What kind of clients are those exactly? Are those tunneled wireless clients?
Policy domain is an AOS 8 feature that is not applicable here. It was designed to share role information between separate clusters and/or standalone controllers, in order to enforce Role-to-Role (R2R) policies. As such this doesn't exist in AOS 10.
Within the same AOS 10 cluster, this information is synced implicitly. R2R should work for clients tunneled to the same gateway cluster except for a few corner scenarios depending on the traffic flow.
I don't think this has anything to do with AOS 10 per se, as whatever is preventing the R2R from working as expected would be the same in an AOS 8 implementation.
Hope the engineering ticket will provide you some deeper analysis on your setup.
------------------------------
I work for Aruba. Any opinions expressed here are solely my own and do not represent those of Hewlett Packard Enterprise or Aruba.
------------------------------
Original Message:
Sent: Jan 08, 2024 09:28 AM
From: Mflowers@beta.team
Subject: AOS10 Controllers - Role-Based ACL doesn't work with two controllers
Hello,
This is more a warning for anyone that is using AOS10 and multiple controllers.
If you have two controllers in HA (active-active) then user ACLs will not work correctly if the users are on different controllers.
Example:
src: ROLE-A | dst: ROLE-B | action: Deny
src: any    | dst: any    | action: allow
If ROLE-A and ROLE-B users are on the same controller then this will work correctly. If the users in ROLE-A and ROLE-B are on different controllers then this will fail to block the traffic. From my testing it looks like the role information for a user is lost when traffic flows between different controllers - even if both controllers are in the same HA group.
BTW - this took over 1 month for TAC to raise as an issue/bug. I created a ticket about this on 11/6/2023 as a sev 2. It wasn't until 12/14/2023 that I finally got this response back:
"I have reported this issue to Our Engineering team with ref Bug#AOS-250024 and currently they are looking into this issue.
I will keep you posted with further updates as I get an update.
Please standby!"
I am assuming it is related to this but I have no way to change/edit the config of the controllers manually and there is no option to set this in Aruba Central:
policy-domain

Arubanetworks command reference: policy-domain
policy-domain group-profile clone controller controller-v6 no
This command configures a policy domain profile to apply role-based ACL for users present in different controllers. Only one domain group profile is supported in this release. The command should be executed in the /md node and the policy domain group profile supports IPv4 and IPv6 addresses but a combination of both is not supported.