Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Which AAA profile is used by the HQ Aruba controller for an S2S VPN tunnel interface (L3 GRE) that is set to untrusted?

  • 1.  Which AAA profile is used by the HQ Aruba controller for an S2S VPN tunnel interface (L3 GRE) that is set to untrusted?

    Posted Jul 09, 2021 10:30 PM
    Hi guys, need some help.
    We have two 7010 controllers configured as gateways for a site-to-site VPN (over the internet) between them, i.e. branch to HQ.
    We are using a GRE tunnel interface (L3 GRE mode), with the underlay mapped to an IPsec crypto-local map. The tunnel interface is configured as "untrusted", as below:

    interface tunnel 102
    description "L3 GRE 102"
    tunnel mode gre ip
    ip address 1.1.1.12 255.255.255.255
    tunnel source vlan 154
    tunnel destination 10.1.0.6
    tunnel keepalive
    tunnel keepalive 5 2

    Inbound user traffic (e.g. from client 13.1.1.254) behind the branch-end 7010 controller traverses the site-to-site VPN tunnel (GRE over IPsec) and enters the HQ controller via (logically) the tunnel interface (tunnel 102).

    Which AAA profile is used by the HQ Aruba controller for a tunnel interface (L3 GRE) set to untrusted?
    I can modify the policy (e.g. source NAT the traffic) on the "logon" role accordingly, but I want to know how this "logon" role gets assigned, and from which AAA profile.


    Checking (below) the client user IP 13.1.1.254, it got assigned the "logon" role with ROLE_DERIVATION_NONE.

    .. *[mynode] (config) #show user ip 13.1.1.254
    .....

    Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
    ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
    13.1.1.254 14.1.1.254 1 16 2048 0/0 0 0 1 tunnel 13 c 1 84 FSCI 5
    13.1.1.254 14.1.1.254 1 15 2048 0/0 0 0 1 tunnel 13 c 1 84 FSCI 5
    ..
    ..
    Name: , IP: 13.1.1.254, MAC: 00:00:00:00:00:00, Age: 00:00:00
    Role: logon (how: ROLE_DERIVATION_NONE), ACL: 2/0
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: ROLE_DERIVATION_NONE
    VLAN Derivation: Unknown
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0

    ------------------------------
    Yong Aik Seah
    ------------------------------


  • 2.  RE: Which AAA profile is used by the HQ Aruba controller for an S2S VPN tunnel interface (L3 GRE) that is set to untrusted?

    EMPLOYEE
    Posted Jul 10, 2021 09:13 AM
    Configuration> System> Profiles> All Profiles> Wireless LAN> Wired Authentication> AAA


    On the command line:

    config t
    aaa authentication wired
     profile <name of aaa profile>

    All traffic would be subject to the ACL attached to the "initial role" in the AAA profile you have configured here.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
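As an added illustration (not configuration from the original post or reply), the following ArubaOS CLI fragment creates a dedicated AAA profile whose initial role carries a narrow session ACL, then binds that profile as the wired authentication profile; traffic arriving on the untrusted tunnel interface is then handled by that role's ACL instead of the default "logon" role. The names branch-gre-acl, branch-gre-role and branch-gre-aaa are placeholders chosen for this example, and the ACL is deliberately minimal (permit the user's own traffic, deny everything else) so that the role stays least-privilege until the real policy is added.

```text
ip access-list session branch-gre-acl
  user any any permit
  any any any deny
!
user-role branch-gre-role
  access-list session branch-gre-acl
!
aaa profile branch-gre-aaa
  initial-role branch-gre-role
!
aaa authentication wired
  profile branch-gre-aaa
```

After applying it, re-run show user ip 13.1.1.254 on the HQ controller and confirm that the Role line now reports branch-gre-role rather than logon; any NAT or filtering the branch traffic needs belongs in branch-gre-acl, not in the shared logon role.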