Wireless Access

Contributor II

Re: Necessary firewall rules between Access Point and Controller with directions

Now that I think about it...I guess it doesn't matter? TCP is connection oriented.

Guru Elite

Re: Necessary firewall rules between Access Point and Controller with directions

Why don't you try it on a single port and let us know?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor II

Re: Necessary firewall rules between Access Point and Controller with directions

Below is the firewall filter created on the Juniper switch. It is currently applied to just one switch port. When applied, the AP goes to a "down" status. Once removed, the AP comes back up. Not sure if anyone has tried this before and was successful? Added the multicast group as a last-ditch effort.


firewall {
    family ethernet-switching {
        filter WAP-in {
            /* AP-originated UDP: DHCP, TFTP, PAPI (8211), DNS, syslog, IPsec NAT-T (4500), NTP */
            term aruba-ap_udp {
                from {
                    destination-port [ bootps dhcp tftp 8211 domain syslog 4500 ntp 53 ];
                    ip-protocol udp;
                }
                then accept;
            }
            /* PAPI sourced from 8211 toward any port */
            term aruba-ap_udp_s {
                from {
                    source-port 8211;
                    ip-protocol udp;
                }
                then accept;
            }
            /* FTP control channel only (port 21); data channels are not covered here */
            term aruba-ap_tcp {
                from {
                    destination-port ftp;
                    ip-protocol tcp;
                }
                then accept;
            }
            /* GRE tunnel to the controller */
            term aruba-ap_gre {
                from {
                    ip-protocol gre;
                }
                then accept;
            }
            term permit-ping {
                from {
                    icmp-type [ echo-reply unreachable ];
                    ip-protocol icmp;
                }
                then accept;
            }
            /* Packets with ACK or RST set; a fresh SYN to a passive-FTP data port does not match */
            term permit-tcp_est {
                from {
                    tcp-established;
                    ip-protocol tcp;
                }
                then accept;
            }
            /* ADP multicast discovery group */
            term aruba-adp {
                from {
                    ip-destination-address {
                        239.0.82.0/24;
                    }
                    ip-protocol udp;
                }
                then accept;
            }
            term default-deny {
                then {
                    discard;
                    log;
                    count WAP-denied;
                }
            }
        }
    }
}


Thanks,

hlavender

Guru Elite

Re: Necessary firewall rules between Access Point and Controller with directions

Just curious, why are you doing an ACL for the AP? The access points are hardened and traffic is tunneled back to the controller. 

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Necessary firewall rules between Access Point and Controller with directions

The customer has requested for the ports to be locked down since the APs will be in an untrusted or common area. There's actually a little more to it than just that, but that's the request in a nutshell.

Guru Elite

Re: Necessary firewall rules between Access Point and Controller with directions

Is the concern that someone would unplug the AP and connect another device? 

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Necessary firewall rules between Access Point and Controller with directions

Yes. 

Guru Elite

Re: Necessary firewall rules between Access Point and Controller with directions

Basic 802.1X authentication solves that problem without the concern of using up all your ACE entries in the switch. 

If the AP were to be unplugged, the port would effectively reset and the next device that is plugged in would have to pass 802.1X or other authorization methods. 

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Necessary firewall rules between Access Point and Controller with directions

Hhmmm, I didn't think about that. We have configured 802.1X currently on the wire, so that may be an option.


Otherwise, any thoughts on ACLs on switch ports? This may still be the way they would like to go.

Contributor II

Re: Necessary firewall rules between Access Point and Controller with directions

Issue resolved...for the most part.


The AP, which is an AP-325, was getting stuck while attempting to upgrade the software. During a Wireshark packet capture, it was determined that passive FTP was being used. Since this uses "random" ports, the firewall filter on the Juniper EX4300 needed to be tweaked to allow this.


Made adjustments and now it works...the "for the most part" bit was that additional ports are required for this to work. This would have been easier if this was passing through a firewall in flow mode or an application-layer firewall.


Anyhoo.

-hlavender
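As an added example, not from the thread or from Juniper or Aruba: a small Python model of the WAP-in filter posted above, evaluated in term order against constructed sample flows arriving on the AP-facing port. The flow values and labels are assumptions; the model shows why the passive-FTP data connection described in the last post falls through to default-deny while the control connection to port 21 is accepted.

```python
import ipaddress
from dataclasses import dataclass

ADP_GROUP = ipaddress.ip_network("239.0.82.0/24")
# The filter's destination-port list resolved to numbers: bootps/dhcp 67, tftp 69, domain 53, syslog 514, ntp 123.
UDP_IN = {67, 69, 8211, 53, 514, 4500, 123}

@dataclass(frozen=True)
class Flow:
    proto: str                  # "udp", "tcp", "gre" or "icmp"
    dport: int = 0
    sport: int = 0
    dst: str = "0.0.0.0"
    established: bool = False   # ACK or RST set, i.e. Junos "tcp-established"
    icmp_type: str = ""

# Terms in the order they appear in the filter; Junos applies the first match.
TERMS = [
    ("aruba-ap_udp",   lambda f: f.proto == "udp" and f.dport in UDP_IN),
    ("aruba-ap_udp_s", lambda f: f.proto == "udp" and f.sport == 8211),
    ("aruba-ap_tcp",   lambda f: f.proto == "tcp" and f.dport == 21),
    ("aruba-ap_gre",   lambda f: f.proto == "gre"),
    ("permit-ping",    lambda f: f.proto == "icmp"
                                 and f.icmp_type in ("echo-reply", "unreachable")),
    ("permit-tcp_est", lambda f: f.proto == "tcp" and f.established),
    ("aruba-adp",      lambda f: f.proto == "udp"
                                 and ipaddress.ip_address(f.dst) in ADP_GROUP),
]

def evaluate(flow: Flow) -> str:
    """Name of the first matching term, or 'default-deny' (discard + log)."""
    for name, matches in TERMS:
        if matches(flow):
            return name
    return "default-deny"

# Constructed sample flows, all ingress on the AP-facing port (the filter's direction).
SAMPLE_FLOWS = {
    "papi-control":      Flow("udp", dport=8211, sport=8211),
    "gre-tunnel":        Flow("gre"),
    "adp-discovery":     Flow("udp", dport=8200, dst="239.0.82.11"),  # port is constructed
    "ftp-control-syn":   Flow("tcp", dport=21, sport=40001),
    "ssh-reply-from-ap": Flow("tcp", dport=52000, sport=22, established=True),
    # Passive FTP: the AP opens a *new* connection (SYN) to a server-chosen high port.
    "ftp-pasv-data-syn": Flow("tcp", dport=51234, sport=40002),
}

def audit() -> dict:
    return {label: evaluate(flow) for label, flow in SAMPLE_FLOWS.items()}
```

Running audit() maps each labelled flow to the term that decides it; the passive-FTP data SYN is the only sample flow that reaches default-deny.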
