Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ACLs behaving badly

  • 1.  ACLs behaving badly

    Posted Mar 06, 2014 03:06 AM

    I've got a weird situation where it seems traffic is denied by an ACL when it shouldn't be.

    It is a normal guest setup (controller based, ArubaOS 6.0) and the logon role has three policies: captive portal, modified logon control (only one DNS server) and deny internal networks.

    But when the user tries to get the captive portal to open, I see that DNS traffic to the server, which should be allowed, is denied, both via the GUI and CLI. Is there somewhere else an ACL might have kicked in to cause this?



  • 2.  RE: ACLs behaving badly

    EMPLOYEE
    Posted Mar 06, 2014 03:17 AM

    Can you show us the show rights for your guest pre-auth role please?



  • 3.  RE: ACLs behaving badly

    EMPLOYEE
    Posted Mar 06, 2014 03:24 AM

    Is the user traffic crossing another untrusted interface, like an untrusted VLAN or physical interface?  If you have a problem, the best thing to do is to look at your audit trail to see how you got there in the first place...



  • 4.  RE: ACLs behaving badly

    Posted Mar 06, 2014 03:50 AM

    @Michael_Clarke

     

    Derived Role = 'guest-prelogon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 57/0
     Max Sessions = 65535

     Captive Portal profile = default

    access-list List
    ----------------
    Position  Name           Type     Location
    --------  ----           ----     --------
    1         captiveportal  session
    2         logon-ctrl     session
    3         deny-internal  session

    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    logon-ctrl
    ----------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          svc-dhcp  permit                           Low                                                           4
    2         any     theDNS       svc-dns   permit                           Low                                                           4
    deny-internal
    -------------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     localNets    any      deny                             Low                                                           4

    Expired Policies (due to time constraints) = 0


    @cjoseph

     

    You mean putting the logging level higher for the user and following the log? The audit trail is for changes made to the config, right?



  • 5.  RE: ACLs behaving badly

    EMPLOYEE
    Posted Mar 06, 2014 03:51 AM

    Yes.  Type "show audit-trail all" to see how you got into your current situation.



  • 6.  RE: ACLs behaving badly

    EMPLOYEE
    Posted Mar 06, 2014 05:20 AM

    Try putting the logon-control ACL above the captiveportal ACL.



  • 7.  RE: ACLs behaving badly

    Posted Mar 06, 2014 05:29 AM

    A good thing to check:

    If your captive portal controller / DNS server is in the internal network and you are blocking traffic to it, it may be affecting your clients.

    Try disabling the deny-internal ACL and let us know if it's working for you.



  • 8.  RE: ACLs behaving badly

    Posted Mar 06, 2014 01:47 PM

    @Michael_Clarke any reason for that?

    @kdisc98, ACLs are processed in order, right? So even if the DNS server and captive portal are within the internal net (which they are), that should matter, right?

    Shamefully the system was rebooted and the issue went away; config-wise nothing changed. Still a bit in doubt about what the cause could have been, but I will use these tips for the next time.



  • 9.  RE: ACLs behaving badly

    Posted Mar 06, 2014 01:55 PM

    @kdisc98, ACLs are processed in order, right? So even if the DNS server and captive portal are within the internal net (which they are), that should matter, right?

     In order for the user to see the captive portal, the controller must be able to resolve the client request (and it's better to do the logon-control first and then the captive-portal; the logon-control has all the needed basic services like DNS/DHCP/NAT...).

    Shamefully the system was rebooted and the issue went away; config-wise nothing changed. Still a bit in doubt about what the cause could have been, but I will use these tips for the next time.

    Ok... :( :(  I don't like not knowing what's causing issues :)

    Are you sure that the client you tested with didn't get another ACL while you tried to log in? It sounds like your user-db had a record of your device....

     



  • 10.  RE: ACLs behaving badly

    Posted Mar 06, 2014 02:02 PM

    @kdisc98 wrote:
    Ok... :( :(  I don't like not knowing what's causing issues :)

    Are you sure that the client you tested with didn't get another ACL while you tried to log in? It sounds like your user-db had a record of your device....


    Me neither, but the issue seemed so weird that it was a choice between a reboot or spending another hour staring at the issue.

    I'm quite sure the role and ACLs were correct; I removed the client once via the CLI (aaa user delete) so it would come back fresh. The counters for the ACL also went up in the GUI.

    Anyhow, let's put it away as an incident and move to a newer ArubaOS version.
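To make the ordering discussion in this thread concrete, here is an added Python model (not ArubaOS code and not from any poster) of first-match evaluation over the guest-prelogon role shown in the show rights output; the IP addresses behind the controller, theDNS and localNets aliases are constructed assumptions. It shows that DNS to theDNS is permitted by logon-ctrl before deny-internal is ever reached, that moving deny-internal to the top would deny it, and that swapping logon-ctrl above captiveportal does not change the DNS result.

```python
from ipaddress import ip_address, ip_network

# Netdestination aliases from the thread; the addresses behind them are
# constructed assumptions, as is the whole sample.
ALIASES = {
    "any": [ip_network("0.0.0.0/0")],
    "controller": [ip_network("10.0.0.1/32")],
    "theDNS": [ip_network("10.0.0.53/32")],
    "localNets": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}
# Service aliases used in the role as (protocol, destination port);
# the three svc-http-proxy rules are left out for brevity.
SERVICES = {
    "svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
}
# Rules as (source, destination, service, action), in priority order.
CAPTIVEPORTAL = [("user", "controller", "svc-https", "dst-nat 8081"),
                 ("user", "any", "svc-http", "dst-nat 8080"),
                 ("user", "any", "svc-https", "dst-nat 8081")]
LOGON_CTRL = [("any", "any", "svc-dhcp", "permit"),
              ("any", "theDNS", "svc-dns", "permit")]
DENY_INTERNAL = [("any", "localNets", "any", "deny")]
# The role in the position order "show rights guest-prelogon" listed.
GUEST_PRELOGON = [("captiveportal", CAPTIVEPORTAL),
                  ("logon-ctrl", LOGON_CTRL),
                  ("deny-internal", DENY_INTERNAL)]

def _dst_hits(alias, addr):
    return any(addr in net for net in ALIASES[alias])

def _rule_matches(rule, flow):
    src, dst, svc, _ = rule
    # Flows here always originate from the client, so "user" and "any"
    # both match on the source side.
    if src not in ("any", "user") or not _dst_hits(dst, flow["dst"]):
        return False
    return svc == "any" or SERVICES[svc] == (flow["proto"], flow["dport"])

def evaluate(policies, flow):
    """Walk policies in position order, rules in priority order; the first
    match decides, and a flow matching nothing hits the implicit deny."""
    for name, rules in policies:
        for prio, rule in enumerate(rules, start=1):
            if _rule_matches(rule, flow):
                return (name, prio, rule[3])
    return ("implicit", 0, "deny")

def flow(dst, proto, dport):
    return {"dst": ip_address(dst), "proto": proto, "dport": dport}
```

Running `evaluate(GUEST_PRELOGON, flow("10.0.0.53", "udp", 53))` returns the logon-ctrl permit, so a real deny on that flow points away from these three policies and toward another role, user entry or untrusted interface, which is what the audit trail and user-db checks above are for.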