Hi!
I have looked at it, but I don't see any ACLs in these policies:
(attiwwctrl01) #show rights authenticated
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'authenticated'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
ACL Number = 55/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-authenticated-sacl session
3 allowall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-authenticated-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
Expired Policies (due to time constraints) = 0
I have now configured a static IP address on the client.
When I look at the client's status in the Web GUI I can see that there is a "deny" for my ICMP ping from the client to the default gateway - and: the client has the role "authenticated" but isn't authenticated (is that the problem?)
I had a quick look in my lab guide from the Mobility Boot Camp from last year - there is a very similar scenario in Lab 3 - as I remember, this worked without any problems.
I have changed the initial role to "logon", which also has no ACLs in it - same problem.
See the denies:
(attiwwctrl01) (config) #show datapath session table 10.3.0.10
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop
A - Application Firewall Inspect
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.3.0.10 10.3.0.12 1 1395 2048 0/0 0 0 0 tunnel 10 2 0 0 FDYC
10.3.0.10 239.255.255.250 17 62197 1900 0/0 0 0 0 tunnel 10 3 0 0 FDYC
(attiwwctrl01) (config) #
(attiwwctrl01) (config) #show user-table ip 10.3.0.10
Name: , IP: 10.3.0.10, MAC: 5c:51:4f:8a:36:5d, Age: 00:00:03
Role: logon (how: ROLE_DERIVATION_INITIAL_ROLE), ACL: 2/0
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: ROLE_DERIVATION_INITIAL_ROLE
VLAN Derivation: Default VLAN
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 27
phy_type: a-VHT-80, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
Vlan default: 3, Assigned: 3, Current: 3 vlan-how: 1 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x2100, Port=0x1000a (tunnel 10)
Essid: tiw-private, Bssid: 04:bd:88:79:e6:30 AP name/group: AP_xxx_West_Raum1/xxxxxxxx Phy-type: a-VHT-80
RadAcct sessionID:n/a
RadAcct Traffic In 107/14708 Out 0/0 (0:107/0:0:0:14708,0:0/0:0:0:0)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:tiw-private-aaa_prof, dot1x:dot1x_prof-cqi86, mac: CP:n/a def-role:'logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1457516265 (Wed Mar 9 10:37:45 2016)
Core User Born: 1457510752 (Wed Mar 9 09:05:52 2016)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String:
Max IPv4 users: 2
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: N/A, dot1x auth server: N/A
Address is from DHCP: no
Per-user-log pointer 0x13002bc (id 35), num logs 56
(attiwwctrl01) (config) #
I don't need any ACLs or the firewall for this scenario, as there is a company firewall in place.
Maybe I will have to go back to the Aruba school...
Manfred
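Reading the session table above by script, as an added example that is not part of the original post and not Aruba code: a Python parser for the "show datapath session table" output that decodes the Flags legend and lists every session carrying the D (deny) flag, which is the quickest way to confirm that the datapath, not the upstream company firewall, is dropping the ping. The sample text is constructed from the post's output, and the ICMP type decoding from DPort (2048 = 0x0800, i.e. type 8 echo request) is an assumption.

```python
import re
# Constructed sample mirroring the post's output (flag legend plus two session rows).
SAMPLE = """Datapath Session Table Entries
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
C - client, M - mirror, V - VOIP
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.3.0.10 10.3.0.12 1 1395 2048 0/0 0 0 0 tunnel 10 2 0 0 FDYC
10.3.0.10 239.255.255.250 17 62197 1900 0/0 0 0 0 tunnel 10 3 0 0 FDYC
"""

LEGEND_RE = re.compile(r"([A-Za-z]) - ([^,]+)")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_legend(text):
    """Map each flag letter to its meaning using the 'Flags:' legend lines."""
    legend = {}
    for line in text.splitlines():
        if line.startswith("Source IP"):  # the column header ends the legend
            break
        for letter, meaning in LEGEND_RE.findall(line.replace("Flags:", "")):
            legend[letter] = meaning.strip()
    return legend

def parse_sessions(text):
    """One dict per session row. 'Destination' may be two tokens ('tunnel 10'),
    so the fixed trailing columns (TAge, Packets, Bytes, Flags) are taken from the end."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 14 or not (IP_RE.match(tok[0]) and IP_RE.match(tok[1])):
            continue
        proto, dport = int(tok[2]), int(tok[4])
        service = f"{PROTO.get(proto, proto)}/{dport}"
        if proto == 1:  # assumed encoding: ICMP type in the high byte of DPort (2048 -> type 8)
            service = f"icmp type {dport >> 8}"
        rows.append({"src": tok[0], "dst": tok[1], "service": service,
                     "dest": " ".join(tok[9:-4]), "packets": int(tok[-3]),
                     "bytes": int(tok[-2]), "flags": tok[-1]})
    return rows

def denied_flows(text):
    """Describe every session carrying the D (deny) flag, with all flags decoded."""
    legend = parse_legend(text)
    return [f"{s['src']} -> {s['dst']} {s['service']} denied via {s['dest']} "
            f"[{', '.join(legend.get(f, '?') for f in s['flags'])}]"
            for s in parse_sessions(text) if "D" in s["flags"]]
```

Run it on the pasted output of the command (for example via `denied_flows(open("session.txt").read())`); any entry listed there was dropped by the controller's own role ACLs before it ever reached the company firewall.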