Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Separating SSID from Other VLANs on Wireless Controller

  • 1.  Separating SSID from Other VLANs on Wireless Controller

    Posted May 21, 2019 01:56 PM

    I am not 100% certain that I am explaining this correctly, so obviously feel free to ask questions.

     

    I have an Aruba7210-US controller with multiple AP Groups, Virtual APs, and SSIDs. I recently created a new Virtual AP/SSID on a separate VLAN, in order to connect specific laptops and completely separate them from the rest of the network.

     

    The problem is that since there are other, existing Virtual AP/SSIDs that the "general public" (staff) uses within these AP Groups, I am unable to remove those other VLANs from the uplink port for the wireless controller on the switch, which means that my new Virtual AP/SSID can still connect to other servers/systems that I do not want them to connect to.

     

    What can I do on the actual wireless controller in order to completely segregate this new Virtual AP/SSID from the rest of the network? Thank you in advance for any help.



  • 2.  RE: Separating SSID from Other VLANs on Wireless Controller

    EMPLOYEE
    Posted May 21, 2019 02:05 PM

    You can apply an ACL to any user role to block any destination, protocol or any combination of both that you don't want specific users connecting to.  This is irrespective of any VLAN you have trunked to a controller.

     

    Again, you should be restricting user traffic based on ACLs attached to the user's role.



  • 3.  RE: Separating SSID from Other VLANs on Wireless Controller

    Posted May 21, 2019 02:21 PM

    Are you able to point me in the right direction of where the ACLs are configured within the GUI? I actually have an open case with support, but the technician was doing it via the terminal and could not get it working. I am willing to do it myself, as I am familiar with networking. I just don't know how to do it on an Aruba Controller; either via the GUI or the terminal.

     

    Please advise. Thank you.



  • 4.  RE: Separating SSID from Other VLANs on Wireless Controller

    EMPLOYEE
    Posted May 21, 2019 07:57 PM

    What version of ArubaOS is this?  That will determine where to look.

     

    What was the technician trying to do?  If you are not satisfied, you should ask to escalate the issue.



  • 5.  RE: Separating SSID from Other VLANs on Wireless Controller

    Posted May 21, 2019 08:53 PM

    Model: Aruba7210-US / Version: 6.5.3.4

     

    The technician was attempting to create an ACL via the terminal, but for whatever reason was not successful. If I can be honest, I have never had a successful support call with Aruba and I am knowledgeable enough that if I am guided in the right direction I can figure it out.



  • 6.  RE: Separating SSID from Other VLANs on Wireless Controller
    Best Answer

    EMPLOYEE
    Posted May 21, 2019 09:09 PM


  • 7.  RE: Separating SSID from Other VLANs on Wireless Controller

    Posted May 22, 2019 03:32 PM

    You have been so helpful that I have to take advantage of your knowledge with one last question. I know that I have been concentrating on blocking everything, but could you point me in the right direction if I wanted to allow access to one specific IP address?

     

    Thanks again.



  • 8.  RE: Separating SSID from Other VLANs on Wireless Controller

    EMPLOYEE
    Posted May 22, 2019 03:54 PM

    In the session ACL you would have:

     

    user  host <ip address> any permit



  • 9.  RE: Separating SSID from Other VLANs on Wireless Controller

    Posted May 30, 2019 04:29 PM

    Just to add to the other comments. You want to create a "session" ACL, which uses the Aruba firewall, as opposed to the traditional standard or extended ACLs that are traditionally used with switches.

     

    Firewall rules make up policies. Firewall policies make up roles. Roles are assigned to users that connect to untrusted connections, such as an SSID.

     

    If you wanted/needed to put restrictions on a physical port or a VLAN, you can assign a firewall policy to the port or VLAN.

     

    I hope this helps,
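
Pulling the advice in posts 8 and 9 together, here is an added ArubaOS 6.x CLI example (not posted by anyone in this thread; the ACL, role, profile and VAP names and all addresses are constructed) that defines a session ACL, wraps it in a user role, and attaches that role to the new Virtual AP through its AAA profile. It permits DHCP and DNS, permits one specific host as in post 8, denies the RFC 1918 ranges that hold the internal servers, and permits everything else:

```text
ip access-list session isolated-laptops-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user host 10.20.30.40 any permit
  user network 10.0.0.0 255.0.0.0 any deny log
  user network 172.16.0.0 255.240.0.0 any deny log
  user network 192.168.0.0 255.255.0.0 any deny log
  user any any permit
!
user-role isolated-laptops
  session-acl isolated-laptops-acl
!
aaa profile isolated-laptops-aaa
  initial-role isolated-laptops
!
wlan virtual-ap isolated-laptops-vap
  aaa-profile isolated-laptops-aaa
```

Session ACL rules are evaluated first-match from the top, so the single-host permit has to sit above the network denies or it never fires; `log` on the deny rules records each hit in the controller log, which is the easiest way to see what the isolated laptops are still trying to reach. For a PSK SSID the AAA profile's initial role is the role a client lands in after association, so no server-side role derivation is needed. `show rights isolated-laptops` prints the role's effective rules and `show user-table` shows which role each connected client actually received. The `session-acl` keyword under `user-role` is the 6.x form (8.x writes it as `access-list session`), so check the syntax against the controller's own running config before pasting.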