Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAPs and dealing with connecting to wireless clients

  • 1.  IAPs and dealing with connecting to wireless clients

    Posted Nov 13, 2017 04:07 PM

    Hi,

     

    We recently switched to IAPs at the recommendation of our Aruba rep who said that IAPs could do basically everything a controller can do. One big thing though I am struggling with is connecting to clients that are connected to an IAP.

     

    Things like accessing admin share (C$), Computer Management, our software management agent, are all having issues because all inbound traffic is denied by default.

     

    I have tried playing around with the pre-defined network and applications, but that is only taking me so far.

     

    I am just curious if anyone else has switched from a controller based environment to an IAP environment and run into these issues?

     

    Did I make a mistake switching?



  • 2.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 13, 2017 05:04 PM

    If you have an SSID set up with a Virtual Controller Assigned VLAN, client traffic is NATed out of the Virtual Controller, and you would not be able to reach them from outside the Virtual Controller.  You should make sure clients are Network Assigned and your VLAN is 1.  That would give them IP addresses on the same VLAN as the IAPs for now.



  • 3.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 13, 2017 08:00 PM

    I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.

     

    We are not doing any NAT from the Virtual Controller.

     

    Communication issues still exist.



  • 4.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 13, 2017 09:54 PM

     What is the default gateway of your clients?



  • 5.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 14, 2017 07:40 AM

    Default gateway of our clients is the default gateway of whatever VLAN they fall into. Each VLAN has its own DHCP being provided by our AD.

     

    Clients are able to receive IP addresses without an issue depending upon the VLAN. They can communicate with our servers as long as they are initiating the request. As soon as I need to initiate a request to a client, I run into problems.

     

    As I understand, the IAP firewall when applied in a user-role is one direction. The only exception to this appears to be if you use any of the predefined network (ports) or applications rules. But these will only carry you so far since not every application is accounted for.



  • 6.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 14, 2017 09:35 AM

    What specific device is the default gateway of your clients?  That device could be blocking the traffic.



  • 7.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 14, 2017 09:42 AM

    The specific device is a layer 3 Cisco switch.

    It has no ACLs of any kind.

     

    I should mention that we still have our controller environment as our primary production environment and communication with our clients is completely fine.

     

    As soon as my test client connects to our IAP cluster, the communications issues start.

     

    When I do a show datapath session on the IAP cluster, I can see inbound traffic destined for my test client being dropped.

     

    Am I missing something on the IAP configuration? Or am I correct in assuming that all inbound traffic is blocked regardless of how the user-role is configured?



  • 8.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 14, 2017 10:00 AM

    If the role is "unrestricted" traffic should flow freely and is not subject to the firewall.

     

    If a client is in the "unrestricted role", the "show datapath session table" should not show traffic for that client.



  • 9.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 14, 2017 10:18 AM

    @th_son wrote:

    I am currently using "Unrestricted" and have our ClearPass pass back user roles and user vlans.

     

    We are not doing any NAT from the Virtual Controller.

     

    Communication issues still exist.


    If you have Unrestricted and ClearPass is sending a role back, that role overrides the unrestricted designation.  Either create a role that matches the ClearPass role allowing everything or remove ClearPass from the equation.



  • 10.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 14, 2017 10:29 AM

    When configuring the SSID, the Access tab, I have it set to "Unrestricted".
    (screenshot: 2017-11-14_10h25_10.png)

    I am passing roles back from the ClearPass that match roles that are defined in my IAP cluster. I have essentially mimicked our controller environment to the IAP.

     

    I don't want to freely allow all traffic to flow to our wireless clients. I want to take advantage of the firewall on the IAP. The issue that I am running into though is that the rules only appear to work in one direction.

     

    If the client initiates the communication, there isn't a problem. As soon as an outside source (a server, an admin) attempts to reach the client, traffic is getting dropped.

     

    Let's say for example that I want our server subnet to be able to freely communicate with a client connected to our IAP cluster. Whether the client initiates the communication, or the server does. Currently, the client can freely initiate the connection with the server. If the server attempts to reach out to the client, then traffic is dropped by the IAP.

     

    Please correct me if I am wrong, but the firewall rules are not bi-directional.



  • 11.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 14, 2017 10:32 AM

    If you want traffic from a server, you need to define from that IP address to any allow.  If not, traffic back to a server requires that traffic is initiated by the client.



  • 12.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 14, 2017 10:40 AM

    In the IAP, how do we define "..from that IP address.."?

    When creating the roles and adding rules, there is no source to destination, just destination.

    (screenshot: 2017-11-14_10h36_48.png)



  • 13.  RE: IAPs and dealing with connecting to wireless clients

    EMPLOYEE
    Posted Nov 14, 2017 10:44 AM

    In your diagram, the source is network.



  • 14.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 14, 2017 10:53 AM

    The source can only be a port, not a defined network.

     

    So for instance, if my server subnet is 192.168.2.0/24.

    And there is a server that initiates communication to a client over port 10086.

    I would put the rule as follows?

    (screenshot: 2017-11-14_10h51_05.png)

    Sorry for all the stupid questions. I feel like I am missing something obvious.



  • 15.  RE: IAPs and dealing with connecting to wireless clients

    Posted Nov 22, 2017 08:06 AM

    A little update on this. I found that if I explicitly target a port in a rule, then communication will work in both directions. Doing an any any against a specific subnet isn't enough to allow all traffic to pass.
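
The thread's conclusion written out as an Instant access-rule, as an added example that is not from any of the posts above and was not supplied by HPE Aruba Networking. It assumes the Aruba Instant CLI form `wlan access-rule <name>` with `rule <dest> <mask> match <protocol> <start-port> <end-port> <action>` lines (check it against the Instant release actually running on the cluster); the role name `employee`, the server subnet 192.168.2.0/24 and the agent port TCP 10086 follow the thread, while the choice of Windows admin ports (SMB 445 for C$, RPC endpoint mapper 135 and the dynamic RPC range 49152-65535 for Computer Management) is an assumption about the tools in use. Lines starting with `!` are annotations for the reader and must be stripped before pasting into the CLI.

```text
! Assumed role name. It must exist on the IAP cluster with exactly the
! name ClearPass returns, because the returned role replaces the SSID's
! "Unrestricted" setting (see post 9).
wlan access-rule employee
 index 0
 ! Explicit per-port permits toward the server subnet. Per post 15 this is
 ! what lets a host on 192.168.2.0/24 open the session to the client; an
 ! "any any" toward the same subnet was not enough.
 rule 192.168.2.0 255.255.255.0 match tcp 10086 10086 permit
 ! Assumed Windows admin ports: SMB for the C$ share, RPC endpoint mapper
 ! and the dynamic RPC range for Computer Management.
 rule 192.168.2.0 255.255.255.0 match tcp 445 445 permit
 rule 192.168.2.0 255.255.255.0 match tcp 135 135 permit
 rule 192.168.2.0 255.255.255.0 match tcp 49152 65535 permit
 ! Everything the client initiates is still allowed; the return half of
 ! those sessions is tracked statefully and needs no rule of its own.
 rule any any match any any any permit
```

After committing, confirm with `show clients` that the test client actually lands in `employee` rather than a default role, then repeat the `show datapath session table` check from post 7 while the server opens a connection: the client's IP should now appear with an allowed session instead of a dropped one. Keep the per-port rules limited to the server subnet; a `permit` for 445 or the RPC range from `any` would expose every wireless client's admin interfaces to the whole network.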