Wireless Access

I have a few clients that need to connect to their corporate networks via various VPN client software and they're complaining that they can't connect and the connection times out. I've added the vpnlogon policy in the captive portal profile for the auth-guest user-role as shown below. Since the controller itself is not terminating any VPN sessions, is there anything else I need to do? Shouldn't this user-role allow for all vpn traffic to/from the controller?

 

user-role auth-guest
 session-acl cplogout
 session-acl logon-control
 session-acl auth-guest-access
 session-acl vpnlogon
 ipv6 session-acl v6-logon-control
 session-acl drop-and-log

 

 

Update:

 

Ok, I've looked into the problem a little more. After configuring the auth-guest role to remove all policies except the cplogout and logon-control and adding the allowall policy as well, I still have the same issue. The current authenticated user role looks like this:

 

user-role auth-guest
 session-acl cplogout
 session-acl logon-control
 session-acl allowall

 

Doing a show datapath session table for the particular user trying to use his VPN client, I see that only traffic to/from UDP 500 to the VPN servers is being blocked:

 

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
x.x.x.x            y.y.y.y             17   500   500    0/0     0 96  0   tunnel 71   6    FDC

 

 

Does anyone have any ideas as to what could be causing this traffic to be blocked? I should add that the controller is not the default gateway for this traffic but a firewall instead. But would I see traffic being blocked by the firewall as being "denied" here at the controller as I'm seeing above?

The vpnlogon policy looks like this:

 

1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4

 

Does the vpn client use something other than these protocols?

 

Kevin

I would suggest adding UDP 10000 to the vpnlogon policy since some VPN clients use that.  Add svc-natt (UDP/4500) as well, and make sure SSL (TCP/443) is allowed somewhere.

 

Regards, 

Austin

The logon-control policy already allows for svc-natt. The auth-guest-access allows for https.

I believe it's cjoseph that has a post listing this as recommended update for the vpn-policy:

 

Step #1 - The policy, apply from the command line of the controller,
under the config t mode

!
ip access-list session VPN-Clients
user any svc-l2tp permit
user any svc-esp permit
user any svc-ike permit
user any tcp 17 permit
user any udp 51 permit
user any udp 4500 permit
user any tcp 10000 10001 permit
user any udp 10000 10001 permit
user any svc-pptp permit
user any svc-gre permit
!

Step #2 -- Associate the new policy with the guest account as follows
(also from command line)

!
user-role guest
access-list session VPN-Clients
!

 

This might not completely solve your issue tho.

In a scenario where the Controller is the default gateway and doing NAT we've found that some VPN clients (especially microsoft vpn) doesn't work for our guest user. This is supposedly fixed in the recent 6.1.2.6 release, but we've not been able to test this yet.

Ok, I've looked into the problem a little more. After configuring the auth-guest role to remove all policies except the cplogout and logon-control and adding the allowall policy as well, I still have the same issue. The current authenticated user role looks like this:

 

user-role auth-guest
 session-acl cplogout
 session-acl logon-control
 session-acl allowall

 

Doing a show datapath session table for the particular user trying to use his VPN client, I see that only traffic to/from UDP 500 to the VPN servers is being blocked:

 

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
x.x.x.x            y.y.y.y             17   500   500    0/0     0 96  0   tunnel 71   6    FDC

 

 

 

Does anyone have any ideas as to what could be causing this traffic to be blocked? I should add that the controller is not the default gateway for this traffic but a firewall instead. But would I see traffic being blocked by the firewall as being "denied" here at the controller as I'm seeing above?

 

Wait a minute! Am I making all the changes to the wrong user-role? The captive portal authentication profile assigns a role of auth-guest to users that authenticate via the captive portal but their role shows up as guest after they authenticate, instead of auth-guest. I always thought that was a GUI thing. Do I need to apply these rules to the guest user-role, i.e. the VPN policies?

---

@arubamonkey wrote:

Wait a minute! Am I making all the changes to the wrong user-role? The captive portal authentication profile assigns a role of auth-guest to users that authenticate via the captive portal but their role shows up as guest after they authenticate, instead of auth-guest. I always thought that was a GUI thing. Do I need to apply these rules to the guest user-role, i.e. the VPN policies?

---

When a user authenticates, type "show user" to see what role he gets AFTER he authenticates.

 

That is the role you are concerned about.

The role after CP authentication is guest.

So that is the role that you change.

 

I'm confused though because I assigned the auth-guest role to the CP profile for the "Default Role" but I see that there's a "Default Guest Role" there as well with "guest" as the default setting. It seems that this role is what is being applied to the users. What's the difference between the two?

---

@arubamonkey wrote:

I'm confused though. I assigned the auth-guest role to the Captive Portal default role but there's also a "default guest role" there with "guest" as the default setting. What's the difference between the two?

