Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

problem aaa roles

  • 1.  problem aaa roles

    Posted May 02, 2016 01:06 AM
    [attachment: screenshot]

    Hi all, I have been running Aruba wireless on my client's site for over a year, but I found something wrong this week: my wireless client could not do HTTP or FTP to one of their servers, but I can ping it. Then I ran 'show datapath session table ...ip...' and found the flag is FYDCA. The question is, how can I know what policy is blocking it? Because I created whole new policies, a role and then an SSID, but it is still blocked. Please help.



  • 2.  RE: problem aaa roles

    EMPLOYEE
    Posted May 02, 2016 03:46 AM

    I would go from your screenshot to the firewall policies in the following steps:

     

    1) Get the IP for which you have this issue; look it up in the user-table and find the corresponding role:

    (Aruba7005) #show user
    
    Users
    -----
        IP                          MAC            Name          Role           Age(d:h:m)  Auth    VPN link  AP name              Roaming   Essid/Bssid/Phy                    Profile             Forward mode  Type     Host Name
    ----------                 ------------       ------         ----           ----------  ----    --------  -------              -------   ---------------                    -------             ------------  ----     ---------
    fe80::10c5:ccab:a65a:a360  5c:f5:xx:xx:x:xx  userid        BYOD           00:01:29    802.1x            AP215-BG-8f:1e       Wireless  WLAN_WPA2/ac:a3:1e:d8:xx:xx/a-HT   WLAN_WPA2-aaa_prof  tunnel        iPad
    

    This user has the role BYOD.

    Now check the firewall policy for this role with the show rights command:

    (Aruba7005) # show rights BYOD
    
    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'BYOD'
     Up BW contract = 5M-BYOD(5000000 bits/sec)   Down BW contract = 5M-BYOD(5000000 bits/sec)
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 0
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 105/0
     Max Sessions = 65535
    
     Check CP Profile for Accounting = TRUE
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name               Type     Location
    --------  ----               ----     --------
    1         global-sacl        session
    2         apprf-BYOD-sacl  session
    3         BYOD               session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-BYOD-sacl
    -----------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    BYOD
    ------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     255.255.255.255          svc-dhcp               permit                           Low                                                           4
    2         any     10.0.0.0 255.0.0.0       any                    deny               Yes           Low                                                           4
    3         any     172.16.0.0 255.240.0.0   any                    deny               Yes           Low                                                           4
    4         any     192.168.0.0 255.255.0.0  any                    deny               Yes           Low                                                           4
    5         any     any                      any                    permit             Yes           Low                                                           4
    
    Expired Policies (due to time constraints) = 0
    

     



  • 3.  RE: problem aaa roles

    Posted May 02, 2016 04:08 AM

    Hi, thank you for the reply. I'm aware of that; here is the output:

    The user role is ftp:

    Name: , IP: 10.50.32.12, MAC: e8:b1:fc:18:60:1e, Role: ftp, ACL: 83/0, Age: 00:03:54
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: Default VLAN
    Idle timeout (global): 30 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 0
    phy_type: g-HT-20, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 5, Assigned: 5, Current: 5 vlan-how: 1 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x2100, Port=0x1008f (tunnel 143)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
        Current Role name: ftp, role-how: 10, L2-role: ftp, L3-role: ftp
    Essid: aruba-ap, Bssid: ac:a3:1e:db:f5:c2 AP name/group: AP15-TIK03/semar-lowpower Phy-type: g-HT-20
    RadAcct sessionID:n/a
    RadAcct Traffic In 175199/30660140 Out 131188/18575510 (2:44127/0:0:467:54828,2:116/0:0:283:28822)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:ftp, dot1x:, mac: CP: def-role:'ftp' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 0, RADIUS interim accounting 0
    IP Born: 1462161617 (Mon May  2 11:00:17 2016)
    Core User Born: 1462161616 (Mon May  2 11:00:16 2016)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.32
    HTTP based device-id info - Index: 45, Device: Windows
    Overall device-id info - Index: 27, Device: Windows
    L3-Auth Session Timeout from Radius: 0
    Mac-Auth Session Timeout Value from Radius: 0
    Dot1x Session Timeout Value from Radius: 0
    CoA Session Timeout Value from Radius: 0
    Dot1x Session Term-Action Value from Radius: Default
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    mac auth server: N/A, dot1x auth server: N/A
    Address is from DHCP: yes
    Per-user-log pointer 0x1972d34 (id 9671), num logs 1


