Product and Software: This article applies to ArubaOS 3.x and later.
In this article, an active client, currently authenticated, user role named Vocera-Badge will be changed to a new user role named Vocera-Badge-Mirror. The Vocera-Badge-Mirror user role will "mirror" all the client data, in unencrypted form, to a wired sniffer device based on a specific IP address.
Equipment Needed
- Wireshark or equivalent wired sniffer with IP connectivity to the specific Aruba controller that the client we are tracing is authenticated to. This controller would terminate the access point (AP) that the client is currently associated to, thus capturing the client traffic when it is unencrypted at the controller.
- Access with enable rights to the master Aruba controller, to modify user roles and access lists.
- Access with enable rights to the local controller that terminates the client, to configure the firewall mirror destination IP address.
Limitations
A client reauthenticates as it roams from AP to AP. In this example, after the client is pushed into this new user role Vocera-Badge-Mirror, the client reverts back to the old user role Vocera-Badge upon a successful roam to another AP. This method of "session mirroring" the client data should be done when the client is not actively roaming during your tests.
An alternative method is to modify the access control list (ACL) named allow-all used by the user role Vocera-Badge so that the flag for "mirror" is enabled. This method collects the data from all the clients that are authenticated into this user role by the device defined as the session-mirrored-destination. Other variations could be to mirror a specific user IP address or protocol port in the ACL.
Procedure
To capture unencrypted client data at the controller with session-destination mirroring, follow these steps:
1) On the existing user role Vocera-Badge, make these changes using the CLI or the webUI.
Using the CLI:
user-role Vocera-Badge
session-acl allow-all
ip access-list session allow-all
any any any permit
Using the WebUI:
2) On the new user role Vocera-Badge-Mirror, make these changes using the CLI or the WebUI.
Using the CLI:
user-role Vocera-Badge-Mirror
session-acl allow-all-mirror
ip access-list session allow-all-mirror
any any any permit mirror >>>>>note the additional "mirror" field
Using the WebUI:
3) Add the session mirrored destination ip-address using the CLI or the WebUI.
Using the CLI:
#config_t
#firewall session-mirror-destination ip-address 192.168.15.15
Using the WebUI:
4) Open the Wireshark application on the computer designated as the session-mirror-destination. This computer must be able to reach the Aruba controller that the client is authenticated to.
5) Identify the client to be placed into the user role Vocera-Badge-Mirror using things like the IP address, name, and MAC address. Issue the CLI command from the Aruba controller that the user is authenticated on.
6) Move the client from the current user role Vocera-Badge to user role Vocera-Badge-Mirror by issuing the following command:
#aaa user add <A.B.C.D> role <rolename>
Example
#aaa user add 192.168.1.12 role Vocera-Badge-Mirror
Result
All client traffic is captured using the Wireshark application. (Packets are sent to the capture PC encapsulated in GRE frames.)