Wireless Access

last person joined: 4 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

policy and firewall settings / initial config

This thread has been viewed 0 times
  • 1.  policy and firewall settings / initial config

    Posted Feb 24, 2012 10:00 AM

    I wanting want to deploy a RAP5 and use split tunneling, but to do so, I need firewall and policy settings.  The last time I applied a PEFNG license it took down our wireless network because the firewall policy for the the user role that our devices get assigned to is "Not Configured".  When I applied the licenses it enatced a firewall rule of Deny All since it was "Not Configured.

     

    However I cannot figure out how to add a Firewall policy to this user role.  Do I need to create a new user role and apply the firewall policy to it and then change the user role for our auth'd users to the new user role?

     

    Sorry if this is confusing.

     

    Josh



  • 2.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 10:24 AM

    Josh,

     

    Yes, you will need to create firewall policies, create a user role with the associated firewall policies and then apply the new user role to the auth'd users.

     

    -Mike



  • 3.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:20 AM

    I have created a firewall policy, and I am attempting to create a User Role.  When I hit new for the user role I do not have an "add" button to pick a firewall policy.



  • 4.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:34 AM

    Can you post a screen shot of this? I just want to make sure you are in the right place.



  • 5.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:40 AM
      |   view attached

    Here you go.



  • 6.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:43 AM

    I have seen that happen before after an AOS upgrade. My recommendation is to clear your cache and try it again. Also, try it in Chrome as well.



  • 7.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:45 AM

    It is happening in Chrome too.  We did upgrade to 5.0.4.4 last week.  I will flush browser cache and see what happens.



  • 8.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:48 AM

    just for my own sanity, how do you add a user-role in the terminal session?  I see in documentation that it should be #user-role "UserRole"

     

    but it is not accepting it as a valid command.



  • 9.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:51 AM

    Make sure you are in config t mode first:

     

    (Aruba3200) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z

    (Aruba3200) (config) #user-role ?
    STRING Name of user role



  • 10.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:56 AM

    I am in config t

    this is the output i get

     

    (jhsscmc3600) (config) #user-role ?

    (jhsscmc3600) (config) #user-role



  • 11.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 12:03 PM

    I would open a case with TAC. That is odd.

     

    The only time I've seen that is when the controller doesn't have any licenses on it. But you said you installed the PEFNG license. So that should work.



  • 12.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 12:26 PM

    I did install the licesnes but removed them because all of my profiles that are used have firewall policies of "Not Configured".  So when the licesnes were applied it applied a deny rule to all my users.

     

    I think I am in a catch22 if you will.  To change the firewall policy I need to apply the Lic, but if I apply the Lic, the users get a Deny policy until it is configed.

     

    Make sense?



  • 13.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 12:45 PM
      |   view attached

    Yes, we understand the issue.

     

    1. Without license, you cannot create or edit the user role.

    2. when the liceses are added and after reload, it should create the respective roles and polices. 

     

    Please use the below steps. 

     

    1. List out all the roles where the users are falling into. ( most likely logon or guest role)

    1.  upload the license. 

    2.  save the config and reload the controller.

    3.  try "show right". you should be able to see the default polices and roles. 

    4. If not copy and paste the commands on the attached file and you should be able to get the default roles and policies. 

     

     

    Attachment(s)

    docx
    default-acl.docx   14 KB 1 version


  • 14.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 12:56 PM

    Since I did apply the licesnes at one time, I did a "show right" and got the following:

     

    (jhsscmc3600) #show right

    RoleTable --------- Name               ACL  Bandwidth                  ACL List                  Type ----               ---  ---------                  --------                  ---- ap-role            4    Up: No Limit,Dn: No Limit                            System cpbase             14   Up: No Limit,Dn: No Limit  cpbase/                   User denyall            12   Up: No Limit,Dn: No Limit  denyall/                  User guest              3    Up: No Limit,Dn: No Limit                            User guest-logon        6    Up: No Limit,Dn: No Limit                            User jmh-guest-cp_prof  39   Up: No Limit,Dn: No Limit  jmh-guest-cp_prof/        User logon              1    Up: No Limit,Dn: No Limit                            User stateful-dot1x     5    Up: No Limit,Dn: No Limit                            System sys-ap-role        7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/  System (not editable)

     

    There is a profile called "jmh-guest-cp_prof" that does have a firewall policy applied to it.  This user-role is not referenced anywhere so it is not in use.  If I change the firewall policy on this user role to a policy of "allowall", then apply my licesens will this allow my users to work?



  • 15.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 01:03 PM

    Thanks for the reply. 

     

    I suspect  "jmh-guest-cp_prof"  role was created by the controller, when you created a captive portal profile called "jmh-guest-cp_prof". (without PEF)

     

    To answer your second question. 

     

    You cannot apply any ACL to any role without applying license. You can do this after applying license and reloading the controller. 



  • 16.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 04:19 PM

    thanks for the help.  applied all applicable licesens.  all is well.



  • 17.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 12:09 PM

    Can you provide the output of "show license"?

     

    -Mike



  • 18.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 12:21 PM

    Also share the show keys all output. 



  • 19.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 11:52 AM

    Here is what the configure looks like:

     

    !
    user-role test-role
     access-list session allow-ports
    !

     To do the above, assuming you have the "allow-ports" policy define, you would do the following:

     

    From the # prompt:
    - configure terminal
    - user-role test-role
    - access-list session allow-ports
    - exit

     

    Run "show rights test-role" to verify the configuration.

     

    -Mike



  • 20.  RE: policy and firewall settings / initial config

    Posted Feb 24, 2012 10:33 AM

    @joshb wrote:

    I wanting want to deploy a RAP5 and use split tunneling, but to do so, I need firewall and policy settings.  The last time I applied a PEFNG license it took down our wireless network because the firewall policy for the the user role that our devices get assigned to is "Not Configured".  When I applied the licenses it enatced a firewall rule of Deny All since it was "Not Configured.

     

    However I cannot figure out how to add a Firewall policy to this user role.  Do I need to create a new user role and apply the firewall policy to it and then change the user role for our auth'd users to the new user role?

     

    Sorry if this is confusing.

     

    Josh


    Under the "Remote Access Points" chapter in the ArubaOS user guide, there is a subchapter called "Split Tunneling" that details how.