Occasional Contributor II

User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause

Hello all, we're having an odd issue and after a 4 hour call with support, we're waiting to hear if they can figure it out. Maybe someone here has dealt with it before.


We have a guest SSID with a captive portal. Config'd so that the portal just has an "I accept" button. Upon accepting, the guest users have access to internet sites, but not internal sites. The issue is that if a device sleeps/restarts or otherwise loses connectivity, it will switch to "No IP address" or a 169 address for 48 or 68 seconds once it tries to reconnect, at which time it will get its former IP address. If we add "allowall" as the final rule in our user-role, this stops happening and they immediately reconnect. Support recommended leaving "allowall" enabled to fix the problem, but from a security side we'd like to avoid that and find the specific "thing" that it's allowing that we need to explicitly define.


Our current role was created during the support call, and it is:

1. cplogout

2. Guest-Internet-Only

    a. Allow dns

    b. Allow internal subnet for webpages

    c. Allow multicast/airplay/Clearpass 

    d. Deny internal subnets 

    e. Allow web traffic

    f. Deny ICMP for internal, allow ICMP for external

3. allowall



Guru Elite

Re: User role with "allowall" immediately reconnects, removing "allowall" causes

You need to have an "any any service svc-dhcp" in your ACL rules.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
MVP Guru

Re: User role with "allowall" immediately reconnects, removing "allowall" causes

Not sure if you forgot to include it, but do you have allow DHCP in the ACL rules?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Occasional Contributor II

Re: User role with "allowall" immediately reconnects, removing "allowall" causes

Thank you cjoseph and victorfabian! Looks like we overlooked the super simple when we remade the role. Must've been too focused on getting the captive portal and ClearPass to play nicely.
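
Added example, not part of any post in this thread: a simplified first-match rule model (Python, not ArubaOS syntax) of the role from the question, used to list which flows are permitted only by the trailing allowall. The internal subnet, rule names and sample flows are constructed assumptions, and item c of the role is left out.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed: the post gives no subnets

@dataclass
class Rule:
    name: str
    action: str            # "permit" or "deny"
    proto: str = "any"     # "tcp", "udp", "icmp" or "any"
    ports: tuple = ()      # destination ports; empty means any
    dst: str = "any"       # "any", "internal" or "external"

    def matches(self, pkt):
        if self.proto not in ("any", pkt["proto"]):
            return False
        if self.ports and pkt.get("dport") not in self.ports:
            return False
        if self.dst == "any":
            return True
        is_internal = ipaddress.ip_address(pkt["dst"]) in INTERNAL
        return is_internal == (self.dst == "internal")

def evaluate(rules, pkt):
    """First matching rule wins; no match at all is an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def masked_by(rules, flows, catch_all="allowall"):
    """Names of flows that are permitted only because the catch-all matched."""
    return [name for name, pkt in flows.items() if evaluate(rules, pkt)[1] == catch_all]

# Simplified stand-in for the role in the post (items a, b, d, e, f).
ROLE = [
    Rule("dns", "permit", "udp", (53,)),
    Rule("internal-web", "permit", "tcp", (80, 443), "internal"),
    Rule("deny-internal", "deny", dst="internal"),
    Rule("web", "permit", "tcp", (80, 443)),
    Rule("icmp-external", "permit", "icmp", dst="external"),
]
ALLOWALL = Rule("allowall", "permit")
DHCP = Rule("dhcp", "permit", "udp", (67, 68))

# Constructed sample flows from a guest client.
FLOWS = {
    "dns-query": {"proto": "udp", "dst": "8.8.8.8", "dport": 53},
    "https": {"proto": "tcp", "dst": "93.184.216.34", "dport": 443},
    "dhcp-broadcast": {"proto": "udp", "dst": "255.255.255.255", "dport": 67},
}
```

Running `masked_by(ROLE + [ALLOWALL], FLOWS)` against real flow samples from a test client is a way to find what a catch-all rule is covering before removing it.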
