Wireless Access

That is because your interface that is physically connected to the firewall is "untrusted".   Having a wired interface being untrusted means any traffic that tries to enter that wired interface from the outside becomes a "user". 

You should instead have a session ACL on that port, instead of making it untrusted:

You should have something like this:

interface vlan 4000 
    ip address dhcp-client 
    ip nat outside 

ip access-list session Uplink 
    any any svc-dhcp permit 
    any any any deny 

interface gigabitethernet 0/0/3 
    description "GE0/0/3" 
    trusted 
    trusted vlan 4000 
    no poe 
    ip access-group session "Uplink" 
    switchport mode access 
    switchport access vlan 4000 
   

It will allow your controller to get a dhcp ip address, but block everything else.  VLAN 4000 is the VLAN that I use to obtain the WAN ip address that the router assigns to me.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Nov 30, 2023 02:08 PM
From: JT
Subject: Public IP address entries populating user table.

Hello,

 

noticed on a Aruba 7008 controller (8.10.0.7) that public IP addresses appear to be populating the user table under "wired" alongside the wireless users and consuming user table entries.

 

Consequently, the 1024 user limit on the controller keeps breaching and alongside the error messages, users on the site experience issues with connectivity.

 

The setup is pretty straight forward:

 

wireless user -> AP -> 7008 controller -> wired connection -> ISP firewall.

- the wired connection is a direct Cat6 cable from the controller to the ISP firewall port.

 

 

I've found an article suggesting that modifying the "validuser" acl, it might fix the issue but having tried this by defining only the internal subnet,  whilst the public IP addresses disappeared, unfortunately so did the internet connectivity.

 

Has anyone had a similar experience and if so, what was the fix for it?

 

Is there any documentation someone can point me towards to explain the use of roles and profiles as I suspect there is a misconfiguration somewhere.

 

Apologies if this is a noob question and there is an obvious answer but that answer is eluding me..

 

Many thanks in advance..

Hello,

thanks very much - setting the interface and the VLAN as "trusted" fixed the issue in the end.

Original Message:
Sent: Dec 03, 2023 08:02 PM
From: cjoseph
Subject: Public IP address entries populating user table.

That is because your interface that is physically connected to the firewall is "untrusted".   Having a wired interface being untrusted means any traffic that tries to enter that wired interface from the outside becomes a "user". 

You should instead have a session ACL on that port, instead of making it untrusted:

You should have something like this:

interface vlan 4000 
    ip address dhcp-client 
    ip nat outside 

ip access-list session Uplink 
    any any svc-dhcp permit 
    any any any deny 

interface gigabitethernet 0/0/3 
    description "GE0/0/3" 
    trusted 
    trusted vlan 4000 
    no poe 
    ip access-group session "Uplink" 
    switchport mode access 
    switchport access vlan 4000 
   

It will allow your controller to get a dhcp ip address, but block everything else.  VLAN 4000 is the VLAN that I use to obtain the WAN ip address that the router assigns to me.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 30, 2023 02:08 PM
From: JT
Subject: Public IP address entries populating user table.

Hello,

 

noticed on a Aruba 7008 controller (8.10.0.7) that public IP addresses appear to be populating the user table under "wired" alongside the wireless users and consuming user table entries.

 

Consequently, the 1024 user limit on the controller keeps breaching and alongside the error messages, users on the site experience issues with connectivity.

 

The setup is pretty straight forward:

 

wireless user -> AP -> 7008 controller -> wired connection -> ISP firewall.

- the wired connection is a direct Cat6 cable from the controller to the ISP firewall port.

 

 

I've found an article suggesting that modifying the "validuser" acl, it might fix the issue but having tried this by defining only the internal subnet,  whilst the public IP addresses disappeared, unfortunately so did the internet connectivity.

 

Has anyone had a similar experience and if so, what was the fix for it?

 

Is there any documentation someone can point me towards to explain the use of roles and profiles as I suspect there is a misconfiguration somewhere.

 

Apologies if this is a noob question and there is an obvious answer but that answer is eluding me..

 

Many thanks in advance..