Security


User Roles and policy not applied

  • 1.  User Roles and policy not applied

    Posted Sep 03, 2020 07:00 AM

    Hello 

     

    I am having a troubling issue at work, configuring local user roles on a virtual controller running an evaluation license (valid, not expired) with PEF and WebCC installed.

    All licenses are active/valid and cover the APs.

    But whatever user role I configure in the Roles and Policies section, it seems to have zero effect; the WLAN the role is applied to is completely open, with no restrictions applied.

    I created a WLAN and applied the role to it.

    I see users getting the role name in the dashboard's traffic analysis section.

    The role I made is to allow only HTTPS and HTTP, along with DNS and DHCP. I do not want any other apps/services, but users connect to the SSID and everything is accessible.

    Tried tunnel and bridge for the VLAN/SSID traffic.

    Tried using an external router or using the controller as NAT/router; same result, as if the rule is not active.

    Setting any of the default pre-made roles like "logon" or anything else has zero effect, as if they are not applied.

    Enabled firewall deep inspection, enabled PEF in the license section and did a couple of reloads; same.

    Can I know what I am missing? This is causing trouble at my work.



  • 2.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 07:09 AM

    Hi KarimIT,

     

    • What AAA profile is used in your Virtual AP profile?
    • What is the default role in this AAA profile?
    • Be sure you have your PEF license enabled.
    • Please stick to "tunneled" as the forwarding mode, because client traffic in bridge mode will never hit the firewall in the controller.

    Hope this helps you!

     



  • 3.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 07:37 AM

    The default role in the Authentication/AAA profile section is the initial role "logon"; even so, it is not applied. I believe the logon profile redirects to a portal or something, but the SSID is completely open and all apps are working.

     

    The profile under Profile > AP > AP Authorization is NoAuthAPgroup.

     

    Using tunnel.

     

    License is valid and active; I can share a snapshot.



  • 4.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 07:45 AM
    • The default role "logon" is a role with very few rights and does not contain a captive portal redirection. It is the default value in an unconfigured AAA profile.
    • To apply your created role to users, change the default role in your AAA profile to the wanted role; for example, the user role "authenticated" contains a permit-any ACL.

    If you would like to see the ACL policy of the "logon" role, see attached.

     

    Attachment: show rights logon.txt (7 KB)


  • 5.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 08:04 AM

    Changed the default role under the default AAA profile: no effect.

    Changed the default role under my AAA/SSID profile, as seen in the attachment: no effect. I can connect to the SSID (Aruba) and access all of the internet with no restrictions.

    Attached is my policy for the role OnlyHTTP, which is applied to the WLAN/SSID.

     

    The SSID is in VLAN 110; the controller is acting as a router with NAT inside, through another VLAN (300) on the controller. In VLAN 300 there is a gateway added as the default gateway on the controller.

    Internet is working fine; users get IPs from the controller DHCP in VLAN 110. The problem is in the role: policies, whether access control or application, have no effect.

    Is there a way to tell if the firewall engine is working OK? How do I check role policy ACL hits?



  • 6.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 08:14 AM

    Hi KarimIT,

     

    Your SSID consists (basically) of the following profiles:

     

    AP Group

    • Virtual AP Profile
      • SSID Profile
      • AAA Profile
        • Default User-Role

    If you change anything, first kill the user on the CLI to see the effect.

    # aaa user delete mac ##:##:##:##:##:##

    Or simply use "aaa user delete all" if you don't care about kicking everybody ;).

     

    After that, look at the user table for the derived user role:

    # show user-table

     

    If you see the user, you see the role. If you would like more specific details of the user's connection and how its user role is derived, use the command:

    # show user mac ##:##:##:##:##:##

     

    If you want to see the specific ACL of a user role, you can use:

    # show rights "role-name"
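The reply above says to confirm the derived role in the user table before touching anything else. The script below is an added example (editor's code, not from the poster or from ArubaOS) that parses a fixed-width CLI table of the kind `show user-table` prints and reports whether a given client MAC actually landed in the expected role. The sample table embedded in it is constructed for the example and trimmed to a few columns; the real output has more columns and may be indented differently, so the column names and layout are assumptions. The point it makes: take the column boundaries from the dashed separator line, because empty cells (a blank Name or Auth column) shift values to the wrong column if you split on whitespace.

```python
import re

# Constructed sample shaped like "show user-table" output, trimmed to a few
# columns; not real controller output. One client landed in OnlyHTTP and one
# is still in logon.
SAMPLE_USER_TABLE = """\
Users
-----
IP            MAC                Name    Role       Age(d:h:m)  Auth  AP name  Essid/Bssid/Phy                Profile  Forward mode
--            ---                ----    ----       ----------  ----  -------  ---------------                -------  ------------
10.110.0.23   a4:5e:60:11:22:33          OnlyHTTP   00:00:07          AP-105   Aruba/20:a6:cd:aa:bb:cc/a      Aruba    tunnel
10.110.0.41   3c:22:fb:44:55:66          logon      00:01:12          AP-105   Aruba/20:a6:cd:aa:bb:cc/a      Aruba    tunnel

User Entries: 2/2
"""


def parse_cli_table(text):
    """Parse a fixed-width CLI table into a list of {column: value} dicts.

    Column boundaries come from the dashed separator under the header (the
    first line made only of '-' and spaces with two or more dash runs), so an
    empty cell does not pull later values to the left.
    """
    lines = text.splitlines()
    sep_idx = next(
        (i for i, line in enumerate(lines)
         if i > 0 and re.fullmatch(r"[-\s]+", line)
         and len(re.findall(r"-+", line)) >= 2),
        None,
    )
    if sep_idx is None:
        raise ValueError("no column separator line found")
    header, separator = lines[sep_idx - 1], lines[sep_idx]
    starts = [m.start() for m in re.finditer(r"-+", separator)]
    bounds = list(zip(starts, starts[1:] + [None]))   # each column runs to the next start
    names = [header[a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():          # first blank line ends the table body
            break
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def derived_role(user_table_text, mac):
    """Return the Role column for the client with the given MAC, or None."""
    for row in parse_cli_table(user_table_text):
        if row["MAC"].lower() == mac.lower():
            return row["Role"]
    return None


def check_role(user_table_text, mac, expected_role):
    """Compare the derived role with the one the AAA profile should apply."""
    actual = derived_role(user_table_text, mac)
    if actual is None:
        return False, f"{mac}: not in user-table (reconnect after 'aaa user delete')"
    if actual != expected_role:
        return False, f"{mac}: role is {actual}, expected {expected_role}"
    return True, f"{mac}: role {actual} as expected"


if __name__ == "__main__":
    for mac in ("a4:5e:60:11:22:33", "3c:22:fb:44:55:66", "00:11:22:33:44:55"):
        print(check_role(SAMPLE_USER_TABLE, mac, "OnlyHTTP")[1])
```

A client that shows the right role here but still has unrestricted access points at the role's ACL or the firewall itself rather than at role derivation; a client that is missing or in the wrong role points back at the AAA profile and the `aaa user delete` step.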

     



  • 7.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 08:14 AM

    Here is also show user from the controller, showing me accessing as role OnlyHTTP with the AAA profile Aruba (which I also set to this role).

    Now the OnlyHTTP ACL allows only HTTP/HTTPS/DNS/DHCP, but still all apps and everything are open.

     

    What am I missing?



  • 8.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 08:19 AM

    Edit your role with a rule "any any any deny" at the bottom.

     



  • 9.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 08:52 AM

    I do not think an implicit deny is needed, but I added it anyway; same, no effect.

    Here is the only update; hopefully it means something.

    When I apply the "logon" role to the SSID, I see my access attempts redirected to a portal (it fails the portal with an SSL error, and when bypassed it states that authentication is disabled), but anyway, at least there is no internet connection. But why does this profile work (redirecting) and not my profile?? My profile is straightforward and simple, just permitting HTTP and HTTPS (with DNS and DHCP).

    What can be done here?
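The two replies above turn on how a role's ACL is evaluated: rules are checked top to bottom, the first match decides, and a flow that matches nothing falls through to a deny. The block below is an added example (editor's code, not ArubaOS code and not the poster's policy) that models that evaluation with a deliberately simplified rule format (protocol, destination port, action; svc-dhcp is modelled as udp/67 only). It shows two things worth checking in `show rights` output when a role looks right but does not restrict anything: appending an explicit any/any/any deny changes which rule a denied flow hits but not the outcome, which is consistent with what the poster saw; and a permit-any rule placed ahead of the restrictive rules makes every rule after it dead, so the role permits everything even though the restrictive rules are present.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Simplified session-ACL rule; assumed model, not the controller's rule grammar."""
    proto: str             # "any", "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"
    name: str = ""         # label only, e.g. the service alias it stands for


@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    proto_ok = rule.proto == "any" or rule.proto == flow.proto
    port_ok = rule.dport is None or rule.dport == flow.dport
    return proto_ok and port_ok


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, int]:
    """First matching rule decides; no match falls through to the implicit deny (index -1)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.action, index
    return "deny", -1


def dead_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule matches
    every flow (proto any, any port), so whatever follows it is shadowed."""
    return [
        index for index in range(len(rules))
        if any(r.proto == "any" and r.dport is None for r in rules[:index])
    ]


def audit(rules: List[Rule], flows: List[Flow]) -> Dict[str, str]:
    """Map each flow ("proto/port") to the action the role takes on it."""
    return {f"{f.proto}/{f.dport}": evaluate(rules, f)[0] for f in flows}


# The role the original poster describes: only DHCP, DNS, HTTP and HTTPS.
ONLY_HTTP = [
    Rule("udp", 67, "permit", "svc-dhcp"),
    Rule("udp", 53, "permit", "svc-dns"),
    Rule("tcp", 80, "permit", "svc-http"),
    Rule("tcp", 443, "permit", "svc-https"),
]

# Same role with the explicit "any any any deny" from the reply above appended.
ONLY_HTTP_EXPLICIT_DENY = ONLY_HTTP + [Rule("any", None, "deny", "explicit-deny")]

# A permit-any rule listed before the restrictive rules: everything after it is dead.
ALLOW_ALL_FIRST = [Rule("any", None, "permit", "allowall")] + ONLY_HTTP_EXPLICIT_DENY

# Constructed test flows: three that the role should permit, two it should block.
SAMPLE_FLOWS = [Flow("tcp", 443), Flow("tcp", 80), Flow("udp", 53),
                Flow("tcp", 22), Flow("udp", 5060)]

if __name__ == "__main__":
    for label, rules in (("OnlyHTTP", ONLY_HTTP),
                         ("OnlyHTTP + explicit deny", ONLY_HTTP_EXPLICIT_DENY),
                         ("allowall first", ALLOW_ALL_FIRST)):
        print(label, audit(rules, SAMPLE_FLOWS), "dead rules:", dead_rules(rules))
```

Run against the role's real rule list (transcribed from `show rights`), `dead_rules` flags the shadowing case directly; `audit` is the quick check that the rules, in the order the controller holds them, actually block the traffic the poster still sees getting through.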



  • 10.  RE: User Roles and policy not applied

    Posted Sep 04, 2020 08:04 AM

    It looks as if your PEF license is installed but not enabled.

     

    Do you see the expected role applied in show user on the controller?

    Can you check the license usage on your controller:

    (md7010) #show license-usage user
    
    User License Usage
    ------------------
    Name               Value
    ----               -----
    License Limit      2048
    License Usage      1
    License Available  2047
    License Exceeded   0

    Can you check that you enabled the PEF license?

    (Attachment: pef-enable.png)

    I have seen most of the suggestions that I could think of, so if it still doesn't work, I would reach out to TAC and let them have a look.



  • 11.  RE: User Roles and policy not applied

    Posted Sep 03, 2020 07:09 AM

    If you are troubleshooting roles, you should disconnect users between changes to ensure that existing flows are interrupted.