Product and Software: This article applies to all Aruba controllers with ArubaOS 3.3.2 and later.
The validuser session ACL protects the user table: it decides which source IP addresses the controller is allowed to add. Without it, a misbehaving or malicious client can fill the user table with bogus addresses, or with the addresses of trusted machines. When the user table is full, no further users can be added, so they get no connectivity; if a trusted machine's address is inserted by a spoofing client, connectivity to that machine is impacted.
Unfortunately, this ACL is difficult to maintain in large, geographically diverse networks. Every time a user subnet or server subnet is added, the ACL has to be updated as well, which in practice means constant changes.
If the 'firewall local-valid-users' command is enabled, the controller performs a second lookup whenever the validuser ACL denies an address: if the address belongs to a directly connected subnet, that is, a subnet in which the controller itself has an IP interface, the address is added to the user table anyway. An address that the ACL denies and that is not covered by any local interface is still rejected, so the ACL continues to block spoofed addresses from elsewhere; only the locally attached subnets no longer have to be listed by hand.
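To make the two-stage decision concrete, the following Python model is added here for illustration; it is not ArubaOS code and does not reproduce the controller's real ACL syntax. The interface subnets, the validuser-style rule set, the table capacity and the spoofed addresses are all constructed for the example. It shows three things: a spoofing client filling a small user table when the ACL permits anything, the validuser ACL keeping those addresses out, and the local-subnet second lookup admitting a host on a newly added, directly connected VLAN that the ACL does not yet list while still rejecting an address that is neither permitted nor local.

```python
"""Model of ArubaOS user-table admission: the validuser session ACL, the
optional local-subnet second lookup, and why a full user table matters.
Illustrative only; this is not controller code."""
import ipaddress

# Constructed topology: subnets in which the controller has an IP interface.
LOCAL_INTERFACES = [
    ipaddress.ip_network("10.1.10.0/24"),  # existing user VLAN
    ipaddress.ip_network("10.1.20.0/24"),  # user VLAN added later, not yet in the ACL
]

# Constructed validuser-style ACL: ordered (network, action), first match wins,
# implicit deny at the end. Hypothetical rule set, not the ArubaOS default.
VALIDUSER_ACL = [
    (ipaddress.ip_network("127.0.0.0/8"), "deny"),
    (ipaddress.ip_network("169.254.0.0/16"), "deny"),
    (ipaddress.ip_network("224.0.0.0/4"), "deny"),
    (ipaddress.ip_network("10.1.10.0/24"), "permit"),
    (ipaddress.ip_network("10.5.0.0/16"), "permit"),  # server subnet at another site
]

# An ACL that permits everything, to show what happens without protection.
PERMIT_ANY_ACL = [(ipaddress.ip_network("0.0.0.0/0"), "permit")]


def acl_lookup(addr, acl):
    """First-match evaluation with an implicit deny, as a session ACL behaves."""
    for net, action in acl:
        if addr in net:
            return action
    return "deny"


def on_local_subnet(addr, interfaces):
    """True if the controller has an IP interface in the address's subnet."""
    return any(addr in net for net in interfaces)


def admit(addr_str, acl=VALIDUSER_ACL, interfaces=LOCAL_INTERFACES,
          local_valid_users=False):
    """Decide whether a source address may enter the user table.

    Returns (admitted, reason). The second lookup only runs when the ACL
    denies the address and 'firewall local-valid-users' is enabled."""
    addr = ipaddress.ip_address(addr_str)
    if acl_lookup(addr, acl) == "permit":
        return True, "validuser ACL permit"
    if local_valid_users and on_local_subnet(addr, interfaces):
        return True, "ACL deny overridden: address is on a directly connected subnet"
    return False, "validuser ACL deny"


class UserTable:
    """Fixed-capacity user table keyed by IP address."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = set()

    def add(self, addr_str, **policy):
        admitted, reason = admit(addr_str, **policy)
        if not admitted:
            return False, reason
        if addr_str in self.entries:
            return True, "already present"
        if len(self.entries) >= self.capacity:
            return False, "user table full"
        self.entries.add(addr_str)
        return True, reason


def flood_demo(capacity=4):
    """A client spoofs ten source addresses from 203.0.113.0/24 (constructed),
    then a legitimate user on 10.1.10.0/24 tries to connect. Compare an ACL
    that permits anything with the validuser-style ACL above."""
    bogus = [f"203.0.113.{i}" for i in range(1, 11)]
    legit = "10.1.10.5"
    results = {}
    for name, acl in (("permit_any", PERMIT_ANY_ACL), ("validuser", VALIDUSER_ACL)):
        table = UserTable(capacity)
        bogus_admitted = sum(table.add(a, acl=acl)[0] for a in bogus)
        results[name] = {
            "bogus_admitted": bogus_admitted,
            "legit_admitted": table.add(legit, acl=acl)[0],
        }
    return results


if __name__ == "__main__":
    print(flood_demo())
    for ip in ("10.1.10.5", "10.1.20.7", "192.0.2.9"):
        print(ip, admit(ip), admit(ip, local_valid_users=True))
```

With the permit-any ACL the four table slots are consumed by spoofed addresses and the legitimate user is refused with "user table full"; with the validuser-style ACL none of the spoofed addresses get in. The host 10.1.20.7 on the newly added VLAN is denied until the local-subnet lookup is enabled, while 192.0.2.9 stays denied either way because no controller interface covers it.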
If Remote APs (RAPs) are present, the validuser ACL must still permit L2TP (UDP 1701) to the controller that terminates the RAPs.
To enable this feature, issue this command:
(Aruba) (config) #firewall local-valid-users
To verify that this is enabled, issue this command and check that the "Only allow local subnets in user table" policy shows Enabled:
(Aruba) (config) #show firewall
Global firewall policies
------------------------
Policy                                      Action    Rate      Slot/Port
------                                      ------    ----      ---------
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Deny all IP fragments                       Disabled
Prohibit IP Spoofing                        Enabled
Monitor ping attack                         Disabled
Monitor TCP SYN attack                      Disabled
Monitor IP sessions attack                  Disabled
Deny inter user bridging                    Disabled
Log all received ICMP errors                Disabled
Per-packet logging                          Disabled
Session mirror destination                  Disabled
Disable Stateful SIP Processing             Disabled
Allow tri-session with DNAT                 Disabled
Disable FTP server                          No
GRE call id processing                      Disabled
Session Idle Timeout                        Disabled
VOIP proxy arp                              Disabled
WMM content enforcement                     Disabled
Session VOIP Timeout                        Disabled
Disable Stateful H.323 Processing           Disabled
Only allow local subnets in user table      Enabled
Monitor/police CP attacks                   Enabled   100/sec
Rate limit CP untrusted ucast traffic       Disabled
Rate limit CP untrusted mcast traffic       Disabled
Rate limit CP trusted ucast traffic         Disabled
Rate limit CP trusted mcast traffic         Disabled
Rate limit CP route traffic                 Disabled
Rate limit CP session mirror traffic        Disabled
Rate limit CP auth process traffic          Enabled   2 Mbps
Session mirror IPSEC                        Disabled