Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Wireless Network doesn't block access before authentication

  • 1.  Guest Wireless Network doesn't block access before authentication

    Posted Sep 12, 2019 06:01 AM

    Hi,

     

    My infrastructure consists of Aruba 315 access points and we have a guest network with authentication.

    We have a dedicated VLAN for this network and the rules created block access to all private networks.

    We found that when we are connected to the guest network prior to authentication, we have access to public IPs from the command line, but when we go through the browser it doesn't work as expected.

    Is there any configuration we can do to block all access until authentication is done on the authentication page?

    ##########################################################

     

    Scanning www.google.com (172.217.17.4) [4 ports]
    Completed Ping Scan at 10:33, 2.06s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 10:33
    Completed Parallel DNS resolution of 1 host. at 10:33, 5.54s elapsed
    Initiating SYN Stealth Scan at 10:33

    Nmap scan report for www.google.com (172.217.17.4)
    Host is up (0.0032s latency).
    rDNS record for 172.217.17.4: mad07s09-in-f4.1e100.net
    Not shown: 998 filtered ports
    PORT STATE SERVICE VERSION
    80/tcp open http mini_httpd
    | http-methods:
    |_ Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: <empty>
    |_http-title: Did not follow redirect to https://securelogin.hpe.com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f7777772e676f6f676c652e636f6d2f
    443/tcp open ssl/https?
    |_ssl-date: TLS randomness does not represent time
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: specialized|storage-misc
    Running (JUST GUESSING): Crestron 2-Series (87%), HP embedded (85%)
    OS CPE: cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
    Aggressive OS guesses: Crestron XPanel control system (87%), HP P2000 G3 NAS device (85%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 12.225 days (since Sat Aug 31 05:10:34 2019)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=263 (Good luck!)
    IP ID Sequence Generation: All zeros

    TRACEROUTE (using port 443/tcp)
    HOP RTT ADDRESS
    1 ...
    2 2.00 ms mad07s09-in-f4.1e100.net (172.217.17.4)

    NSE: Script Post-scanning.
    Initiating NSE at 10:34
    Completed NSE at 10:34, 0.00s elapsed
    Initiating NSE at 10:34
    Completed NSE at 10:34, 0.00s elapsed
    Read data files from: C:\Program Files (x86)\Nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 40.88 seconds
    Raw packets sent: 2096 (97.232KB) | Rcvd: 73 (3.977KB)



  • 2.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 13, 2019 02:46 AM

    You should create 2 roles, 1 pre-logon-guest and 1 authenticated-guest.

    When a client connects it will be assigned the pre-logon-guest role; in this role an ACL denies all traffic.

    After authentication, you assign the role authenticated-guest; this role has an ACL that blocks internal subnets but allows internet.
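    A small model of the two-role design described in this reply, added here as an illustration (it is not Aruba code and does not use Aruba syntax). Rules are evaluated top to bottom, first match wins, and an unmatched flow is denied. The portal address, the rule lists and the test flows are constructed for the example; the audit function flags exactly the kind of permit that would let a pre-logon client reach public IPs from the command line.

```python
"""Model of the pre-logon / authenticated guest roles (added example).
Rules are evaluated in order, first match wins, implicit deny at the end."""
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "any", "tcp", "udp", "icmp"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None = any port

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PORTAL = "10.254.0.5/32"  # assumed captive-portal address (hypothetical)

# Pre-logon role: only what a client needs to reach the portal.
PRE_LOGON_GUEST = [
    Rule("permit", "udp", "any", 67),    # DHCP
    Rule("permit", "udp", "any", 53),    # DNS, so the portal name resolves
    Rule("permit", "tcp", PORTAL, 443),
    Rule("permit", "tcp", PORTAL, 80),
    Rule("deny", "any", "any", None),
]
# Authenticated role: block private ranges, allow everything else.
AUTHENTICATED_GUEST = [Rule("deny", "any", p, None) for p in PRIVATE] + [
    Rule("permit", "any", "any", None),
]

def _dst_match(rule_dst, ip):
    return rule_dst == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_dst)

def evaluate(role, proto, dst_ip, dport=None):
    """Return 'permit' or 'deny' for one flow under a role's ordered ACL."""
    for r in role:
        if r.proto not in ("any", proto):
            continue
        if not _dst_match(r.dst, dst_ip):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit deny when nothing matched

def audit_pre_logon(role):
    """Return permits in a pre-logon role that reach beyond DHCP, DNS and the portal."""
    bootstrap = {("udp", 67), ("udp", 53)}
    return [r for r in role
            if r.action == "permit"
            and (r.proto, r.dport) not in bootstrap
            and r.dst != PORTAL]
```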



  • 3.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 16, 2019 12:54 PM

    Hi Fabien,

    Thank you for your feedback.

    I created another wireless network to test, with 2 rules, one pre_authentication and the other after authentication, but it still has the same behavior: I can get to public IPs on the internet from the command line.

    What more do I have to do?

    Thanks



  • 4.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 19, 2019 07:40 PM

    Connect the user to the Guest network, but don't logon. From the controller, issue the command "show user-table" to list the connected users. Find the user and then look at the Role. After you confirm the role that is assigned to the user, issue the command "show rights <rolename>". 

     

    Post the output here so people can see what firewall permissions are being allowed/denied for the user.

     



  • 5.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 23, 2019 11:01 AM

    Hi David,

    Thank you for your feedback.

    SSID: Test

    ASSIGN PRE-AUTHENTICATION ROLE: Rule_pre_authentication

    I don't have the command "show rights <rolename>".

    I sent the info in the attached file.

    Thanks

    Attachment(s): commands.txt (8 KB)


  • 6.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 23, 2019 03:05 PM

    From the CLI of the controller you should be able to type

     

    show rights

     

    which will display all of the roles. From there you can type the command again, with the name of the role, such as

     

    show rights rolename

     

    Do this for the role that is being assigned as the initial role of the user.

     



  • 7.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 23, 2019 09:33 PM

    @woodman wrote:

     

    I don't have the command "show rights <rolename>"

     


    From the output you provided it seems like you are running the commands from Airwave's command dropdown menu. Not all commands are available from there. You might need to actually SSH to the device to run that command.

     



  • 8.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 24, 2019 10:45 AM

    Hi,

    I ran the commands from Aruba Central and over SSH, and the command doesn't exist.



  • 9.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 24, 2019 12:02 PM

    Is this an Instant based network?



  • 10.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 24, 2019 12:20 PM

    Hi,

    No, it is "role based".



  • 11.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 24, 2019 12:55 PM

    Sorry, I am not versed with Central. Hopefully someone else can help.

     



  • 12.  RE: Guest Wireless Network doesn't block access before authentication

    Posted Sep 25, 2019 12:54 AM

    If you have an Aruba Central subscription then this includes technical support. I suggest you give them a call and they can assist you.