Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Why is NATT UDP 4500 Allowed to "any" in the "logon-control" role?

  • 1.  Why is NATT UDP 4500 Allowed to "any" in the "logon-control" role?

    Posted Aug 19, 2015 12:30 PM

    In the controller "logon-control" user role I understand the reasoning for all the firewall rules listed below except the one circled in red. Why is this NATT allowed anywhere by default? I'm just curious. I would think this might allow someone to get/go places they should not prior to going through the captive portal... hope that makes sense, thanks.


    [Attachment: Capture.PNG]



  • 2.  RE: Why is NATT UDP 4500 Allowed to "any" in the "logon-control" role?
    Best Answer

    EMPLOYEE
    Posted Aug 19, 2015 12:38 PM
    You can create a new logon-control and remove it. It's not required for end user devices.


  • 3.  RE: Why is NATT UDP 4500 Allowed to "any" in the "logon-control" role?

    Posted Aug 19, 2015 01:51 PM

    Thank you. Yeah, I'll remove it, but I was just curious why it came from the factory that way... I didn't know if there was some necessary reason to leave it that I didn't know about, thanks.



  • 4.  RE: Why is NATT UDP 4500 Allowed to "any" in the "logon-control" role?
    Best Answer

    Posted Aug 19, 2015 04:47 PM

    When in doubt, check the user guide for default configurations and their purposes:


    http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm?_ga=1.25739901.1709261467.1439923703#ArubaFrameStyles/Defaults/Defaults.htm


    For the logon-control policy, it actually mentions removing svc-natt if not needed.

    [Attachment: aos-defaults-logon-control.png]
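The concern raised in the thread is a general one for any pre-authentication role: a "permit ... to any" rule that is not needed for the captive-portal flow (DNS, DHCP, ICMP) gives an unauthenticated client reachability it should not have yet. The audit below is an added example written for this page; it is not code from the thread, from HPE Aruba Networking, or from ArubaOS. It parses a session ACL written in the ArubaOS-style `source destination service action` form (an assumption about the format), flags permit rules whose destination is `any` and whose service is outside a small allow-list, and produces a copy of the ACL with those rules removed, which is the "create a new logon-control and remove it" advice from the accepted answer. The sample ACL and the service names `svc-natt`, `svc-dns`, `svc-dhcp`, `svc-icmp` are constructed for the example.

```python
from dataclasses import dataclass

# Services a pre-authentication (captive portal) role legitimately needs to
# reach anywhere. This allow-list is an assumption for the example; tune it
# to your own deployment.
PREAUTH_ALLOWED_ANY = {"svc-dns", "svc-dhcp", "svc-icmp"}

# Constructed sample resembling a default-style logon-control policy; the
# svc-natt line is the rule the thread asks about.
SAMPLE_LOGON_CONTROL = """\
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  user any svc-dns permit
  user any svc-dhcp permit
  user any svc-natt permit
"""


@dataclass
class Rule:
    source: str
    destination: str
    service: str
    action: str
    line: str  # original text, kept so findings are easy to locate


def parse_session_acl(text):
    """Parse 'src dst service action' rules from an ArubaOS-style session ACL.

    'alias NAME' is accepted as a two-token source or destination. Lines that
    do not fit the expected shape are skipped rather than guessed at.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list") or line.startswith("!"):
            continue
        tokens = line.split()
        fields, i = [], 0
        while i < len(tokens) and len(fields) < 2:
            if tokens[i] == "alias" and i + 1 < len(tokens):
                fields.append("alias " + tokens[i + 1])
                i += 2
            else:
                fields.append(tokens[i])
                i += 1
        rest = tokens[i:]
        if len(fields) < 2 or len(rest) < 2:
            continue
        action = rest[-1]
        service = " ".join(rest[:-1])  # e.g. "svc-natt" or "udp 68"
        rules.append(Rule(fields[0], fields[1], service, action, line))
    return rules


def find_overbroad_permits(rules, allowed=PREAUTH_ALLOWED_ANY):
    """Permit rules to destination 'any' whose service is not on the allow-list.

    Each hit lets an unauthenticated client reach arbitrary hosts on that
    service before the captive portal has been completed.
    """
    return [
        r for r in rules
        if r.action == "permit" and r.destination == "any" and r.service not in allowed
    ]


def strip_overbroad(text, allowed=PREAUTH_ALLOWED_ANY):
    """Return the ACL text with every over-broad permit rule removed."""
    flagged = {r.line for r in find_overbroad_permits(parse_session_acl(text), allowed)}
    kept = [raw for raw in text.splitlines() if raw.strip() not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for hit in find_overbroad_permits(parse_session_acl(SAMPLE_LOGON_CONTROL)):
        print("over-broad pre-auth permit:", hit.line)
    print(strip_overbroad(SAMPLE_LOGON_CONTROL))
```

Run against the sample, the audit reports only the `user any svc-natt permit` rule; the `udp 68 deny` rule is not a permit, and the DNS, DHCP and ICMP permits are on the allow-list. The stripped copy is what you would load as a replacement pre-auth policy, and re-running the audit on it returns nothing.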