Regular Contributor I

Guest Post Auth Role needs... to roam between access Points

I am testing Aruba version 8.3.0.3 in our company. We have set up 2 guest roles that use captive portal and they are working well; but this company is big into security and would prefer me to lock the guest access down as much as possible.

 

One of the things I realized was that the Guest Post Authentication role denied access to everything and one must allow specific services such as DNS, HTTP, HTTPS. That is fine; but I realized that multiple Android cell phones would not re-connect to the Aruba Guest SSID unless I applied the rule:

 

ANY source to ANY destination PERMIT Service-DHCP. Then the cell phone was able to roam between access points just fine. Without this rule I saw my Android phone display 'Failed to obtain IP address' when roaming between access points.

 

My question is how can I limit this DHCP rule so a 'rogue' device cannot distribute IP addresses on the guest network?

Regular Contributor I

Re: Guest Post Auth Role needs... to roam between access Points

The following combinations have not worked.

 

- Source-USER, ANY-destination, Permit-DHCP 

 

- Any Device, to Host (DHCP Server IP on Guest VLAN), PERMIT-DHCP

 

Both at the same time

- Any Device, to Network of Access Point IP addresses, PERMIT - DHCP &

- Any Device, to Host (DHCP Server IP on Guest VLAN), PERMIT-DHCP

 

 

The only thing so far that has worked is

ANY Device, ANY Destination, PERMIT-DHCP,   See screen shot.

Guru Elite

Re: Guest Post Auth Role needs... to roam between access Points

You would put the following ACL on top of everything:

 

user any udp 68 deny

 

This will stop a user from responding to dhcp requests.

 

Then you can put "any any service svc-dhcp permit"


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Regular Contributor I

Re: Guest Post Auth Role needs... to roam between access Points

Very good,

 

So if I understand correctly, "... The deny UDP 68 ACL (the default) prevents DHCP replies on a wireless network from wireless users from acting as a DHCP server. ..."

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-purpose-of-denying-UDP-68-traffic/ta-p/177728

 

That should prevent any user sending out DHCP requests that other devices might be listening for in the Pre-Auth Role, correct?

 

Is it a good idea to add the same rule in the Post Authentication Role as well?

Regular Contributor I

Re: Guest Post Auth Role needs... to roam between access Points

Ok,

I have 2 related questions:

 

1.  Does the 'User' reference (in the A.C.L. rule) cover any 'physical device', like a tablet, that connects to the Pre-auth policy?

 

 

2.  When I added the rule, I saw how the original rule was listed in the 'logon-control' policy; but the new rule that I created does not look exactly the same. Specifically, I put down the minimum/maximum values as 68.

     a.  See the attached screen shots.

     b.  I hope that is going to work the same.  I was not allowed to leave the Maximum field empty.

Regular Contributor I

Re: Guest Post Auth Role needs... to roam between access Points

Is it a good idea to put this rule on every WLAN

 

Any - User, Any Destination, UDP-68, Deny access?

Guru Elite

Re: Guest Post Auth Role needs... to roam between access Points

1.  The user refers to any user in the user table.

2.  That is the correct way to do it.

 

You could add it into your post authentication role, as well.  It means that no user can answer a DHCP request.


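To make the two rules from the answers above concrete (deny UDP 68 from "user" first, then permit svc-dhcp for everyone), here is an editor-written model of how an ArubaOS-style session ACL evaluates DHCP traffic. It is not code from the thread or from Aruba: the user table, the 10.20.0.0/24 addresses and the three packets are constructed, and the model assumes the convention the thread and the linked KB article describe, namely that the port in a session ACL rule is the destination port, that "user" matches any entry in the controller's user table, and that svc-dhcp is the predefined alias for UDP 67-68. The "rules reversed" case at the end shows why the deny has to sit on top of everything.

```python
"""Model of an ArubaOS-style session ACL showing why "user any udp 68 deny"
stops a wireless client from acting as a DHCP server while "any any svc-dhcp
permit" still lets real DHCP work.  Editor-written example; the user table,
addresses and packets below are constructed, not captured from a controller."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "user table": wireless clients the controller knows about.
# The DHCP server (10.20.0.1) is wired and therefore NOT in the table.
USER_TABLE = frozenset({"10.20.0.50", "10.20.0.51"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int   # destination port; the ACL port field matches this (assumed convention)


@dataclass(frozen=True)
class Rule:
    src: str       # "user", "any", "host:<ip>" or "network:<cidr>"
    dst: str       # same vocabulary as src
    proto: str     # "udp" or "tcp"
    port_min: int
    port_max: int
    action: str    # "permit" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse rules written in the thread's CLI form, e.g.
    'user any udp 68 deny' or 'any any svc-dhcp permit'."""
    tokens = line.split()
    src, dst, service, action = tokens[0], tokens[1], tokens[2], tokens[-1]
    ports = [int(t) for t in tokens[3:-1]]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    if service == "svc-dhcp":          # predefined alias for UDP 67-68
        return Rule(src, dst, "udp", 67, 68, action)
    if service in ("udp", "tcp") and ports:
        return Rule(src, dst, service, ports[0], ports[-1], action)
    raise ValueError(f"unsupported service in rule: {line!r}")


def endpoint_matches(spec: str, addr: str, user_table: frozenset) -> bool:
    if spec == "any":
        return True
    if spec == "user":                  # "user" = any entry in the user table
        return addr in user_table
    kind, _, value = spec.partition(":")
    if kind == "host":
        return addr == value
    if kind == "network":
        return ip_address(addr) in ip_network(value)
    raise ValueError(f"unknown endpoint spec: {spec!r}")


def evaluate(acl: list, pkt: Packet, user_table: frozenset, default: str = "deny") -> str:
    """First-match evaluation; a role whose rules match nothing denies by
    default, which is the post-auth behaviour the original poster observed."""
    for rule in acl:
        if (endpoint_matches(rule.src, pkt.src, user_table)
                and endpoint_matches(rule.dst, pkt.dst, user_table)
                and pkt.proto == rule.proto
                and rule.port_min <= pkt.dport <= rule.port_max):
            return rule.action
    return default


# The two rules from the thread, deny first, as the answer specifies.
GUEST_ACL = [parse_rule("user any udp 68 deny"),
             parse_rule("any any svc-dhcp permit")]

# Constructed DHCP traffic on the guest VLAN.
SCENARIOS = {
    # client -> broadcast, DISCOVER/REQUEST: destination port 67
    "client_discover": Packet("10.20.0.50", "255.255.255.255", "udp", 67),
    # wired DHCP server -> client, OFFER/ACK: destination port 68
    "server_offer":    Packet("10.20.0.1",  "10.20.0.50", "udp", 68),
    # rogue wireless client pretending to be a server: also port 68
    "rogue_offer":     Packet("10.20.0.51", "10.20.0.50", "udp", 68),
}


def run_scenarios(acl: list, user_table: frozenset = USER_TABLE) -> dict:
    return {name: evaluate(acl, pkt, user_table) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios(GUEST_ACL).items():
        print(f"{name:16s} {verdict}")
    # Reversing the order silently re-enables rogue DHCP: the broad permit
    # matches port 68 first and the deny is never reached.
    print("rogue_offer with rules reversed:",
          run_scenarios(list(reversed(GUEST_ACL)))["rogue_offer"])
```

The legitimate client DISCOVER (destination port 67) and the wired server's OFFER (source not in the user table) both pass, while a client that tries to answer DHCP (destination port 68, source in the user table) is dropped by the first rule. Swapping the two rules lets the rogue OFFER through, which is why the answer says to put the deny on top.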
Regular Contributor I

Re: Guest Post Auth Role needs... to roam between access Points

Hello Cjoseph,

 

Your explanation is a little different from https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-purpose-of-denying-UDP-68-traffic/ta-p/177728

 

I just want to make sure I understand. The following article I think clarifies. https://community.arubanetworks.com/t5/Controllerless-Networks/How-do-i-create-a-rule-for-IAP-s-to-prevent-users-from-issuing/m-p/241784

 

Please let me know if you confirm. "... if you want to allow a client to get an IP address, allow UDP 67 traffic from the client, if you want to stop the client to Assign/Renew the IP, Deny ( Stop) UDP 68 traffic from the Client. ..."

 

To me it sounds as if denying UDP port 68 prevents users (from the user table) from assigning IP addresses to other devices.
