Gorazd,
I double checked the NetDestinations to be sure 10.2.0.0 subnet wasn't included and verified the correct role is being assigned. I've opened a ticket with TAC so we'll see what they are able to find. I'll update this discussion with what TAC is able to find, and hopefully fix.
-- Sincerely,
Matt Dillion
Assistant Director of Infrastructure Services
Christopher Newport University
1 Avenue for the Arts
Newport News, VA 23606
O: (757) 594-8628
C: (757) 897-8802
E: matthew.dillion@cnu.edu
Original Message:
Sent: 5/14/2025 8:55:00 AM
From: GorazdKikelj
Subject: RE: Denied wireless user traffic to domain controller
Hi Matt.
Just an idea. Can it be that the 10.2.0.0 subnet is embedded in one of the deny aliases?
Another reason can be that the client gets a wrong role.
Try to see what is returned for the client role with "show rights <role>". This should show all active rules for the role.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
------------------------------
Original Message:
Sent: May 13, 2025 01:19 PM
From: Matt Dillion
Subject: Denied wireless user traffic to domain controller
Brad,
Yes sir, I've checked and rechecked. Attached are pics of the policies in use and their order.
------------------------------
[Matt]
[Director of Infrastructure Services]
Original Message:
Sent: May 13, 2025 12:37 PM
From: Brad
Subject: Denied wireless user traffic to domain controller
Matt,
Did you double check the order of your ACL(s)? Maybe a simple mis-ordering of the ACE (single rule) entries?
Thanks,
Brad
Original Message:
Sent: 5/13/2025 12:35:00 PM
From: Matt Dillion
Subject: Denied wireless user traffic to domain controller
Good afternoon all,
We're dealing with a University-owned computer that has authenticated successfully and thus been successfully assigned an Aruba role within our AOS 8.10 Controller environment. The role has been configured to deny traffic to a couple of subnets and then allow all. All of that said, I'm seeing traffic from this client to our domain controller getting denied (see datapath output below). Since the role should allow this traffic, I'm at a loss as to why it would still get denied.
Client IP = 10.124.35.58
Domain Controller IP = 10.2.0.63
Second DC IP = 10.2.0.62
---------------------------------------------------------------------------------------------------------------------------------------------------
(MC1) [MDC] *#show datapath session table 10.124.35.58 | include 10.2.0.6
10.124.35.58 10.2.0.63 17 63905 389 0/0 0 0 0 tunnel 6209 9 3 756 FDC 20
10.2.0.63 10.124.35.58 17 389 63905 0/0 0 0 1 tunnel 6209 9 0 0 FDY 20
10.124.35.58 10.2.0.62 6 50458 445 0/0 0 0 1 tunnel 6209 221 68 17214 Ci 20
10.2.0.62 10.124.35.58 6 445 50458 0/0 0 0 1 tunnel 6209 221 64 9636 i 28
10.2.0.62 10.124.35.58 17 389 63907 0/0 0 0 0 tunnel 6209 8 0 0 FDY 20
10.124.35.58 10.2.0.62 17 63907 389 0/0 0 0 0 tunnel 6209 8 3 756 FDC 20
------------------------------
[Matt]
[Director of Infrastructure Services]
------------------------------
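A small parser over the session-table rows quoted in the post above, as an added example that is not from the thread or from Aruba: it picks out the sessions carrying the D (deny) flag and groups the client-originated ones by destination and port, which is the list to compare against the role's "show rights" output. The 16-token "tunnel" row layout and the flag legend are assumptions taken from the standard AOS session-table output; verify both against your own controller.

```python
"""Flag denied flows in 'show datapath session table' output (AOS 8).

Added example, not part of the forum thread. Column positions follow the
tunnel-style row layout seen in the thread; the flag legend is from the
table's header key as remembered and should be checked on the controller.
"""
from collections import Counter

# Constructed sample: the six rows quoted in the thread, prompt stripped.
SAMPLE = """\
10.124.35.58 10.2.0.63 17 63905 389 0/0 0 0 0 tunnel 6209 9 3 756 FDC 20
10.2.0.63 10.124.35.58 17 389 63905 0/0 0 0 1 tunnel 6209 9 0 0 FDY 20
10.124.35.58 10.2.0.62 6 50458 445 0/0 0 0 1 tunnel 6209 221 68 17214 Ci 20
10.2.0.62 10.124.35.58 6 445 50458 0/0 0 0 1 tunnel 6209 221 64 9636 i 28
10.2.0.62 10.124.35.58 17 389 63907 0/0 0 0 0 tunnel 6209 8 0 0 FDY 20
10.124.35.58 10.2.0.62 17 63907 389 0/0 0 0 0 tunnel 6209 8 3 756 FDC 20
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumed legend (AOS header key): D = deny, F = fast age, C = client, Y = no SYN
FLAG_LEGEND = {"D": "deny", "F": "fast age", "C": "client-initiated", "Y": "no SYN seen"}


def parse_sessions(text):
    """Return one dict per row: src dst prot sport dport cntr prio tos age 'tunnel' id tage pkts bytes [flags] cpu."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) not in (15, 16) or f[9] != "tunnel":
            continue  # prompt, header, separator, or a row layout this parser does not handle
        flags = f[14] if len(f) == 16 else ""  # Flags column is blank on some rows
        rows.append({
            "src": f[0], "dst": f[1], "proto": PROTO.get(int(f[2]), f[2]),
            "sport": int(f[3]), "dport": int(f[4]),
            "packets": int(f[12]), "bytes": int(f[13]),
            "flags": flags, "denied": "D" in flags,
        })
    return rows


def denied_from(rows, client_ip):
    """Denied sessions the client itself opened, counted per (dst, proto, dport)."""
    hits = Counter()
    for r in rows:
        if r["denied"] and r["src"] == client_ip:
            hits[(r["dst"], r["proto"], r["dport"])] += 1
    return hits


if __name__ == "__main__":
    for (dst, proto, dport), n in sorted(denied_from(parse_sessions(SAMPLE), "10.124.35.58").items()):
        print(f"DENIED {proto}/{dport} -> {dst}: {n} session(s); check which role ACE or NetDestination matches {dst}")
```

Here the output is the two UDP/389 (LDAP) flows to 10.2.0.63 and 10.2.0.62, while TCP/445 to the same DC is passing, so the rule to look for is one that matches UDP/389 or the 10.2.0.0 range rather than a blanket block on the subnet.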