Wireless Access


Setup an SSID to be used by Android devices that blocks internet but not internal web servers

  • 1.  Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Aug 18, 2016 02:25 AM

    Hi Guys

    I am not sure how to achieve this.

    Currently we are deploying some Android tablets to our production lines that will be used for one of our web apps that monitors the production lines and allows for input from the operators for stoppage causes and so on.

    The only way I can see for this to work is to set up an SSID for the Androids to connect to our internal network so they can access the internal web portals.

    The problem is how can I block that SSID from accessing the normal internet or getting out of our internal network?

    Cheers

    Anthony


  • 2.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    EMPLOYEE
    Posted Aug 18, 2016 08:20 AM
    Simply create an access rule that allows access to the servers or subnets where the services live, DNS and DHCP, and then put a deny all at the end.


  • 3.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Aug 25, 2016 06:56 PM

    Thanks for the tip.

    Unfortunately it has been quite a while since I have set up these kinds of rules so I am struggling to find where to implement them.

    Also, previously when we were setting up these rules I had an Aruba technician with me to do it.

    Are you able to give me the basics of where I need to go to make this happen?

    Thanks

    Cheers

    Sy



  • 4.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2016 07:44 PM
    netdestination INTERNAL-NETWORK
    network W.X.Y.Z M.A.S.K
    !
    ip access-list session PERMIT_INTERNAL
    any alias INTERNAL-NETWORK any permit
    !
    user-role <GUEST-ROLE>
    access-list session logoncontrol
    access-list session PERMIT_INTERNAL
    !


  • 5.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Aug 25, 2016 10:21 PM

    Sorry for being a noob.

    I am assuming these are the command line commands to set this?

    If so, I am able to get there and get to enabled mode.

    I tried the first line assuming that internal-network was the name of the wireless SSID. I also tried it assuming that was the command.

    I used the gateway address for the VLAN we are trying to use for the network W.X.Y.Z M.A.S.K.

    Is this what you meant or am I completely in the wrong place?

    Thanks



  • 6.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Aug 28, 2016 11:30 PM

    Sorry, just need to dumb it down a little bit more for me.

    So are the commands you have listed for the command line or through the GUI, and if through the GUI where do I start?

    Thanks

    Cheers

    Sy



  • 7.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    EMPLOYEE
    Posted Aug 29, 2016 06:10 AM

    Are you using an Aruba Controller or Aruba Instant?



  • 8.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Aug 30, 2016 12:50 AM

    Hi Colin

    They are controlled from a 7210 Mobility Controller.

    We don't have any Instants.

    Thanks

    Sy



  • 9.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    EMPLOYEE
    Posted Aug 30, 2016 06:33 AM

    Click on Monitoring > Controller > Clients. Find out what role your Android clients end up in. Go to Configuration > Security > Access Control. Find the role you saw before and edit it. Under firewall policies click on add to add the rules that Tcappalli suggested, one by one. Please refer to the section here: http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Roles/Policies.htm?Highlight=firewall policies for detailed information on how to do this.



  • 10.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Sep 01, 2016 09:22 PM

    Thanks for the help.

    I think I have done what was recommended, I am not sure though, it still seems to be allowing the tablet to get to the internet though.

    So I have missed something.

    What info can I send to you guys to make sure I have done it right?

    Thanks



  • 11.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    EMPLOYEE
    Posted Sep 01, 2016 09:29 PM

    Let's try this:

    What role does the device in question have?

    On the command line, what is the output of "show rights <role>"?



  • 12.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Sep 01, 2016 09:35 PM

    Also, because I did not want to edit that role as other networks were using it, I have created a new role which I have named FactoryRestricted.

    Then I have applied the policies to it and set that SSID's default role to FactoryRestricted.

    Does that sound ok?

    Cheers

    Sy



  • 13.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    EMPLOYEE
    Posted Sep 01, 2016 09:41 PM

    Is that the role that the Androids have?

    If yes, can we get the output of "show rights FactoryRestricted"?



  • 14.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Sep 01, 2016 09:55 PM

    Here you go

     

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'FactoryRestricted'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 2
     Assigned VLAN = Factory
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 72/0
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                          Type     Location
    --------  ----                          ----     --------
    1         global-sacl                   session
    2         apprf-FactoryRestricted-sacl  session
    3         PERMIT_INTERNAL               session
    4         logon-control                 session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-FactoryRestricted-sacl
    ----------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    PERMIT_INTERNAL
    ---------------
    Priority  Source  Destination       Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------       -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     Internal Network  any                   permit                           Low                                                           4     
    logon-control
    -------------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any                      udp 68                 deny                             Low                                                           4
    2         any     any                      svc-icmp               permit                           Low                                                           4
    3         any     any                      svc-dns                permit                           Low                                                           4
    4         any     any                      svc-dhcp               permit                           Low                                                           4
    5         any     any                      svc-natt               permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4

    Expired Policies (due to time constraints) = 0

    If only management would pay for me to do the Aruba course I would be better equipped for this.

    Cheers

    Sy



  • 15.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers
    Best Answer

    EMPLOYEE
    Posted Sep 01, 2016 10:14 PM

    You should remove the "logon-control" ACL at the end. Put the dhcp-acl at the top.

    What is your "Internal Network" defined as?



  • 16.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Sep 02, 2016 12:17 AM

    Hi Colin

    I have made the change you suggested and the internal network is defined as follows. 10.1.0.0 is our internal network range.

    network 10.1.0.0 255.255.224.0

    Cheers

    Sy
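To make the ordering advice in the previous reply concrete, here is an added example (not from the thread and not ArubaOS code) that models a user role's ordered session ACLs as a first-match list, using the netdestination defined above and the policy list from the "show rights FactoryRestricted" output. The svc-* port mappings and the trailing implicit deny are assumptions of the model.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added example, not ArubaOS code: a first-match model of how a user role's ordered
# session ACLs decide a client flow, built from the thread's own configuration.
INTERNAL_NETWORK = ipaddress.ip_network("10.1.0.0/255.255.224.0")  # netdestination, post 16

# Service aliases as modeled here; the built-in svc-* aliases are assumed to mean these.
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53), "svc-http": ("tcp", 80)}

class Rule(NamedTuple):
    acl: str                              # policy the rule belongs to
    dst: Optional[ipaddress.IPv4Network]  # None models "any"
    service: str                          # "any" or a SERVICES key
    action: str

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.dst is not None and ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    return rule.service == "any" or SERVICES[rule.service] == (flow.proto, flow.dport)

def evaluate(stack: list, flow: Flow) -> tuple:
    """Walk the role's ACLs in order; the first matching rule decides the flow."""
    for rule in stack:
        if matches(rule, flow):
            return rule.acl, rule.action
    return "implicit-deny", "deny"  # nothing matched: the role's trailing implicit deny (assumed)

# Stack from "show rights FactoryRestricted" in post 14 (empty sacls and logon-control's
# deny rules omitted): PERMIT_INTERNAL first, then logon-control's permits.
BEFORE = [
    Rule("PERMIT_INTERNAL", INTERNAL_NETWORK, "any", "permit"),
    Rule("logon-control", None, "svc-dns", "permit"),
    Rule("logon-control", None, "svc-dhcp", "permit"),
]
# Stack after post 15's advice: dhcp-acl on top, logon-control removed.
AFTER = [
    Rule("dhcp-acl", None, "svc-dhcp", "permit"),
    Rule("PERMIT_INTERNAL", INTERNAL_NETWORK, "any", "permit"),
]

def compare(flow: Flow) -> tuple:
    """Decision for the same flow under the before and after stacks."""
    return evaluate(BEFORE, flow), evaluate(AFTER, flow)
```

Running compare() on a DNS query to an outside resolver shows the difference: the original stack permits it through logon-control's svc-dns rule, while the reordered stack denies it, and internal web and DHCP traffic is permitted under both.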



  • 17.  RE: Setup an SSID to be used by Android devices that blocks internet but not internal web servers

    Posted Sep 02, 2016 12:37 AM

    That looks like it resolved the issue, now all is working as it should :)

    On the devices if I go to Google or any of the search engines it gets stuck; if I go to one of our internal webpages it works perfectly.

    Thanks for all of your help.

    Cjoseph and Tcappalli.

    Cheers

    Sy