Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Send TCP traffic to syslog server

  • 1.  Send TCP traffic to syslog server

    Posted Apr 22, 2013 12:30 PM

    We have a bunch of RAPs connected over the internet to a mobility controller. We would like to see TCP traffic (i.e. RDP traffic) from behind the RAP to the internal network of the mobility controller sent to a syslog server. So far we have tried a few times and had no luck.

     

    We called TAC and they said that is not supported at the moment and that I can use the show datapath session command instead.

     

    We would eventually like to send the syslog data to our SIEM solution.

     

    RAP-2WG and 650 mobility controller version 6.1.3.3

     

    Thanks,

    Paolo



  • 2.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 12:44 PM

    What layer2 VLAN is the host on and can it be tunneled through the controller to your infrastructure?  That is the only way.

     



  • 3.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 12:52 PM

    Which host are you referring to? If you are referring to the server that the clients/users connect to via RDP, then yes, it is tunneled through the controller.

     

    Ex. VLAN 1 - management side of the controller / same VLAN the syslog server is on / same VLAN the server that the clients connect to is on.
        VLAN 2 - client IP / 192.168.80.0 (remote user)

     

    Thanks

         



  • 4.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 12:55 PM

    @pyabut wrote:

    Which host are you referring to? If you are referring to the server that the clients/users connect to via RDP, then yes, it is tunneled through the controller.

     

    Ex. VLAN 1 - management side of the controller / same VLAN the syslog server is on / same VLAN the server that the clients connect to is on.
        VLAN 2 - client IP / 192.168.80.0 (remote user)

     

    Thanks

         


    Please let us know what you are trying to do and how it is supposed to function. What is the purpose of the transport and how should it work?

     



  • 5.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 12:59 PM

    Thanks for the reply - Here's my initial post

     --------

    We have a bunch of RAPs connected over the internet to a mobility controller. We would like to see TCP traffic (i.e. RDP traffic) from behind the RAP to the internal network of the mobility controller sent to a syslog server. So far we have tried a few times and had no luck.

     

    We called TAC and they said that is not supported at the moment and that I can use the show datapath session command instead.

     

    We would eventually like to send the syslog data to our SIEM solution.

     

    RAP-2WG and 650 mobility controller version 6.1.3.3

     

     



  • 6.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 01:02 PM

    @pyabut wrote:

    Thanks for the reply - Here's my initial post

     --------

    We have a bunch of RAPs connected over the internet to a mobility controller. We would like to see TCP traffic (i.e. RDP traffic) from behind the RAP to the internal network of the mobility controller sent to a syslog server. So far we have tried a few times and had no luck.

     

    We called TAC and they said that is not supported at the moment and that I can use the show datapath session command instead.

     

    We would eventually like to send the syslog data to our SIEM solution.

     

    RAP-2WG and 650 mobility controller version 6.1.3.3

     

     


    When you say you want to "See" the traffic behind a RAP, do you mean wired or wireless traffic?  Does it Pass Through the RAP?  If it passes through the RAP, the "show datapath session table" command is the only way we can even see this.  If it is not a client on the RAP, we cannot log traffic.

     



  • 7.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 01:07 PM

    We would like to see both wired and wireless traffic, and yes, it passes through the RAP, and yes, it is a client on the RAP.

     

    OK, so that kind of traffic doesn't get logged and it only shows up via the command "show datapath session table"?



  • 8.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 01:10 PM

    If it is a client on the RAP, you need to create an ACL in the user role that allows traffic for RDP and then check "log" on the ACL.  It would then show up in the security log.  You can ONLY use this method for clients on a tunneled SSID, or wired tunneled traffic.

     

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-to-perform-legal-interception/td-p/3823

     

    If it is NOT tunneled, the only method is the "show datapath" method.
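
    As an added example (not from this thread and not HPE Aruba's own text), the ArubaOS 6.x CLI equivalent of what the reply above describes: a session ACL whose RDP entry carries "log", the user role that applies it, the forwarding mode of the virtual AP, and the syslog destination. The RDP host 192.168.1.163 and the 192.168.1.0/24 subnet are the values posted in this thread; the ACL, role and VAP names and the syslog server 192.168.1.50 are assumed placeholders, and the option syntax of the "logging <ip>" line is written from memory of the 6.x CLI reference, so confirm it with "logging ?" on your controller. The RDP entry uses tcp 3389 typed in manually, as suggested later in the thread, instead of the svc-vmware-rdp alias.

```text
! Session ACL for the RAP role. RDP to the terminal server and the rest of the
! corporate subnet go through the tunnel and are logged; everything else is
! bridged locally by the RAP (route src-nat) and never reaches the controller.
ip access-list session rap-split-acl
  any any svc-dhcp permit
  any host 192.168.1.163 tcp 3389 permit log
  any network 192.168.1.0 255.255.255.0 any permit log
  any any any route src-nat
!
user-role rap-users
  session-acl rap-split-acl
!
! The forwarding mode decides whether client traffic crosses the controller's
! firewall at all. "tunnel" sends every frame to the controller and produces
! the ACL log event; "split-tunnel" is the mode the thread ends up needing.
wlan virtual-ap rap-corp-vap
  forward-mode split-tunnel
!
ap wired-ap-profile rap-wired
  forward-mode split-tunnel
!
! Security category at informational is enough for permitted/denied session
! messages (the thread had it at debugging); send that category to the SIEM.
logging level informational security
logging 192.168.1.50 severity informational type security
```

    After applying it, "show acl hits" should show the New Hits counter for the tcp 3389 line increasing while an RDP session is open, and "show datapath session table <client ip>" should list the flow with "tunnel" in the Destination column; if either is missing, the client is not in this role or its traffic is not being tunneled.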

     



  • 9.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 01:39 PM

    I already have logging enabled on the ACL / user role and I don't see the syslog event. I have the logging level on the security category at debugging at the moment as well.

     

     



  • 10.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 01:41 PM

    Well, type "show acl hits" to see if it is even hitting your ACL.  You might not have it configured.  By default it only logs the first packet in a conversation, not every packet.

     



  • 11.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 01:52 PM

    I don't see the ACL hit. This is the ACL:

     

    IP Version  Source  Destination                Service         Action         Log  Queue
    IPv4        any     any                        svc-dhcp        permit              Low
    IPv4        any     host 192.168.1.163         svc-vmware-rdp  permit         Yes  Low
    IPv4        any     192.168.1.0 255.255.255.0  any             permit         Yes  Low
    IPv4        any     any                        any             route src-nat       Low

     

    (Aruba650-US) #show acl hits

    User Role ACL Hits
    ------------------
    Role         Policy         Src   Dst                        Service           Action  Dest/Opcode  New Hits  Total Hits  Index
    ----         ------         ---   ---                        -------           ------  -----------  --------  ----------  -----
    logon        logon-control  any   any                        svc-icmp          permit               0         3           8647
    logon                       any   any                        0                 deny                 0         25          8672
    sys-ap-role  sys-control    any   any                        sys-svc-icmp      permit               0         21          8741
    sys-ap-role  sys-control    any   any                        sys-svc-sec-papi  permit               41        15517       8744
    sys-ap-role  sys-ap-acl     any   any                        sys-svc-gre       permit               0         13          8750
    sys-ap-role  sys-ap-acl     any   any                        sys-svc-syslog    permit               1         123         8751
    VOIP_Role    VOIP-acl       any   192.168.9.0 255.255.255.0  svc-h323-tcp      permit               0         31          8555
    VOIP_Role    VOIP-acl       any   192.168.9.0 255.255.255.0  svc-h323-udp      permit               0         93          8556
    VOIP_Role    VOIP-acl       any   192.168.9.0 255.255.255.0  17 0-65535        permit               2         992         8557
    VOIP_Role                   any   any                        0                 deny                 0         576         8561

    Port Based Session ACL
    ----------------------
    Policy     Src  Dst  Service  Action  Dest/Opcode  New Hits  Total Hits  Index
    ------     ---  ---  -------  ------  -----------  --------  ----------  -----
    validuser  any  any  any      permit               0         49          7979

    Port ACL Hits
    -------------
    ACL  ACE  New Hits  Total Hits  Index
    ---  ---  --------  ----------  -----



  • 12.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 01:55 PM

    Are you sure you are looking for the correct RDP port?  You should put it in manually AND make sure the client is assigned to the role with that ACL.

     

    You should also do "show datapath session table <ip address of a client>" to ensure they are sending traffic to that host on that port.

     



  • 13.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 01:56 PM

    Here is the show datapath

     

    (Aruba650-US) #show datapath session table 192.168.80.244

    Datapath Session Table Entries
    ------------------------------
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           u - User Index

    Source IP       Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination  TAge  UsrIdx  UsrVer  Flags
    --------------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------  ----  ------  ------  -----
    192.168.80.244  192.168.1.163   6     61201  3389   0/0   0     0    0    tunnel 70    28b   0       0       SC



  • 14.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 03:05 PM

    Are you sure that the Role your users end up in has that ACL?

     



  • 15.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 03:12 PM

    Yes, because I use one role and one ACL for each RAP. I just checked it again and it's definitely right.

     

    I changed the ACL on that role to "block" RDP and it did.

     



  • 16.  RE: Send TCP traffic to syslog server

    EMPLOYEE
    Posted Apr 22, 2013 03:15 PM

    Is the wireless traffic on a TUNNELED SSID?  Is the wired traffic on a tunnel port on the access point?  That is one reason why you would not see it.  If you verified that it is the correct role and it is tunneled, support will have to take a look at it.

     

    If they told you that you could only use "show datapath session table", it would be because it is not tunneled.



  • 17.  RE: Send TCP traffic to syslog server

    Posted Apr 22, 2013 03:22 PM

    I think it is, but I am not 100% sure whether the wireless traffic is on a tunneled SSID. How can I verify that?

     

     

     

     



  • 18.  RE: Send TCP traffic to syslog server

    Posted Apr 29, 2013 10:56 AM

    The RAPs were set to SPLIT-TUNNEL. When I change it to TUNNEL, I see the syslog event.

     

    I need the RAP configured to SPLIT-TUNNEL though, so I guess I will put in a FEATURE REQUEST.

     

    Thanks for your help !
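
    The thread ends with RAPs that have to stay in split-tunnel mode, where the "log" ACE never produces a syslog event and, as the employee replies say, "show datapath session table" is the only place the controller shows the flow. The script below is an added example (not code from this thread and not from HPE Aruba) that turns that command's output into RFC 5424 syslog lines a SIEM can ingest, keeping only TCP sessions to the RDP host and recording whether the flow was tunneled. It assumes you already capture the command output on a schedule (for instance over SSH); the first sample row is the one posted earlier in the thread, the second row and the collector address in the main block are constructed placeholders.

```python
"""Turn ArubaOS "show datapath session table" output into syslog events.

Added example for this thread, not code from HPE Aruba or from the posters.
Assumed: the command output is already captured on a schedule (e.g. over SSH),
the collector address in __main__ is a placeholder, and the second sample row
is constructed only to show a non-tunneled entry.
"""
import re
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Flag legend as the controller prints it in the thread's output.
FLAG_LEGEND = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis", "I": "Deep inspect",
    "U": "Locally destined", "E": "Media Deep Inspect", "G": "media signal",
}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# One table row: Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS,
# Age, Destination ("tunnel <id>", "local", ...), TAge (hex), UsrIdx, UsrVer, Flags.
ROW_RE = re.compile(
    r"^(?P<src>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<cntr>\S+)\s+"
    r"(?P<prio>\d+)\s+(?P<tos>\d+)\s+(?P<age>\d+)\s+"
    r"(?P<destination>[A-Za-z]+(?:\s+\d+)?)\s+(?P<tage>[0-9A-Fa-f]+)\s+"
    r"(?P<usridx>\S+)\s+(?P<usrver>\S+)\s*(?P<flags>[A-Za-z]*)\s*$"
)


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    destination: str
    flags: str

    @property
    def tunneled(self) -> bool:
        # Only flows the controller forwards through an AP tunnel cross its
        # firewall, so only those can ever be caught by a "log" ACE; traffic a
        # split-tunnel RAP bridges locally never appears in this table at all.
        return self.destination.startswith("tunnel")

    def flag_names(self) -> List[str]:
        return [FLAG_LEGEND.get(f, "unknown(" + f + ")") for f in self.flags]


def parse_sessions(text: str) -> List[Session]:
    """Parse the rows of the session table; legend and header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sessions.append(Session(
                src=m["src"], dst=m["dst"], proto=int(m["proto"]),
                sport=int(m["sport"]), dport=int(m["dport"]),
                destination=" ".join(m["destination"].split()), flags=m["flags"]))
    return sessions


def syslog_message(sess: Session, hostname: str = "Aruba650-US",
                   when: Optional[datetime] = None,
                   facility: int = 4, severity: int = 6) -> str:
    """Render one session as an RFC 5424 line (facility 4 = security, severity 6 = info)."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    proto = PROTO_NAMES.get(sess.proto, str(sess.proto))
    flags = ",".join(sess.flag_names()) or "none"
    return (f"<{pri}>1 {when.strftime('%Y-%m-%dT%H:%M:%SZ')} {hostname} datapath - SESSION - "
            f"src={sess.src}:{sess.sport} dst={sess.dst}:{sess.dport} proto={proto} "
            f"fwd={'tunnel' if sess.tunneled else 'non-tunnel'} "
            f"dest=\"{sess.destination}\" flags=\"{flags}\"")


def rdp_events(text: str, rdp_host: str, rdp_port: int = 3389, **kw) -> List[str]:
    """Just the flows the thread is after: TCP sessions to the RDP host."""
    return [syslog_message(s, **kw) for s in parse_sessions(text)
            if s.proto == 6 and s.dst == rdp_host and s.dport == rdp_port]


def send_udp(messages: Iterable[str], collector: str, port: int = 514) -> int:
    """Ship events over UDP/514 and return the count sent. Plain UDP syslog is
    unauthenticated and lossy; prefer TLS syslog or the SIEM's own agent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (collector, port))
            sent += 1
    return sent


# First row is the one posted in the thread; the second row is constructed.
SAMPLE_OUTPUT = """\
(Aruba650-US) #show datapath session table 192.168.80.244

Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       C - client, M - mirror, V - VOIP

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
192.168.80.244  192.168.1.163     6    61201 3389   0/0     0 0   0   tunnel 70   28b  0      0      SC
192.168.80.244  192.168.80.1     17    5678  514    0/0     0 0   0   local       1a   0      0      U
"""

if __name__ == "__main__":
    for event in rdp_events(SAMPLE_OUTPUT, rdp_host="192.168.1.163"):
        print(event)
    # send_udp(rdp_events(SAMPLE_OUTPUT, "192.168.1.163"), collector="192.168.1.50")  # assumed collector
```

    Run on the thread's own row this yields one event with proto=tcp, fwd=tunnel and flags "src NAT,client"; the constructed local row is dropped by the RDP filter. Polling the table only sees sessions that are alive at poll time, so the interval has to be shorter than the controller's idle timeout for the flows you care about, and anything the RAP bridges locally in split-tunnel mode is invisible to this method just as it is to the ACL logger.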