Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

  • 1.  Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 21, 2019 01:14 AM

    Hello,

    My SSID is on subnet 192.168.10.0/24 and I tried to apply an ACL on the role in the controller to block client-to-client traffic, as below:

    any 192.168.10.0/24 deny

    any any permit

    After applying this ACL we found that Mac users get disconnected randomly and show the ! icon on wireless, whether they're roaming or not moving.

    In the same situation I tested on a Windows laptop but did not see any issues, and when I remove that ACL all Mac users can connect to wifi with no problem.

    I wonder if Macs have any requirement to allow internal traffic within the client subnet in order to connect to the wifi?

    My controller is a 7205, version 8.3.0.6.



  • 2.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 21, 2019 02:14 AM

    If the intended purpose of the ACLs is to deny inter-user traffic, have you tried enabling the "deny inter-user traffic" knob in the VAP profile without mapping the ACLs?

    Please refer to the AOS 8.3 CLI reference guide (page 2414) for more details on this knob.

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.



  • 3.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 21, 2019 02:33 AM

    Hi A_Rak,

    Enabling "deny inter user traffic" works fine, but I decided not to enable it because I have another role for VIP users who need to be allowed client-to-client traffic, so I've created 2 roles: one with that ACL to block client-to-client for normal users, and another role with an allow-all ACL for VIP users.



  • 4.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 21, 2019 03:18 AM

    Do the VIP users fall into the same subnet after authentication as the normal users, or are they falling into a different subnet?

    Have you applied these ACLs to the pre-auth role or the post-auth role?

    The ACLs posted here need some fine-tuning specific to your requirement.

    If they are falling into different subnets, then:

    Create an alias and map the VIP users' subnet to that alias.

    Use the "netdestination" command to configure the alias.

    Call it "VIP_Users", for example.

    Create another alias for normal users and map the normal users' subnet.

    Call it "Normal_Users".

    To deny traffic between these two types of users, create the access lists as follows:

    // denies all traffic from the VIP to normal users

    VIP_Users Normal_Users any deny

    // denies all traffic from the normal users to the VIP

    Normal_Users VIP_Users any deny

     

     




  • 5.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 21, 2019 06:27 AM

    Hi A_Rak,

    I put the ACL into the post-auth role (I use 802.1X with ClearPass).

    Both normal users and VIP users are on the same subnet.

    I split them by group in AD and assign a role to them after authentication with ClearPass.

    My purpose is that normal users can't talk to any clients, but VIP users can talk to everyone (to test and develop some apps).



  • 6.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 21, 2019 07:24 AM

    How many users are we talking about here?

    If the VIP users are few in number, then try creating a netdestination with the host IP addresses of the VIP users and mapping that netdestination as an alias in the ACLs.

     

     




  • 7.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 22, 2019 07:11 AM

    Hi A_Rak,

    We're now starting with about 100 normal users and 40-50 VIP users.

    I plan to test again next week by applying the ACL rules one by one to see which rule Macs need to be allowed.



  • 8.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic
    Best Answer

    Posted Sep 22, 2019 01:21 PM

    @fuyunohoshi wrote:

    Hello,

    My SSID is on subnet 192.168.10.0/24 and I tried to apply an ACL on the role in the controller to block client-to-client traffic, as below:

    any 192.168.10.0/24 deny

    any any permit

    After applying this ACL we found that Mac users get disconnected randomly and show the ! icon on wireless, whether they're roaming or not moving.

    In the same situation I tested on a Windows laptop but did not see any issues, and when I remove that ACL all Mac users can connect to wifi with no problem.

    I wonder if Macs have any requirement to allow internal traffic within the client subnet in order to connect to the wifi?

    My controller is a 7205, version 8.3.0.6.


    First things first... Is your DHCP server on the 192.168.10.0/24 subnet? If yes, you need to put a rule on top that allows "any any service dhcp", which allows DHCP. It is quite possible that your Macs are doing DHCP on every roam, and on a roam DHCP is typically unicast, so your deny rule is breaking that.

    For your second question, it is very impractical to block traffic between all users and then allow traffic for specific users. I would put your VIPs in a separate "bastion" subnet, block traffic for the user subnet, but allow all traffic to/from the "bastion" subnet.



  • 9.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 22, 2019 01:24 PM

    To be clear, in general you would put your VIP users in a separate subnet using a RADIUS attribute returned from your RADIUS server.



  • 10.  RE: Apple Mac randomly disconnects after applying ACL to block client-to-client traffic

    Posted Sep 23, 2019 09:07 AM

    Hi Cjoseph,

    Setting a rule to allow DHCP made it work!

    My DHCP server is on another subnet; however, there is an ip-helper setting on the gateway of the client subnet.

    I wonder why Macs require this to be allowed.
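As an added illustration of the rule-ordering point in the accepted answer and of the netdestination-alias suggestion earlier in the thread (this is example code written for this page, not anything posted in the thread and not Aruba's or the controller's own code): a small first-match evaluator in Python that reads rules in the ArubaOS session-ACL form, source destination service action, and classifies a few constructed flows under the original poster's two rules and under a reordered list. It assumes that svc-dhcp is the service alias for UDP 67-68, that a session ACL ends in an implicit deny, that the gateway running ip-helper answers the client's DHCP request from its own address inside 192.168.10.0/24, and that the VIP hosts sit in a hypothetical netdestination named vip-hosts; every address and flow name below is constructed. Session state is deliberately not modelled, so each flow is judged as the first packet of a new flow, which is how a relay's unicast reply is treated when it does not match the tuple of the client's broadcast request.

```python
import ipaddress
from dataclasses import dataclass

# Added example; not code or configuration from the thread or from Aruba.
# Rules use the ArubaOS "ip access-list session" form
#   <source> <destination> <service> <action>
# and are evaluated first-match with the implicit deny that ends every
# session ACL. Session state is ignored on purpose: the question is how
# the first packet of a *new* flow is classified.

# Hypothetical netdestination alias (name and addresses are assumptions),
# standing in for the VIP-host alias suggested in the thread.
NETDESTINATIONS = {"vip-hosts": ["192.168.10.50", "192.168.10.51"]}

# svc-dhcp is the ArubaOS service alias for UDP ports 67-68.
SERVICES = {"svc-dhcp": ("udp", 67, 68)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int


def _parse_endpoint(tokens):
    """Consume one source/destination spec; return (matcher, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return (lambda ip: True), tokens[1:]
    if kind == "network":                                # network <address> <netmask>
        net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}")
        return (lambda ip: ipaddress.ip_address(ip) in net), tokens[3:]
    if kind == "alias":                                  # alias <netdestination name>
        nets = [ipaddress.ip_network(a) for a in NETDESTINATIONS[tokens[1]]]
        return (lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)), tokens[2:]
    raise ValueError(f"unsupported endpoint spec: {kind}")


def _parse_service(tokens):
    """Consume one service spec: any, a service alias, or udp/tcp <port> [<port>]."""
    kind = tokens[0]
    if kind == "any":
        return (lambda f: True), tokens[1:]
    if kind in SERVICES:
        proto, lo, hi = SERVICES[kind]
        return (lambda f: f.proto == proto and lo <= f.dport <= hi), tokens[1:]
    if kind in ("udp", "tcp"):
        lo, has_hi = int(tokens[1]), tokens[2].isdigit()
        hi = int(tokens[2]) if has_hi else lo
        return (lambda f: f.proto == kind and lo <= f.dport <= hi), tokens[3 if has_hi else 2:]
    raise ValueError(f"unsupported service spec: {kind}")


def evaluate(acl, flow):
    """Return 'permit' or 'deny' from the first rule that matches the flow."""
    for rule in acl:
        tokens = rule.split()
        src_ok, tokens = _parse_endpoint(tokens)
        dst_ok, tokens = _parse_endpoint(tokens)
        svc_ok, (action,) = _parse_service(tokens)      # exactly one token must remain
        if src_ok(flow.src) and dst_ok(flow.dst) and svc_ok(flow):
            return action
    return "deny"                                        # implicit deny at end of ACL


# The original poster's two rules, as written in the thread.
ORIGINAL_ACL = [
    "any network 192.168.10.0 255.255.255.0 any deny",
    "any any any permit",
]

# Reordered as the accepted answer advises (DHCP first), plus the VIP
# carve-out from the netdestination suggestion, in both directions.
FIXED_ACL = [
    "any any svc-dhcp permit",
    "any alias vip-hosts any permit",
    "alias vip-hosts any any permit",
    "any network 192.168.10.0 255.255.255.0 any deny",
    "any any any permit",
]

# Constructed sample flows. The relay reply models the assumption that the
# gateway running ip-helper answers the client from its in-subnet address.
GATEWAY, CLIENT, PEER, VIP = "192.168.10.1", "192.168.10.23", "192.168.10.9", "192.168.10.50"
SAMPLE_FLOWS = {
    "dhcp_discover":        Flow("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "dhcp_reply_via_relay": Flow(GATEWAY, CLIENT, "udp", 67, 68),
    "client_to_client":     Flow(CLIENT, PEER, "tcp", 50000, 445),
    "client_to_vip":        Flow(CLIENT, VIP, "tcp", 50001, 8080),
    "client_to_internet":   Flow(CLIENT, "203.0.113.10", "tcp", 50002, 443),
}


def decisions(acl):
    """Classify every sample flow under the given ACL."""
    return {name: evaluate(acl, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, decisions(acl))
```

Run as written, the original list permits the broadcast discover but denies dhcp_reply_via_relay, because the reply's destination is the client address inside 192.168.10.0/24 and nothing above the deny rule claims it; the reordered list permits it and still denies client_to_client while letting client_to_vip through. The model does not explain why Windows clients were unaffected; it only shows which packet the deny rule catches. One caveat a practitioner should weigh: "any any svc-dhcp permit" is broader than needed, since it also lets a client answer a neighbour's DHCP request, so where rogue DHCP servers are a concern, restrict the reply direction to an alias holding only the relay or server address and keep the ArubaOS "user" keyword as the source for the client's own requests.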