Wireless Access

last person joined: 3 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

ACLs behaving badly

This thread has been viewed 1 times
  • 1.  ACLs behaving badly

    Posted Mar 06, 2014 03:06 AM

    got a weird situation were it seems traffic is denied by an ACL when it shouldnt be.

     

    it is a normal guest setup (controller based, ArubaOS 6.0) and the logon role has three policies: captive portal, modified logon control (only one DNS server) and deny internal networks.

     

    but when the user tries to get the captive portal to open i see that DNS traffic to the server which should be allowed in denied, both via the GUI and CLI. is there somewhere else an ACL might have kick in to cause this?



  • 2.  RE: ACLs behaving badly

    Posted Mar 06, 2014 03:17 AM

    can you show us the show rights for your guest pre-auth role please?



  • 3.  RE: ACLs behaving badly

    Posted Mar 06, 2014 03:24 AM

    Is the user traffic crossing another untrusted interface, like an untrusted VLAN or physical interface?  If you have a problem, the best thing to do is to look at your audit trail to see how you got there in the first place...



  • 4.  RE: ACLs behaving badly

    Posted Mar 06, 2014 03:50 AM

    @Michael_Clarke

     

    Derived Role = 'guest-prelogon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 57/0
     Max Sessions = 65535

     Captive Portal profile = default

    access-list List
    ----------------
    Position  Name           Type     Location
    --------  ----           ----     --------
    1         captiveportal  session
    2         logon-ctrl     session
    3         deny-internal  session

    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    logon-ctrl
    ----------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          svc-dhcp  permit                           Low                                                           4
    2         any     theDNS       svc-dns   permit                           Low                                                           4
    deny-internal
    -------------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     localNets    any      deny                             Low                                                           4

    Expired Policies (due to time constraints) = 0


    @cjoseph

     

    you mean putting the logging level higher for the user and follow the log? the audit trail is for changes made on the config right?



  • 5.  RE: ACLs behaving badly

    Posted Mar 06, 2014 03:51 AM

    Yes.  Type "show audit-trail all" to see how you got into your current situation.



  • 6.  RE: ACLs behaving badly

    Posted Mar 06, 2014 05:20 AM

    Try putting the logon-control acl above the captiveportal acl.



  • 7.  RE: ACLs behaving badly

    Posted Mar 06, 2014 05:29 AM

    a good thing to check:

    if your captive portal - controller /dns server is in the internal network...and u blocking traffic to it - it may be effecting your clients.

     

    try to disable the ACL of the deny internal - and let's us know if it's working for u.



  • 8.  RE: ACLs behaving badly

    Posted Mar 06, 2014 01:47 PM

    @Michael_Clarke any reason for that?

     

    @kdisc98, ACLs are processed in order right? so even if the DNS server and captive portal are within the internal net (which they are) that should matter right?

     

    shamefully the system was rebooted and the issue went away, configwise nothing changed. still a bit in doubt what the cause could have been, but will use these tips for the next time.



  • 9.  RE: ACLs behaving badly

    Posted Mar 06, 2014 01:55 PM

    @kdisc98, ACLs are processed in order right? so even if the DNS server and captive portal are within the internal net (which they are) that should matter right?

     In order for the user to see captive portal - the controller must be able to resolve the client request.(and it's better first to do the logon-control and then after the captive-portal (the logon-control got all the needed basic services like DNS/DHCP/NAT...)

     

    shamefully the system was rebooted and the issue went away, configwise nothing changed. still a bit in doubt what the cause could have been, but will use these tips for the next time.

    Ok... :( :(  i dont like not now to know what causing issues :)

    Are u sure that the client u tested with didnt got other ACL while u tried to log in? it sound like your user-db had a record of your device....

     



  • 10.  RE: ACLs behaving badly

    Posted Mar 06, 2014 02:02 PM

    @kdisc98 wrote:
    Ok... :( :(  i dont like now to know what causing issues :)

    Are u sure that the client u tested with didnt got other ACL while u tried to log in? it sound like your user-db had a record of your device....

     


    me neither, but the issue seemed so weird that it was choice between reboot or spend another hour staring at the issue.

     

    im quite sure the role and ACLs were correct, i removed the client once via the CLI (aaa user delete) so it would come back fresh. the counters for the ACL also went up in the GUI.

     

    anyhow, lets put it away a incident and move to a newer ArubaOS version.