Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Pre-auth role is permitting traffic that should be blocked

  • 1.  Pre-auth role is permitting traffic that should be blocked

    Posted Apr 23, 2018 05:29 PM

    Hello,

     

    I am trying to create a pre-authenticated role that only allows DHCP and blocks everything else (for the time being). This role is applied to a wired port on a RAP but is still allowing SIP and RTP traffic even though the intended configuration should be to block this traffic. All other traffic is being blocked correctly but the SIP and RTP traffic is getting through and confirmed with show datapath session table <ip>.

    Am I missing something?

     

    Thanks,

     

    Lorn

     

    (TPA-ARUBA-MC1) #show user
    This operation can take a while depending on number of users. Please be patient ....

    Users
    -----
        IP             MAC            Name     Role                              Age(d:h:m)  Auth  VPN link  AP name            Roaming  Essid/Bssid/Phy  Profile                       Forward mode  Type  Host Name  User Type
    ----------    ------------       ------    ----                              ----------  ----  --------  -------            -------  ---------------  -------                       ------------  ----  ---------  ---------
    10.90.212.10  e0:89:9d:fb:81:f2            ml-remote-employee-phone-preauth  00:00:19                    20:4c:03:11:b9:6d  Wired    10.80.9.15:0/1   ml-remote-employee-phone-aaa  tunnel                         WIRED
     

    (TPA-ARUBA-MC1) #show rights ml-remote-employee-phone-preauth

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'ml-remote-employee-phone-preauth'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 2
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 83/0
     Openflow: Disabled
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                                         Type     Location
    --------  ----                                         ----     --------
    1         global-sacl                                  session
    2         apprf-ml-remote-employee-phone-preauth-sacl  session
    3         ml-dhcp-clients-only                         session
    4         denyall                                      session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    apprf-ml-remote-employee-phone-preauth-sacl
    -------------------------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    ml-dhcp-clients-only
    --------------------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         user    any          udp 68                 deny                             Low                                            4
    2         any     any          svc-dhcp               permit                           Low                                            4
    denyall
    -------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          any                   deny                             Low                                            4

    Expired Policies (due to time constraints) = 0                                              

     

    (TPA-ARUBA-MC1) #show datapath session table 10.90.212.10


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           u - Upstream Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop, h - High Value
           A - Application Firewall Inspect
           B - Permanent, O - Openflow
           L - Log

    Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.90.212.10    10.184.5.14     6    52486 5060   0/0     6    24  4   tunnel 16   6b8  0          0          MCIO
    10.90.212.10    10.84.5.14      6    52360 5060   0/0     6    24  7   tunnel 16   6b8  0          0          MCIO
    10.184.5.14     10.90.212.10    6    5060  52486  0/0     6    24  4   tunnel 16   6b8  0          0          MIO
    10.84.5.14      10.90.212.10    6    5060  52360  0/0     6    24  8   tunnel 16   6b8  0          0          MIO           

     



  • 2.  RE: Pre-auth role is permitting traffic that should be blocked

    EMPLOYEE
    Posted Apr 23, 2018 05:38 PM

    6b8 hex is 1720 seconds, which means the session was started 28 minutes ago.  Existing sessions continue, but new sessions are blocked.  I would do a "aaa user delete 10.90.212.10" on the command line of the controller to remove that user and try again.



  • 3.  RE: Pre-auth role is permitting traffic that should be blocked

    Posted Apr 23, 2018 05:42 PM

    Thanks for the reply Colin. I performed that command but the issue persists. Let me know if you have any other thoughts/suggestions.

     

    Lorn

     

    (TPA-ARUBA-MC1) #aaa user delete 10.90.212.10
    1 users deleted
    (TPA-ARUBA-MC1) #show user
    This operation can take a while depending on number of users. Please be patient ....

    Users
    -----
        IP             MAC            Name     Role                              Age(d:h:m)  Auth  VPN link  AP name            Roaming  Essid/Bssid/Phy  Profile                       Forward mode  Type  Host Name  User Type
    ----------    ------------       ------    ----                              ----------  ----  --------  -------            -------  ---------------  -------                       ------------  ----  ---------  ---------
    10.90.212.10  e0:89:9d:fb:81:f2            ml-remote-employee-phone-preauth  00:00:00                    20:4c:03:11:b9:6d  Wired    10.80.9.15:0/1   ml-remote-employee-phone-aaa  tunnel                         WIRED

    User Entries: 1/1
     Curr/Cum Alloc:3/25 Free:7/22 Dyn:10 AllocErr:0 FreeErr:0
    (TPA-ARUBA-MC1) #show datapath session table 10.90.212.10


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           u - Upstream Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop, h - High Value
           A - Application Firewall Inspect
           B - Permanent, O - Openflow
           L - Log

    Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.90.212.10    10.184.5.14     6    52486 5060   0/0     6    24  0   tunnel 16   9    2          977        MCIO
    10.90.212.10    10.84.5.14      6    52360 5060   0/0     6    24  0   tunnel 16   0    3          1050       MCIO
    10.184.5.14     10.90.212.10    6    5060  52486  0/0     6    24  1   tunnel 16   9    2          1064       MIO
    10.84.5.14      10.90.212.10    6    5060  52360  0/0     6    24  0   tunnel 16   0    2          749        MIO
    (TPA-ARUBA-MC1) #                                                                                                           



  • 4.  RE: Pre-auth role is permitting traffic that should be blocked

    EMPLOYEE
    Posted Apr 23, 2018 07:17 PM

    No new flows will be allowed.  Is the phone connected directly to the RAP?  If yes, bounce the wired interface.



  • 5.  RE: Pre-auth role is permitting traffic that should be blocked

    Posted May 31, 2018 10:02 AM

    Hi cjoseph,

     

    After working on a case with HP support, they were finally able to figure out a fix which was that we had to disable openflow on the MDs which is enabled by default. To disable it, we did the following from the MM:

     

    cd md
    conf t
    openflow-profile
    no openflow-enable
    wr mem

     

    While I understand how openflow works at a high level, I'm not familiar with Aruba's application of it and how it pertains to the MM and MDs. I asked for additional explanation from support but am still unclear why it would allow these flows to be inserted and bypass the ACLs. Here was the explanation I received:

    "UCC running on Mobility Master uses Open Flow to receive signaling packets from SIP enabled devices. When the SIP enabled device sends traffic, the Mobility Master will listen to the traffic and pass it to the server, as Open Flow is enabled on the controller. If the traffic has to flow according to the user-role or ACLs, Open Flow should be disabled on the controller. There is even an option to disable OpenFlow in the user-role as well."

     

    If anyone has any more information or can point me to some documentation to understand this further, I would appreciate it.

     

    Thanks,

     

    Lorn
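An added check (not from the thread or from HPE Aruba) that parses `show datapath session table` output in the layout pasted above, decodes TAge from hex the way the reply explains (6b8 = 1720 s), and reports any non-DHCP, non-denied session for a client whose pre-auth role should permit only DHCP, noting when the entry carries the O (Openflow) flag that the thread's fix turns off. The sample table is constructed; its DHCP row and server address are illustrative.

```python
# Constructed sample in the format of ArubaOS `show datapath session table`
# (first row copied from the thread; the DHCP row and server IP are made up).
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.90.212.10    10.184.5.14     6    52486 5060   0/0     6    24  4   tunnel 16   6b8  0          0          MCIO
10.90.212.10    10.0.0.1        17   68    67     0/0     0    0   1   tunnel 16   a    5          1640       FC
"""

DHCP_PORTS = {67, 68}   # svc-dhcp: UDP bootps/bootpc


def parse_sessions(output):
    """Parse datapath session rows into dicts; TAge is a hex age in seconds."""
    sessions = []
    for line in output.splitlines():
        parts = line.split()
        # Header, separator, legend and blank lines never start with a digit.
        if len(parts) < 14 or not parts[0][0].isdigit():
            continue
        # Destination ("tunnel 16") contains a space, so take the tail columns from the right.
        sessions.append({
            "src": parts[0], "dst": parts[1],
            "proto": int(parts[2]), "sport": int(parts[3]), "dport": int(parts[4]),
            "age_s": int(parts[-4], 16),
            "packets": int(parts[-3]), "bytes": int(parts[-2]),
            "flags": set(parts[-1]),
        })
    return sessions


def audit_dhcp_only(sessions, client_ip):
    """Return (src, dst, proto, dport, age_s, reason) for flows a DHCP-only role should not carry."""
    findings = []
    for s in sessions:
        if client_ip not in (s["src"], s["dst"]):
            continue
        if "D" in s["flags"]:
            continue  # already a deny entry in the datapath
        is_dhcp = s["proto"] == 17 and bool({s["sport"], s["dport"]} & DHCP_PORTS)
        if not is_dhcp:
            reason = "non-DHCP flow permitted"
            if "O" in s["flags"]:
                reason += " via Openflow-inserted entry (flag O)"
            findings.append((s["src"], s["dst"], s["proto"], s["dport"], s["age_s"], reason))
    return findings


if __name__ == "__main__":
    for f in audit_dhcp_only(parse_sessions(SAMPLE), "10.90.212.10"):
        print(f)
```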