---

The Captive Portal default role is the role users get when they authenticate with a username and password, UNLESS the server group attached to the captive portal authentication profile has the server derivation rule has "set role condition Role value-of" which means "take the role that the user is assigned in the local database and override the Captive Portal default role.  The default guest role is what the user is assigned if the captive portal authentication is "email address only".

 

In recap:

 

- Captive Portal users who authenticate with username and password get the Captive Portal default role, unless that user derviation rule in the server group, which would mean they get the role assigned in the local database instead.

 

Well, the users I have are using accounts created using the guest provisioning page, so yes, they have to login with a username and password. This means that they should get the auth-guest role as that's what I have assigned under "Default Role" in the CP profile no the guest role under the "Default Guest Role". I don't know where this "email address only" option is.

But, in the local user database, the user has a role of guest, so combined with that "set role condition Role value-of" server derivation rule (In the Default Server Group), the role becomes guest.

Where's this local user database where the role is guest?

Type "show local-userdb" and you will see it.  Please also consult our guest Validated Reference Design for many more details on guest access here:  http://www.arubanetworks.com/pdf/technology/AOS_GuestAcccess-AppNote.pdf 

Ah! So you're telling me that when a guest account is created using the guest provisioning page, it is assigned an automatic role of "guest"? Is there a way to change this?

---

@arubamonkey wrote:

Ah! So you're telling me that when a guest account is created using the guest provisioning page, it is assigned an automatic role of "guest"? Is there a way to change this?

---

Yes, it is.  It cannot be changed.

 

Was your VPN prolem resolved?????

 

I am having same Issue, My controll running on IOS 5.0.3.3.

 

Guest user can not able to Loging to thier outside VPN.

 

Please provide me detail information, if anybody resolve this issue....

 

 

jnlimbachia,

 

What VPN are your guests using?  What is your perimeter firewall?  Are you allowing VPN traffic in your guest role?

 

Hi ,

 

My Guest users using Cisco and Microsoft VPN clients.

 

Yes i have allowed VPN trafic to my guest role...

 

See below "show rights guest " output

 

show rights guest

Derived Role = 'guest'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Enabled, Interval = 4096 minutes
ACL Number = 3/0
Max Sessions = 65535

access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
2 http-acl
3 https-acl
4 dhcp-acl
5 icmp-acl
6 dns-acl
7 v6-http-acl
8 v6-https-acl
9 v6-dhcp-acl
10 v6-icmp-acl
11 v6-dns-acl
12 VPN-Clients

allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any any permit Low
http-acl
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-http permit Low
https-acl
---------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-https permit Low
dhcp-acl
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-dhcp permit Low
icmp-acl
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-icmp permit Low
dns-acl
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-dns permit Low
v6-http-acl
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-http permit Low
v6-https-acl
------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-https permit Low
v6-dhcp-acl
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-v6-dhcp permit Low
v6-icmp-acl
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-v6-icmp permit Low
v6-dns-acl
----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-dns permit Low
VPN-Clients
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user any svc-l2tp permit Low
2 user any svc-esp permit Low
3 user any svc-ike permit Low
4 user any tcp 17 permit Low
5 user any udp 51 permit Low
6 user any udp 4500 permit Low
7 user any tcp 10000-10001 permit Low
8 user any udp 10000-10001 permit Low
9 user any svc-pptp permit Low
10 user any svc-gre permit Low
11 any user svc-natt permit Low

Expired Policies (due to time constraints) = 0

Proper solution is defined below:

 

1.  Connect user to guest wireless

2.  Perform lookup  on user to determine role

-SSH to controller, under enable mode type - "show user"

3.  Login to the Wireless Controller - go to Configuration tab.  

4.  Select "Access Control" under SECURITY on the left.

5.  If the role the user is in is "Guest" for example, then click "edit" to the right of that role.

6.  Under "Firewall Policies", click Add - then select "Choose From Configured Policies - Select "vpnlogon".

7.  After is shows under the list of polices, click on it to add an additional rule.  

8.  Click Add - IPv4, Any source, Any Destination, Service - then select "svc-natt", action permit, log uncheck, mirror uncheck, queue low.  All other options in the row need to be left alone.  

9.  Click Add.

10.  Click Apply - Be sure to save at the top.  

 

Services that should now be allowed are:

svc-ike

svc-esp

svc-l2tp

svc-pptp

svc-gre

svc-natt

What is natting your guest traffic out to the internet?

What is natting your guest traffic out to the internet?

Guest Network using Vlan 2 and source nating enable on this vlan

Okay. What does the nat after that? You might want to make your guest clan fully routable to avoid the double Nat.

Could you please more specify.. how to check this???

 

I really apreciate your promt reply on this...

I am asking, do you have a firewall that protects all of your users from the internet?  What kind is it?

 

We don't have any firewall in our environment.

 

We using ELFIQ as load balancer, and Aruba directly connected to ElFIQ.

 

There is no Firewall between ELFIQ and Aruba.

What translates your private internal addresses into a public internet address for internet access?

 

I guess ElFIQ translate private address to public address..