Occasional Contributor II

Guest Wireless Network doesn't block access before authentication

Hi,

My infrastructure consists of Aruba 315 access points and we have a guest network with authentication.

We have a dedicated VLAN for this network and the rules created block access to all private networks.

We found that when we are connected to the guest network prior to authentication, we have access to public IPs from the command line, but when we go through the browser it doesn't work as expected.

Is there any configuration we can do to block all access until authentication is done on the authentication page?

##########################################################

Scanning www.google.com (172.217.17.4) [4 ports]
Completed Ping Scan at 10:33, 2.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:33
Completed Parallel DNS resolution of 1 host. at 10:33, 5.54s elapsed
Initiating SYN Stealth Scan at 10:33

Nmap scan report for www.google.com (172.217.17.4)
Host is up (0.0032s latency).
rDNS record for 172.217.17.4: mad07s09-in-f4.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http mini_httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: <empty>
|_http-title: Did not follow redirect to https://securelogin.hpe.com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f7777772e676f6f676c652e636f6d2f
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|storage-misc
Running (JUST GUESSING): Crestron 2-Series (87%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (87%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 12.225 days (since Sat Aug 31 05:10:34 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 ...
2 2.00 ms mad07s09-in-f4.1e100.net (172.217.17.4)

NSE: Script Post-scanning.
Initiating NSE at 10:34
Completed NSE at 10:34, 0.00s elapsed
Initiating NSE at 10:34
Completed NSE at 10:34, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.88 seconds
Raw packets sent: 2096 (97.232KB) | Rcvd: 73 (3.977KB)

Frequent Contributor II

Re: Guest Wireless Network doesn't block access before authentication

You should create 2 roles, 1 pre-logon-guest and 1 authenticated-guest.

When a client connects it will be assigned the pre-logon-guest role; in this role an ACL denies all traffic.

After authentication, you assign the role authenticated-guest; this role has an ACL that blocks internal subnets but allows internet.

----------Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE----------
Feel free to give kudos or accept as a solution!

Occasional Contributor II

Re: Guest Wireless Network doesn't block access before authentication

Hi Fabien,

Thank you for your feedback.

I created another wireless network to test, with 2 rules, one pre_authentication and the other after authentication, but I still have the same behavior: I can get to public IPs on the internet from the command line.

What more do I have to do?

Thanks

Frequent Contributor I

Re: Guest Wireless Network doesn't block access before authentication

Connect the user to the Guest network, but don't log on. From the controller, issue the command "show user-table" to list the connected users. Find the user and then look at the Role. After you confirm the role that is assigned to the user, issue the command "show rights <rolename>".

Post the output here so people can see what firewall permissions are being allowed/denied for the user.

David
Sr. Trainer and Author of upcoming "Understanding ArubaOS: Version 8.x" book

Occasional Contributor II

Re: Guest Wireless Network doesn't block access before authentication

Hi David,

Thank you for your feedback.

SSID: Test

ASSIGN PRE-AUTHENTICATION ROLE: Rule_pre_authentication

I don't have the command "show rights <rolename>".

I sent the info in the attached file.

Thanks

Frequent Contributor I

Re: Guest Wireless Network doesn't block access before authentication

From the CLI of the controller you should be able to type

show rights

which will display all of the roles. From there you can type the command again, with the name of the role, such as

show rights rolename

Do this for the role that is being assigned as the initial role of the user.

David
Sr. Trainer and Author of upcoming "Understanding ArubaOS: Version 8.x" book
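
Added example, not part of the original thread: one way to read a pre-authentication scan like the Nmap output in the opening post. It treats a redirect to the portal login host as the captive portal answering in place of the scanned address (decoding the hex `orig_url` shows which URL was requested) and flags other open ports for an ACL review; the `22/tcp` sample line, the verdict names and the web-port heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Lines copied from the Nmap output in the opening post, plus one constructed
# line (22/tcp) that is NOT in the post, to show how a possible leak is flagged.
SAMPLE = """\
80/tcp open http mini_httpd
|_http-title: Did not follow redirect to https://securelogin.hpe.com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f7777772e676f6f676c652e636f6d2f
443/tcp open ssl/https?
22/tcp open ssh
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
REDIR_RE = re.compile(r"Did not follow redirect to (\S+)")

def decode_orig_url(redirect):
    """Return the hex-decoded orig_url parameter of a portal redirect, or None."""
    values = parse_qs(urlparse(redirect).query).get("orig_url")
    if not values:
        return None
    try:
        return bytes.fromhex(values[0]).decode("utf-8")
    except ValueError:  # bad hex or bytes that are not valid UTF-8
        return None

def classify(nmap_text, portal_host, web_ports=(80, 443)):
    """Map each open port to portal-intercept, web-unverified or possible-leak."""
    result, current = {}, None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            # Assumption: a pre-auth role redirects only web ports, so an open
            # non-web port on an internet address points at the role's ACL.
            verdict = "web-unverified" if current in web_ports else "possible-leak"
            result[current] = {"verdict": verdict}
            continue
        r = REDIR_RE.search(line)
        if r and current is not None and urlparse(r.group(1)).hostname == portal_host:
            result[current] = {"verdict": "portal-intercept",
                               "orig_url": decode_orig_url(r.group(1))}
    return result

if __name__ == "__main__":
    for port, info in classify(SAMPLE, "securelogin.hpe.com").items():
        print(port, info)
```

A `web-unverified` port has no redirect evidence in the scan text, so it needs a direct request from an unauthenticated client to see whether the portal or the real host answers.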