Overview
Access Control Lists (ACLs) can be challenging to work with, especially if you only do it infrequently. The Central GUI for ArubaOS-Switch (AOSS) devices makes it a lot less daunting.
In a recent
Aruba Product Security Advisory, available firmware updates needed some additional security to resolve the problem: "Implementing firewall controls to limit interactions of impacted switches with known good RADIUS sources" is also recommended. Since only the Aruba CX 10000 has a firewall, for an on-switch method, ACLs will have to be used instead - which is where this post comes in!
Preparation
- Work out the RADIUS servers that need to be enabled. For this location there is one ClearPass server acting as a RADIUS server: 172.20.100.188.
- What switches need to be configured. There are 2x 2930F switches at this location. Each one only has a single IP address, on VLAN 128.
- Where is RADIUS used? Both switches use RADIUS for local authentication and .1x
Based on this, the ACL needs to be developed to achieve the following on the switch:
- enable access to and from the authorised site RADIUS server 172.20.100.188
- block all other RADIUS traffic (defined by UDP ports 1812-1813)
- an explicit allow all needs to be included at the end because ACLs have an implicit deny all at the end.
ACL Creation
The access policies can be configured per switch or per group. It is preferable to configure as much as possible per group, as this will apply to all the members of the group, and minimise effort.
The following policy is configured for the group at this location:
- Select the group (sw-BV-2930F-8port)
- Chose Devices > Switches
- Select Security
- Add an Access Policy called CVE-2022-23677
- Add the 4 rules and Save
ip access-list extended "CVE-2022-23677"
1 permit udp 172.20.100.188 0.0.0.0 0.0.0.0 255.255.255.255 range 1812 1813
2 permit udp 0.0.0.0 255.255.255.255 172.20.100.188 0.0.0.0 range 1812 1813
3 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 range 1812 1813
4 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
You can use the Remote Console from within Central to check that the ACL has been created on the switch.
ACL Assignment
Now that the ACL ready, it needs to be applied.
- Chose Interface > VLANs
- Highlight VLAN 128 and click the Pencil edit icon on the right end
- Move down to the VLAN Access Policy (IN) and select CVE-2022-23677 from the drop-down list
- Click OK and Save Settings
Check the success of application on one or more switches:
Validation
- Run tests that use the RADIUS server to ensure that everything still works as expected.
- These switches have RADIUS-based login authentication
- Many switches will have .1x authentication on switch ports.
- Use the show statistics command to check hit counts
bvgarage-30# sh statistics aclv4 CVE-2022-23677 vlan 128 vlan-in
Hit Counts for ACL CVE-2022-23677
Total
( 4 ) 1 permit udp 172.20.100.188 0.0.0.0 0.0.0.0 255.255.255.255 range 1812 1813
( 4 ) 2 permit udp 0.0.0.0 255.255.255.255 172.20.100.188 0.0.0.0 range 1812 1813
( 0 ) 3 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 range 1812 1813
( 3510 ) 4 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Everything tests OK with the defined RADIUS server 172.20.100.188!
Additional Testing and Troubleshooting
Bogus RADIUS Server
Now enable another RADIUS server on 172.20.101.30 - the bogus one.
This is a real server that tests OK.
I also added some config to the switch to test that the ACL blocks access to this bogus RADIUS Server.
radius-server host 172.20.101.30 key "xxxxxx"
aaa server-group radius "Qnap" host 172.20.101.30
aaa authentication port-access eap-radius server-group "Qnap"
aaa port-access authenticator 5
aaa port-access authenticator active
After plugging in a .1x supplicant to port 5, the hit count for denied packets starts to climb.
And syslog entries show no connection to the bogus RADIUS server too.
------------------------------
Richard Litchfield
Airheads MVP 2020, 2021, 2022
------------------------------