Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Guest Access Issue

  • 1.  Guest Access Issue

    Posted Mar 20, 2018 06:56 AM

    Hello Community,

    I have a problem with an Aruba 7010 controller and guest Internet access. Firmware ArubaOS 8.2.0.2, standalone controller.

    I have created a VLAN ID and VLAN interface for Internet access:

    interface vlan 666
        ip address 212.80.xxx.xxx 255.255.255.248
        description "Internet-Zugang"

    I bound it to an interface and also added the default route through the Internet.

    ip default-gateway 212.80.xxx.xxx

    Now I want my guest traffic to be NATted out through this interface, so I created a VLAN for my guests with DHCP server enabled and IP NAT inside:

    interface vlan 180
        ip address 192.168.179.1 255.255.255.0
        no suppress-arp
        ip nat inside

    When I connect to my network, I get an IP address, see the captive portal, and after entering the correct credentials I am placed in the default guest user role. That's all fine.

    Now I can resolve DNS names with nslookup, and I can ping and traceroute out to the Internet.

    But I am not able to connect to any website.

    When I look at the CLI and type "show datapath session table", I can see a "DENY" flag on port 80 and 443 connections.

    I tried to use the "authenticated" role instead of the guest role, but there was no change. I was still unable to access any website.

    I have no idea where the problem might be. Are there any additional steps I need to do? Can you help me?

    Thanks



  • 2.  RE: Guest Access Issue

    EMPLOYEE
    Posted Mar 20, 2018 07:49 AM

    What is the user role after the user authenticates?

    Type "show rights <role>" to see what ACLs are being applied.



  • 3.  RE: Guest Access Issue

    Posted Mar 20, 2018 07:56 AM

    The applied role after successful captive portal authentication is "guest":

    (WLAN-CNTRL-1) *[mynode] #show rights guest
    
    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest'
     Up BW contract = guestupstreamper-roleui (21000000 bits/sec)   Down BW contract = guestdownstreamper-roleui (20000000 bits/sec)
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 0
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 7/0
     Openflow: Enabled
     Max Sessions = 65535
    
     Check CP Profile for Accounting = TRUE
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name              Type     Location
    --------  ----              ----     --------
    1         global-sacl       session
    2         apprf-guest-sacl  session
    3         ra-guard          session
    4         http-acl          session
    5         https-acl         session
    6         dhcp-acl          session
    7         icmp-acl          session
    8         dns-acl           session
    9         v6-http-acl       session
    10        v6-https-acl      session
    11        v6-dhcp-acl       session
    12        v6-icmp-acl       session
    13        v6-dns-acl        session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    apprf-guest-sacl
    ----------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    ra-guard
    --------
    Priority  Source  Destination  Service          Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         user    any          icmpv6 rtr-adv                deny                             Low                                            6
    http-acl
    --------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-http               permit                           Low                                            4
    https-acl
    ---------
    Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-https               permit                           Low                                            4
    dhcp-acl
    --------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-dhcp               permit                           Low                                            4
    icmp-acl
    --------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-icmp               permit                           Low                                            4
    dns-acl
    -------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-dns               permit                           Low                                            4
    v6-http-acl
    -----------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-http               permit                           Low                                            6
    v6-https-acl
    ------------
    Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-https               permit                           Low                                            6
    v6-dhcp-acl
    -----------
    Priority  Source  Destination  Service      Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------      -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-v6-dhcp               permit                           Low                                            6
    v6-icmp-acl
    -----------
    Priority  Source  Destination  Service      Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------      -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-v6-icmp               permit                           Low                                            6
    v6-dns-acl
    ----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
    1         any     any          svc-dns               permit                           Low                                            6
    
    Expired Policies (due to time constraints) = 0


  • 4.  RE: Guest Access Issue

    EMPLOYEE
    Posted Mar 20, 2018 08:01 AM

    Do you have an ACL on the controller's uplink to the internet?

    Type "show acl hits" to see if you can see what is denying access.



  • 5.  RE: Guest Access Issue

    Posted Mar 20, 2018 08:06 AM

    No, I didn't have an ACL on the uplink. "show acl hits" shows this:

    (WLAN-CNTRL-1) *[mynode] #show acl hits
    
    User Role ACL Hits
    ------------------
    Role                   Policy            Src   Dst                  Service/Application  Action   Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
    ----                   ------            ---   ---                  -------------------  ------   -----------  --------  ----------  -----  ---------
    logon                  logon-control     user  any                  17 68-68             deny                  19        19          9670   ipv4
    logon                  logon-control     any   any                  svc-icmp             permit                1052      1052        9671   ipv4
    logon                  logon-control     any   any                  svc-dns              permit                2135      2135        9672   ipv4
    logon                  captiveportal     user  any                  svc-http             dst-nat  8080         5         5           9678   ipv4
    logon                  captiveportal     user  any                  svc-https            dst-nat  8081         2         2           9679   ipv4
    logon                  captiveportal     user  any                  svc-http-proxy1      dst-nat  8088         1         1           9680   ipv4
    logon                  captiveportal     user  any                  svc-http-proxy2      dst-nat  8088         2         2           9681   ipv4
    logon                  captiveportal     user  any                  svc-http-proxy3      dst-nat  8088         1         1           9682   ipv4
    guest                  http-acl          any   any                  svc-http             permit                14090     14090       9855   ipv4
    guest                  https-acl         any   any                  svc-https            permit                87973     87973       9856   ipv4
    guest                  dhcp-acl          any   any                  svc-dhcp             permit                2014      2014        9857   ipv4
    guest                  icmp-acl          any   any                  svc-icmp             permit                1477      1477        9858   ipv4
    guest                  dns-acl           any   any                  svc-dns              permit                89526     89526       9859   ipv4
    sys-ap-role            sys-control       any   any                  sys-svc-papi         permit                1234992   1234992     9706   ipv4
    sys-ap-role            sys-control       any   any                  sys-svc-sec-papi     permit                206075    206075      9708   ipv4
    sys-ap-role            sys-control       any   any                  sys-svc-natt         permit                263731    263731      9718   ipv4
    sys-ap-role            sys-ap-acl        any   any                  sys-svc-gre          permit                279       279         9721   ipv4
    sys-ap-role            sys-ap-acl        any   any                  sys-svc-syslog       permit                835       835         9723   ipv4
    dw-guest-guest-logon   logon-control     any   any                  svc-icmp             permit                333       333         9527   ipv4
    dw-guest-guest-logon   logon-control     any   any                  svc-dns              permit                33666     33666       9528   ipv4
    dw-guest-guest-logon   logon-control     any   any                  svc-dhcp             permit                2458      2458        9529   ipv4
    dw-guest-guest-logon   logon-control     any   240.0.0.0 240.0.0.0  any                  deny                  44        44          9532   ipv4
    dw-guest-guest-logon   captiveportal     user  controller           svc-https            dst-nat  8081         2086      2086        9533   ipv4
    dw-guest-guest-logon   captiveportal     user  any                  svc-http             dst-nat  8080         13825     13825       9534   ipv4
    dw-guest-guest-logon   captiveportal     user  any                  svc-https            dst-nat  8081         32691     32691       9535   ipv4
    dw-guest-guest-logon   captiveportal     user  any                  svc-http-proxy1      dst-nat  8088         20        20          9536   ipv4
    dw-guest-guest-logon   captiveportal     user  any                  svc-http-proxy2      dst-nat  8088         78        78          9537   ipv4
    authenticated          allowall          any   any                  any                  permit                236062    236062      9563   ipv4
    dwh_guest-guest-logon  logon-control     any   any                  svc-icmp             permit                416       416         9810   ipv4
    dwh_guest-guest-logon  logon-control     any   any                  svc-dns              permit                1470      1470        9811   ipv4
    dwh_guest-guest-logon  logon-control     any   any                  svc-dhcp             permit                42        42          9812   ipv4
    dwh_guest-guest-logon  captiveportal     user  controller           svc-https            dst-nat  8081         122       122         9816   ipv4
    dwh_guest-guest-logon  captiveportal     user  any                  svc-http             dst-nat  8080         486       486         9817   ipv4
    dwh_guest-guest-logon  captiveportal     user  any                  svc-https            dst-nat  8081         239       239         9818   ipv4
    dw-authenticated       dw-authenticated  any   any                  6 443-443            src-nat               805       805         9880   ipv4
    dw-authenticated       allowall          any   any                  any                  permit                942       942         9881   ipv4
    
    Port Based Session/Route ACL
    ----------------------------
    Policy     Src                      Dst  Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
    ------     ---                      ---  -------------------  ------  -----------  --------  ----------  -----  ---------
    validuser  169.254.0.0 255.255.0.0  any  any                  deny                 392       392         9495   ipv4
    validuser  any                      any  any                  permit               2138      2138        9499   ipv4
    
    Port ACL Hits
    -------------
    ACL  ACE  New Hits  Total Hits  Index  Ipv4/Ipv6
    ---  ---  --------  ----------  -----  ---------
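    The "show acl hits" table above is fixed-width, and several cells contain a single space ("17 68-68", "240.0.0.0 240.0.0.0"), so splitting on whitespace misreads it. The following Python triage helper is an added example, not part of this thread and not an HPE Aruba tool: it derives the column boundaries from the dash ruler line, parses each row of the "User Role ACL Hits" section, and then reports which deny rules have counted hits and which services a given role actually permits. The sample table is a constructed subset of the rows posted above; the column names and layout are assumed to match this ArubaOS 8.2 output only.

```python
"""Triage helper for ArubaOS 'show acl hits' output.

Added example, not from the forum thread and not an HPE Aruba tool.
Column boundaries are taken from the dash ruler under the header, so
cells that contain a single space (e.g. '17 68-68') stay intact.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the rows posted in the thread, copied
# with the original spacing. Only the 'User Role ACL Hits' section is parsed.
SAMPLE = """\
User Role ACL Hits
------------------
Role                   Policy            Src   Dst                  Service/Application  Action   Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
----                   ------            ---   ---                  -------------------  ------   -----------  --------  ----------  -----  ---------
logon                  logon-control     user  any                  17 68-68             deny                  19        19          9670   ipv4
logon                  captiveportal     user  any                  svc-http             dst-nat  8080         5         5           9678   ipv4
guest                  http-acl          any   any                  svc-http             permit                14090     14090       9855   ipv4
guest                  https-acl         any   any                  svc-https            permit                87973     87973       9856   ipv4
dw-guest-guest-logon   logon-control     any   240.0.0.0 240.0.0.0  any                  deny                  44        44          9532   ipv4
authenticated          allowall          any   any                  any                  permit                236062    236062      9563   ipv4

Port Based Session/Route ACL
----------------------------
"""


@dataclass
class AclHit:
    role: str
    policy: str
    src: str
    dst: str
    service: str
    action: str
    dest_opcode: str   # empty unless the action is dst-nat / src-nat
    new_hits: int
    total_hits: int
    index: int
    ip_version: str


def _column_spans(ruler: str) -> List[Tuple[int, Optional[int]]]:
    """Each run of dashes starts a column; a column ends where the next begins."""
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    return [(s, starts[i + 1] if i + 1 < len(starts) else None)
            for i, s in enumerate(starts)]


def _is_ruler(line: str) -> bool:
    stripped = line.strip()
    return bool(stripped) and set(stripped) <= {"-", " "}


def parse_user_role_acl_hits(text: str) -> List[AclHit]:
    """Parse every 'Role ... Ipv4/Ipv6' table in the output into AclHit records."""
    lines = text.splitlines()
    hits: List[AclHit] = []
    i = 0
    while i < len(lines):
        if lines[i].startswith("Role") and i + 1 < len(lines) and _is_ruler(lines[i + 1]):
            spans = _column_spans(lines[i + 1])
            j = i + 2
            while j < len(lines) and lines[j].strip():  # rows end at the blank line
                cells = [lines[j][s:e].strip() for s, e in spans]
                if len(cells) != 11:
                    raise ValueError(f"unexpected column count on line {j + 1}")
                hits.append(AclHit(
                    role=cells[0], policy=cells[1], src=cells[2], dst=cells[3],
                    service=cells[4], action=cells[5], dest_opcode=cells[6],
                    new_hits=int(cells[7]), total_hits=int(cells[8]),
                    index=int(cells[9]), ip_version=cells[10]))
                j += 1
            i = j
        else:
            i += 1
    return hits


def deny_rules_with_hits(hits: List[AclHit]) -> List[AclHit]:
    """Deny rules that have actually matched traffic: the first place to look."""
    return [h for h in hits if h.action == "deny" and h.total_hits > 0]


def permitted_services(hits: List[AclHit], role: str) -> List[str]:
    """Services a role permits, to compare against what clients actually need."""
    return sorted({h.service for h in hits if h.role == role and h.action == "permit"})


if __name__ == "__main__":
    parsed = parse_user_role_acl_hits(SAMPLE)
    for h in deny_rules_with_hits(parsed):
        print(f"{h.role}: {h.policy} denies {h.service} to {h.dst} ({h.total_hits} hits)")
    print("guest permits:", permitted_services(parsed, "guest"))
```

    Run against a fresh capture taken while a guest client is trying to load a page (as the reply below asks for), the deny list shows immediately whether any rule in the guest role is counting hits; on the sample, the only deny hits belong to the logon roles, which is consistent with the http-acl and https-acl permits in the guest role matching.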


  • 6.  RE: Guest Access Issue

    EMPLOYEE
    Posted Mar 20, 2018 08:14 AM

    You should have a user in that role and be actively trying to pass traffic.  Collect the output right after that.



  • 7.  RE: Guest Access Issue

    Posted Mar 20, 2018 08:20 AM

    OK, I will do it when I am on site again. For now I can only look from a remote location.

    But is the configuration basically correct? One interface for the Internet with an external IP address, default route on that interface, another interface for guests with "ip nat inside" and a role that allows DNS, HTTP and HTTPS outside? Or did I forget something?



  • 8.  RE: Guest Access Issue

    EMPLOYEE
    Posted Mar 20, 2018 01:16 PM

    On the face of it, that could work, but you could be doing something else that is blocking your traffic.