Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

ASSIGN A PROFILE TO WIRED PORTS

  • 1.  ASSIGN A PROFILE TO WIRED PORTS

    Posted Jan 20, 2020 07:52 AM

    Hello.

     

    I have associated a web category (adults) control to the user “authenticated”, so users connected via WLAN with that role cannot access such URLs. That WLAN has the profile “my-wlan_aaa_prof”, which includes “authenticated” as initial-role.

     

    I want to apply the same filter to wired ports.

     

    How can I configure that function? I have read that the ports must be in untrusted mode and that the command to assign the profile “my-wlan_aaa_prof”, which includes the initial-role “authenticated”, to the wired ports is “aaa authentication wired”.

     

    I have some doubts:

     

    1. Is it possible to assign that profile to specific ports?

    2. Is it possible to assign that profile to some ports and another profile to other ports?

    3. Should I handle the previous question by configuring different VLANs?

     

    What are the commands or how can I do those things via GUI?

     

    Thank you very much.



  • 2.  RE: ASSIGN A PROFILE TO WIRED PORTS

    Posted Jan 20, 2020 12:46 PM

    I don't have an 8.6 MM active currently for screenshots, but you are correct that the wired port needs to be untrusted and have a aaa policy applied in order to apply a role.

     

    Are you wanting to apply policy to the controller's wired ports, or the wired ports on an AP like the 303h?



  • 3.  RE: ASSIGN A PROFILE TO WIRED PORTS

    Posted Jan 20, 2020 04:42 PM

    Thanks for your interest.

     

    I know how to apply a policy to a port, but I would like to apply all the policies related to a role, in my case the role authenticated, which includes a policy global-sacl, with restrictions on some URLs, and the policy allowall.

     

    I have read that I have to make a port untrusted and apply mywlan-aaa_prof, which includes the role authenticated.

     

    I have configured the following:

     

    aaa authentication wired

       profile mywlan-aaa_prof

     

    but all URLs are blocked, not only those included in global-sacl.

     

    What am I doing wrong?

     

    On the other hand, is it possible to apply different profiles to different ports?

     

    Regards.



  • 4.  RE: ASSIGN A PROFILE TO WIRED PORTS

    Posted Jan 21, 2020 03:59 PM

    You would use different roles to apply different policies. If all users end up in the "authenticated" role, they will share the same set of policies.

     

    For wired users, what authentication method are you using to authenticate your users?



  • 5.  RE: ASSIGN A PROFILE TO WIRED PORTS

    Posted Jan 21, 2020 04:33 PM

    I use WPA2-personal with a passphrase to connect to the WLAN, for example, my-wlan. When users connect to this WLAN, they get the role "authenticated", with all the policies it implies.

     

    I intended that when a computer is connected to a particular wired port, it would have the same policies as the role "authenticated", but with no need to authenticate. Perhaps it is not possible.

     

    Is it possible to configure what I want?

     

    Thanks.



  • 6.  RE: ASSIGN A PROFILE TO WIRED PORTS
    Best Answer

    Posted Jan 21, 2020 04:46 PM

    Once the user is authenticated with WPA2 and put in the correct user role, they are essentially trusted.

     

    With the wired users, you would want to do wired 802.1X or mac-auth to accomplish the same. The other option would be to trust the port, but then apply the specific firewall policy to the port ... but this would apply a specific policy rather than a user role (combination of policies) to the specific port.



  • 7.  RE: ASSIGN A PROFILE TO WIRED PORTS

    Posted Jan 21, 2020 05:05 PM

    Hello Charlie.

     

    Thanks for your responses, I understand the process. I thought that assigning a profile to a port would mean that the users on that port would have the same role, without the need for authentication. Now I see that some kind of authentication of the user or the computer is necessary.

     

    As I do not want to use any kind of authentication, because it would complicate the use of the network, I will attach a policy specifically created for that purpose. I configured it some days ago and it worked adequately.

     

    Thanks again.