Wireless Access

I wanting want to deploy a RAP5 and use split tunneling, but to do so, I need firewall and policy settings.  The last time I applied a PEFNG license it took down our wireless network because the firewall policy for the the user role that our devices get assigned to is "Not Configured".  When I applied the licenses it enatced a firewall rule of Deny All since it was "Not Configured.

However I cannot figure out how to add a Firewall policy to this user role.  Do I need to create a new user role and apply the firewall policy to it and then change the user role for our auth'd users to the new user role?

Sorry if this is confusing.

Josh

Josh,

Yes, you will need to create firewall policies, create a user role with the associated firewall policies and then apply the new user role to the auth'd users.

-Mike

I have created a firewall policy, and I am attempting to create a User Role.  When I hit new for the user role I do not have an "add" button to pick a firewall policy.

Can you post a screen shot of this? I just want to make sure you are in the right place.

Here you go.

I have seen that happen before after an AOS upgrade. My recommendation is to clear your cache and try it again. Also, try it in Chrome as well.

It is happening in Chrome too.  We did upgrade to 5.0.4.4 last week.  I will flush browser cache and see what happens.

just for my own sanity, how do you add a user-role in the terminal session?  I see in documentation that it should be #user-role "UserRole"

but it is not accepting it as a valid command.

Make sure you are in config t mode first:

(Aruba3200) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba3200) (config) #user-role ?
STRING Name of user role

I am in config t

this is the output i get

(jhsscmc3600) (config) #user-role ?

(jhsscmc3600) (config) #user-role

I would open a case with TAC. That is odd.

The only time I've seen that is when the controller doesn't have any licenses on it. But you said you installed the PEFNG license. So that should work.

I did install the licesnes but removed them because all of my profiles that are used have firewall policies of "Not Configured".  So when the licesnes were applied it applied a deny rule to all my users.

I think I am in a catch22 if you will.  To change the firewall policy I need to apply the Lic, but if I apply the Lic, the users get a Deny policy until it is configed.

Make sense?

Yes, we understand the issue.

1. Without license, you cannot create or edit the user role.

2. when the liceses are added and after reload, it should create the respective roles and polices. 

Please use the below steps. 

1. List out all the roles where the users are falling into. ( most likely logon or guest role)

1.  upload the license. 

2.  save the config and reload the controller.

3.  try "show right". you should be able to see the default polices and roles. 

4. If not copy and paste the commands on the attached file and you should be able to get the default roles and policies. 

Attachment(s)

default-acl.docx   14 KB 1 version

Since I did apply the licesnes at one time, I did a "show right" and got the following:

(jhsscmc3600) #show right

RoleTable --------- Name               ACL  Bandwidth                  ACL List                  Type ----               ---  ---------                  --------                  ---- ap-role            4    Up: No Limit,Dn: No Limit                            System cpbase             14   Up: No Limit,Dn: No Limit  cpbase/                   User denyall            12   Up: No Limit,Dn: No Limit  denyall/                  User guest              3    Up: No Limit,Dn: No Limit                            User guest-logon        6    Up: No Limit,Dn: No Limit                            User jmh-guest-cp_prof  39   Up: No Limit,Dn: No Limit  jmh-guest-cp_prof/        User logon              1    Up: No Limit,Dn: No Limit                            User stateful-dot1x     5    Up: No Limit,Dn: No Limit                            System sys-ap-role        7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/  System (not editable)

There is a profile called "jmh-guest-cp_prof" that does have a firewall policy applied to it.  This user-role is not referenced anywhere so it is not in use.  If I change the firewall policy on this user role to a policy of "allowall", then apply my licesens will this allow my users to work?

Thanks for the reply. 

I suspect  "jmh-guest-cp_prof"  role was created by the controller, when you created a captive portal profile called "jmh-guest-cp_prof". (without PEF)

To answer your second question. 

You cannot apply any ACL to any role without applying license. You can do this after applying license and reloading the controller. 

thanks for the help.  applied all applicable licesens.  all is well.

Can you provide the output of "show license"?

-Mike

Also share the show keys all output. 

Here is what the configure looks like:

!
user-role test-role
 access-list session allow-ports
!

 To do the above, assuming you have the "allow-ports" policy define, you would do the following:

From the # prompt:
- configure terminal
- user-role test-role
- access-list session allow-ports
- exit

Run "show rights test-role" to verify the configuration.

-Mike

---

@joshb wrote:

I wanting want to deploy a RAP5 and use split tunneling, but to do so, I need firewall and policy settings.  The last time I applied a PEFNG license it took down our wireless network because the firewall policy for the the user role that our devices get assigned to is "Not Configured".  When I applied the licenses it enatced a firewall rule of Deny All since it was "Not Configured.

 

However I cannot figure out how to add a Firewall policy to this user role.  Do I need to create a new user role and apply the firewall policy to it and then change the user role for our auth'd users to the new user role?

 

Sorry if this is confusing.

 

Josh

---

Under the "Remote Access Points" chapter in the ArubaOS user guide, there is a subchapter called "Split Tunneling" that details how.