Hi,
I have been trying to get the dynamic access list working again as described in various documents but it looks like things have changed in either CPPM 6.7.5 or ArubaOS switch WC16.06
First of all, 192.168.x.x/x doesn't work anymore. When you use this format in Radius:IETF NAS-Filter-Rule, neither the VLAN enforcement nor the dACL enforcement is enforced on the switch. You have to use the format 192.168.x.x 255.255.x.x.
You can use Radius:HPE HPE-NAS-Filter-Rule with 192.168.x.x/x, but the rule order is changed. This rule ends up at the bottom, below the "permit in ip from any to any" rule.
I'm trying to do something simple: blocking the user from accessing the private network but allowing internet with a simple enforcement profile, similar to what I would use in an Aruba wireless guest role:
Radius:IETF NAS-Filter-Rule permit in udp from any to any 53,67
Radius:IETF NAS-Filter-Rule deny ip from any to 192.168.0.0 255.255.0.0
Radius:IETF NAS-Filter-Rule permit in from any to any
But I can still access my ClearPass GUI (which is in a different subnet in 192.168.0.0).
When I delete RADIUS:IETF NAS-Filter-Rule permit in from any to any, I cannot access ClearPass, but, as expected, I cannot access the internet either.
I know this was working in CPPM 6.6 and WC16.01 because I attended a workshop doing exactly this. I downgraded my lab 2930F to WC16.02 (secondary image), but the behaviour is exactly the same. So I downgraded by reloading the secondary image of my CPPM, and I got the behaviour I expected.
What has changed in CPPM 6.7 regarding dynamic ACLs? Is the above expected or unexpected behaviour?
I have a customer expecting to get dynamic ACLs in his wired network. He is on CPPM 6.7.5 and we went live without the dACL last week. I wasn't able to do these tests before, but I urgently need dACL working on 6.7.5, so does anyone have a workaround?
Thanks,
Erik
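An added example, not part of Erik's post and not Aruba or ClearPass code: a small Python helper that rewrites CIDR-style prefixes in NAS-Filter-Rule strings into the dotted-mask form the post reports as the one the switch enforces, and that flags any rule sitting below a catch-all "permit/deny ... from any to any", which under first-match ACL evaluation can never be hit (the reordering the post describes for the HPE VSA). The rule grammar assumed here is only what the post shows; the function names, the catch-all pattern and the sample rule list are my own constructions.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample, modelled on the three rules in the post but written with
# a CIDR prefix (the form the post reports is NOT enforced via
# Radius:IETF NAS-Filter-Rule on this switch/CPPM combination).
CIDR_RULES = [
    "permit in udp from any to any 53,67",
    "deny in ip from any to 192.168.0.0/16",
    "permit in ip from any to any",
]

# A dotted quad followed by a prefix length, e.g. 192.168.0.0/16.
_CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")

# A rule that matches every packet. The 'ip' keyword is optional because the
# post's own catch-all is written without it. First-match semantics are assumed.
_CATCHALL_RE = re.compile(
    r"^(?:permit|deny)\s+(?:in\s+|out\s+)?(?:ip\s+)?from\s+any\s+to\s+any\s*$"
)


def cidr_to_mask(rule: str) -> str:
    """Rewrite every 'a.b.c.d/n' token in a rule as 'network dotted-mask'.

    Host bits set inside the prefix are cleared (strict=False), so
    10.1.2.3/24 becomes '10.1.2.0 255.255.255.0'. Rules without a prefix
    (e.g. 'any') are returned unchanged.
    """
    def repl(m: re.Match) -> str:
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        return f"{net.network_address} {net.netmask}"
    return _CIDR_RE.sub(repl, rule)


def convert_rules(rules: list[str]) -> list[str]:
    """Convert a whole rule list, preserving the order it was given in."""
    return [cidr_to_mask(r) for r in rules]


def unreachable_after_catchall(rules: list[str]) -> list[int]:
    """Return the indices of all rules placed after the first catch-all rule.

    An empty list means every rule is reachable. A non-empty list is the
    situation the post describes: the deny for the private range has landed
    below 'permit in ip from any to any' and will never match.
    """
    for i, rule in enumerate(rules):
        if _CATCHALL_RE.match(rule.strip()):
            return list(range(i + 1, len(rules)))
    return []


def enforcement_lines(rules: list[str],
                      attr: str = "Radius:IETF NAS-Filter-Rule") -> list[str]:
    """Render rules as '<attribute> <rule>' lines, the way the post lists them."""
    return [f"{attr} {r}" for r in rules]


if __name__ == "__main__":
    mask_rules = convert_rules(CIDR_RULES)
    for line in enforcement_lines(mask_rules):
        print(line)
    # Intended order: the deny sits above the catch-all permit, nothing is shadowed.
    print("unreachable (intended order):", unreachable_after_catchall(mask_rules))
    # Order the post reports for the HPE VSA: the deny ends up below the permit-any.
    reordered = [mask_rules[0], mask_rules[2], mask_rules[1]]
    print("unreachable (reordered):", unreachable_after_catchall(reordered))
```

Run the converted lines through the enforcement profile in place of the CIDR form, and run the reordered list through the second check before trusting a VSA-based profile: a non-empty result means the deny is below the catch-all and the private range is still reachable, exactly the symptom the post describes.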