Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

dynamic access lists, help needed

  • 1.  dynamic access lists, help needed

    Posted Aug 26, 2018 06:35 AM

    Hi,

    I have been trying to get the dynamic access list working again as described in various documents, but it looks like things have changed in either CPPM 6.7.5 or ArubaOS switch WC16.06.

    First of all, 192.168.x.x/x doesn't work anymore. When you use this format in Radius:IETF NAS-Filter-Rule, neither the VLAN enforcement nor the dACL enforcement is enforced on the switch. You have to use the format 192.168.x.x 255.255.x.x.

    You can use Radius:HPE HPE-NAS-Filter-Rule with 192.168.x.x/x, but the rule order is changed. This rule ends up at the bottom, below the permit in ip from any to any rule.

    I'm trying to do something simple: blocking the user from accessing the private network but allowing internet access with a simple enforcement profile, similar to what I would use in an Aruba wireless guest role.

    Radius:IETF NAS-Filter-Rule permit in udp from any to any 53,67

    Radius:IETF NAS-Filter-Rule deny ip from any to 192.168.0.0 255.255.0.0

    Radius:IETF NAS-Filter-Rule permit in from any to any

    But I can still access my ClearPass GUI (which is in a different subnet in 192.168.0.0).

    When I delete RADIUS:IETF NAS-Filter-Rule permit in from any to any I cannot access ClearPass, but as expected I cannot access the internet either.

    I know this was working in CPPM 6.6 and WC16.01 because I attended a workshop doing exactly this. I downgraded my lab 2930F to WC16.02 (secondary image), but the behaviour is exactly the same. So I downgraded (reloaded the secondary image of my CPPM) and I got the behaviour I expected.

    What has changed in CPPM 6.7 regarding dynamic ACLs? Is the above expected or unexpected behaviour?

    I have a customer expecting to get dynamic ACLs in his wired network. He is on CPPM 6.7.5 and we went live without the dACL last week. I wasn't able to do these tests before, but I urgently need dACL working on 6.7.5, so does anyone have a workaround?

    Thanks,

    Erik


  • 2.  RE: dynamic access lists, help needed
    Best Answer

    EMPLOYEE
    Posted Aug 27, 2018 03:53 AM

    Erik,

    Dynamic Access Lists are quite picky and must match exactly. From your config, it looks like you are missing the 'in' in the line deny in ip from any to 192.168.0.0 255.255.0.0.

    What I try to do before putting the ACL in a dynamic access list is to put it on the switch and test it there first. Then you know the syntax is correct.

    Check out this video on dACL troubleshooting.
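As an added example (not from this thread and not HPE Aruba code), the following Python pre-check applies the two points raised above before a profile is pushed: every rule must carry the `in` keyword, and destinations written as CIDR are rewritten to the address-plus-mask form the first post reports as the only one the switch enforces via Radius:IETF NAS-Filter-Rule. The grammar it accepts (`<permit|deny> in <proto> from <src> to <dst> [ports]`) is inferred from the rule shapes quoted in this thread and is an assumption, not the switch's documented grammar; port ranges are not handled because the thread does not resolve that syntax. The sample profile is constructed from the thread's rules plus two deliberately broken variants. A rule that passes this check still has to be tried on the switch CLI as recommended above, since the check only validates shape.

```python
import ipaddress
import re

# Rule grammar assumed from the shapes used in this thread (not HPE Aruba's
# documented grammar): <permit|deny> in <proto> from <src> to <dst> [ports]
ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # assumption: the obvious IPv4 keywords
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample enforcement profile: the thread's rules plus two
# deliberately wrong variants (missing 'in', CIDR instead of mask form).
SAMPLE_PROFILE = [
    "permit in udp from any to any 53,67",
    "deny ip from any to 192.168.0.0 255.255.0.0",
    "deny in ip from any to 192.168.0.0/16",
    "permit in ip from any to any",
]


def _parse_endpoint(tokens, i):
    """Parse the endpoint at tokens[i]; return (normalized, next_index, findings).

    Accepts 'any', 'A.B.C.D M.M.M.M' (address + mask) and 'A.B.C.D/n'. CIDR is
    rewritten to the mask form because the thread reports that CIDR in
    Radius:IETF NAS-Filter-Rule is silently not enforced by the switch.
    """
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1, []
    if "/" in tok:
        try:
            net = ipaddress.IPv4Network(tok, strict=False)
        except ValueError:
            return tok, i + 1, [f"unparseable network '{tok}'"]
        mask_form = f"{net.network_address} {net.netmask}"
        return mask_form, i + 1, [f"CIDR '{tok}' rewritten to mask form '{mask_form}'"]
    if DOTTED.match(tok) and i + 1 < len(tokens) and DOTTED.match(tokens[i + 1]):
        try:
            ipaddress.IPv4Address(tok)
            ipaddress.IPv4Address(tokens[i + 1])
        except ValueError:
            return tok, i + 2, [f"invalid address/mask '{tok} {tokens[i + 1]}'"]
        return f"{tok} {tokens[i + 1]}", i + 2, []
    return tok, i + 1, [f"unrecognised endpoint '{tok}'"]


def check_rule(rule):
    """Lint one NAS-Filter-Rule string.

    Returns (normalized_rule, findings). An empty findings list means the rule
    has the expected shape; the normalized text has 'in' inserted and CIDR
    converted so it can be pasted into the profile (or the switch CLI) as-is.
    """
    tokens = rule.split()
    findings = []
    if len(tokens) < 6:
        return rule, ["too short: expected '<permit|deny> in <proto> from <src> to <dst> [ports]'"]
    action = tokens[0]
    if action not in ACTIONS:
        findings.append(f"unknown action '{action}'")
    i = 1
    if tokens[i] == "in":
        i += 1
    else:
        findings.append("missing 'in' keyword after the action")
    proto = tokens[i]
    i += 1
    if proto not in PROTOCOLS:
        findings.append(f"unknown protocol '{proto}'")
    if i >= len(tokens) or tokens[i] != "from":
        return rule, findings + ["expected 'from' after the protocol"]
    src, i, f = _parse_endpoint(tokens, i + 1)
    findings += f
    if i >= len(tokens) or tokens[i] != "to":
        return rule, findings + ["expected 'to' after the source"]
    dst, i, f = _parse_endpoint(tokens, i + 1)
    findings += f
    ports = tokens[i:]
    if len(ports) > 1:
        findings.append(f"unexpected trailing tokens {ports[1:]}")
    for p in ports[:1]:
        # Comma-separated port list as in 'permit in udp from any to any 53,67'.
        # Port ranges are not handled: the thread leaves that syntax unresolved.
        if not all(x.isdigit() and 0 <= int(x) <= 65535 for x in p.split(",")):
            findings.append(f"bad port list '{p}'")
    normalized = " ".join([action, "in", proto, "from", src, "to", dst] + ports[:1])
    return normalized, findings


def lint_profile(rules):
    """Lint every rule of an enforcement profile; return {rule: findings}."""
    return {rule: check_rule(rule)[1] for rule in rules}


if __name__ == "__main__":
    for rule in SAMPLE_PROFILE:
        normalized, findings = check_rule(rule)
        status = "OK " if not findings else "FIX"
        print(f"{status} {rule}")
        for finding in findings:
            print(f"      - {finding}")
        if normalized != rule:
            print(f"      -> {normalized}")
```

Running the script prints each rule with its findings and, where the linter changed something, the rewritten line; `lint_profile` returns the same findings keyed by rule so the check can sit in a deployment script that refuses to push a profile with any non-empty entry.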



  • 3.  RE: dynamic access lists, help needed

    Posted Aug 30, 2018 03:26 AM

    Hi Herman,

    Thanks for the advice on testing on the switch itself first. TAC suggested the same. Unfortunately, not all expressions accepted on the switch are also accepted as dACL (the keyword established, for instance)?

    The missing "in" keyword was a typo of mine in the thread; it was entered in the enforcement profile.

    Is there a list of allowed NAS-Filter-Rule expressions available, or can you tell me how to add a port range (for example range 6800 to 6900) in a NAS-Filter-Rule expression?

    Videos are great but take a lot of time to watch. I know it's the current way of doing things, but I prefer a technote or something similar so I can save time searching for what I need. You can't quick-watch a YouTube video. I will save watching that for when time is not that limited.

    Thanks,

    Erik



  • 4.  RE: dynamic access lists, help needed

    Posted Sep 10, 2019 09:37 AM

    Different project. New switch firmware and new ClearPass version. Still the same issue though.

    It's specifically radius[ietf] nas-filter-rule permit in ip from any to any that's not accepted by the switch.

    Is there a new format for this nas-filter-rule? All documentation I can find states the rule above.

    FYI, deny in ip from any to any is working fine.

    Thanks,

    Erik