Roles and Policies. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant
Chapter 14
Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
- Configuring User Roles on page 202
- Configuring Derivation Rules on page 204
- Using Advanced Expressions in Role and VLAN Derivation Rules on page 211
Firewall Policies
Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using Instant firewall, you can enforce network access policies that define access to the network, areas of the network that users may access, and the performance thresholds of various applications.
Instant supports a role-based stateful firewall. Instant firewall recognizes flows in a network and keeps track of the state of sessions. Instant firewall manages packets according to the first rule that matches the packet. The firewall logs on the IAPs are generated as syslog messages.
Access Control List Rules
You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses.
You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.
The IAP clients are associated with user roles that determine the client's network privileges and the frequency at which clients re-authenticate.
Instant supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on the source or destination IP address, and the source or destination port number.
- ACLs that permit or deny traffic based on network services, application, application categories, web categories, and security ratings.
You can configure up to 128 access control entries in an ACL for a user role.
The maximum configurable universal role is 4096.
Aruba Instant 6.5.2.0 | User Guide Roles and Policies | 185
Configuring ACL Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services.
- For information on configuring access rules based on application and application categories, see ACL Rules for Application and Application Categories on page 271.
- For information on configuring access rules based on web categories and web reputation, see Web Policy Enforcement Service on page 274.
In the Instant UI
To configure ACL rules for a user role:
1. Navigate to Security > Roles. The Roles tab contents are displayed.
   Alternatively, you can configure access rules for a wired or wireless client through the WLAN wizard or the Wired Profile window.
   a. To configure access rules through the Wired Profile window:
      - Navigate to More > Wired.
      - Click Edit and then Edit Wired Network.
      - Click Access.
   b. To configure access rules through the WLAN wizard:
      - Navigate to Network > WLAN SSID.
      - Click Edit and then Edit WLAN.
      - Click Access.
2. Select the role for which you want to configure access rules.
3. In the Access rules section, click New to add a new rule. The New Rule window is displayed.
4. Ensure that the rule type is set to Access Control.
5. To configure a rule to control access to network services, select Network under service category and specify the following parameters:
Table 40: Access Rule Configuration Parameters (Service Category: Network)

Service
  Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
  - any: Access is allowed or denied to all services.
  - custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.
  NOTE: If Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) use the same port, ensure that you configure separate access rules to permit or deny access.

Action
  Select any of the following actions:
  - Select Allow to allow access to users based on the access rule.
  - Select Deny to deny access to users based on the access rule.
  - Select Destination-NAT to allow making changes to the destination IP address.
  - Select Source-NAT to allow making changes to the source IP address. The following options are available:
    - Default: All client traffic is directed to the default VLAN.
    - Tunnel: The traffic from the Network Assigned clients is directed to the VPN tunnel.
    - VLAN: Specify the non-default VLAN ID to which the guest traffic needs to be redirected.

Destination
  Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
  - to all destinations: Access is allowed or denied to all destinations.
  - to a particular server: Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
  - except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
  - to a network: Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
  - except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
  - to domain name: Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

Log
  Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging. Firewall logs on the IAPs are generated as security logs.

Blacklist
  Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 179.

Classify media
  Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
  - Video: Priority 5 (Critical)
  - Voice: Priority 6 (Internetwork Control)

Disable scanning
  Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 261.

DSCP tag
  Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority
  Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
6. Click OK and then click Finish.
In the CLI
To configure access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> {<protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}} [<option1....option9>]
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule employee
(Instant AP)(Access Rule "employee")# rule 10.17.88.59 255.255.255.255 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny
(Instant AP)(Access Rule "employee")# end
(Instant AP)# commit apply
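The chapter states that the firewall applies the first rule that matches a packet, so the order in which the rule lines above are entered decides the outcome. The Python model below is an added example written for this page, not Aruba code, and reproduces that first-match evaluation for the permit/deny lines of the "employee" example: match/invert selects destinations inside or outside the given network, the protocol number or tcp/udp keyword and the port range must also agree, and the first matching rule's action wins. The names parse_rule, evaluate and EMPLOYEE_RULES are this example's own. Two things are assumptions rather than statements of this section: traffic that matches no rule is given a default action (deny here, settable per call), and only rules with an explicit permit or deny action in the single-destination syntax of the synopsis are parsed; the NAT actions and the line with no action are left out.

```python
"""First-match evaluation of Instant access-rule (ACL) lines.
Added example modelling the behaviour the guide describes; not Aruba code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords the rule syntax accepts alongside raw IP protocol numbers.
PROTO_NUMBERS = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class AccessRule:
    network: ipaddress.IPv4Network   # <dest> <mask>
    invert: bool                     # False = "match" (inside network), True = "invert" (everything except it)
    protocol: Optional[int]          # IP protocol number, None = any
    start_port: int
    end_port: int
    action: str                      # "permit" or "deny"
    options: Tuple[str, ...]         # trailing options such as "log" or "classify-media"

    def matches(self, dst_ip: str, protocol: int, dport: int) -> bool:
        in_net = ipaddress.IPv4Address(dst_ip) in self.network
        if in_net == self.invert:    # "match" needs in_net; "invert" needs not in_net
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        return self.start_port <= dport <= self.end_port


def parse_rule(line: str) -> AccessRule:
    """Parse 'rule <dest> <mask> match|invert <protocol> <sport> <eport> permit|deny [options]'."""
    t = line.split()
    if len(t) < 8 or t[0] != "rule" or t[3] not in ("match", "invert"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    network = ipaddress.IPv4Network(f"{t[1]}/{t[2]}", strict=False)
    proto_tok = t[4].lower()
    if proto_tok == "any":
        protocol = None
    elif proto_tok in PROTO_NUMBERS:
        protocol = PROTO_NUMBERS[proto_tok]
    else:
        protocol = int(proto_tok)
    if t[7] not in ("permit", "deny"):
        raise ValueError(f"only permit/deny rules are modelled: {line!r}")
    return AccessRule(network, t[3] == "invert", protocol, int(t[5]), int(t[6]), t[7], tuple(t[8:]))


def evaluate(rules: List[AccessRule], dst_ip: str, protocol: int, dport: int,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule). The firewall applies the first rule that
    matches, so order matters. What happens when nothing matches is not stated in this section of
    the guide; the deny default is an assumption of this example."""
    for index, rule in enumerate(rules):
        if rule.matches(dst_ip, protocol, dport):
            return rule.action, index
    return default, None


# The permit/deny lines from the "employee" example above, in the order they were entered.
EMPLOYEE_RULES = [parse_rule(line) for line in (
    "rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit",
    "rule 192.0.2.2 255.255.255.0 match 6 631 631 permit",
    "rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny",
    "rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny",
)]

if __name__ == "__main__":
    for dst, proto, port in (("203.0.113.5", 6, 110), ("192.0.2.8", 6, 110), ("10.0.0.1", 17, 68)):
        print(dst, proto, port, "->", evaluate(EMPLOYEE_RULES, dst, proto, port))
```

Placing a broad rule such as a deny for TCP port 110 to 0.0.0.0/0 in front of the inverted permit on port 110 makes the permit unreachable, which is the ordering hazard the first-match behaviour creates. The model also shows why the note in Table 40 asks for separate TCP and UDP rules: a UDP packet to port 631 does not match the TCP rule for that port and falls through to the default.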
Configuring Network Address Translation Rules
Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and the private (local network), which allows translation of private network IP addresses to a public address space.
Instant supports the NAT mechanism to allow a routing device to use the translation tables for mapping the private addresses into a single IP address. When packets are sent from this address, they appear to originate from the routing device. Similarly, if packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device.
Configuring a Source-NAT Access Rule
The source-NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic in L3 mode access on an SSID destined to the corporate network is sent to the tunnel. When an access rule is configured with Source-NAT action, the users can specify the service, protocol, or destination to which the source-NAT is applied.
You can also configure source-based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while the other SSID can be used as an alternate uplink. You can create an access rule to perform source-NAT by using the Instant UI or the CLI.
In the Instant UI
To configure a source-NAT access rule:
1. Navigate to the WLAN wizard or the Wired settings window:
   - To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or click edit to modify an existing profile.
   - To configure access rules for a wired profile, navigate to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. To configure access rules for the network, move the slider to the Network-based access control type. To configure access rules for user roles, move the slider to the Role-based access control type.
4. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
5. In the New Rule window, perform the following steps:
   a. Select Access control from the Rule type drop-down list.
   b. Select Source-NAT from the Action drop-down list, to allow for making changes to the source IP address.
   c. Select a service from the list of available services.
      - Default: All client traffic by default will be directed to the native VLAN.
      - Tunnel: All network-based traffic will be directed to the VPN tunnel.
      - VLAN: All client-based traffic will be directed to the specified uplink VLAN using the IP address of the interface that the IAP has on that VLAN. If the interface is not found, this option has no effect.
   d. Select the required option from the Destination drop-down list.
   e. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
   f. Click OK.
6. Click Finish.
In the CLI
To configure source-NAT access rule:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> src-nat [vlan <vlan_id>|tunnel]
(Instant AP)(Access Rule "<access_rule>")# end
(Instant AP)# commit apply
Configuring Policy-Based Corporate Access
To allow different forwarding policies for different SSIDs, you can configure policy-based corporate access. The configuration overrides the routing profile configuration and allows any destination or service to be configured to have direct access to the Internet (bypassing the VPN tunnel) based on the ACL rule definition. When policy-based corporate access is enabled, the VC performs source-NAT by using its uplink IP address.
To configure policy-based corporate access:
1. Ensure that an L3 subnet with netmask, gateway, VLAN, and IP address is configured. For more information on configuring an L3 subnet, see Configuring L3-Mobility on page 345.
2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet.
3. Create an access rule for the SSID profile with Source-NAT action as described in Access Rule on page 188. The source-NAT pool is configured and the corporate access entry is created.
Configuring a Destination-NAT Access Rule
Instant supports configuration of the destination-NAT rule, which can be used to redirect traffic to the specified IP address and destination port. The destination-NAT configuration is supported only in the bridge mode without VPN.
You can configure a destination-NAT access rule by using the Instant UI or the CLI.
In the Instant UI
To configure a destination-NAT access rule:
1. Navigate to the WLAN wizard or the Wired settings window:
   - To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or click edit to modify an existing profile.
   - To configure access rules for a wired profile, navigate to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab and perform any of the following steps:
   - To configure access rules for the network, move the slider to the Network-based access control type.
   - To configure access rules for user roles, move the slider to the Role-based access control type.
3. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed.
4. In the New Rule window, perform the following steps:
   a. Select Access control from the Rule type drop-down list.
   b. Select Destination-NAT from the Action drop-down list, to allow for making changes to the destination IP address.
   c. Specify the IP address and port details.
   d. Select a service from the list of available services.
   e. Select the required option from the Destination drop-down list.
   f. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.
   g. Click OK.
5. Click Finish.
In the CLI
To configure destination-NAT access rule:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> dst-nat ip <IP-address> [<port>]
(Instant AP)(Access Rule "<access_rule>")# end
(Instant AP)# commit apply
Configuring ALG Protocols
You can enable or disable protocols for Application Layer Gateway (ALG) using the Instant UI or the CLI.
In the Instant UI
To enable or disable ALG protocols:
1. Click the Security link located directly above the Search bar on the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab:
Figure 41 Firewall Settings—ALG Protocols
3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco Skinny protocols.
4. Click OK.
When the protocols for ALG are set to Disabled , the changes are not applied until the existing user sessions expire.
Reboot the IAP and the client, or wait for a few minutes to view the changes.
In the CLI
To configure protocols for ALG:
(Instant AP)(config)# alg
(Instant AP)(ALG)# sccp-disable
(Instant AP)(ALG)# no sip-disable
(Instant AP)(ALG)# no ua-disable
(Instant AP)(ALG)# no vocera-disable
(Instant AP)(ALG)# end
(Instant AP)# commit apply
To view the ALG configuration:
(Instant AP)# show alg
Current ALG
-----------
ALG     Status
---     ------
sccp    Disabled
sip     Enabled
ua      Enabled
vocera  Enabled
Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against attacks using the Instant UI or the CLI.
In the Instant UI
To configure firewall settings:
1. Click the Security link located directly above the Search bar on the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. To configure protection against security attacks, select the following check boxes:
   - Select Drop bad ARP to enable the IAP to drop the fake ARP packets.
   - Select Fix malformed DHCP for the IAP to fix the malformed DHCP packets.
   - Select ARP poison check to enable the IAP to trigger alerts about ARP poisoning that may have been caused by rogue IAPs. ARP Poisoning detection triggers alerts when a known client on the IAP spoofs the base MAC address of the IAP.
Figure 42 Firewall Settings—Protection Against Wired Attacks
4. Click OK.
In the CLI
To configure firewall settings to prevent attacks:
(Instant AP)(config)# attack
(Instant AP)(ATTACK)# drop-bad-arp-enable
(Instant AP)(ATTACK)# fix-dhcp-enable
(Instant AP)(ATTACK)# poison-check-enable
(Instant AP)(ATTACK)# end
(Instant AP)# commit apply
To view the configuration status:
(Instant AP)# show attack config
Current Attack
--------------
Attack        Status
------        ------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled
To view the attack statistics
(Instant AP)# show attack stats
attack counters
---------------
Counter                         Value
-------                         -----
arp packet counter              0
drop bad arp packet counter     0
dhcp response packet counter    0
fixed bad dhcp packet counter   0
send arp attack alert counter   0
send dhcp attack alert counter  0
arp poison check counter        0
garp send check counter         0
Auto Topology Rules
Auto Topology is a feature that automatically adds ACL rules into the firewall. This ensures that any kind of control-plane messages required for the automatic cluster formation are never blocked. By default, this feature is enabled. However, this feature can be disabled when customers prefer full control on the security policy rather than accepting automatic ACL rules. This feature governs all the ACLs and impacts all the traffic that is hit by the ACLs.
Configuring Firewall Settings to Disable Auto Topology Rules
You can disable the rules by configuring firewall settings in the IAP.
In order to deny auto topology communication outside the IAP subnet, the inbound firewall settings must be enabled.
When the inbound firewall settings are enabled:
- Access Control Entities (ACEs) must be configured to block auto topology messages, as there is no default rule at the top of predefined ACLs.
- ACEs must be configured to override the guest VLAN auto-expanded ACEs. In other words, the user-defined ACEs take higher precedence over guest VLAN ACEs.
For more information on inbound firewall settings, see Managing Inbound Traffic on page 193.
The priority of a particular ACE is determined based on the order in which it is programmed. Ensure that you do not accidentally override the guest VLAN ACEs.
You can change the status of auto topology rules by using the Instant UI or the CLI:
In the Instant UI
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Go to the Firewall Settings tab.
3. In the Firewall section, select Disabled from the Auto topology rules drop-down list.
4. Click OK.
In the CLI
(Instant AP)(config)# firewall
(Instant AP)(firewall)# disable-auto-topology-rules
(Instant AP)(firewall)# end
(Instant AP)# commit apply
To view the configuration status:
Firewall
--------
Type                 Value
----                 -----
Auto topology rules  disable
Managing Inbound Traffic
Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and management subnets, and restricting corporate access through an uplink switch.
To allow flexibility in firewall configuration, Instant supports the following features:
- Inbound firewall rules
- Configurable management subnets
- Restricted corporate access
Configuring Inbound Firewall Rules
You can now configure firewall rules for the inbound traffic coming through the uplink ports of an IAP. The rules defined for the inbound traffic are applied if the destination is not a user connected to the IAP. If the destination already has a user role assigned, the user role overrides the actions or options specified in the inbound firewall configuration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or a wired profile, the inbound firewall rules can be configured based on the source subnet.
For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default.
Management access to the IAP is allowed irrespective of the inbound firewall rule. For more information on configuring restricted management access, see Configuring Management Subnets on page 196.
The inbound firewall is not applied to traffic coming through the GRE tunnel.
You can configure inbound firewall rules through the Instant UI or the CLI.
In the Instant UI
1. Navigate to Security > Inbound Firewall . The Inbound Firewall tab contents are displayed.
2. Under Inbound Firewall Rules , click New . The New Rule window is displayed.
Figure 43 Inbound Firewall Rules - New Rule Window
3. Configure the following parameters:
Table 41: Inbound Firewall Rule Configuration Parameters

Action
  Select any of the following actions:
  - Select Allow to allow access to users based on the access rule.
  - Select Deny to deny access to users based on the access rule.
  - Select Destination-NAT to allow making changes to the destination IP address.
  - Select Source-NAT to allow making changes to the source IP address.
  The destination-NAT and source-NAT actions apply only to the network services rules.

Service
  Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
  - any: Access is allowed or denied to all services.
  - custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.

Source
  Select any of the following options:
  - from all sources: Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
  - from a host: Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
  - from a network: Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.

Destination
  Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
  - to all destinations: Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
  - to a particular server: Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
  - except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
  - to a network: Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
  - except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
  - to domain name: Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.

Log
  Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the IAPs are generated as security logs.

Blacklist
  Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified in the Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 179.

Classify media
  Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
  - Video: Priority 5 (Critical)
  - Voice: Priority 6 (Internetwork Control)

Disable scanning
  Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 261.

DSCP tag
  Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority
  Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

4. Click OK and then click Finish.
In the CLI
To configure inbound firewall rules:
(Instant AP)(config)# inbound-firewall
(Instant AP)(inbound-firewall)# rule <subnet> <smask> <dest> <mask> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat <IP-address> <port>} [<option1....option9>]
(Instant AP)(inbound-firewall)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# inbound-firewall
(Instant AP)(inbound-firewall)# rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit
(Instant AP)(inbound-firewall)# end
(Instant AP)# commit apply
Configuring Management Subnets
You can configure subnets to ensure that the IAP management is carried out only from these subnets. When the management subnets are configured, access through Telnet, SSH, and UI is restricted to these subnets only.
You can configure management subnets by using the Instant UI or the CLI.
In the Instant UI
To configure management subnets:
1. Navigate to Security > Inbound Firewall . The Inbound Firewall tab contents are displayed.
Figure 44 Firewall Settings—Management Subnets
2. To add a new management subnet:
   - In the Add new management subnet section, enter the subnet address in Subnet.
   - Enter the subnet mask in Mask.
   - Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.
In the CLI
To configure a management subnet:
(Instant AP)(config) # restricted-mgmt-access <subnet-IP-address> <subnet-mask>
(Instant AP)(config) # end
(Instant AP)# commit apply
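Two statements in Managing Inbound Traffic decide what happens to a packet arriving on the uplink: the inbound rules are evaluated by source subnet with a deny-all applied by default once at least one rule exists, and management access to the IAP is allowed irrespective of those rules and is restricted only by the management subnets configured with restricted-mgmt-access. The following Python model is an added example written for this page, not Aruba code, that puts both checks in that order and parses the guide's inbound-firewall example rule. The names InboundRule, parse_inbound_rule, mgmt_subnet and inbound_decision, the sample management subnet and IAP address, and the choice of TCP ports 22, 23 and 443 for Telnet, SSH and the UI are this example's own; the guide names the services but not the ports. It also assumes that with no inbound rules configured the packet is not filtered at this stage, and it leaves out the user-role override for destinations that already have a role and the GRE-tunnel exemption.

```python
"""Inbound-firewall decision for traffic arriving on the IAP uplink.
Added example modelling the behaviour the guide describes; not Aruba code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"tcp": 6, "udp": 17}
# Management services the guide says the management subnets restrict; the port
# numbers are the standard ones and are an assumption of this example.
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "ui"}


@dataclass(frozen=True)
class InboundRule:
    source: ipaddress.IPv4Network           # <subnet> <smask>
    dest: Optional[ipaddress.IPv4Network]   # <dest> <mask>, None = any
    protocol: Optional[int]                 # IP protocol number, None = any
    start_port: int
    end_port: int
    action: str                             # "permit" or "deny" (NAT actions not modelled)

    def matches(self, src: str, dst: str, protocol: int, dport: int) -> bool:
        return (ipaddress.IPv4Address(src) in self.source
                and (self.dest is None or ipaddress.IPv4Address(dst) in self.dest)
                and (self.protocol is None or self.protocol == protocol)
                and self.start_port <= dport <= self.end_port)


def parse_inbound_rule(line: str) -> InboundRule:
    """Parse 'rule <subnet> <smask> <dest> <mask> [match] <protocol> <sport> <eport> permit|deny'.
    'any any' for the destination and the optional 'match' keyword are accepted because the
    guide's own example uses them."""
    t = line.split()
    if t[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    source = ipaddress.IPv4Network(f"{t[1]}/{t[2]}", strict=False)
    dest = None if t[3] == "any" else ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
    i = 6 if t[5] == "match" else 5
    proto_tok = t[i].lower()
    if proto_tok == "any":
        protocol = None
    elif proto_tok in PROTO_NUMBERS:
        protocol = PROTO_NUMBERS[proto_tok]
    else:
        protocol = int(proto_tok)
    action = t[i + 3]
    if action not in ("permit", "deny"):
        raise ValueError(f"only permit/deny are modelled: {line!r}")
    return InboundRule(source, dest, protocol, int(t[i + 1]), int(t[i + 2]), action)


def mgmt_subnet(subnet_ip: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """Mirror of 'restricted-mgmt-access <subnet-IP-address> <subnet-mask>'."""
    return ipaddress.IPv4Network(f"{subnet_ip}/{subnet_mask}", strict=False)


def inbound_decision(rules: List[InboundRule], mgmt_subnets: List[ipaddress.IPv4Network],
                     src: str, dst: str, protocol: int, dport: int, iap_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one upstream packet, in the order the guide gives:
    management access to the IAP is outside the inbound rules and limited only by the
    management subnets; then the inbound rules, first match wins; then the deny-all that
    exists once at least one rule is configured."""
    src_ip = ipaddress.IPv4Address(src)
    if dst == iap_ip and protocol == 6 and dport in MGMT_PORTS:
        if not mgmt_subnets or any(src_ip in net for net in mgmt_subnets):
            return "permit", f"management access ({MGMT_PORTS[dport]})"
        return "deny", "source outside configured management subnets"
    for index, rule in enumerate(rules):
        if rule.matches(src, dst, protocol, dport):
            return rule.action, f"rule {index}"
    if rules:
        return "deny", "implicit deny-all"
    return "permit", "no inbound rules configured"   # assumption: nothing filtered here without rules


# Constructed sample: the guide's example rule, one management subnet and an IAP address.
EXAMPLE_RULES = [parse_inbound_rule("rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit")]
EXAMPLE_MGMT = [mgmt_subnet("10.10.0.0", "255.255.255.0")]
EXAMPLE_IAP_IP = "10.10.0.5"

if __name__ == "__main__":
    print(inbound_decision(EXAMPLE_RULES, EXAMPLE_MGMT, "192.0.2.9", "10.20.0.7", 6, 631, EXAMPLE_IAP_IP))
    print(inbound_decision(EXAMPLE_RULES, EXAMPLE_MGMT, "192.0.2.9", EXAMPLE_IAP_IP, 6, 22, EXAMPLE_IAP_IP))
```

The second call in the usage lines is the case the guide warns about: a single permit rule does not protect the IAP's own SSH, Telnet or UI access, because management access bypasses the inbound rules; only a management subnet closes it, and an empty management subnet list leaves it open to every source.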
Configuring Restricted Access to Corporate Network
You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of master IAP, including clients connected to a slave IAP. You can configure restricted corporate access by using the Instant UI or the CLI.
In the Instant UI
To configure restricted corporate access:
1. Navigate to Security > Inbound Firewall. The Inbound Firewall (see ) tab contents are displayed.
2. Select Enabled from the Restrict Corporate Access drop-down list.
3. Click OK.
In the CLI
To configure restricted corporate access:
(Instant AP)(config) # restrict-corp-access
(Instant AP)(config) # end
(Instant AP)# commit apply
Content Filtering
The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies.
With content filtering, you can achieve the following:
- Allow all DNS requests to the non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the IAP uses these credentials to access OpenDNS and provide enterprise-level content filtering. For more information, see
- Block certain categories of websites based on your organization policy. For example, if you block the webbased-email category, clients who are assigned this policy will not be able to visit email-based websites such as mail.yahoo.com.
- Prevent known malware hosts from accessing your wireless network.
- Improve employee productivity by limiting access to certain websites.
- Reduce bandwidth consumption significantly.
Regardless of whether content filtering is disabled or enabled, the DNS requests to http://instant.arubanetworks.com are always resolved internally on Instant.
The content filtering configuration applies to all IAPs in the network and the service is enabled or disabled globally across the wireless or wired network profiles.
Enabling Content Filtering
This section describes the following procedures:
- Enabling Content Filtering for a Wireless Profile on page 198
- Enabling Content Filtering for a Wired Profile on page 199
Enabling Content Filtering for a Wireless Profile
To enable content filtering for a wireless SSID, perform the following steps:
In the Instant UI
1. Select a wireless profile in the Network tab and then click the edit link. The window for editing the WLAN SSID profile is displayed.
2. Click Show advanced options.
3. Select Enabled from the Content Filtering drop-down list, and click Next to continue.
You can also enable content filtering while adding a new wireless profile. For more information, see WLAN Settings for an SSID Profile on page 89.
In the CLI
To enable content filtering on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# content-filtering
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
198 | Roles and Policies Aruba Instant 6.5.2.0 | User Guide
Enabling Content Filtering for a Wired Profile
To enable content filtering for a wired profile, perform the following steps:
In the Instant UI
1. Click the Wired link under More in the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit . The Edit Wired Network window is displayed.
4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list, and click Next to continue.
In the CLI
To enable content filtering for a wired profile in the CLI:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# content-filtering
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Enterprise Domains
The enterprise domain names list displays the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests must be routed. When Content Filtering is enabled, the DNS requests of the clients are verified, and the domain names that do not match the names in the list are sent to the OpenDNS server.
You can configure an enterprise domain through the Instant UI or the CLI.
In the Instant UI
To manually add a domain:
1. Navigate to System > General and click Show advanced options > Enterprise Domains. The Enterprise Domain tab contents are displayed.
2. Click New and enter a New Domain Name. Using an asterisk (*) as an enterprise domain causes all DNS traffic to go through the tunnel to the original DNS server of the clients. If you are configuring a routing profile with split-tunnel disabled, you need to add the asterisk (*) to the enterprise domain list.
3. Click OK to apply the changes.
To delete a domain, select the domain and click Delete. This removes the domain name from the list.
In the CLI
To configure an enterprise domain:
(Instant AP)(config)# internal-domains
(Instant AP)(domain)# domain-name <name>
(Instant AP)(domain)# end
(Instant AP)# commit apply
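The routing decision the two sections above describe (always-internal name, enterprise-domain list, the asterisk entry, and OpenDNS for everything else) is modelled in the following added example. It is illustrative code written for this page, not Aruba's implementation. The page does not say exactly how a query is compared with a listed domain; the example assumes a case-insensitive, label-wise suffix match (the query is the domain itself or a subdomain of it), and the return labels "internal", "client-dns" and "opendns" are names chosen here.

```python
"""Model of how Instant routes a client DNS query once content filtering is
configured (added example; not Aruba's code)."""

# The page states this name is always resolved on Instant itself.
ALWAYS_INTERNAL = "instant.arubanetworks.com"


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches_enterprise_domain(qname, domain):
    """True when qname equals the enterprise domain or is a subdomain of it.
    Assumption: label-wise suffix match, so 'notexample.com' does NOT match
    'example.com' (a plain string endswith() check would wrongly accept it)."""
    q, d = _labels(qname), _labels(domain)
    return len(q) >= len(d) and q[-len(d):] == d


def route_dns_query(qname, enterprise_domains, content_filtering=True):
    """Return where the query is sent:
      'internal'   resolved on the IAP (instant.arubanetworks.com)
      'client-dns' forwarded to the client's original DNS server
      'opendns'    sent to OpenDNS for content filtering
    """
    if _labels(qname) == _labels(ALWAYS_INTERNAL):
        return "internal"
    if not content_filtering:
        return "client-dns"
    # An asterisk entry sends all DNS traffic to the clients' original servers.
    if "*" in enterprise_domains:
        return "client-dns"
    if any(matches_enterprise_domain(qname, d) for d in enterprise_domains):
        return "client-dns"
    return "opendns"


if __name__ == "__main__":
    # Constructed sample list; "example.com" stands in for a corporate domain.
    enterprise = ["example.com"]
    for name in ("instant.arubanetworks.com", "intranet.example.com",
                 "notexample.com", "mail.yahoo.com"):
        print(name, "->", route_dns_query(name, enterprise))
```

The label-wise comparison in matches_enterprise_domain is the detail worth checking in any such list: a suffix check on the raw string would treat notexample.com as part of the enterprise and keep it out of the OpenDNS filter.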
Configuring URL Filtering Policies
You can configure URL filtering policies to block certain categories of websites based on your organization specifications by defining ACL rules either through the Instant UI or the CLI.
In the Instant UI
To control access based on web categories and security settings:
1. Navigate to Security > Roles.
2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.
3. Select Access Control from the Rule Type drop-down list.
4. To set an access policy based on the web category:
a. Under the Service section, select Web category and expand the Web categories drop-down list.
Figure 45 Roles—New Rule
b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
c. From the Action drop-down list, select Allow or Deny as required.
d. Click OK.
5. To filter access based on the security ratings of the website:
a. Select Web reputation under the Service section.
b. Move the slider to the required security rating level.
c. From the Action drop-down list, select Allow or Deny as required.
6. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.
7. Click OK to save the rules.
8. Click OK in the Roles tab to save the changes to the role for which you defined ACL rules.
In the CLI
To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webcategory <webgrp> {permit|deny} [<option1....option9>]
(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webreputation <webrep> {permit|deny} [<option1....option9>]
(Instant AP)(Access Rule "<access-rule>")# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
(Instant AP)# commit apply
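Because Instant applies the first rule that matches a packet, the order of the four URLFilter rules above decides what happens to a site that falls into more than one bucket (for example a gambling site with a trustworthy reputation). The added example below, written for this page and not taken from Aruba, parses those exact CLI lines into an ordered rule list and evaluates them first-match. The page does not state what happens when no rule matches, so the evaluator returns None in that case rather than assuming permit or deny; the request fields "category" and "reputation" are names chosen here.

```python
"""First-match evaluation of webcategory/webreputation ACL rules
(added example; not Aruba's code)."""
import re

# Constructed copy of the URLFilter CLI example from this page.
URLFILTER_CLI = """\
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
"""

# rule <dest> <mask> <match> webcategory|webreputation <value> permit|deny
RULE_RE = re.compile(
    r"rule\s+(?P<dest>\S+)\s+(?P<mask>\S+)\s+match\s+"
    r"(?P<kind>webcategory|webreputation)\s+(?P<value>\S+)\s+(?P<action>permit|deny)\b"
)


def parse_rules(cli_text):
    """Extract (kind, value, action) tuples, preserving configuration order."""
    rules = []
    for line in cli_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m["kind"], m["value"], m["action"]))
    return rules


def evaluate(rules, category, reputation):
    """Return the action of the first rule matching the request, or None when
    no rule matches (the page gives no default for this case)."""
    for kind, value, action in rules:
        if kind == "webcategory" and value == category:
            return action
        if kind == "webreputation" and value == reputation:
            return action
    return None


def evaluate_reordered(rules, category, reputation):
    """Same request evaluated with reputation rules moved ahead of category
    rules, to show that rule order, not rule content, picks the outcome."""
    reordered = [r for r in rules if r[0] == "webreputation"] + \
                [r for r in rules if r[0] == "webcategory"]
    return evaluate(reordered, category, reputation)


if __name__ == "__main__":
    rules = parse_rules(URLFILTER_CLI)
    print(evaluate(rules, "gambling", "trustworthy-sites"))            # deny
    print(evaluate(rules, "training-and-tools", "suspicious-sites"))  # permit
    print(evaluate_reordered(rules, "training-and-tools", "suspicious-sites"))  # deny
```

A training-and-tools site with a suspicious reputation is permitted by the page's rule order, because the category permit sits above the reputation deny; placing the reputation rules first flips that result. When a deny is meant to win regardless of category, put it first.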
Creating Custom Error Page for Web Access Blocked by AppRF Policies
You can create a list of URLs to which the users are redirected when they access blocked websites. You can define an access rule to use these redirect URLs and assign the rule to a user role in the WLAN network.
You can create a list of custom URLs and ACL rules for blocked websites either through the Instant UI or the CLI.
Creating a List of Error Page URLs
To create a list of error page URLs:
In the Instant UI
1. Navigate to Security > Custom Blocked Page URL.
2. Click New and enter the URL of the error page to which blocked users are redirected.
3. Repeat the procedure to add more URLs. You can add up to 8 URLs to the blocked page list.
4. Click OK.
In the CLI
(Instant AP)(config)# dpi-error-page-url <idx> <url>
(Instant AP)(config)# exit
(Instant AP)# commit apply
Configuring ACL Rules to Redirect Blocked HTTP Websites to a Custom Error Page URL
To redirect blocked HTTP websites to a custom error page URL:
In the UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or Wired profile role, and click New in the Access Rules section.
3. In the New Rule window, select the rule type as Blocked Page URL.
4. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click New.
5. Click OK.
6. Click OK in the Roles tab to save the changes.
In the CLI
To configure an ACL rule to redirect blocked HTTP websites to a custom error page URL:
(Instant AP)(config)# wlan access-rule <access_rule_name>
(Instant AP)(Access Rule "<access_rule_name>")# dpi-error-page-url <idx>
(Instant AP)(Access Rule "<access_rule_name>")# end
(Instant AP)# commit apply
Configuring ACL Rules to Redirect Blocked HTTPS Websites to a Custom Blocked Page URL
Before you configure an ACL rule for a specific WLAN SSID or Wired profile to redirect blocked HTTPS websites to a custom error page, ensure that the Blocked Page URL rule for blocked HTTP websites is configured for the same WLAN SSID or Wired profile. All blocked HTTP and HTTPS websites are then redirected to the custom error page URL.
To redirect blocked HTTPS websites to a custom error page URL:
In the UI
1. Navigate to Security > Roles.
2. Select any WLAN SSID or Wired profile role, and click New in the Access Rules section.
3. In the New Rule window, select the rule type as Redirect Blocked HTTPS.
4. Click OK.
5. Click OK in the Roles tab to save the changes.
In the CLI
To configure an ACL rule to redirect blocked HTTPS to a custom error page URL:
(Instant AP)(config)# wlan access-rule <access_rule_name>
(Instant AP)(Access Rule "<access_rule_name>")# dpi-error-page-url <idx>
(Instant AP)(Access Rule "<access_rule_name>")# redirect-blocked-https-traffic
(Instant AP)(Access Rule "<access_rule_name>")# end
(Instant AP)# commit apply
Configuring User Roles
Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts.
Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
The user role configuration on an IAP involves the following procedures:
- Creating a User Role on page 202
- Assigning Bandwidth Contracts to User Roles on page 203
- Configuring Machine and User Authentication Roles on page 204
Creating a User Role
You can create a user role by using the Instant UI or the CLI.
In the Instant UI
To create a user role:
1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 103 and Configuring Access Rules for a Wired Profile on page 116.
In the CLI
To configure user roles and access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}} [<option1…option9>]
Assigning Bandwidth Contracts to User Roles
Administrators can manage bandwidth utilization by assigning either maximum bandwidth rates or bandwidth contracts to user roles. The administrator can assign a bandwidth contract, configured in Kbps, to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role. The bandwidth contract is not applied to user traffic to bridged-out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.
By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth is served and shared among all the users. You can also assign a bandwidth rate per user to give every user a specific bandwidth within a range of 1–65,535 Kbps. If no bandwidth contract is specified for a traffic direction, unlimited bandwidth is allowed.
In earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If a bandwidth contract is assigned for an SSID in the Instant 6.2.1.0-3.4.0.0 version, and the IAP is then upgraded to the Instant 6.5.2.0 release version, the bandwidth configuration per SSID is treated as a per-user downstream bandwidth contract for that SSID.
In the Instant UI
1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role (see Creating a User Role on page 202) or select an existing role.
4. Under Access Rules, click New. The New Rule window is displayed.
5. Select Bandwidth Contract from the Rule Type drop-down list.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per-user check box.
7. Click OK .
8. Associate the user role to a WLAN SSID or a wired profile.
You can also create a user role and assign bandwidth contracts when configuring a WLAN SSID profile or a wired profile.
In the CLI
To assign a bandwidth contract in the CLI:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# bandwidth-limit {downstream <kbps>|upstream <kbps>|peruser {downstream <kbps>|upstream <kbps>}}
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To associate the access rule to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine authentication is only supported on Windows devices, so it can be used to distinguish between Windows devices and other devices such as iPads.
You can create any of the following types of rules:
- Machine Auth only role—This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
- User Auth only role—This indicates a known user or a non-Windows device. The device does not support machine authentication or does not have a RADIUS account, but the user is logged in and authenticated.
When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.
You can configure machine authentication with role-based access control using the Instant UI or the CLI.
In the Instant UI
To configure machine authentication with role-based access control:
1. In the Access tab of the WLAN wizard (New WLAN or Edit <WLAN-profile>) or in the wired profile configuration window (New Wired Network or Edit Wired Network), under Roles, create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role and applying the rule. For more information on configuring access rules, see Configuring ACL Rules for Network Services on page 186.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Finish to apply these changes.
In the CLI
To configure machine and user authentication roles for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Derivation Rules
Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or a VLAN to the clients connecting to an SSID or a wired profile.
Understanding Role Assignment Rules
When an SSID or a wired profile is created, a default role for the clients connecting to this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods.
The role assigned by some methods may take precedence over the roles assigned by the other methods.
RADIUS VSA Attributes
The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication.
The role derived from an Aruba VSA takes precedence over roles defined by other methods.
MAC-Address Attribute
The first three octets in a MAC address are known as the Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the "assignee") globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee.
IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an IAP. You can configure rules to assign a user role to clients that match a MAC-address-based criteria. For example, you can assign a voice role to any client with a MAC address starting with a0:a1:a2.
Roles Based on Client Authentication
The user role can be the default user role configured for an authentication method, such as 802.1X authentication. For each authentication method, you can configure a default role for the clients who are successfully authenticated using that method.
DHCP Option and DHCP Fingerprinting
The DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device.
For example, to create a role assignment rule with the DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the IAP assigns Apple iOS devices to the role that you choose.
Table 42: Validated DHCP Fingerprint
Device                                 DHCP Option   DHCP Fingerprint
Apple iOS                              Option 55     370103060F77FC
Android                                Option 60     3C64686370636420342E302E3135
Blackberry                             Option 60     3C426C61636B4265727279
Windows 7/Vista Desktop                Option 55     37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home, Professional)   Option 55     37010f03062c2e2f1f21f92b
Windows Mobile                         Option 60     3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone                        Option 55     370103060f2c2e2f
Apple Mac OS X                         Option 55     370103060f775ffc2c2e2f
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
You can create a role assignment rule by using the Instant UI or the CLI.
In the Instant UI
1. Navigate to the WLAN wizard or the Wired settings window:
- To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
- To configure access rules for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. Under Role Assignment Rules , click New . The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
4. Select the attribute that matches with the rule from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see Authentication with VSA on page 154.
5. Select the operator from the Operator drop-down list. The following types of operators are supported:
- contains—The rule is applied only if the attribute value contains the string specified in Operand.
- Is the role—The rule is applied if the attribute value is the role.
- equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
- not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
- ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
- matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
6. Enter the string to match the attribute in the String text box.
7. Select the appropriate role from the Role drop-down list.
8. Click OK .
When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
In the CLI
To configure role assignment rules for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role <attribute>{{equals|not-equal|starts-with| ends-with|contains}<operator> <role>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile "Profile1")# set-role mac-address-and-dhcp-options matches-regular-expression \bring\b Profile1
(Instant AP)(SSID Profile "Profile1")# end
(Instant AP)# commit apply
Understanding VLAN Assignment
You can assign VLANs to a client based on the following configuration conditions:
- The default VLAN configured for the WLAN can be assigned to a client.
- If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before the authentication, from the rules configured for these profiles.
- If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
- The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
- After client authentication, the VLAN can be derived from Vendor-Specific Attributes (VSA) for RADIUS server authentication.
- The DHCP-based VLANs can be derived for captive portal authentication.
Instant supports role derivation based on the DHCP option for captive portal authentication. When the captive portal authentication is successful, the role derivation based on the DHCP option assigns a new user role to the guest users, instead of the pre-authenticated role.
Vendor-Specific Attributes
When an external RADIUS server is used, the user VLAN can be derived from the Aruba-User-Vlan VSA. The VSA is then carried in an Access-Accept packet from the RADIUS server. The IAP can analyze the return message and derive the value of the VLAN which it assigns to the user.
Figure 46 RADIUS Access-Accept Packets with VSA
Figure 47 Configure VSA on a RADIUS Server
VLAN Assignment Based on Derivation Rules
When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value in the reply message, the IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA on page 154.
Figure 48 Configuring RADIUS Attributes on the RADIUS Server
User Role
If the VSA and VLAN derivation rules do not match, the user VLAN can be derived from a user role.
VLANs Created for an SSID
If the VSA and VLAN derivation rules do not match, and the User Role does not contain a VLAN, the user VLAN can be derived from the VLANs configured for an SSID or an Ethernet port profile.
Configuring VLAN Derivation Rules
The VLAN derivation rules allow administrators to assign a VLAN to the IAP clients based on the attributes returned by the RADIUS server.
You can configure VLAN derivation rules for an SSID profile by using the Instant UI or the CLI.
In the Instant UI
To configure VLAN derivation rules:
1. Perform the following steps:
- To configure a VLAN derivation rule for a WLAN SSID profile, navigate to Network > New > New WLAN > VLAN or Network > edit > Edit <WLAN-profile> > VLAN. Select the Dynamic option under Client VLAN assignment.
- To configure a VLAN derivation rule for a wired network profile, navigate to Wired > New > New Wired Network > VLAN or Wired > Edit > Edit Wired Network > VLAN. The VLAN tab contents are displayed.
2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
Figure 49 VLAN Assignment Rule Window
3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 154.
4. Select the operator from the Operator drop-down list. The following types of operators are supported:
- contains—The rule is applied only if the attribute value contains the string specified in Operand.
- Is the VLAN—The rule is applied if the VLAN is the same as the one returned by the RADIUS attribute.
- equals—The rule is applied only if the attribute value is equal to the string specified in Operand.
- not-equals—The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts-with—The rule is applied only if the attribute value starts with the string specified in Operand.
- ends-with—The rule is applied only if the attribute value ends with the string specified in Operand.
5. Enter the string to match the attribute in the String text box.
6. Select the appropriate VLAN ID from the VLAN drop-down list.
7. Click OK .
8. Ensure that the required security and access parameters are configured.
9. Click Finish to apply the changes.
In the CLI
To create a VLAN assignment rule for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a VLAN assignment rule for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..link 100
(Instant AP)(SSID Profile "Profile1")# end
(Instant AP)# commit apply
Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match with the combined string of the MAC address and the DHCP options. The combined string is formed by concatenating the hexadecimal presentation of the MAC address and all of the DHCP options sent by a particular device. The regular expression is a powerful pattern description language that can be used to perform advanced pattern matching of the above string.
If the combined device fingerprint string matches the specified regular expression, the role or VLAN can be set to the WLAN client.
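The following added example, written for this page and not taken from Aruba, puts together the derivation mechanics described in Creating a Role Derivation Rule, Configuring VLAN Derivation Rules and this section: a combined MAC-plus-DHCP-options string, the operators (equals, not-equals, contains, starts-with, ends-with, matches-regular-expression, the last one only on mac-address-and-dhcp-options), and first-match rule evaluation falling back to the profile's default. The page states that the combined string is the concatenation of the hexadecimal MAC address and the DHCP options but not its exact layout, so the example assumes lower-case hex without separators, and it assumes case-insensitive comparison. The Apple iOS fingerprint and the a0:a1:a2 OUI come from this page; the MAC addresses, rule lists and role names are constructed. RADIUS VSA precedence and Enforce Machine Authentication are not modelled.

```python
"""Role/VLAN derivation rules evaluated first-match over client attributes
(added example; not Aruba's code)."""
import re

# Apple iOS option-55 fingerprint from Table 42 on this page.
IOS_OPTION55 = "370103060F77FC"


def combined_fingerprint(mac, dhcp_options):
    """Assumed layout of the mac-address-and-dhcp-options string: lower-case
    hex MAC with separators removed, followed by the hex of every DHCP option
    the client sent, in the order received."""
    mac_hex = mac.replace(":", "").replace("-", "").lower()
    return mac_hex + "".join(opt.lower() for opt in dhcp_options)


def _match(operator, value, operand):
    """Apply one derivation-rule operator (assumed case-insensitive)."""
    v, s = value.lower(), operand.lower()
    if operator == "equals":
        return v == s
    if operator == "not-equals":
        return v != s
    if operator == "contains":
        return s in v
    if operator == "starts-with":
        return v.startswith(s)
    if operator == "ends-with":
        return v.endswith(s)
    if operator == "matches-regular-expression":
        # The operand is a regex, so it is not lower-cased (\B must stay \B).
        return re.search(operand, value, re.IGNORECASE) is not None
    raise ValueError("unsupported operator: " + operator)


def derive(attributes, rules, default):
    """rules: ordered list of (attribute, operator, operand, result).
    The first matching rule wins; otherwise the profile default applies."""
    for attribute, operator, operand, result in rules:
        value = attributes.get(attribute)
        if value is None:
            continue
        # The page restricts the regex operator to the combined attribute.
        if operator == "matches-regular-expression" and attribute != "mac-address-and-dhcp-options":
            continue
        if _match(operator, value, operand):
            return result
    return default


# Constructed rule sets; role and VLAN values are illustrative.
ROLE_RULES = [
    ("dhcp-option", "equals", IOS_OPTION55, "ios-role"),
    ("mac-address", "starts-with", "a0:a1:a2", "voice"),
    ("mac-address-and-dhcp-options", "matches-regular-expression",
     r"^a0a1a2.*370103060f77fc", "voice-ios"),
]
VLAN_RULES = [
    ("mac-address-and-dhcp-options", "matches-regular-expression",
     r"370103060f77fc$", 100),
]


def classify(mac, dhcp_options, default_role="default", default_vlan=1):
    """Build the attribute set for one client and derive its role and VLAN.
    Assumption: the dhcp-option attribute carries the first option sent."""
    attrs = {
        "mac-address": mac.lower(),
        "dhcp-option": dhcp_options[0] if dhcp_options else None,
        "mac-address-and-dhcp-options": combined_fingerprint(mac, dhcp_options),
    }
    return derive(attrs, ROLE_RULES, default_role), derive(attrs, VLAN_RULES, default_vlan)


if __name__ == "__main__":
    print(classify("A0:A1:A2:00:11:22", [IOS_OPTION55]))   # ('ios-role', 100)
    print(classify("a0:a1:a2:00:11:22", ["3c64686370636420342e302e3135"]))  # ('voice', 1)
    print(classify("00:11:22:33:44:55", []))                # ('default', 1)
```

Note that the first client never reaches the more specific voice-ios rule, because the dhcp-option rule above it already matches; with first-match evaluation, specific rules belong above general ones. Both the MAC address and the DHCP options are values the client sends, so a role derived from them records what the device reports itself to be, not who is using it; the page's authentication-based defaults and Enforce Machine Authentication are the controls that tie a privileged role to a verified identity.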
The following table lists some of the most commonly used regular expressions, which can be used in user role and user VLAN derivation rules:
Table 43: Regular Expressions
Operator   Description
.          Matches any character. For example, l..k matches lack, lark, link, lock, look, Lync, and so on.
\          Matches the character that follows the backslash. For example, \192.\.0\.. matches IP address ranges that start with 192.0, such as 192.0.1.1. The expression looks up only for the single characters that match.
[ ]        Matches any one character listed between the brackets. For example, [bc]lock matches block and clock.
\b         Matches the words that begin and end with the given expression. For example, \bdown matches downlink, linkdown, shutdown.
\B         Matches the middle of a word. For example, \Bvice matches services, devices, serviceID, deviceID, and so on.
^          Matches the characters at starting position in a string. For example, ^bcd matches bcde or bcdf, but not abcd.
[^]        Matches any characters that are not listed between the brackets. For example, [^u]link matches downlink, link, but not uplink.
?          Matches any one occurrence of the pattern. For example, ?est matches best, nest, rest, test, and so on.
$          Matches the end of an input string. For example, eth$ matches Eth, but not Ethernet.
*          Matches the declared element multiple times if it exists. For example, eth* matches all occurrences of eth, such as Eth, Ethernet, Eth0, and so on.
+          Matches the declared element one or more times. For example, aa+ matches occurrences of aa and aaa.
( )        Matches nested characters. For example, (192)* matches any number of the character string 192.
|          Matches the character patterns on either side of the vertical bar. You can use this expression to construct a series of options.
\<         Matches the beginning of the word. For example, \<wire matches wired, wireless, and so on.
\>         Matches the end of the word. For example, \>list matches blacklist, whitelist, and so on.
{n}        Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink, but not downlink.
{n,}       Where n is an integer. Matches the declared element at n times. For example, {2,}ink matches downlink, but not uplink.
For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:
- Creating a Role Derivation Rule on page 206
- Configuring VLAN Derivation Rules on page 209
Configuring a User Role for VLAN Derivation
This section describes the following procedures:
- Creating a User VLAN Role on page 212
- Assigning User VLAN Roles to a Network Profile on page 213
Creating a User VLAN Role
You can create a user role for VLAN derivation using the Instant UI or the CLI.
In the Instant UI
To configure a user role for VLAN derivation:
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
5. Under Access rules, click New.
6. Select the Rule type as VLAN assignment.
7. Enter the ID of the VLAN in the VLAN ID text box.
8. Click OK.
In the CLI
To create a VLAN role:
(Instant AP)(config)# wlan access-rule <rule-name>
(Instant AP)(Access Rule <rule-name>)# vlan 200
(Instant AP)(Access Rule <rule-name>)# end
(Instant AP)# commit apply
Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using Instant UI or the CLI.
In the Instant UI
To assign a user VLAN role:
1. Click Network > New > New WLAN > Access or click Network > edit > Edit <WLAN-profile> > Access.
2. On the Access tab, ensure that the slider is at the Role-based option.
3. Click New under the New Role Assignment and configure the following parameters:
a. Select the attribute from the Attribute drop-down list.
b. Select the operator to match the attribute from the Operator drop-down list.
c. Enter the string to match in the String text box.
d. Select the role to be assigned from the Role text box.
4. Click OK.
In the CLI
To assign VLAN role to a WLAN profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals <operator> <role>|not-equals <operator> <role>|starts-with <operator> <role>|ends-with <operator> <role>|contains <operator> <role>}|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
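The two CLI procedures above (creating the VLAN role, then assigning it from an SSID profile) rendered and cross-checked in one place, as an added example that is not part of the Aruba guide or Instant itself. It assumes names and match strings are single whitespace-free tokens and passes attribute names through unchecked; its value is the consistency check that every role a set-role rule names was actually created first.

```python
"""Render the Instant CLI sequences shown on this page: the access rule that
creates a VLAN-derivation role and the SSID profile rules that assign roles.
Constructed example, not Aruba's own code. Assumed: names and match strings
are single whitespace-free tokens; attribute names are not validated here."""

MATCH_OPS = ("equals", "not-equals", "starts-with", "ends-with", "contains")


def _token(value, what):
    if not isinstance(value, str) or not value or any(c.isspace() for c in value):
        raise ValueError(f"{what} must be a non-empty token without spaces: {value!r}")
    return value


def vlan_role_commands(role, vlan_id):
    """'wlan access-rule <role>' with one VLAN-assignment rule (Creating a User VLAN Role)."""
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"VLAN ID out of range 1-4094: {vlan_id}")
    return [f"wlan access-rule {_token(role, 'role name')}",
            f"vlan {int(vlan_id)}", "end", "commit apply"]


def set_role_command(attribute, operator, match=None, role=None):
    """One 'set-role' line in the grammar on this page. The five matching
    operators take the string to compare (the page's <operator> placeholder)
    and the role to assign; 'value-of' takes neither."""
    attribute = _token(attribute, "attribute")
    if operator == "value-of":
        if match is not None or role is not None:
            raise ValueError("value-of takes no match string or role")
        return f"set-role {attribute} value-of"
    if operator not in MATCH_OPS:
        raise ValueError(f"unknown operator {operator!r}; expected {MATCH_OPS} or value-of")
    return (f"set-role {attribute} {operator} "
            f"{_token(match, 'match string')} {_token(role, 'role')}")


def ssid_role_assignment_commands(ssid_profile, rules, defined_roles):
    """'wlan ssid-profile <name>' block (Assigning User VLAN Roles to a Network
    Profile). rules are (attribute, operator[, match, role]) tuples; every role
    named must be in defined_roles, so a typo never leaves a client matching a
    rule that points at a role the IAP does not have."""
    lines = [f"wlan ssid-profile {_token(ssid_profile, 'SSID profile')}"]
    for attribute, operator, *rest in rules:
        match, role = (list(rest) + [None, None])[:2]
        if role is not None and role not in defined_roles:
            raise ValueError(f"rule assigns undefined role {role!r}")
        lines.append(set_role_command(attribute, operator, match, role))
    return lines + ["end", "commit apply"]
```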