Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

VPN problems

  • 1.  VPN problems

    Posted Jan 10, 2012 01:02 PM

    I have a few clients that need to connect to their corporate networks via various VPN client software and they're complaining that they can't connect and the connection times out. I've added the vpnlogon policy in the captive portal profile for the auth-guest user-role as shown below. Since the controller itself is not terminating any VPN sessions, is there anything else I need to do? Shouldn't this user-role allow for all vpn traffic to/from the controller?

     

    user-role auth-guest
     session-acl cplogout
     session-acl logon-control
     session-acl auth-guest-access
     session-acl vpnlogon
     ipv6 session-acl v6-logon-control
     session-acl drop-and-log

     

     




  • 2.  RE: VPN problems

    Posted Jan 10, 2012 01:49 PM

    The vpnlogon policy looks like this:

     


    1 user any svc-ike permit Low 4
    2 user any svc-esp permit Low 4
    3 any any svc-l2tp permit Low 4
    4 any any svc-pptp permit Low 4
    5 any any svc-gre permit Low 4

     

    Does the vpn client use something other than these protocols?

     

    Kevin



  • 3.  RE: VPN problems

    Posted Jan 10, 2012 02:36 PM

    I would suggest adding UDP 10000 to the vpnlogon policy since some VPN clients use that.  Add svc-natt (UDP/4500) as well, and make sure SSL (TCP/443) is allowed somewhere.

     

    Regards, 


    Austin



  • 4.  RE: VPN problems

    Posted Jan 10, 2012 03:57 PM

    The logon-control policy already allows for svc-natt. The auth-guest-access allows for https.



  • 5.  RE: VPN problems

    Posted Jan 11, 2012 04:15 AM

    I believe it's cjoseph who has a post listing this as the recommended update for the VPN policy:

     

    Step #1 - The policy, apply from the command line of the controller,
    under the config t mode
    
    !
    ip access-list session VPN-Clients
    user any svc-l2tp permit
    user any svc-esp permit
    user any svc-ike permit
    user any tcp 17 permit
    user any udp 51 permit
    user any udp 4500 permit
    user any tcp 10000 10001 permit
    user any udp 10000 10001 permit
    user any svc-pptp permit
    user any svc-gre permit
    !
    
    Step #2 -- Associate the new policy with the guest account as follows
    (also from command line)
    
    !
    user-role guest
    access-list session VPN-Clients
    !

     

    This might not completely solve your issue tho.

    In a scenario where the controller is the default gateway and doing NAT, we've found that some VPN clients (especially Microsoft VPN) don't work for our guest users. This is supposedly fixed in the recent 6.1.2.6 release, but we've not been able to test this yet.



  • 6.  RE: VPN problems

    Posted Jan 26, 2012 01:08 PM

    Ok, I've looked into the problem a little more. After configuring the auth-guest role to remove all policies except the cplogout and logon-control and adding the allowall policy as well, I still have the same issue. The current authenticated user role looks like this:

     

    user-role auth-guest
     session-acl cplogout
     session-acl logon-control
     session-acl allowall

     


    Doing a show datapath session table for the particular user trying to use his VPN client, I see that only traffic to/from UDP 500 to the VPN servers is being blocked:

     

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           I - Deep inspect, U - Locally destined

      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
    x.x.x.x            y.y.y.y             17   500   500    0/0     0 96  0   tunnel 71   6    FDC

     

     

     

    Does anyone have any ideas as to what could be causing this traffic to be blocked? I should add that the controller is not the default gateway for this traffic but a firewall instead. But would I see traffic being blocked by the firewall as being "denied" here at the controller as I'm seeing above?

     



  • 7.  RE: VPN problems

    Posted Jan 26, 2012 03:30 PM

    Wait a minute! Am I making all the changes to the wrong user-role? The captive portal authentication profile assigns a role of auth-guest to users that authenticate via the captive portal but their role shows up as guest after they authenticate, instead of auth-guest. I always thought that was a GUI thing. Do I need to apply these rules to the guest user-role, i.e. the VPN policies?



  • 8.  RE: VPN problems

    Posted Jan 26, 2012 03:39 PM

    @arubamonkey wrote:

    Wait a minute! Am I making all the changes to the wrong user-role? The captive portal authentication profile assigns a role of auth-guest to users that authenticate via the captive portal but their role shows up as guest after they authenticate, instead of auth-guest. I always thought that was a GUI thing. Do I need to apply these rules to the guest user-role, i.e. the VPN policies?


    When a user authenticates, type "show user" to see what role he gets AFTER he authenticates.

     

    That is the role you are concerned about.



  • 9.  RE: VPN problems

    Posted Jan 26, 2012 03:46 PM

    The role after CP authentication is guest.



  • 10.  RE: VPN problems
    Best Answer

    Posted Jan 26, 2012 03:47 PM

    So that is the role that you change.

     



  • 11.  RE: VPN problems

    Posted Jan 26, 2012 03:52 PM

    I'm confused though because I assigned the auth-guest role to the CP profile for the "Default Role" but I see that there's a "Default Guest Role" there as well with "guest" as the default setting. It seems that this role is what is being applied to the users. What's the difference between the two?



  • 12.  RE: VPN problems

    Posted Jan 26, 2012 03:56 PM

    @arubamonkey wrote:

    I'm confused though. I assigned the auth-guest role to the Captive Portal default role but there's also a "default guest role" there with "guest" as the default setting. What's the difference between the two?



    The Captive Portal default role is the role users get when they authenticate with a username and password, UNLESS the server group attached to the captive portal authentication profile has the server derivation rule "set role condition Role value-of", which means "take the role that the user is assigned in the local database and override the Captive Portal default role". The default guest role is what the user is assigned if the captive portal authentication is "email address only".

     

    In recap:

     

    - Captive Portal users who authenticate with username and password get the Captive Portal default role, unless that user derivation rule is in the server group, which would mean they get the role assigned in the local database instead.

     



  • 13.  RE: VPN problems

    Posted Jan 26, 2012 04:08 PM

    Well, the users I have are using accounts created using the guest provisioning page, so yes, they have to log in with a username and password. This means that they should get the auth-guest role, as that's what I have assigned under "Default Role" in the CP profile, not the guest role under the "Default Guest Role". I don't know where this "email address only" option is.



  • 14.  RE: VPN problems

    Posted Jan 26, 2012 04:10 PM

    But, in the local user database, the user has a role of guest, so combined with that "set role condition Role value-of" server derivation rule (In the Default Server Group), the role becomes guest.



  • 15.  RE: VPN problems

    Posted Jan 26, 2012 04:16 PM

    Where's this local user database where the role is guest?



  • 16.  RE: VPN problems

    Posted Jan 26, 2012 04:21 PM

    Type "show local-userdb" and you will see it.  Please also consult our guest Validated Reference Design for many more details on guest access here:  http://www.arubanetworks.com/pdf/technology/AOS_GuestAcccess-AppNote.pdf 



  • 17.  RE: VPN problems

    Posted Jan 26, 2012 04:25 PM

    Ah! So you're telling me that when a guest account is created using the guest provisioning page, it is assigned an automatic role of "guest"? Is there a way to change this?



  • 18.  RE: VPN problems

    Posted Jan 26, 2012 05:24 PM

    @arubamonkey wrote:

    Ah! So you're telling me that when a guest account is created using the guest provisioning page, it is assigned an automatic role of "guest"? Is there a way to change this?


    Yes, it is.  It cannot be changed.

     



  • 19.  RE: VPN problems

    Posted Sep 11, 2012 09:49 AM

    Was your VPN problem resolved?

     

    I am having the same issue. My controller is running on IOS 5.0.3.3.

     

    Guest users are not able to log in to their outside VPN.

     

    Please provide me detailed information if anybody has resolved this issue.

     

     



  • 20.  RE: VPN problems

    Posted Sep 11, 2012 09:56 AM

    jnlimbachia,

     

    What VPN are your guests using?  What is your perimeter firewall?  Are you allowing VPN traffic in your guest role?

     



  • 21.  RE: VPN problems

    Posted Sep 11, 2012 10:12 AM

    Hi ,

     

    My guest users are using Cisco and Microsoft VPN clients.

     

    Yes, I have allowed VPN traffic in my guest role.

     

    See below "show rights guest " output

     

    show rights guest

    Derived Role = 'guest'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Enabled, Interval = 4096 minutes
    ACL Number = 3/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 allowall
    2 http-acl
    3 https-acl
    4 dhcp-acl
    5 icmp-acl
    6 dns-acl
    7 v6-http-acl
    8 v6-https-acl
    9 v6-dhcp-acl
    10 v6-icmp-acl
    11 v6-dns-acl
    12 VPN-Clients

    allowall
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any any permit Low
    http-acl
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-http permit Low
    https-acl
    ---------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-https permit Low
    dhcp-acl
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-dhcp permit Low
    icmp-acl
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-icmp permit Low
    dns-acl
    -------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-dns permit Low
    v6-http-acl
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-http permit Low
    v6-https-acl
    ------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-https permit Low
    v6-dhcp-acl
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-v6-dhcp permit Low
    v6-icmp-acl
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-v6-icmp permit Low
    v6-dns-acl
    ----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any svc-dns permit Low
    VPN-Clients
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user any svc-l2tp permit Low
    2 user any svc-esp permit Low
    3 user any svc-ike permit Low
    4 user any tcp 17 permit Low
    5 user any udp 51 permit Low
    6 user any udp 4500 permit Low
    7 user any tcp 10000-10001 permit Low
    8 user any udp 10000-10001 permit Low
    9 user any svc-pptp permit Low
    10 user any svc-gre permit Low
    11 any user svc-natt permit Low

    Expired Policies (due to time constraints) = 0



  • 22.  RE: VPN problems

    Posted Jun 24, 2015 11:18 AM

    The proper solution is described below:

     

    1.  Connect user to guest wireless

    2.  Perform lookup  on user to determine role

    -SSH to controller, under enable mode type - "show user"

    3.  Login to the Wireless Controller - go to Configuration tab.  

    4.  Select "Access Control" under SECURITY on the left.

    5.  If the role the user is in is "Guest" for example, then click "edit" to the right of that role.

    6.  Under "Firewall Policies", click Add, then select "Choose From Configured Policies" and select "vpnlogon".

    7.  After it shows under the list of policies, click on it to add an additional rule.  

    8.  Click Add - IPv4, Any source, Any Destination, Service - then select "svc-natt", action permit, log uncheck, mirror uncheck, queue low.  All other options in the row need to be left alone.  

    9.  Click Add.

    10.  Click Apply - Be sure to save at the top.  

     

    Services that should now be allowed are:

    svc-ike

    svc-esp

    svc-l2tp

    svc-pptp

    svc-gre

    svc-natt
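The two things this thread turns on are (a) which role a captive-portal user actually lands in (reply 12: CP default role vs. default guest role vs. the local-userdb role pulled in by "set role condition Role value-of") and (b) whether that role's ordered session ACLs permit the VPN's IKE/ESP/NAT-T flows (replies 2, 5 and the svc-natt step above), with the "D" flag in `show datapath session table` being the tell that the controller, not the upstream firewall, dropped the packet. The following is an added example written for this page, not ArubaOS code: a small Python model of role derivation plus first-match session-ACL evaluation, with a parser for session-table rows. The service-alias table, the implicit final deny, the meaning of "user" as the client's own address, and the sample rows (10.1.2.3, 203.0.113.5) are all constructed assumptions for illustration.

```python
"""Added example for this thread (not ArubaOS code): how a captive-portal
user ends up in a role, and how that role's ordered session ACLs decide a
flow. Aliases, first-match/implicit-deny semantics and sample rows are
constructed assumptions."""
from dataclasses import dataclass

# Assumed meaning of the ArubaOS service aliases used in the thread:
# (IP protocol, destination port); port None = whole protocol (ESP=50, GRE=47).
SERVICES = {
    "svc-ike": (17, 500), "svc-natt": (17, 4500), "svc-l2tp": (17, 1701),
    "svc-pptp": (6, 1723), "svc-esp": (50, None), "svc-gre": (47, None),
    "svc-http": (6, 80), "svc-https": (6, 443), "svc-dns": (17, 53),
    "svc-dhcp": (17, 67), "svc-icmp": (1, None),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def derive_role(cp_default_role, cp_default_guest_role, auth_method,
                local_db_role=None, server_group_sets_role=False):
    """Role a captive-portal user lands in, per reply 12: email-only logins get
    the default guest role; username/password logins get the CP default role
    unless the server group carries 'set role condition Role value-of', in
    which case the local-userdb role wins."""
    if auth_method == "email":
        return cp_default_guest_role
    if server_group_sets_role and local_db_role:
        return local_db_role
    return cp_default_role


def service_matches(service, flow):
    """Match an alias, 'any', or the explicit 'tcp N [M]' / 'udp N [M]' form."""
    if service == "any":
        return True
    if service in SERVICES:
        proto, port = SERVICES[service]
        return flow.proto == proto and (port is None or flow.dport == port)
    parts = service.split()
    proto = {"tcp": 6, "udp": 17}[parts[0]]
    lo = int(parts[1])
    hi = int(parts[2]) if len(parts) > 2 else lo
    return flow.proto == proto and lo <= flow.dport <= hi


def endpoint_matches(spec, addr, client_ip):
    if spec == "any":
        return True
    if spec == "user":  # 'user' = the authenticated client's own address (assumed)
        return addr == client_ip
    return addr == spec


def evaluate(role_acls, flow, client_ip):
    """role_acls: ordered [(acl_name, [(src, dst, service, action), ...])].
    First matching rule wins; no match = implicit deny (assumed)."""
    for name, rules in role_acls:
        for idx, (src, dst, service, action) in enumerate(rules, 1):
            if (endpoint_matches(src, flow.src, client_ip)
                    and endpoint_matches(dst, flow.dst, client_ip)
                    and service_matches(service, flow)):
                return action, name, idx
    return "deny", None, None


def parse_session_row(line):
    """One 'show datapath session table' row -> (Flow, flags). Columns are
    whitespace separated; the last token is the flag string ('D' = deny)."""
    t = line.split()
    return Flow(t[0], t[1], int(t[2]), int(t[3]), int(t[4])), t[-1]


def denied_flows(rows):
    """Flows the controller datapath itself is dropping (rows with the 'D' flag)."""
    return [flow for flow, flags in map(parse_session_row, rows) if "D" in flags]


# Guest role before the fix: only the web/DHCP/ICMP/DNS ACLs seen in reply 21.
GUEST_BEFORE = [
    ("http-acl", [("any", "any", "svc-http", "permit")]),
    ("https-acl", [("any", "any", "svc-https", "permit")]),
    ("dhcp-acl", [("any", "any", "svc-dhcp", "permit")]),
    ("icmp-acl", [("any", "any", "svc-icmp", "permit")]),
    ("dns-acl", [("any", "any", "svc-dns", "permit")]),
]
# vpnlogon as listed in reply 2, plus the svc-natt rule added in reply 22.
VPNLOGON = [("user", "any", "svc-ike", "permit"), ("user", "any", "svc-esp", "permit"),
            ("any", "any", "svc-l2tp", "permit"), ("any", "any", "svc-pptp", "permit"),
            ("any", "any", "svc-gre", "permit"), ("any", "any", "svc-natt", "permit")]
GUEST_AFTER = GUEST_BEFORE + [("vpnlogon", VPNLOGON)]

# Constructed session-table rows; the first mirrors the FDC entry in the thread.
SAMPLE_ROWS = [
    "10.1.2.3   203.0.113.5   17   500   500   0/0   0 96  0   tunnel 71   6    FDC",
    "10.1.2.3   203.0.113.5    6 51234   443   0/0   0  0  0   tunnel 71   6    C",
]

if __name__ == "__main__":
    client = "10.1.2.3"
    print("role after CP login:", derive_role("auth-guest", "guest", "userpass", "guest", True))
    for flow in denied_flows(SAMPLE_ROWS):
        print(flow, "before:", evaluate(GUEST_BEFORE, flow, client),
              "after:", evaluate(GUEST_AFTER, flow, client))
```

Run it as a script to see the IKE flow denied under the original guest ACL set and permitted by the vpnlogon policy once it is attached to the role the user really gets. The model is deliberately stateless, so it only answers the question "does this role's ACL list permit the client-initiated packet"; return traffic for an established session is handled by the controller's stateful firewall, which this example does not model.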



  • 23.  RE: VPN problems

    Posted Sep 11, 2012 10:14 AM
    What is natting your guest traffic out to the internet?



  • 25.  RE: VPN problems

    Posted Sep 11, 2012 10:19 AM

    The guest network is using VLAN 2, and source NAT is enabled on this VLAN.



  • 26.  RE: VPN problems

    Posted Sep 11, 2012 10:23 AM
    Okay. What does the NAT after that? You might want to make your guest VLAN fully routable to avoid the double NAT.


  • 27.  RE: VPN problems

    Posted Sep 11, 2012 10:27 AM

    Could you please be more specific about how to check this?

     

    I really appreciate your prompt reply on this.



  • 28.  RE: VPN problems

    Posted Sep 12, 2012 07:37 AM

    I am asking, do you have a firewall that protects all of your users from the internet?  What kind is it?

     



  • 29.  RE: VPN problems

    Posted Sep 12, 2012 08:28 AM

    We don't have any firewall in our environment.

     

    We are using ELFIQ as a load balancer, and the Aruba is directly connected to the ELFIQ.

     

    There is no firewall between the ELFIQ and the Aruba.



  • 30.  RE: VPN problems

    Posted Sep 12, 2012 11:04 AM

    What translates your private internal addresses into a public internet address for internet access?

     



  • 31.  RE: VPN problems

    Posted Sep 12, 2012 11:52 AM

    I guess the ELFIQ translates private addresses to public addresses.