Wireless Access

  • 1.  AirGroup AirPlay ACL

    Posted Jul 21, 2014 10:25 AM

    For those who are using AirGroup, do you have any ACLs you could share?

    According to an Aruba engineer, for AirPlay to work you need to allow incoming access from all AirGroup servers to AirGroup users on the UDP & TCP ephemeral ports!

     

    For example,

    netservice AirPlay-TCP-List tcp list "5000 7000 7001 7100 8612"
    netservice AirPlay-UDP-List udp list "7010 7011 8612"
    netservice AirPlay-UDP-Range udp 49152 65535
    netservice AirPlay-TCP-Range tcp 49152 65535
    !
    netdestination Client-Net
      network <ip subnet of clients>
    !
    netdestination AppleTV
      host <ip address of AppleTV>
    !
    ip access-list session user-control
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dhcp  permit
      any any svc-dns  permit
    !
    ip access-list session bcmc-control
      any any udp 5353  permit
      any host 224.0.0.251 any  permit
      any network 224.0.0.0 224.0.0.0 any  deny
    !
    ip access-list session AirPlay-acl
      alias Client-Net   alias AppleTV AirPlay-TCP-List  permit queue high
      alias Client-Net   alias AppleTV AirPlay-TCP-Range  permit queue high
      alias Client-Net   alias AppleTV AirPlay-UDP-List  permit queue high
      alias Client-Net   alias AppleTV AirPlay-UDP-Range  permit queue high
      alias AppleTV   alias Client-Net AirPlay-TCP-List  permit queue high
      alias AppleTV   alias Client-Net AirPlay-TCP-Range  permit queue high
      alias AppleTV   alias Client-Net AirPlay-UDP-List  permit queue high
      alias AppleTV   alias Client-Net AirPlay-UDP-Range  permit queue high
    !

    That appears to be a rather large security hole!

    How are other AirGroup users handling this?
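The worry in the post is that the two `*-Range` netservices turn a narrow AirPlay rule into a 16384-port permit in each direction. A quick way to see how much of an ACL set is "broad" before pushing it to the controller is to expand every netservice and count the ports each permit rule covers. The linter below is an added example written for this thread; it is not Aruba code and it only understands the handful of ArubaOS session-ACL forms that appear in the post (`netservice ... list "..."`, `netservice ... <lo> <hi>`, `alias`/`host`/`network`/`any`/`user` endpoints, inline `tcp`/`udp <port>` and `svc-*` services). The embedded config is the post's own, with the two placeholders replaced by constructed values (`10.20.0.0/16` and `10.20.0.50`), and the 1024-port threshold is an assumption.

```python
"""Lint ArubaOS session ACL text for permit rules that span many ports.

Added example for the AirGroup/AirPlay thread; assumption: a permit whose
service covers more than PORT_THRESHOLD ports is worth a second look.
"""
import re
from dataclasses import dataclass

PORT_THRESHOLD = 1024   # assumption, not an Aruba default

# Constructed sample: the post's config with the <placeholders> filled in.
CONFIG = """
netservice AirPlay-TCP-List tcp list "5000 7000 7001 7100 8612"
netservice AirPlay-UDP-List udp list "7010 7011 8612"
netservice AirPlay-UDP-Range udp 49152 65535
netservice AirPlay-TCP-Range tcp 49152 65535
!
netdestination Client-Net
  network 10.20.0.0 255.255.0.0
!
netdestination AppleTV
  host 10.20.0.50
!
ip access-list session user-control
  user any udp 68  deny
  any any svc-icmp  permit
  any any svc-dhcp  permit
  any any svc-dns  permit
!
ip access-list session bcmc-control
  any any udp 5353  permit
  any host 224.0.0.251 any  permit
  any network 224.0.0.0 224.0.0.0 any  deny
!
ip access-list session AirPlay-acl
  alias Client-Net   alias AppleTV AirPlay-TCP-List  permit queue high
  alias Client-Net   alias AppleTV AirPlay-TCP-Range  permit queue high
  alias Client-Net   alias AppleTV AirPlay-UDP-List  permit queue high
  alias Client-Net   alias AppleTV AirPlay-UDP-Range  permit queue high
  alias AppleTV   alias Client-Net AirPlay-TCP-List  permit queue high
  alias AppleTV   alias Client-Net AirPlay-TCP-Range  permit queue high
  alias AppleTV   alias Client-Net AirPlay-UDP-List  permit queue high
  alias AppleTV   alias Client-Net AirPlay-UDP-Range  permit queue high
!
"""


@dataclass
class Rule:
    acl: str
    src: str
    dst: str
    proto: str      # "tcp", "udp", "any" or "svc" (svc-dns, svc-icmp, ...)
    ports: int      # number of ports the service covers (0 for svc-* rules)
    action: str
    text: str


def parse_netservices(lines):
    """Map netservice name -> (proto, set of ports) for list and range forms."""
    services = {}
    for line in lines:
        m = re.match(r'\s*netservice\s+(\S+)\s+(tcp|udp)\s+(.*)$', line)
        if not m:
            continue
        name, proto, rest = m.groups()
        if rest.strip().startswith('list'):
            ports = {int(p) for p in re.findall(r'\d+', rest)}
        else:                                   # "<port>" or "<lo> <hi>"
            nums = [int(n) for n in rest.split()]
            ports = set(range(nums[0], nums[-1] + 1))
        services[name] = (proto, ports)
    return services


def _take_endpoint(tokens):
    head = tokens.pop(0)
    if head in ('alias', 'host'):
        return f'{head} {tokens.pop(0)}'
    if head == 'network':
        return f'network {tokens.pop(0)} {tokens.pop(0)}'
    return head                                 # any / user


def _take_service(tokens, services):
    head = tokens.pop(0)
    if head in ('tcp', 'udp'):                  # inline "udp 68" or "tcp lo hi"
        nums = []
        while tokens and tokens[0].isdigit():
            nums.append(int(tokens.pop(0)))
        return head, (nums[-1] - nums[0] + 1) if nums else 65536
    if head in services:
        proto, ports = services[head]
        return proto, len(ports)
    if head == 'any':
        return 'any', 65536                     # every port, every protocol
    return 'svc', 0                             # fixed well-known service alias


def parse_acls(text):
    """Return every rule inside 'ip access-list session' blocks."""
    lines = text.splitlines()
    services = parse_netservices(lines)
    rules, current = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'ip access-list session (\S+)', line)
        if m:
            current = m.group(1)
            continue
        if line == '!':
            current = None
            continue
        if current is None:
            continue
        tokens = line.split()
        src = _take_endpoint(tokens)
        dst = _take_endpoint(tokens)
        proto, count = _take_service(tokens, services)
        action = tokens.pop(0) if tokens else '?'
        rules.append(Rule(current, src, dst, proto, count, action, line))
    return rules


def broad_permits(rules, threshold=PORT_THRESHOLD):
    return [r for r in rules if r.action == 'permit' and r.ports > threshold]


def exposure_by_acl(rules):
    """Total permitted ports per ACL, summed over rules (directions count twice)."""
    totals = {}
    for r in rules:
        totals[r.acl] = totals.get(r.acl, 0) + (r.ports if r.action == 'permit' else 0)
    return totals


if __name__ == '__main__':
    parsed = parse_acls(CONFIG)
    for f in broad_permits(parsed):
        print(f'{f.acl}: {f.ports} {f.proto} ports  <- {f.text}')
    print(exposure_by_acl(parsed))
```

Run against the sample, the four `*-Range` rules in `AirPlay-acl` and the `any host 224.0.0.251 any permit` rule in `bcmc-control` are reported; the list-based AirPlay rules (5 TCP and 3 UDP ports per direction) are not. The per-ACL total makes the asymmetry obvious: the explicit lists contribute 16 ports to `AirPlay-acl`, the ephemeral ranges contribute 65536.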




  • 2.  RE: AirGroup AirPlay ACL

    Posted Aug 21, 2014 10:32 AM

    Not sure if it is true (consider this also an "I'm interested" bump), but if it is, is that really such a huge security issue? There should be nothing going on on those high ports, right?