Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Outlook.com email

  • 1.  Outlook.com email

    Posted Jul 16, 2014 07:58 AM

    We have a handful of contractors on site that use Microsoft Outlook 2007 and 2010 with their Outlook.com (POP3) accounts. When they use our hard secondary WiFi (non-Aruba/non-ClearPass) it works just fine. But when they try to register in our Guest Portal and use our WiFi that goes through Aruba AP 105's and ClearPass 6.3, their email fails to send or receive. They can go everywhere else on the web and it works fine, even outlook.com, but for some reason their Microsoft Outlook fails. I switch them back to the "off-net" DSL WiFi and it immediately starts working. Any advice on this?

     

    Thanks in advance

     

    Chad



  • 2.  RE: Outlook.com email

    Posted Jul 16, 2014 08:05 AM

    What role are they getting when connected to the network?   Run show user to see the role.  Then run show rights <nameofrole> to see if POP3 and SMTP are allowed.   I think outlook.com uses TLS encrypted SMTP (TCP 587) and SSL encryption for POP (TCP 995) or IMAP (TCP 993).  You can check the client settings, but you'll need to make sure those ports are open for that role.



  • 3.  RE: Outlook.com email

    Posted Jul 16, 2014 08:14 AM

    Thanks for the reply clembo...I am logged into ClearPass (SSH) as appadmin and it doesn't recognize those commands.



  • 4.  RE: Outlook.com email

    Posted Jul 16, 2014 08:15 AM

    doing this from the controller now



  • 5.  RE: Outlook.com email

    Posted Jul 16, 2014 08:38 AM

    I do not see any entries for POP3 or those associated ports; nor do I see any entries for SMTP, but SMTP obviously works.

     

    Here is the output for the "guest" Role. FYI: These people on guest are MAC Authenticated so that we can extend their WiFi duration:

    ********************************************************

    Derived Role = 'guest'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 3/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name          Location
    --------  ----          --------
    1         http-acl
    2         https-acl
    3         dhcp-acl
    4         icmp-acl
    5         dns-acl
    6         v6-http-acl
    7         v6-https-acl
    8         v6-dhcp-acl
    9         v6-icmp-acl
    10        v6-dns-acl

    ******************************************************



  • 6.  RE: Outlook.com email
    Best Answer

    Posted Jul 16, 2014 08:56 AM

    If they are getting the "guest" role as you have indicated, they do not have the ability to do POP3, IMAP, or SMTP based on your firewall rules.  SMTP is required to send email and POP3/IMAP is required to retrieve email (for this service).     As I mentioned, outlook.com uses encrypted ports for this.   I'd confirm what the Outlook clients have defined and add the following as necessary:

     

    Create new services if Outlook is using TLS and SSL (confirm through Outlook settings) Seen Here

    netservice svc-smtp-secure tcp 587
    netservice svc-pop3-secure tcp 995
    netservice svc-imap-secure tcp 993

    Create new service if using standard ports

    netservice svc-imap tcp 143

    Create new ACL (add those necessary)

    ip access-list session guest-email-acl
      user any svc-smtp-secure permit
      user any svc-pop3-secure permit
      user any svc-imap-secure permit
      user any svc-smtp permit
      user any svc-pop3 permit
      user any svc-imap permit

    Apply ACL to role

    user-role guest
      access-list session guest-email-acl

    ***Disclaimer.  Be sure you want to allow SMTP for your guests, some organizations view this as against policy to allow SMTP outbound from corporate networks (even for guests). 
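
Added example, not part of the original post and not Aruba tooling: a small Python audit that reads `show rights` output in the layout posted in this thread and reports which of the mail services named above the role still blocks, and which plaintext ones (25/110/143) it would allow once `guest-email-acl` is attached. The sample output is constructed from the thread, and the `ACL_TCP_PORTS` table mapping each ACL name to TCP ports is an assumption to be confirmed against the controller's actual ACL rules.

```python
import re

# Constructed sample in the layout of the `show rights guest` output posted above.
SHOW_RIGHTS_GUEST = """\
Derived Role = 'guest'
 ACL Number = 3/0

access-list List
----------------
Position  Name          Location
--------  ----          --------
1         http-acl
2         https-acl
3         dhcp-acl
4         icmp-acl
5         dns-acl
"""

# Mail services from the thread; svc-smtp and svc-pop3 use standard ports 25 and 110.
MAIL_SERVICES = {
    "svc-smtp-secure": 587, "svc-pop3-secure": 995, "svc-imap-secure": 993,
    "svc-smtp": 25, "svc-pop3": 110, "svc-imap": 143,
}
PLAINTEXT = {"svc-smtp", "svc-pop3", "svc-imap"}

# Assumption: TCP ports each session ACL permits. Confirm the real rules on
# the controller before relying on this table.
ACL_TCP_PORTS = {
    "http-acl": {80}, "https-acl": {443}, "dns-acl": {53},
    "dhcp-acl": set(), "icmp-acl": set(),
    "guest-email-acl": set(MAIL_SERVICES.values()),
}

def parse_role(text):
    """Return (role name, ordered ACL names) from `show rights` output."""
    role = re.search(r"Derived Role = '([^']+)'", text).group(1)
    acls = re.findall(r"^[ \t]*\d+[ \t]+(\S+)", text, flags=re.MULTILINE)
    return role, acls

def audit_mail(acls):
    """Report blocked mail services, allowed plaintext ones, and unmapped ACLs."""
    unknown = [a for a in acls if a not in ACL_TCP_PORTS]
    allowed = set().union(*(ACL_TCP_PORTS.get(a, set()) for a in acls))
    blocked = sorted(s for s, p in MAIL_SERVICES.items() if p not in allowed)
    plaintext = sorted(s for s in PLAINTEXT if MAIL_SERVICES[s] in allowed)
    return {"blocked": blocked, "plaintext_allowed": plaintext, "unknown_acls": unknown}

if __name__ == "__main__":
    role, acls = parse_role(SHOW_RIGHTS_GUEST)
    print(role, audit_mail(acls))
    print(role, "+ guest-email-acl", audit_mail(acls + ["guest-email-acl"]))
```

Running it against each post-authentication role shows which ones still need the mail ACL, and the `plaintext_allowed` list is the part to review against the SMTP policy concern in the disclaimer.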



  • 7.  RE: Outlook.com email

    EMPLOYEE
    Posted Jul 16, 2014 09:01 AM
    You may also want to suggest they set up Outlook to use ActiveSync/Outlook Anywhere. They will have fewer problems when they use different networks with port restrictions.


  • 8.  RE: Outlook.com email

    Posted Jul 16, 2014 09:46 AM

    Thanks everyone for the help, I appreciate it greatly. I will need to check with corporate prior to applying these ACLs.

     

    I wanted to add some things to this Post:

     

    Our Guest access does not run on the corporate network, it is separate. We have a dedicated line for guest access only. We use the Captive Portal for guest registration for this circuit. For users that need longer duration access (they are onsite for 2 or 3 months for example), we use MAC Auth which allows us to go into ClearPass Guest and modify their access. These MAC Auth entries use the Role "guest". If they are a standard, 8 hour guest, we do not change their expiration...they get a different Role, "CP-Guest-guest-logon".

    Would I need to add these ACLs to every Role?

     

    Would these missing ACLs also cause issues such as guests' VPNs not functioning properly? For example, guests can connect just fine and make the initial connection to their end point, but they cannot access certain server resources, etc. I can then disconnect them, hard wire them to a separate off-net DSL modem and it works just fine.



  • 9.  RE: Outlook.com email

    Posted Jul 16, 2014 10:17 AM

    You would need to add the access-list to any roles that need it (post authentication; MAC or CP).  If it is a logon role, they should not have it.    If you want to also allow VPN access in these roles, add the vpnlogon policy (predefined) to the role.


    Example:

    user-role guest

      access-list session vpnlogon

     

     



  • 10.  RE: Outlook.com email

    Posted May 28, 2017 11:57 PM

    Hi Clembo.

     

     

    I already set those commands, but still cannot send email.

     

     

    Thank you.

     

     



  • 11.  RE: Outlook.com email

    Posted Jul 16, 2014 08:30 AM

    I do not see anything regarding POP3, or even SMTP for that matter:

     

     

    ********************************************

    Derived Role = 'guest'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 3/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name          Location
    --------  ----          --------
    1         http-acl
    2         https-acl
    3         dhcp-acl
    4         icmp-acl
    5         dns-acl
    6         v6-http-acl
    7         v6-https-acl
    8         v6-dhcp-acl
    9         v6-icmp-acl
    10        v6-dns-acl

    ***************************************************