Occasional Contributor I

Apple Mac randomly disconnects after applying ACL to block Client to Client

Hello,

My SSID is on subnet 192.168.10.0/24 and I tried to apply an ACL on the role in the controller to block Client-to-Client traffic as below:

any 192.168.10.0/24 deny
any any permit

After applying this ACL we found that Mac users get disconnected randomly and show the ! icon on wireless, whether they're roaming or not moving.

In the same situation I tested on a Windows laptop but didn't see any issues, and when I remove that ACL all Mac users can connect to wifi with no problem.

I wonder if Macs have any requirements to allow internal traffic within the client subnet in order to connect to the wifi?

My controller is a 7205 on ver 8.3.0.6

Regular Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

If the intended purpose of the ACLs is to deny inter-user traffic, have you tried enabling the deny inter-user traffic knob in the VAP profile without mapping the ACLs?

Please refer to the AOS 8.3 CLI Reference Guide (page 2414) for more details on this knob.

 

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Occasional Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

Hi A_Rak,

Enabling "deny inter user traffic" works fine, but I decided not to enable it because I have another role for VIP users who need to be allowed client-to-client traffic,

so I've created 2 roles, one with that ACL to block client-to-client for normal users and another role with an allow-all ACL for VIP users.

Regular Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

Do the VIP users fall into the same subnet after authentication as the normal users, or are they falling into a different subnet?

Have you applied these ACLs to the pre-auth role or the post-auth role?

The ACLs posted here need some fine tuning specific to your requirement.

If they are falling into different subnets, then:

Create an Alias and map the VIP users' subnet to that Alias.

Use the "netdestination" command to configure the Alias.

Call it "VIP_Users", for example.

Create another Alias for normal users and map the normal users' subnet to it.

Call it "Normal_Users".

To deny traffic between these two types of users, create the access lists as follows:

// denies all traffic from the VIP to normal users
VIP_Users Normal_Users any deny

// denies all traffic from the normal users to the VIP
Normal_Users VIP_Users any deny

Occasional Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

Hi A_Rak,

I put the ACL into the post-auth role (I use 802.1X with ClearPass).

Both normal users and VIP users are on the same subnet.

I split them by group in AD and assign the role to them after authentication with ClearPass.

My purpose is that normal users can't talk to any clients,

but VIP users can talk to everyone (to test and develop some apps).

Regular Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

How many users are we talking about here?

If the VIP users are fewer in number, then try creating a netdestination with the host IP addresses of the VIP users and mapping that netdestination as an alias to the ACLs.

Occasional Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

Hi A_Rak,

We're now starting with about 100 normal users and 40-50 VIP users.

I have a plan next week to test again by applying the ACL rules one by one to see which rule Macs need to have allowed.

Guru Elite

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

@fuyunohoshi wrote:

Hello,

My SSID is on subnet 192.168.10.0/24 and I tried to apply an ACL on the role in the controller to block Client-to-Client traffic as below:

any 192.168.10.0/24 deny
any any permit

After applying this ACL we found that Mac users get disconnected randomly and show the ! icon on wireless, whether they're roaming or not moving.

In the same situation I tested on a Windows laptop but didn't see any issues, and when I remove that ACL all Mac users can connect to wifi with no problem.

I wonder if Macs have any requirements to allow internal traffic within the client subnet in order to connect to the wifi?

My controller is a 7205 on ver 8.3.0.6

First things first.... Is your DHCP server on the 192.168.10.0/24 subnet? If yes, you need to put a rule on top that allows "any any service dhcp", which allows DHCP. It is quite possible that your Macs are doing DHCP on every roam, and on a roam DHCP is typically unicast, so your deny rule is breaking that. For your second question, it is very impractical to block traffic between all users and then allow traffic for specific users. I would put your VIPs in a separate "bastion" subnet, block traffic for the user subnet, but allow all traffic to/from the "bastion" subnet.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
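An added Python model of first-match ACL evaluation with netdestination-style aliases, written for this thread rather than taken from ArubaOS or any post here. It covers both the alias-based deny pair suggested earlier and the advice above to put a DHCP permit above the subnet deny; alias names follow the thread, while the member host IPs, the "dhcp" service mapping to UDP 67/68, the sample flows and the implicit deny at the end of the list are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# netdestination-style aliases: names follow the thread, member addresses are constructed
ALIASES = {
    "any": ["0.0.0.0/0"],
    "user_subnet": ["192.168.10.0/24"],
    "VIP_Users": ["192.168.10.201/32", "192.168.10.202/32"],
    "Normal_Users": ["192.168.10.50/32", "192.168.10.51/32"],
}
# service aliases; assumption: "dhcp" means UDP to port 67 or 68
SERVICES = {"any": None, "dhcp": ("udp", {67, 68})}

@dataclass(frozen=True)
class Rule:
    src: str       # source alias
    dst: str       # destination alias
    service: str   # service alias
    action: str    # "permit" or "deny"

def _in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])

def _matches_service(proto, dport, service):
    spec = SERVICES[service]
    return spec is None or (proto == spec[0] and dport in spec[1])

def evaluate(acl, src, dst, proto, dport):
    """First matching rule wins; assumption: anything unmatched hits an implicit deny."""
    for rule in acl:
        if (_in_alias(src, rule.src) and _in_alias(dst, rule.dst)
                and _matches_service(proto, dport, rule.service)):
            return rule.action
    return "deny"

# the ACL from the original post
ORIGINAL_ACL = [Rule("any", "user_subnet", "any", "deny"), Rule("any", "any", "any", "permit")]
# the fix: a DHCP permit placed above the subnet deny
FIXED_ACL = [Rule("any", "any", "dhcp", "permit")] + ORIGINAL_ACL
# the alias-based deny pair from the thread, followed by a permit-all for everything else
GROUP_ACL = [Rule("VIP_Users", "Normal_Users", "any", "deny"),
             Rule("Normal_Users", "VIP_Users", "any", "deny"),
             Rule("any", "any", "any", "permit")]

# constructed sample flows: DHCP unicast to the on-subnet relay, peer SMB, VIP-to-normal SSH, web
DHCP_RENEW = ("192.168.10.50", "192.168.10.1", "udp", 67)
PEER_SMB = ("192.168.10.50", "192.168.10.51", "tcp", 445)
VIP_TO_NORMAL = ("192.168.10.201", "192.168.10.50", "tcp", 22)
WEB = ("192.168.10.50", "203.0.113.10", "tcp", 443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("group", GROUP_ACL)):
        print(name, {f[1]: evaluate(acl, *f) for f in (DHCP_RENEW, PEER_SMB, VIP_TO_NORMAL, WEB)})
```

Running it shows the original list dropping the DHCP unicast to the relay while the fixed list permits it and still blocks the peer flow, and that the group deny pair only blocks traffic between the two aliases, not normal-to-normal traffic.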
Guru Elite

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

To be clear, in general you would put your VIP users in a separate subnet using a RADIUS attribute returned from your RADIUS server.

Occasional Contributor I

Re: Apple Mac randomly disconnects after applying ACL to block Client to Client

Hi Cjoseph,

Setting a rule to allow DHCP made it work!

My DHCP server is on another subnet, but there is an ip-helper setting in the gateway of the client subnet.

I wonder why Macs require this to be allowed.