    The phy column shows client's operational capabilities for current association

    Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client V: 802.11v BSS trans capable

    PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz
                 VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
                 <n>ss: <n> spatial streams

    Association Table
    -----------------
    Name        bssid              mac                auth  assoc  aid  l-int  essid     vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags  Band steer moves (T/S)
    ----        -----              ---                ----  -----  ---  -----  -----     -------  ---------  ---             -----------  ---------  -----  ----------------------
    AP15-TIK03  ac:a3:1e:db:f5:c2  e8:b1:fc:18:60:1e  y     y      1    250    aruba-ap  5        0x1008f    g-HT-20sgi-2ss  3h:55m:22s   1          WA     0/0

    e8:b1:fc:18:60:1e-ac:a3:1e:db:f5:c2 Stats
    ------------------------------------------
    Parameter                            Value
    ---------                            -----
    Channel                              1
    Channel Frame Retry Rate(%)          6
    Channel Frame Low Speed Rate(%)      0
    Channel Frame Non Unicast Rate(%)    1
    Channel Frame Fragmentation Rate(%)  0
    Channel Frame Error Rate(%)          0
    Channel Bandwidth Rate(kbps)         260
    Channel Noise                        97
    Client Frame Retry Rate(%)           9
    Client Frame Low Speed Rate(%)       0
    Client Frame Non Unicast Rate(%)     0
    Client Frame Fragmentation Rate(%)   0
    Client Frame Receive Error Rate(%)   22
    Client Bandwidth Rate(kbps)          200
    Client Tx Packets                    306082
    Client Rx Packets                    121225
    Client Tx Bytes                      38698277
    Client Rx Bytes                      16966623
    Client SNR                           45
    A2c_SM SeqNum, Old SeqNums           3563 0

    and the ftp role is:

    (Aruba7220) #show rights ftp

    Derived Role = 'ftp'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Web Content Classification: Enabled
     ACL Number = 83/0
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name            Type     Location
    --------  ----            ----     --------
    1         global-sacl     session
    2         apprf-ftp-sacl  session
    3         allowall        session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-ftp-sacl
    --------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    allowall
    --------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit                           Low                                                           4
    2         any     any          any-v6                permit                           Low                                                           6

    Expired Policies (due to time constraints) = 0

    Allow all, because I created this role for troubleshooting, so I just gave it allow all, but the problem is that traffic to the FTP and HTTP ports is still blocked.

     



  • 4.  RE: problem aaa roles

    EMPLOYEE
    Posted May 02, 2016 04:46 AM

    Your output also shows the flag Y (No SYN), which indicates that the blocked session does not go through the firewall from the start of the session; or it can be that you have asymmetric routing (the client is connected to two networks; can it be wired and wireless??).

     

    If you have your client connected to the wired as well, please disconnect your wired connection and restart your application before you test again.

     

    Advanced Services > Stateful Firewall > Global Settings; uncheck the option "Enforce TCP Handshake Before Allowing Data". This option should not need to be unchecked, unless there are some issues in your routing/network.

     

    If this does not help, please work through your partner with Aruba TAC to get this investigated. It looks weird to me and does not reflect what I normally see.



  • 5.  RE: problem aaa roles

    Posted May 02, 2016 04:58 AM

    First, no, there is no other connection; I just turned on the Wi-Fi. Second, it's unchecked already. Thanks anyway.