Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controller ACL problem

1. Controller ACL problem

    Posted Aug 02, 2019 11:05 AM

    Folks, I've posted before about odd behaviour with ACLs. Recently I've come across a problem that I can't explain. Yes, I will open a TAC case about this, but in the meantime, can anyone else explain this behaviour?

    Here's the scenario. Some tactical bodycams used by a team connect to a PSK protected SSID in order to upload captured footage and check into their management system. A PC connected to our wired network runs a utility that sweeps through configured addresses looking for an FTP server running on a camera. I don't trust the cameras, so need to restrict what they can talk to, and what can talk to them.


    The role "camera" is assigned to anything associated with the SSID and a VLAN is assigned to the VAP.

    There are three policies in the role: dns-acl, dhcp-acl, camera.

    The camera policy contains two entries - one allows any traffic from the wired subnet of the local PCs to the subnet of the camera vlan, the other allows anything from the camera vlan to the local PC subnet.

    This was set up some months ago and everything worked exactly as expected, until some point in late June when three of the cameras stopped working. These cameras connected to the WiFi, got an IP and responded to ping, but could not be reached via FTP. Because other cameras were working, I diagnosed a problem with the cameras and moved on. It's important to note we're not aware of anything having changed.

    Then, a couple of weeks later, this time after an upgrade to 8.4.0.4, which has proven to be extremely problematic, the rest of the cameras stopped working.

    After further testing I found the cameras were not the problem.


    Adding an allow-all policy to the role meant everything worked immediately. I then added deny with log and could see things hitting that rule and being logged.

    I deleted the role camera policy and re-created it. I deleted the role and recreated it. I kicked any active connections and re-associated. Nothing would work.


    "show rights" looked as expected.

    I'm left with no explanation as to why this wasn't working - why in fact it stopped working after being fine. 


    Any suggestions welcome.
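The role and policy described in the post, written out as standalone-controller ArubaOS CLI with the trailing deny-with-log rule the poster added, followed by the show commands used to check what the controller is actually enforcing. This is an added example, not the poster's configuration or output: the subnets (10.10.20.0/24 for the wired PCs, 10.10.30.0/24 for the camera VLAN), the sample camera address 10.10.30.25 and the AAA profile name are placeholders, and the dns-acl and dhcp-acl policies are assumed to exist already, as they do in the post.

```text
! Session ACL for the camera role. Session ACLs are evaluated first-match and
! are stateful: return traffic for a session permitted by rule 1 is allowed
! automatically, so rule 2 is only needed for connections the cameras
! themselves initiate (check-ins to their management system).
! Subnets are placeholders (assumption).
ip access-list session camera
  network 10.10.20.0 255.255.255.0 network 10.10.30.0 255.255.255.0 any permit
  network 10.10.30.0 255.255.255.0 network 10.10.20.0 255.255.255.0 any permit
  any any any deny log
!
! Role applied to everything on the SSID. Policies are walked in the order
! listed, first match wins, so the per-service allows go before "camera".
user-role camera
  access-list session dns-acl
  access-list session dhcp-acl
  access-list session camera
!
! Role assignment: the AAA profile referenced by the VAP hands out "camera"
! as the initial role. Profile name is a placeholder (assumption).
aaa profile camera-aaa
  initial-role camera
!
! Checks, run on the controller the cameras terminate on:
! - the role as the controller derived it, with the policies in order
show rights camera
! - per-rule hit counters; shows which rule the FTP traffic is matching
show acl hits
! - role and ACLs actually applied to one camera (placeholder IP)
show user ip 10.10.30.25
! - live sessions for that camera; flag D marks sessions the firewall denied
show datapath session table 10.10.30.25
```

On a Mobility Master deployment the same objects are configured at the managed-device node rather than on the controller directly. The point of the three check commands after "show rights" is that they report the datapath's view rather than the configuration: when "show rights" looks correct but traffic still fails, "show acl hits" and the D flag in the session table tell you which rule the controller is really applying to the flow, and the entries produced by the deny-log rule appear in the security log (show log security).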