Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP Guest WiFi - pop/imap email issues

  • 1.  IAP Guest WiFi - pop/imap email issues

    Posted Nov 21, 2018 12:59 PM

    Hi all,

     

    Using IAP 305/315 on OS 6.5.4.8 and I have a conundrum on allowing email access on our guest wifi. I'm assuming I'm just being dumb

     

    As per advice on setup I've got the following allowed on our guest network:

     

    http to all

    https to all

    dhcp to all

    dns to all

    smtp to all

     

    I was told that'd give me internet and email across the wifi and for the most part it does. Everyone's phones that have connected seem to just sync and update their existing exchange accounts or gmail accounts etc and I've done a number of tests back and forth with my own exchange/gmail/hotmail accounts on personal and work phones. 

     

    However one user is claiming that he can't connect to any of his accounts. For one he's apparently having to put port specific settings in his phone (which I haven't seen needed in a long time) and so he's specifying any of either ports 993, 995 and 465. These are apparently all failing

     

    I went and looked through the allow list on network services and I can see pop3 but no imap. And if I change from network to application I can see pop3/s and imap/s. I can also see in application category the mail-protocols and webmail settings (which I actually saw recommended as a fix for this in another thread here) 

     

    So basically what I've done is added allow to all destinations on

     

    app category mail-protocols

    app category webmail

    application imap

    application imaps

    application pop3

    application pop3s

    application smtp

    application smtps

     

    This still doesn't let this work at all. I've also tested trying to add my gmail account to outlook via manually setting the imap/smtp ports and it fails to connect. 

     

    What else is there? Is it instead a case of adding the specific ports instead of adding all those application categories etc? If so is this as simple as adding the TCP ports as a custom network entry?

     

    I don't know how to trace any of this traffic through the IAP to see if it is actually the IAP that's blocking this or not but this is too simple a problem to have kept me busy for nearly a day!



  • 2.  RE: IAP Guest WiFi - pop/imap email issues

    EMPLOYEE
    Posted Nov 21, 2018 02:30 PM

    Hi alexdav1801,

     

    From my point of view, your idea is correct, so it should work. 

     

    As it does not work, you should check the order of your entries in the role. Only the first match is used. Maybe there is another entry which blocks it and the permit rules are not considered. If unsure, just post the whole role here in the forum. 

     

    BR

    Florian



  • 3.  RE: IAP Guest WiFi - pop/imap email issues

    Posted Nov 22, 2018 04:39 AM

    Thanks for the reply. I think I just am not getting to grips with these entries because it all seems to contradict what I feel is right 

     

    I've managed to get it working (I believe) by manually adding the specific ports to the allow list. It also seems to work by having the ports allowed after removing the named app access (i.e. application pop3, application imap etc)

     

    I have no explicit deny rules on the role so my current role access looks like this (in order):

     

    Allow dhcp to all destinations

    Allow http to all destinations

    Allow https to all destinations

    Allow dns to all destinations

    Allow smtp to all destinations

    Allow TCP on port 143 to all destinations

    Allow TCP on port 465 to all destinations

    Allow TCP on port 993 to all destinations

    Allow TCP on port 995 to all destinations

     

    I'm just really confused as to how "Allow TCP on port 993 to all destinations" works while "Allow application imap/imaps to all destinations" doesn't. Are they not technically doing the same thing?
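
An added example, not part of either poster's message and not Aruba code: a first-match evaluator run over the roles listed in this thread, to show what pure port matching predicts for the ports the affected user tried. It assumes an implicit deny when no rule matches and standard port numbers for the named services (only imap and imaps are confirmed by the `show dpi app` output in the thread), and it models port matching only, not the AP's DPI application classification.

```python
# Added example: first-match evaluation of a guest role, port matching only.
# imap/imaps ports come from the "show dpi app" output in the thread; the
# other ports are the standard assignments and are assumptions here.
SERVICE_PORTS = {
    "dhcp": {("udp", 67), ("udp", 68)},
    "http": {("tcp", 80)},
    "https": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
    "smtp": {("tcp", 25)},
    "imap": {("tcp", 143)},
    "imaps": {("tcp", 993)},
}

def service(action, name):
    """Rule for a named service, expanded to its (proto, port) set."""
    return (action, frozenset(SERVICE_PORTS[name]))

def tcp(action, port):
    """Rule for a single custom TCP port."""
    return (action, frozenset({("tcp", port)}))

def evaluate(role, proto, port):
    """Return (action, rule_index) for the first matching rule.

    Assumption: traffic that matches no rule is denied (implicit deny).
    """
    for index, (action, ports) in enumerate(role):
        if (proto, port) in ports:
            return action, index
    return "deny", None

def report(role, ports=(143, 465, 993, 995)):
    """Verdict for each mail port the affected user tried, plus 143."""
    return {p: evaluate(role, "tcp", p) for p in ports}

# Role from the first post, role from the third post, and a hypothetical
# port-level reading of "application imap/imaps" placed after "smtp".
ORIGINAL_ROLE = [service("allow", n) for n in ("http", "https", "dhcp", "dns", "smtp")]
WORKING_ROLE = [service("allow", n) for n in ("dhcp", "http", "https", "dns", "smtp")]
WORKING_ROLE += [tcp("allow", p) for p in (143, 465, 993, 995)]
APP_ROLE = ORIGINAL_ROLE + [service("allow", "imap"), service("allow", "imaps")]

if __name__ == "__main__":
    for name, role in [("original", ORIGINAL_ROLE), ("working", WORKING_ROLE), ("app", APP_ROLE)]:
        print(name, report(role))
```

Under these assumptions an earlier allow rule for smtp never matches traffic to port 993, so it cannot shadow a later imaps rule; only a rule that actually matches the packet ends the search.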



  • 4.  RE: IAP Guest WiFi - pop/imap email issues

    EMPLOYEE
    Posted Nov 22, 2018 04:52 AM

    Hi alexdav1801,

     

    At least from the config it looks like they are the same:

     

    AP-305# show dpi app imap
    
    Pre-defined Application
    -----------------------
    Name  App ID  App Category    Default Ports
    ----  ------  ------------    -------------
    imap  75      mail-protocols  tcp 143  
    AP-305# show dpi app imaps
    
    Pre-defined Application
    -----------------------
    Name   App ID  App Category    Default Ports
    ----   ------  ------------    -------------
    imaps  76      mail-protocols  tcp 993  

    and the app category mail-protocols includes them as well:

    AP-305# show dpi appcategory mail-protocols
    
    Applications in appcategory "mail-protocols"
    --------------------------------------------
                                          
                                          
    activesync  imap   imaps  lotusnotes  mapi
    pop3        pop3s  smtp   smtps       
    
    Total applications in this category = 9

    So I cannot tell why it was not working and my advice would be to open a TAC case, as it should work. 

     

    BR

    Florian



  • 5.  RE: IAP Guest WiFi - pop/imap email issues

    Posted Nov 22, 2018 05:05 AM

    I don't suppose there's any way of seeing what rules have actually been applied at a certain point, is there? Some kind of command that will show me what access rules have applied in what order and what (if any) have been missed off?

     

    I'm wondering if the mail-protocols access didn't work because above that in the list was allow smtp specifically, and then because smtp has been allowed it skipped applying the mail-protocols access



  • 6.  RE: IAP Guest WiFi - pop/imap email issues

    EMPLOYEE
    Posted Nov 22, 2018 05:30 AM

    1. SSH into the Instant AP that the client is associated to

    2.  Attempt to access email on the client and wait until it fails

    3. On the SSH session, type "show datapath session" and "show datapath session dpi" and look to see if any traffic between the client and the email server is blocked or denied:  https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Web_Help_Index.htm#Instant_CLI/showdatapath.htm?Highlight=show%20datapath%20session



  • 7.  RE: IAP Guest WiFi - pop/imap email issues
    Best Answer

    Posted Nov 29, 2018 05:08 AM

    So looks like I'm going to be opening a support call on this because it doesn't make sense to me

     

    I've solved the problem by removing the allow rules for pop/smtp/imap etc and adding the ports manually, but as others have said and as I've read around I should get the same result simply by allowing the mail-protocols app through

     

    Thanks for the help