User role with multiple firewall policies

Let me first start with the problem I am trying to address. We have the need to permanently (or at least semi-permanently) block specific hosts that associate to our wifi network, as they are untrusted devices. My thought on how to accomplish this was to implement a second firewall policy on the user role that gets applied to authenticated clients. The policy would deny host MAC addresses. So my user role has the following firewall policies:

mac-acl that basically looks like:
deny (mac-address)
permit any

permits traffic that we trust on the network.

However, after applying the new mac acl, when testing I found that it basically is not doing much. I have added the mac of my wifi nic as a deny to the mac acl, and am not really seeing hits. I saw 9 hits once, and my client stopped functioning for a bit. However, when I disconnected, and then reconnected to the SSID, I was able to forward traffic without issue. In fact, I am composing this post while authenticated to the SSID that has the deny mac entry. I have verified that I have been assigned the appropriate user role with these firewall policies, and that is the case.

When looking at the configuration, I see the user-role with the mac acl applied:
user-role pre-employee
access-list mac Mac_filter
session-acl allowall
However, when I do a show acl hits role pre-employee, I don't see the acl listed:
User Role ACL Hits
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
---- ------ --- --- ------- ------ ----------- -------- ---------- -----
pre-employee allowall any any any permit 1933 16363 4357

If I just do a show acl hits, I do see the acl listed under the pre-employee user role, with just a few hits (sorry for the poor formatting):

pre-employee Mac_filter 00:27:10:11:fb:f4 00:00:00:00:00:00 deny 0 9
pre-employee Mac_filter any permit 105 122

Any ideas as to why this mac filter is not behaving as I would expect it to?
Re: User role with multiple firewall policies

If you want to block specific hosts, you should add those devices to the blacklist:

(host) #stm add-blacklist-client ?
client to add to DoS list

MAC ACLs have a different purpose that would not accomplish what you desire.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
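As an added example (not part of either post above), a small Python helper that parses the flattened `show acl hits` output quoted in the question, reports whether a given MAC actually has a matching deny row with hits, and emits the `stm add-blacklist-client` commands the reply recommends instead. The sample output is constructed from the thread's own lines; the function names and the column handling are my own assumptions about the flattened text.

```python
# Added example: audit ArubaOS "show acl hits" output for deny entries
# and generate blacklist commands. Sample rows are constructed from the
# lines quoted in the thread; helper names are my own.
import re

# Constructed sample, modelled on the thread's flattened "show acl hits" rows.
SAMPLE_ACL_HITS = """\
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
pre-employee allowall any any any permit 1933 16363 4357
pre-employee Mac_filter 00:27:10:11:fb:f4 00:00:00:00:00:00 deny 0 9
pre-employee Mac_filter any permit 105 122
"""

def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff for colon, dash, dot or bare-hex input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_acl_hits(text):
    """Parse rows into dicts. Columns are whitespace-separated and some
    (Dst, Service, Index) may be missing, so anchor on the action keyword:
    everything between Policy and Action is match criteria, the two
    numbers after Action are New Hits and Total Hits."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        acts = [i for i, t in enumerate(tok) if t in ("permit", "deny")]
        if len(tok) < 5 or not acts or not tok[-1].isdigit():
            continue  # header, separator or non-data line
        a = acts[0]
        rows.append({"role": tok[0], "policy": tok[1], "match": tok[2:a],
                     "action": tok[a], "new_hits": int(tok[a + 1]),
                     "total_hits": int(tok[a + 2])})
    return rows

def deny_status(rows, role, mac):
    """(new_hits, total_hits) of the deny row matching mac in role, or
    None when the role has no deny entry for that MAC at all."""
    mac = normalize_mac(mac)
    for r in rows:
        if r["role"] == role and r["action"] == "deny" and mac in r["match"]:
            return r["new_hits"], r["total_hits"]
    return None

def blacklist_commands(macs):
    """Controller commands for the blacklist approach given in the reply,
    de-duplicated after normalizing each address."""
    uniq = sorted({normalize_mac(m) for m in macs})
    return ["stm add-blacklist-client " + m for m in uniq]
```

In the thread's own data the deny row shows 0 new hits against 9 total while the client keeps passing traffic, which is the mismatch this check makes visible before you switch to the blacklist.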