create a customized role with a policy (any any any deny) for everyone except those whose MAC addresses are entered in the internal database. I did the same, but other users are still able to connect to the MAC SSID, although with limited connectivity, i.e. getting no IP address, unable to browse, nothing at all. But I want no user to be able to connect to the MAC SSID.

According to the customized role, if it is (any any any deny), then why is the user able to connect to the SSID under this rule?

One more thing: if I configure (any any any deny with blacklist "one time authen failure"), then no one will be able to connect except the MAC users.

Customized role (DenyAll): why is the ACL not working properly without the blacklist option? Here are the snapshots.

Attachments: 1.jpg, 2.jpg, 3.jpg

Guru Elite
Posts: 21,556
Registered: ‎03-29-2007

Re: Why is the ACL not working at this stage?

You need to ensure that "Station Blacklisting" is enabled in the Virtual AP profile.  That is the master switch that says whether or not blacklisting will occur at all for that Virtual AP.

Also, every time you test, do an "aaa user delete" to kick that user out of the user table, to reset everything.  If the user is still in the user table after disconnecting (5 minutes or so) he will be able to reattach.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 75
Registered: ‎07-03-2013

Re: Why is the ACL not working at this stage?

Sorry, I didn't understand...

Can you explain it once again in simple words? You mean the blacklist feature has to be enabled?

Guru Elite
Posts: 21,556
Registered: ‎03-29-2007

Re: Why is the ACL not working at this stage?

Yes.  In the Virtual AP profile. 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 75
Registered: ‎07-03-2013

Re: Why is the ACL not working at this stage?

Really shocked...

The ACL is not working independently in order to block the unauthorized users.

You mean the ACL is not able to block the unauthorized users? The ACL is dependent on station blacklisting?

Guru Elite
Posts: 21,556
Registered: ‎03-29-2007

Re: Why is the ACL not working at this stage?

ACL should work regardless.  The question is, what role do your users end up in?  A user is required to have an ip address to get into the user table, so if you are blocking everything, they will not end up there.

 

I would type "show acl hits" to see if any users are hitting your ACL.

 

Also, confirm the role that users get when they associate.  If they are in the user table, they got the wrong role.  Also, do an "aaa user delete" to kick users off to start from scratch when you are testing.

 

Also turn on user debugging (config t logging level debugging user), then type "show log user 50" to understand what your users are doing...



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 75
Registered: ‎07-03-2013

Re: Why is the ACL not working at this stage?

(I have created the initial role myself.)

MAC-SSID-AAA-Profile uses these roles:

Initial role: "denyall", containing the rule (any any any deny). Station blacklisting is enabled on the VAP profile.

MAC Authentication Default Role: Authenticated

802.1X authentication is not configured.

Attachments: 3.jpg, 1.jpg, 2.jpg

According to the above snapshots, when a user gets associated with the MAC SSID it gets the DenyAll role with the rule (any any any deny). Then why are unauthorized users also able to connect to the SSID? Why is the ACL not able to deny them if blacklisting is not enabled? Why is this rule not working properly?

 

skype ID: ruhail_maqsood

 

 

Can you take a session ?
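As an added illustration of the setup discussed in this thread (not configuration taken from the poster or from Aruba), the following ArubaOS-style CLI fragment shows the deny-all initial role, the MAC-authentication AAA profile, and the Virtual AP with station blacklisting switched on, followed by the verification commands Colin suggests. Role and profile names are the ones quoted in the thread; the exact command syntax is assumed and should be checked against the controller's own CLI reference for its version.

```text
! Session ACL and role a station holds before MAC authentication succeeds
ip access-list session denyall
  any any any deny
!
user-role denyall
  access-list session denyall
!
! MAC authentication profile: blacklist a station after one failed attempt
! (profile name is assumed)
aaa authentication mac "MAC-SSID-mac-auth"
  max-authentication-failures 1
!
aaa profile "MAC-SSID-AAA-Profile"
  initial-role "denyall"
  authentication-mac "MAC-SSID-mac-auth"
  mac-default-role "authenticated"
!
! Virtual AP: "blacklist" is the master switch for station blacklisting;
! without it the max-authentication-failures setting above has no effect
wlan virtual-ap "MAC-SSID-vap"
  aaa-profile "MAC-SSID-AAA-Profile"
  ssid-profile "MAC-SSID"
  blacklist
!
! Verification while testing (commands named in the thread):
! show acl hits                       - are stations hitting the denyall ACL?
! show user-table                     - which role did the station land in?
! aaa user delete mac <station-mac>   - clear the station before re-testing
! logging level debugging user        - then: show log user 50
```

A station that never obtains an IP address does not appear in the user table, so an empty user table with ACL hits on "denyall" is the expected sign that the role is being applied.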
