Hi Asim.
How to configure a role on switches depends on the switch model.
For AOS-S for example: block access to subnets 192.168.0.0 and allow all others
class ipv4 "BLOCKED_NETWORK"
   10 match ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
class ipv4 "IP-ANY-ANY"
   10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
policy user "BLOCK_INTERNAL"
   10 class ipv4 "BLOCKED_NETWORK" action deny
   20 class ipv4 "IP-ANY-ANY" action permit
aaa authorization user-role name BLOCKED_DEVICE
   policy BLOCK_INTERNAL
   vlan-name QUARANTINE
For AOS-CX the same example can look like:
class ip BLOCKED_NETWORK
    match any any 192.168.0.0/255.255.0.0
class ip ANY-ANY
    match any any any
port-access policy BLOCK_INTERNAL
    class ip BLOCKED_NETWORK action drop
    class ip ANY-ANY
port-access role BLOCKED_DEVICE
    associate policy BLOCK_INTERNAL
    vlan access name QUARANTINE
For details and caveats, please look into the documentation of the respective switch platform. Here are just examples without any details.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
------------------------------
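An offline check of the AOS-S policy from the reply above, added here as an example; it is not part of the original post and not Aruba tooling. It parses the class and policy lines, applies the wildcard masks, and returns the first-match action for a source/destination pair. The function names, the sample addresses, and the implicit deny for unmatched traffic are assumptions.

```python
import ipaddress

# The AOS-S classes and policy quoted from the reply above.
CONFIG = '''
class ipv4 "BLOCKED_NETWORK"
   10 match ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
class ipv4 "IP-ANY-ANY"
   10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
policy user "BLOCK_INTERNAL"
   10 class ipv4 "BLOCKED_NETWORK" action deny
   20 class ipv4 "IP-ANY-ANY" action permit
'''

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    # Wildcard (inverse) mask: bits set to 1 are ignored, bits set to 0 must be equal.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse(config):
    classes, policy, current = {}, [], None
    for line in config.splitlines():
        tok = line.replace('"', "").split()
        if not tok:
            continue
        if tok[:2] == ["class", "ipv4"]:
            current = classes.setdefault(tok[2], [])
        elif tok[0] == "policy":
            current = None
        elif tok[1:3] == ["match", "ip"]:
            current.append(tuple(tok[3:7]))  # (src, src wildcard, dst, dst wildcard)
        elif tok[1:3] == ["class", "ipv4"]:
            policy.append((int(tok[0]), tok[3], tok[5]))  # (sequence, class name, action)
    return classes, sorted(policy)

def evaluate(src, dst, config=CONFIG):
    classes, policy = parse(config)
    for _seq, name, action in policy:  # lowest sequence number first; first match wins
        for s, sw, d, dw in classes[name]:
            if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
                return action
    return "deny"  # assumption: traffic matching no class is dropped (implicit deny)
```

Calling `evaluate("10.1.1.5", "192.168.44.10")` shows that the wildcard `0.0.255.255` covers the whole 192.168.0.0/16 range, and renumbering the deny entry after the permit entry shows why the sequence order in the policy matters.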
Original Message:
Sent: Mar 03, 2025 09:22 PM
From: asim
Subject: Blocking a client on a CX switch using Aruba Central
Hi Gorazd,
Thank you for your assistance.
Could you please provide information on how to add a Client Role in the switch? Currently, the roles I have configured on the Wireless Access Points are visible, but there are no rules for the switch.
I have configured a role on the switch as shown below, but it does not appear:

Original Message:
Sent: Feb 28, 2025 02:11 AM
From: GorazdKikelj
Subject: Blocking a client on a CX switch using Aruba Central
Hi.
Yes, you can. Tag those devices with your tag and then create a policy to set the role for those devices.
Create a tag with this client signature or update the already existing signature for those devices.

Create the required role on the switch and assign it to this tag.

Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Feb 27, 2025 07:05 PM
From: asim
Subject: Blocking a client on a CX switch using Aruba Central
Hi, we have a situation where some users are bringing VPN wireless routers, such as the GL.iNet CRETA.
We can identify these devices in Aruba Central since they all use the OpenWRT OS.
Is there a way to block them either by OS or MAC address at the switch level using Aruba Central?