Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User-derived VLAN assignment based on MAC address / max. entries 11, priority list?

  • 1.  User-derived VLAN assignment based on MAC address / max. entries 11, priority list?

    Posted May 07, 2015 08:38 AM

    Hi,

    I'm trying to solve a small challenge and hoped that user rules would help here. I'm using one SSID for corporate access and everyone gets the "authenticated" role.

    So far so good, this has worked fine for years. Now I want to separate a few clients on this VAP into another VLAN with another subnet, so I can properly separate them on the gateway firewall regarding policies/rules etc. I have PEFNG but I'm not using the firewall features on the controller; we handle this on a central firewall before traffic hits the internet.

    Since DHCP reservation is not possible on the controller, I had the idea of using the "user rules" tab in the authentication area to put approx. 15 clients into another separate VLAN where the controller does DHCP for a subnet.

    I wonder why the priority list of the user rules only accepts 11 entries in the web UI. When trying to add a 12th entry it overwrites the 11th entry?

    Why is there a limit of 11? It doesn't make sense. Perhaps this shouldn't be misused for my challenge? After reading the ArubaOS 6.3 user guide (we currently run 6.3.1.14 on that MC3200 because we have lots of old APs not supported in AOS 6.4), the guide says:

    Working with User-Derived VLANs
    Attributes derived from the client's association with an AP can be used to assign the client to a specific role or VLAN, as user-derivation rules are executed before the client is authenticated. You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can optionally add a description of the user rule.

    So my CLI config looks like this. I'm not sure if what I'm trying is a misuse; perhaps it would make more sense to try it with a MAC authentication role. But I would like to set a VLAN based on the MAC address, which is why I tried it with user rules.


    (Aruba3400) #show aaa derivation-rules user Auth-MAC-VLAN
    
    User Rule Table
    ---------------
    Priority  Attribute  Operation  Operand/Group      Action    Value  Total Hits  New Hits  Description
    --------  ---------  ---------  -------------      ------    -----  ----------  --------  -----------
    1         macaddr    equals     00:21:6a:xx:xx:xx  set vlan  2103   0           0         
    2         macaddr    equals     28:B2:BD:xx:xx:xx  set vlan  2103   0           0         
    3         macaddr    equals     00:19:D2:xx:xx:xx  set vlan  2103   0           0         
    4         macaddr    equals     00:21:6a:xx:xx:xx  set vlan  2103   0           0         
    5         macaddr    equals     A4:4E:31:xx:xx:xx  set vlan  2103   0           0         
    6         macaddr    equals     5C:C5:D4:xx:xx:xx  set vlan  2103   0           0         
    7         macaddr    equals     A4:4E:31:xx:xx:xx  set vlan  2103   0           0         
    8         macaddr    equals     6C:88:14:xx:xx:xx  set vlan  2103   0           0         
    9         macaddr    equals     A4:4E:31:xx:xx:xx  set vlan  2103   0           0         
    10        macaddr    equals     50:1A:C5:xx:xx:xx  set vlan  2103   0           0         
    11        macaddr    equals     00:19:D2:xx:xx:xx  set vlan  2103   0           0         

    As mentioned before, when trying to add a 12th entry, entry 11 is overwritten.

    Any ideas?

    By the way, before you ask yourself "why does he do this": all clients use the same SSID. If a MAC address is not listed in the user rules list and connects to the SSID, it gets an IP address from the default VLAN assigned to the VAP; only clients with a specific MAC address are put into this 2nd VLAN.

    Perhaps I have to solve it another way?

    Thanks

    ben



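To make the first-match semantics quoted from the user guide concrete, here is an added Python model of how an ordered user-derivation rule table like the one above is evaluated; it is not code from the thread or from ArubaOS. It parses a constructed sample in the shape of the `show aaa derivation-rules user` output (made-up MAC addresses) and assumes, besides the `equals` operation shown in the table, a `starts-with` operation for OUI prefixes.

```python
import re

# Constructed sample in the shape of 'show aaa derivation-rules user <name>' output.
# MAC addresses are made up; rule 5 deliberately overlaps rule 1 to show priority order.
SAMPLE_TABLE = """\
Priority  Attribute  Operation    Operand/Group      Action    Value  Total Hits  New Hits
--------  ---------  ---------    -------------      ------    -----  ----------  --------
1         macaddr    equals       00:21:6a:11:22:33  set vlan  2103   0           0
2         macaddr    equals       28:B2:BD:44:55:66  set vlan  2103   0           0
3         macaddr    equals       A4:4E:31:77:88:99  set vlan  2104   0           0
4         macaddr    starts-with  5C:C5:D4           set vlan  2105   0           0
5         macaddr    starts-with  00:21:6a           set vlan  2106   0           0
"""

# One table row: priority, attribute, operation, operand, then 'set vlan <id>'
ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+set vlan\s+(\d+)")


def parse_rules(text):
    """Parse table rows into (priority, attribute, operation, operand, vlan) tuples."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prio, attr, op, operand, vlan = m.groups()
            # Normalise case: the table shows MACs as typed, clients report them in either case
            rules.append((int(prio), attr, op, operand.lower(), int(vlan)))
    return sorted(rules)  # ascending priority is the evaluation order


def derive_vlan(rules, mac, default_vlan):
    """First matching rule wins; a client matching no rule keeps the VAP's default VLAN."""
    mac = mac.lower()
    for _prio, attr, op, operand, vlan in rules:
        if attr != "macaddr":
            continue
        if op == "equals" and mac == operand:
            return vlan
        if op == "starts-with" and mac.startswith(operand):  # assumed OUI-prefix operation
            return vlan
    return default_vlan


if __name__ == "__main__":
    table = parse_rules(SAMPLE_TABLE)
    for client in ("00:21:6A:11:22:33", "00:21:6a:aa:bb:cc", "de:ad:be:ef:00:01"):
        print(client, "->", derive_vlan(table, client, default_vlan=2100))
```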

  • 2.  RE: User-derived VLAN assignment based on MAC address / max. entries 11, priority list?
    Best Answer

    EMPLOYEE
    Posted May 07, 2015 08:43 AM
    This is really a function of a RADIUS server / policy engine. The UDR was designed to allow for some quick overrides for devices that share the same attributes (DHCP fingerprints, MAC OUI, etc).


  • 3.  RE: User-derived VLAN assignment based on MAC address / max. entries 11, priority list?

    Posted May 07, 2015 08:54 AM

    Thanks, that makes sense, so it's not intended to put a lot of entries into that kind of list.

    Perhaps it works with a server group; then I make internal DB entries with those MAC addresses and server rules. That should work, or better said, I remember we had this once for putting MAC addresses into different VLANs in our training lab area.

    I will give it a shot. Thanks for the godspeed reply! ;-)



  • 4.  RE: User-derived VLAN assignment based on MAC address / max. entries 11, priority list?

    Posted May 07, 2015 08:59 AM

    Silly question: if I try it via server groups, does it work if I only add my desired MAC addresses as user entries in the user DB, or do I have to add "all" MAC addresses to separate e.g. 20 MAC addresses into that VLAN and another 15 MAC addresses into another VLAN?

    I think I have to clear the VAP VLAN field?

    Or is it OK to keep a default VLAN on the VAP and only when a server rule is hit the MAC address is put into another VLAN? I'm not sure at all... let's test. ;-)




  • 5.  RE: User-derived VLAN assignment based on MAC address / max. entries 11, priority list?

    Posted May 07, 2015 09:04 AM

    I take it you're not doing 802.1X authentication?

    Cheers

    James



  • 6.  RE: User-derived VLAN assignment based on MAC address / max. entries 11, priority list?

    Posted May 07, 2015 09:49 AM

    No, just a corporate SSID with WPA2-PSK.

    The background is just that most of the clients should fall into the VLAN defined in the VAP, and only approx. 12 clients should be put into another VLAN.

    The firewall rules are applied on the central gateway firewall. Regarding security it's not the best decision, because the client could change his IP address and then another firewall policy would hit; it's just a quick separation of clients.

    E.g. the first clients don't have any authentication on the firewall, and the ones which should be put into another VLAN via MAC address then get authentication on the central firewall.

    I think I will tweak the whole config by adding additional MAC auth so that only allowed MAC addresses are able to use that kind of SSID at all; that tweak can be applied later on.