Roles and Policies. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant


Chapter 14

Roles and Policies

This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.

- Firewall Policies on page 185
- Content Filtering on page 198
- Configuring User Roles on page 202
- Configuring Derivation Rules on page 204
- Using Advanced Expressions in Role and VLAN Derivation Rules on page 211

Firewall Policies

Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using Instant firewall, you can enforce network access policies that define access to the network, areas of the network that users may access, and the performance thresholds of various applications.

Instant supports a role-based stateful firewall. Instant firewall recognizes flows in a network and keeps track of the state of sessions. Instant firewall manages packets according to the first rule that matches the packet. The firewall logs on the IAPs are generated as syslog messages.

Access Control List Rules

You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses.

You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.

The IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate.

Instant supports the following types of ACLs:

- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on the source or destination IP address, and the source or destination port number.
- ACLs that permit or deny traffic based on network services, application, application categories, web categories, and security ratings.

You can configure up to 128 access control entries in an ACL for a user role.

The maximum configurable universal role is 4096.

Aruba Instant 6.5.2.0 | User Guide Roles and Policies | 185

Configuring ACL Rules for Network Services

This section describes the procedure for configuring ACLs to control access to network services.

- For information on configuring access rules based on application and application categories, see Configuring ACL Rules for Application and Application Categories on page 271.
- For information on configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement Service on page 274.

In the Instant UI

To configure ACL rules for a user role:

1. Navigate to Security > Roles. The Roles tab contents are displayed.

Alternatively, you can configure access rules for a wired or wireless client through the WLAN wizard or the Wired Profile window.

a. To configure access rules through the Wired Profile window:
  - Navigate to More > Wired.
  - Click Edit and then Edit Wired Network.
  - Click Access.

b. To configure access rules through the WLAN wizard:
  - Navigate to Network > WLAN SSID.
  - Click Edit and then Edit WLAN.
  - Click Access.

2. Select the role for which you want to configure access rules.

3. In the Access rules section, click New to add a new rule. The New Rule window is displayed.

4. Ensure that the rule type is set to Access Control.

5. To configure a rule to control access to network services, select Network under service category and specify the following parameters:

Table 40: Access Rule Configuration Parameters

Service category: Network

Service
  Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
  - any: Access is allowed or denied to all services.
  - custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.
  NOTE: If Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) use the same port, ensure that you configure separate access rules to permit or deny access.

Action
  Select any of the following actions:
  - Select Allow to allow access to users based on the access rule.
  - Select Deny to deny access to users based on the access rule.
  - Select Destination-NAT to allow making changes to the destination IP address.
  - Select Source-NAT to allow making changes to the source IP address.
    - Default: All client traffic is directed to the default VLAN.
    - Tunnel: The traffic from the Network Assigned clients is directed to the VPN tunnel.
    - VLAN: Specify the non-default VLAN ID to which the guest traffic needs to be redirected.

Destination
  Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
  - to all destinations: Access is allowed or denied to all destinations.
  - to a particular server: Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
  - except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
  - to a network: Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
  - except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
  - to domain name: Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

Log
  Select the Log check box if you want a log entry to be created when this rule is triggered.
  Instant supports firewall-based logging. Firewall logs on the IAPs are generated as security logs.

Blacklist
  Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 179.

Classify media
  Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
  - Video: Priority 5 (Critical)
  - Voice: Priority 6 (Internetwork Control)

Disable scanning
  Select the Disable scanning check box to disable ARM scanning when this rule is triggered.
  The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 261.

DSCP tag
  Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority
  Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

6. Click OK and then click Finish.

In the CLI

To configure access rules:

(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> {<protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat{<IP-address> <port>|<port>}} [<option1....option9>]
(Instant AP)(Access Rule <Name>)# end
(Instant AP)# commit apply

Example

(Instant AP)(config)# wlan access-rule employee
(Instant AP)(Access Rule "employee")# rule 10.17.88.59 255.255.255.255 match 6 4343 4343 log classify-media
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny
(Instant AP)(Access Rule "employee")# end
(Instant AP)# commit apply
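The rule evaluation described at the start of this chapter (the firewall applies the first rule that matches the packet) can be checked offline before a policy is committed. The following Python script is an added example written for this guide page, not Aruba software: it parses rule lines in the form shown in the example above and reports which rule a packet would hit first, so that an ordering mistake (for instance a broad permit placed ahead of a narrower deny) shows up during review. Only the semantics stated in this section are modelled: match applies the rule when the destination falls inside <dest>/<mask>, invert applies it when the destination falls outside, and the protocol and port fields are compared with the packet's protocol number and destination port. The protocol-name table, the treatment of any in the address, protocol and port positions, and the absence of any default when nothing matches are assumptions. The rule lines are the well-formed lines from the employee example; the packets are constructed.

```python
"""First-match evaluator for Aruba Instant style 'rule' lines.

Added example written for this page; it is not Aruba's code. It models only
what the guide states: rules are checked in order and the first one that
matches the packet decides. Handling of 'any' in the address, protocol and
port positions, and the protocol-name table, are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Protocol names accepted in the protocol position (assumed mapping; the
# guide's own example uses both '6' and 'tcp').
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Rule:
    dest: Optional[ipaddress.IPv4Network]   # None = 'any' destination
    invert: bool                             # False for 'match', True for 'invert'
    proto: Optional[int]                     # None = any protocol
    sport: int                               # destination-port range start
    eport: int                               # destination-port range end
    action: str                              # permit | deny | src-nat | dst-nat
    options: List[str] = field(default_factory=list)  # log, classify-media, ...
    text: str = ""                           # original line, kept for reporting


def parse_rule(line: str) -> Rule:
    """Parse: rule <dest> <mask> <match|invert> <proto> <sport> <eport> <action> [opts]"""
    t = line.split()
    if len(t) < 8 or t[0] != "rule":
        raise ValueError(f"not an access rule: {line!r}")
    dest_tok, mask_tok, mode, proto_tok, sport_tok, eport_tok, action = t[1:8]
    if mode not in ("match", "invert"):
        raise ValueError(f"expected match or invert, got {mode!r}")
    # <dest> <mask> is a host (255.255.255.255) or a network; 'any any' matches all.
    dest = None if dest_tok == "any" else ipaddress.IPv4Network(
        (dest_tok, mask_tok), strict=False)
    if proto_tok == "any":
        proto = None
    elif proto_tok in PROTO_NAMES:
        proto = PROTO_NAMES[proto_tok]
    else:
        proto = int(proto_tok)               # numeric IP protocol, e.g. 6 or 17
    sport = 0 if sport_tok == "any" else int(sport_tok)
    eport = 65535 if eport_tok == "any" else int(eport_tok)
    return Rule(dest, mode == "invert", proto, sport, eport, action, t[8:], line)


def rule_applies(rule: Rule, dst_ip: str, proto: int, dport: int) -> bool:
    """True if this single rule covers the packet, ignoring rule order."""
    if rule.dest is not None:
        in_range = ipaddress.IPv4Address(dst_ip) in rule.dest
        # 'match' needs the destination inside <dest>/<mask>; 'invert' needs it
        # outside. Either way the rule is skipped when in_range equals invert.
        if in_range == rule.invert:
            return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.sport <= dport <= rule.eport


def first_match(rules: List[Rule], dst_ip: str, proto: int,
                dport: int) -> Optional[Tuple[int, Rule]]:
    """Return (index, rule) for the first rule that applies, or None."""
    for i, rule in enumerate(rules):
        if rule_applies(rule, dst_ip, proto, dport):
            return i, rule
    return None


def decision(rules: List[Rule], dst_ip: str, proto: int, dport: int) -> str:
    """Action of the first matching rule; 'no-match' if nothing matched.

    The guide does not state a default for the no-match case, so none is assumed.
    """
    hit = first_match(rules, dst_ip, proto, dport)
    return hit[1].action if hit else "no-match"


# Well-formed rule lines taken from the 'employee' access rule shown above.
EXAMPLE_RULES = [parse_rule(line) for line in (
    "rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit",
    "rule 192.0.2.2 255.255.255.0 match 6 631 631 permit",
    "rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny",
    "rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny",
)]

if __name__ == "__main__":
    # Constructed packets: (destination IP, IP protocol, destination port).
    for dst, proto, dport in [("192.0.2.50", 6, 631), ("198.51.100.5", 6, 21),
                              ("192.0.2.8", 6, 21), ("10.0.0.1", 17, 68)]:
        hit = first_match(EXAMPLE_RULES, dst, proto, dport)
        where = f"rule #{hit[0] + 1}: {hit[1].text}" if hit else "no rule matched"
        print(f"{dst} proto {proto} port {dport} -> {where}")
```

Run directly to print a trace for the constructed packets, or import first_match into a script that reads exported rule lines and checks each rule set the same way; the trace makes it visible which earlier rule shadows a later one.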

Configuring Network Address Translation Rules

Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and the private (local network), which allows translation of private network IP addresses to a public address space.

Instant supports the NAT mechanism to allow a routing device to use the translation tables for mapping the private addresses into a single IP address. When packets are sent from this address, they appear to originate from the routing device. Similarly, if packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device.

Configuring a Source-NAT Access Rule

The source-NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic in L3 mode access on an SSID destined to the corporate network is sent to the tunnel. When an access rule is configured with Source-NAT action, the users can specify the service, protocol, or destination to which the source-NAT is applied.

You can also configure source-based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while the other SSID can be used as an alternate uplink. You can create an access rule to perform source-NAT by using the Instant UI or the CLI.

In the Instant UI

To configure a source-NAT access rule:

1. Navigate to the WLAN wizard or the Wired settings window:
- To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or click edit to modify an existing profile.
- To configure access rules for a wired profile, navigate to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.

2. Click the Access tab.

3. To configure access rules for the network, move the slider to the Network-based access control type. To configure access rules for user roles, move the slider to the Role-based access control type.

4. To create a new rule for the network, click New . To create an access rule for a user role, select the user role and then click New . The New Rule window is displayed.

5. In the New Rule window, perform the following steps:

a. Select Access control from the Rule type drop-down list.

b. Select Source-NAT from the Action drop-down list, to allow for making changes to the source IP address.
  - Default: All client traffic by default will be directed to the native VLAN.
  - Tunnel: All network-based traffic will be directed to the VPN tunnel.
  - VLAN: All client-based traffic will be directed to the specified uplink VLAN using the IP address of the interface that the IAP has on that VLAN. If the interface is not found, this option has no effect.

c. Select a service from the list of available services.

d. Select the required option from the Destination drop-down list.

e. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.

f. Click OK.

6. Click Finish.

In the CLI

To configure source-NAT access rule:

(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> src-nat [vlan <vlan_id>|tunnel]
(Instant AP)(Access Rule "<access_rule>")# end
(Instant AP)# commit apply

Configuring Policy-Based Corporate Access

To allow different forwarding policies for different SSIDs, you can configure policy-based corporate access. The configuration overrides the routing profile configuration and allows any destination or service to be configured to have direct access to the Internet (bypassing VPN tunnel) based on the ACL rule definition. When policy-based corporate access is enabled, the VC performs source-NAT by using its uplink IP address.

To configure policy-based corporate access:

1. Ensure that an L3 subnet with netmask, gateway, VLAN, and IP address is configured. For more information on configuring L3 subnet, see Configuring L3-Mobility on page 345.

2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet.

3. Create an access rule for the SSID profile with Source-NAT action as described in Configuring a Source-NAT Access Rule on page 188. The source-NAT pool is configured and corporate access entry is created.

Configuring a Destination-NAT Access Rule

Instant supports configuration of the destination-NAT rule, which can be used to redirect traffic to the specified IP address and destination port. The destination-NAT configuration is supported only in the bridge mode without VPN.

You can configure a destination-NAT access rule by using the Instant UI or the CLI.

In the Instant UI

To configure a destination-NAT access rule:

1. Navigate to the WLAN wizard or the Wired settings window:
- To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or click edit to modify an existing profile.
- To configure access rules for a wired profile, navigate to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.

2. Click the Access tab and perform any of the following steps:
- To configure access rules for the network, move the slider to the Network-based access control type.
- To configure access rules for user roles, move the slider to the Role-based access control type.

3. To create a new rule for the network, click New . To create an access rule for a user role, select the user role and then click New . The New Rule window is displayed.

4. In the New Rule window, perform the following steps:

a. Select Access control from the Rule type drop-down list.

b. Select destination-NAT from the Action drop-down list, to allow for making changes to the source IP address.

c. Specify the IP address and port details.

d. Select a service from the list of available services.

e. Select the required option from the Destination drop-down list.

f. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority.

g. Click OK.

5. Click Finish.

In the CLI

To configure destination-NAT access rule:

(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule "<access_rule>")# rule <dest> <mask> <match> <protocol> <sport> <eport> dst-nat ip <IP-address> [<port>]
(Instant AP)(Access Rule "<access_rule>")# end
(Instant AP)# commit apply

Configuring ALG Protocols

You can enable or disable protocols for Application Layer Gateway (ALG) using the Instant UI or the CLI.

In the Instant UI

To enable or disable ALG protocols:

1. Click the Security link located directly above the Search bar on the Instant main window.

2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab:

Figure 41 Firewall Settings—ALG Protocols

3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco Skinny protocols.

4. Click OK.

When the protocols for ALG are set to Disabled , the changes are not applied until the existing user sessions expire.

Reboot the IAP and the client, or wait for a few minutes to view the changes.

In the CLI

To configure protocols for ALG:

(Instant AP)(config)# alg

(Instant AP)(ALG)# sccp-disable

(Instant AP)(ALG)# no sip-disable

(Instant AP)(ALG)# no ua-disable

(Instant AP)(ALG)# no vocera-disable

(Instant AP)(ALG)# end

(Instant AP)# commit apply

To view the ALG configuration:

(Instant AP)# show alg

Current ALG
-----------
ALG     Status
---     ------
sccp    Disabled
sip     Enabled
ua      Enabled
vocera  Enabled

Configuring Firewall Settings for Protection from ARP Attacks

You can configure firewall settings to protect the network against attacks using the Instant UI or the CLI.


In the Instant UI

To configure firewall settings:

1. Click the Security link located directly above the Search bar on the Instant main window.

2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.

3. To configure protection against security attacks, select the following check boxes:
- Select Drop bad ARP to enable the IAP to drop the fake ARP packets.
- Select Fix malformed DHCP for the IAP to fix the malformed DHCP packets.
- Select ARP poison check to enable the IAP to trigger alerts about ARP poisoning that may have been caused by rogue IAPs. ARP Poisoning detection triggers alerts when a known client on the IAP spoofs the base MAC address of the IAP.

Figure 42 Firewall Settings —Protection Against Wired Attacks

4. Click OK.

In the CLI

To configure firewall settings to prevent attacks:

(Instant AP)(config)# attack

(Instant AP)(ATTACK)# drop-bad-arp-enable

(Instant AP)(ATTACK)# fix-dhcp-enable

(Instant AP)(ATTACK)# poison-check-enable

(Instant AP)(ATTACK)# end

(Instant AP)# commit apply

To view the configuration status:

(Instant AP)# show attack config

Current Attack
--------------
Attack        Status
------        ------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled

To view the attack statistics:

(Instant AP)# show attack stats

attack counters
--------------------------------------
Counter                         Value
-------                         -----
arp packet counter              0
drop bad arp packet counter     0
dhcp response packet counter    0
fixed bad dhcp packet counter   0
send arp attack alert counter   0
send dhcp attack alert counter  0
arp poison check counter        0
garp send check counter         0

Auto Topology Rules

Auto Topology is a feature that automatically adds ACL rules into the firewall. This ensures that any kind of control-plane messages required for the automatic cluster formation are never blocked. By default, this feature is enabled. However, this feature can be disabled when customers prefer full control on the security policy rather than accepting automatic ACL rules. This feature governs all the ACLs and impacts all the traffic that is hit by the ACLs.

Configuring Firewall Settings to Disable Auto Topology Rules

You can disable the rules by configuring firewall settings in the IAP.

In order to deny auto topology communication outside the IAP subnet, the inbound firewall settings must be enabled.

When the inbound firewall settings are enabled:
- Access Control Entities (ACEs) must be configured to block auto topology messages, as there is no default rule at the top of predefined ACLs.
- ACEs must be configured to override the guest VLAN auto-expanded ACEs. In other words, the user defined ACEs take higher precedence over guest VLAN ACEs.

For more information on inbound firewall settings, see Managing Inbound Traffic on page 193.

The priority of a particular ACE is determined based on the order in which it is programmed. Ensure that you do not accidentally override the guest VLAN ACEs.

You can change the status of auto topology rules by using the Instant UI or the CLI:

In the Instant UI

1. Click the Security link located directly above the Search bar in the Instant main window.

2. Go to the Firewall Settings tab.

3. In the Firewall section, select Disabled from the Auto topology rules drop-down list.

4. Click OK.

In the CLI

(Instant AP)(config)# firewall

(Instant AP)(firewall)# disable-auto-topology-rules

(Instant AP)(firewall)# end

(Instant AP)# commit apply

To view the configuration status:

Firewall
--------
Type                 Value
----                 -----
Auto topology rules  disable

Managing Inbound Traffic

Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and management subnets, and restricting corporate access through an uplink switch.

To allow flexibility in firewall configuration, Instant supports the following features:
- Inbound firewall rules
- Configurable management subnets
- Restricted corporate access

Configuring Inbound Firewall Rules

You can now configure firewall rules for the inbound traffic coming through the uplink ports of an IAP. The rules defined for the inbound traffic are applied if the destination is not a user connected to the IAP. If the destination already has a user role assigned, the user role overrides the actions or options specified in the inbound firewall configuration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or a wired profile, the inbound firewall rules can be configured based on the source subnet.

For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default.

Management access to the IAP is allowed irrespective of the inbound firewall rule. For more information on configuring restricted management access, see Configuring Management Subnets on page 196.

The inbound firewall is not applied to traffic coming through the GRE tunnel.

You can configure inbound firewall rules through the Instant UI or the CLI.

In the Instant UI

1. Navigate to Security > Inbound Firewall . The Inbound Firewall tab contents are displayed.

2. Under Inbound Firewall Rules , click New . The New Rule window is displayed.

Figure 43 Inbound Firewall Rules - New Rule Window

3. Configure the following parameters:


Table 41: Inbound Firewall Rule Configuration Parameters

Action
  Select any of the following actions:
  - Select Allow to allow access to users based on the access rule.
  - Select Deny to deny access to users based on the access rule.
  - Select Destination-NAT to allow making changes to the destination IP address.
  - Select Source-NAT to allow making changes to the source IP address.
  The destination-NAT and source-NAT actions apply only to the network services rules.

Service
  Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
  - any: Access is allowed or denied to all services.
  - custom: Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.

Source
  Select any of the following options:
  - from all sources: Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
  - from a host: Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
  - from a network: Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.

Destination
  Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
  - to all destinations: Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
  - to a particular server: Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
  - except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
  - to a network: Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
  - except to a network: Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
  - to domain name: Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.

Log
  Select the Log check box if you want a log entry to be created when this rule is triggered.
  Instant supports firewall-based logging function. Firewall logs on the IAPs are generated as security logs.

Blacklist
  Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified in the Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients on page 179.

Classify media
  Select the Classify media check box to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
  - Video: Priority 5 (Critical)
  - Voice: Priority 6 (Internetwork Control)

Disable scanning
  Select the Disable scanning check box to disable ARM scanning when this rule is triggered.
  The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings on page 261.

DSCP tag
  Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority
  Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

4. Click OK and then click Finish.

In the CLI

To configure inbound firewall rules:

(Instant AP)(config)# inbound-firewall

(Instant AP)(inbound-firewall)# rule <subnet> <smask> <dest> <mask> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat <IP-address> <port>} [<option1....option9>]

(Instant AP)(inbound-firewall)# end

(Instant AP)# commit apply

Example

(Instant AP)(config)# inbound-firewall

(Instant AP)(inbound-firewall)# rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit

(Instant AP)(inbound-firewall)# end

(Instant AP)# commit apply

Configuring Management Subnets

You can configure subnets to ensure that the IAP management is carried out only from these subnets. When the management subnets are configured, access through Telnet, SSH, and UI is restricted to these subnets only.

You can configure management subnets by using the Instant UI or the CLI.

In the Instant UI

To configure management subnets:

1. Navigate to Security > Inbound Firewall . The Inbound Firewall tab contents are displayed.


Figure 44 Firewall Settings—Management Subnets

2. To add a new management subnet:
- In the Add new management subnet section, enter the subnet address in Subnet.
- Enter the subnet mask in Mask.
- Click Add.

3. To add multiple subnets, repeat step 2.

4. Click OK.

In the CLI

To configure a management subnet:

(Instant AP)(config)# restricted-mgmt-access <subnet-IP-address> <subnet-mask>
(Instant AP)(config)# end

(Instant AP)# commit apply
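The precedence statements in Configuring Inbound Firewall Rules and in this section combine into a small decision procedure, and it is worth writing that procedure down when reviewing an inbound policy. The Python model below is an added example written for this page (not Aruba's implementation) that encodes those statements: a packet arriving on the uplink is matched against the inbound rules by source subnet, falls to the implicit deny-all when at least one rule exists, is denied regardless of the destination's user role if the matched rule is a deny, otherwise defers to the destination's role when the destination is a connected client, and management access to the IAP bypasses the inbound rules but is limited to the configured management subnets. The rule set, management subnet, IAP address and role decisions are constructed; treating the implicit deny-all like an explicit deny, reading an empty management-subnet list as no restriction, and the port numbers used to recognise Telnet, SSH and the UI are assumptions.

```python
"""Decision model for traffic entering an IAP through its uplink ports.

Added example written for this page; it is not Aruba's code. It encodes the
precedence described in the 'Managing Inbound Traffic' sections: inbound
rules matched by source subnet, the implicit deny-all once any rule exists,
the user-role override for connected clients, the deny exception, and
management access that bypasses the inbound rules but is restricted to the
management subnets. Assumptions are marked in comments.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = Optional[ipaddress.IPv4Network]


@dataclass
class InboundRule:
    source: IPNet           # None = from all sources
    dest: IPNet             # None = to all destinations
    proto: Optional[int]    # None = any protocol
    sport: int              # destination-port range start
    eport: int              # destination-port range end
    action: str             # permit | deny | src-nat | dst-nat


def net(cidr: Optional[str]) -> IPNet:
    return None if cidr is None else ipaddress.IPv4Network(cidr, strict=False)


def _applies(rule: InboundRule, src: str, dst: str, proto: int, dport: int) -> bool:
    if rule.source is not None and ipaddress.IPv4Address(src) not in rule.source:
        return False
    if rule.dest is not None and ipaddress.IPv4Address(dst) not in rule.dest:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.sport <= dport <= rule.eport


# Management services the guide names (Telnet, SSH, UI); the port numbers used
# to recognise them here are an assumption.
MGMT_PORTS = {23: "telnet", 22: "ssh", 443: "ui"}


def inbound_decision(rules: List[InboundRule], mgmt_subnets: List[ipaddress.IPv4Network],
                     iap_ip: str, client_roles: Dict[str, str],
                     src: str, dst: str, proto: int, dport: int) -> str:
    """Outcome for one uplink packet.

    client_roles maps the IP of a client connected to the IAP to the action its
    user-role ACL would take for this packet ('permit' or 'deny'); the mapping
    is constructed for the example. Returns permit, deny, src-nat, dst-nat or
    not-enforced.
    """
    # Management access to the IAP is allowed irrespective of the inbound rules,
    # but once management subnets are configured it is limited to those subnets
    # (no subnets configured is read as 'no restriction': assumption).
    if dst == iap_ip and proto == 6 and dport in MGMT_PORTS:
        if mgmt_subnets and not any(ipaddress.IPv4Address(src) in n for n in mgmt_subnets):
            return "deny"
        return "permit"
    if not rules:
        return "not-enforced"      # the deny-all rule exists only once a rule is configured
    hit = next((r for r in rules if _applies(r, src, dst, proto, dport)), None)
    action = hit.action if hit else "deny"   # implicit deny-all as the last rule
    if action == "deny":
        # A deny rule is applied irrespective of destination and user role;
        # treating the implicit deny-all the same way is an assumption.
        return "deny"
    if dst in client_roles:
        return client_roles[dst]   # destination has a user role: the role decides
    return action


# Constructed policy: permit TCP 631 from one corporate host (mirrors the CLI
# example above) and source-NAT web traffic from the corporate /24.
EXAMPLE_RULES = [
    InboundRule(net("192.0.2.1/32"), None, 6, 631, 631, "permit"),
    InboundRule(net("192.0.2.0/24"), None, 6, 80, 80, "src-nat"),
]
EXAMPLE_MGMT = [net("10.10.0.0/24")]
IAP_IP = "10.10.0.5"
# Connected clients and what their role ACL would decide for the packet.
EXAMPLE_ROLES = {"10.20.0.7": "deny", "10.20.0.8": "permit"}

if __name__ == "__main__":
    for src, dst, proto, dport in [("192.0.2.1", "10.20.0.9", 6, 631),
                                   ("192.0.2.1", "10.20.0.7", 6, 631),
                                   ("192.0.2.5", "10.20.0.8", 6, 80),
                                   ("198.51.100.9", IAP_IP, 6, 22)]:
        verdict = inbound_decision(EXAMPLE_RULES, EXAMPLE_MGMT, IAP_IP,
                                   EXAMPLE_ROLES, src, dst, proto, dport)
        print(f"{src} -> {dst}:{dport} = {verdict}")
```

The two cases worth noticing in the output are the packet to 10.20.0.7, which an inbound permit would otherwise pass but the destination's role denies, and the SSH attempt from 198.51.100.9, which is refused only because a management subnet has been configured.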

Configuring Restricted Access to Corporate Network

You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of master IAP, including clients connected to a slave IAP. You can configure restricted corporate access by using the Instant UI or the CLI.

In the Instant UI

To configure restricted corporate access:

1. Navigate to Security > Inbound Firewall. The Inbound Firewall tab contents (see Figure 44) are displayed.

2. Select Enabled from the Restrict Corporate Access drop-down list.

3. Click OK.

In the CLI

To configure restricted management access:

(Instant AP)(config)# restrict-corp-access
(Instant AP)(config)# end

(Instant AP)# commit apply


Content Filtering

The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies.

With content filter, you can achieve the following:
- Allow all DNS requests to the non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the IAP uses these credentials to access OpenDNS and provide enterprise-level content filtering. For more information, see Configuring OpenDNS Credentials on page 296.
- Block certain categories of websites based on your organization policy. For example, if you block the web-based-email category, clients who are assigned this policy will not be able to visit email-based websites such as mail.yahoo.com.
- Prevent known malware hosts from accessing your wireless network.
- Improve employee productivity by limiting access to certain websites.
- Reduce bandwidth consumption significantly.

Regardless of whether content filtering is disabled or enabled, the DNS requests to http://instant.arubanetworks.com are always resolved internally on Instant.

The content filtering configuration applies to all IAPs in the network and the service is enabled or disabled globally across the wireless or wired network profiles.

Enabling Content Filtering

This section describes the following procedures:
- Enabling Content Filtering for a Wireless Profile on page 198
- Enabling Content Filtering for a Wired Profile on page 199

Enabling Content Filtering for a Wireless Profile

To enable content filtering for a wireless SSID, perform the following steps:

In the Instant UI

1. Select a wireless profile in the Network tab and then click the edit link. The window for editing the WLAN SSID profile is displayed.

2. Click Show advanced options .

3. Select Enabled from the Content Filtering drop-down list, and click Next to continue.

You can also enable content filtering while adding a new wireless profile. For more information, see Configuring WLAN Settings for an SSID Profile on page 89.

In the CLI

To enable content filtering on a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# content-filtering

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply


Enabling Content Filtering for a Wired Profile

To enable content filtering for a wired profile, perform the following steps:

In the Instant UI

1. Click the Wired link under More in the Instant main window. The Wired window is displayed.

2. In the Wired window, select the wired profile to modify.

3. Click Edit . The Edit Wired Network window is displayed.

4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list, and click Next to continue.

In the CLI

To enable content filtering for a wired profile in the CLI:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# content-filtering

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Configuring Enterprise Domains

The enterprise domain names list displays the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests must be routed. When Content Filtering is enabled, each client DNS request is checked against the list, and requests for domain names that do not match an entry in the list are sent to the OpenDNS server.

You can configure an enterprise domain through the Instant UI or the CLI.

In the Instant UI

To manually add a domain:

1. Navigate to System > General and click Show advanced options > Enterprise Domains. The Enterprise Domain tab contents are displayed.

2. Click New and enter a New Domain Name. Using an asterisk (*) as an enterprise domain causes all DNS traffic to go through the tunnel to the original DNS server of the clients. If you are configuring a routing profile with split-tunnel disabled, you need to add the asterisk (*) to the enterprise domain list.

3. Click OK to apply the changes.

To delete a domain, select the domain and click Delete . This will remove the domain name from the list.

In the CLI

To configure an enterprise domain:

(Instant AP)(config)# internal-domains

(Instant AP)(domain)# domain-name <name>

(Instant AP)(domain)# end

(Instant AP)# commit apply

Configuring URL Filtering Policies

You can configure URL filtering policies to block certain categories of websites based on your organization specifications by defining ACL rules either through the Instant UI or the CLI.

In the Instant UI

To control access based on web categories and security settings:

1. Navigate to Security > Roles .


2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears.

3. Select Access Control from the Rule Type drop-down list.

4. To set an access policy based on the web category:

a. Under the Service section, select Web category and expand the Web categories drop-down list.

Figure 45 Roles—New Rule

b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.

c. From the Action drop-down list, select Allow or Deny as required.

d. Click OK .

5. To filter access based on the security ratings of the website:

a. Select Web reputation under the Service section.

b. Move the slider to the required security rating level.

c. From the Action drop-down list, select Allow or Deny as required.

6. To set a bandwidth limit based on web category or web reputation score, select Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.

7. Click OK to save the rules.

8. Click OK in the Roles tab to save the changes to the role for which you defined ACL rules.

In the CLI

To control access based on web categories and security ratings:

(Instant AP)(config)# wlan access-rule <access_rule>

(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webcategory <webgrp> {permit|deny} [<option1....option9>]

(Instant AP)(Access Rule "<access-rule>")# rule <dest> <mask> <match> webreputation <webrep> {permit|deny} [<option1....option9>]

(Instant AP)(Access Rule "<access-rule>")# end

(Instant AP)# commit apply

Example

(Instant AP)(config)# wlan access-rule URLFilter

(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny

(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit


(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit

(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny

(Instant AP)(Access Rule "URLFilter")# end

(Instant AP)# commit apply
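The following Python script is an added example; it is not part of the Aruba Instant User Guide or the IAP software. It parses rule lines in the syntax shown above (prompts included) and evaluates a flow against them with the first-match behaviour the firewall uses, so you can see why the order of the URLFilter rules matters: a permit for trustworthy-sites placed before the gambling deny would let a gambling site with a good reputation through. The web category and reputation labels on the sample flows are constructed for the example (on an IAP they come from the AppRF classifier), and because the page does not state what happens to traffic that matches no rule, that default action is passed in explicitly.

```python
"""First-match evaluation of Instant-style web category and reputation rules.

Added example, not Aruba code. Rule syntax follows the CLI lines above:
    rule <dest> <mask> match webcategory|webreputation <name> permit|deny
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts a bare rule or a rule pasted with its "(Instant AP)(Access Rule ...)# " prompt.
RULE_RE = re.compile(
    r"(?:^|#\s*)rule\s+(?P<dest>\S+)\s+(?P<mask>\S+)\s+match\s+"
    r"(?P<kind>webcategory|webreputation)\s+(?P<name>\S+)\s+(?P<action>permit|deny)\b"
)


@dataclass(frozen=True)
class WebRule:
    dest: str      # "any" or an IPv4 address
    mask: str      # "any" or a dotted netmask
    kind: str      # "webcategory" or "webreputation"
    name: str      # category or reputation label, e.g. gambling, trustworthy-sites
    action: str    # "permit" or "deny"

    def matches(self, dst_ip: str, category: str, reputation: str) -> bool:
        """True if this rule applies to a flow to dst_ip carrying the given labels."""
        if self.dest != "any":
            mask = "32" if self.mask == "any" else self.mask
            net = ipaddress.ip_network(f"{self.dest}/{mask}", strict=False)
            if ipaddress.ip_address(dst_ip) not in net:
                return False
        label = category if self.kind == "webcategory" else reputation
        return label == self.name


def parse_rules(text: str) -> List[WebRule]:
    """Extract rules from pasted CLI text, keeping their order (the order is the policy)."""
    rules: List[WebRule] = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append(WebRule(**m.groupdict()))
    return rules


def evaluate(rules: List[WebRule], dst_ip: str, category: str, reputation: str,
             default: str) -> Tuple[str, Optional[WebRule]]:
    """Return (action, rule) for the first matching rule, or (default, None)."""
    for rule in rules:
        if rule.matches(dst_ip, category, reputation):
            return rule.action, rule
    return default, None


def reordered(rules: List[WebRule], first: str) -> List[WebRule]:
    """Move the rule named `first` to the top; used to show that order changes the verdict."""
    head = [r for r in rules if r.name == first]
    return head + [r for r in rules if r.name != first]


# Constructed copy of the URLFilter example above, prompts included.
URLFILTER = """
(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP)(Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit
(Instant AP)(Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule "URLFilter")# end
"""

if __name__ == "__main__":
    rules = parse_rules(URLFILTER)
    # Constructed flow: a gambling site that the reputation service rates trustworthy.
    print(evaluate(rules, "203.0.113.10", "gambling", "trustworthy-sites", "deny"))
    print(evaluate(reordered(rules, "trustworthy-sites"), "203.0.113.10",
                   "gambling", "trustworthy-sites", "deny"))
```

With the rules in the page's order the gambling flow is denied; with trustworthy-sites moved to the top it is permitted, because the IAP stops at the first matching rule. Put the denies you care about above any broad permit.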

Creating Custom Error Page for Web Access Blocked by AppRF Policies

You can create a list of URLs to which the users are redirected when they access blocked websites. You can define an access rule to use these redirect URLs and assign the rule to a user role in the WLAN network.

You can create a list of custom URLs and ACL rules for blocked websites either through the Instant UI or the

CLI.

Creating a List of Error Page URLs

To create a list of error page URLs:

In the Instant UI

1. Navigate to Security > Custom Blocked Page URL .

2. Click New and enter the URL of the custom error page to which clients are redirected when they access a blocked website.

3. Repeat the procedure to add more URLs. You can add up to 8 URLs to the blocked page list.

4. Click OK .

In the CLI

(Instant AP)(config)# dpi-error-page-url <idx> <url>

(Instant AP)(config)# exit

(Instant AP)# commit apply

Configuring ACL Rules to Redirect Blocked HTTP Websites to a Custom Error Page URL

To redirect blocked HTTP websites to a custom error page URL:

In the UI

1. Navigate to Security > Roles .

2. Select any WLAN SSID or Wired profile role, and click New in the Access Rules section.

3. In the New Rule window, select the rule type as Blocked Page URL .

4. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click New .

5. Click OK .

6. Click OK in the Roles tab to save the changes.

In the CLI

To configure an ACL rule to redirect blocked HTTP websites to a custom error page URL:

(Instant AP)(config)# wlan access-rule <access_rule_name>

(Instant AP)(Access Rule "<access_rule_name>")# dpi-error-page-url <idx>

(Instant AP)(Access Rule "<access_rule_name>")# end

(Instant AP)# commit apply

Configuring ACL Rules to Redirect Blocked HTTPS Websites to a Custom Blocked Page URL

Before you configure an ACL rule for a specific WLAN SSID or Wired profile to redirect HTTPS websites to a custom error page, you must ensure that the Blocked Page URL rule is configured for the HTTP websites blocked for the same WLAN SSID or Wired profile. In this scenario, all the blocked HTTP and HTTPS websites will be redirected to the custom error page URL.


To redirect blocked HTTPS websites to a custom error page URL

In the UI

1. Navigate to Security > Roles .

2. Select any WLAN SSID or Wired profile role, and click New in the Access Rules section.

3. In the New Rule window, select the rule type as Redirect Blocked HTTPS .

4. Click OK .

5. Click OK in the Roles tab to save the changes.

In the CLI

To configure an ACL rule to redirect blocked HTTPS to a custom error page URL:

(Instant AP)(config)# wlan access-rule <access_rule_name>

(Instant AP)(Access Rule "<access_rule_name>")# dpi-error-page-url <idx>

(Instant AP)(Access Rule "<access_rule_name>")# redirect-blocked-https-traffic

(Instant AP)(Access Rule "<access_rule_name>")# end

(Instant AP)# commit apply

Configuring User Roles

Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts.

Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.

The user role configuration on an IAP involves the following procedures:

- Creating a User Role on page 202
- Assigning Bandwidth Contracts to User Roles on page 203
- Configuring Machine and User Authentication Roles on page 204

Creating a User Role

You can create a user role by using the Instant UI or the CLI.

In the Instant UI

To create a user role:

1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.

2. Click the Roles tab. The Roles tab contents are displayed.

3. Under Roles, click New .

4. Enter a name for the new role and click OK .

You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 103 and Configuring Access Rules for a Wired Profile on page 116.

In the CLI

To configure user roles and access rules:

(Instant AP)(config)# wlan access-rule <access-rule-name>


(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}} [<option1…option9>]

Assigning Bandwidth Contracts to User Roles

The administrators can manage bandwidth utilization by assigning either maximum bandwidth rates, or bandwidth contracts to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.

By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth rate per user to provide every user a specific bandwidth within a range of 1–65,535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.

In earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If a bandwidth contract was assigned for an SSID in the Instant 6.2.1.0-3.4.0.0 version, then when the IAP is upgraded to the Instant 6.5.2.0 release, the per-SSID bandwidth configuration is treated as a per-user downstream bandwidth contract for that SSID.

In the Instant UI

1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.

2. Click the Roles tab. The Roles tab contents are displayed.

3. Create a new role (see Creating a User Role on page 202) or select an existing role.

4. Under Access Rules , click New . The New Rule window is displayed.

5. Select Bandwidth Contract from the Rule Type drop-down list.

6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per user check box.

7. Click OK .

8. Associate the user role to a WLAN SSID or a wired profile.

You can also create a user role and assign bandwidth contracts when configuring an SSID or a wired profile.

In the CLI

To assign a bandwidth contract in the CLI:

(Instant AP)(config)# wlan access-rule <name>

(Instant AP)(Access Rule <name>)# bandwidth-limit {downstream <kbps>|upstream <kbps>|peruser {downstream <kbps>|upstream <kbps>}}

(Instant AP)(Access Rule <name>)# end

(Instant AP)# commit apply

To associate the access rule to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>


(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Configuring Machine and User Authentication Roles

You can assign different rights to clients based on whether their device supports machine authentication. Machine authentication is supported only on Windows devices, so it can be used to distinguish Windows devices from other devices such as iPads.

You can create any of the following types of rules:

- Machine Auth only role: This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
- User Auth only role: This indicates a known user or a non-Windows device. The device does not support machine authentication or does not have a RADIUS account, but the user is logged in and authenticated.

When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.

You can configure machine authentication with role-based access control using the Instant UI or the CLI.

In the Instant UI

To configure machine authentication with role-based access control:

1. In the Access tab of the WLAN wizard ( New WLAN or Edit <WLAN-profile> ) or in the wired profile configuration window ( New Wired Network or Edit Wired Network ), under Roles , create Machine auth only and User auth only roles.

2. Configure access rules for these roles by selecting the role and applying the rule. For more information on configuring access rules, see Configuring ACL Rules for Network Services on page 186.

3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.

4. Click Finish to apply these changes.

In the CLI

To configure machine and user authentication roles for a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To configure machine and user authentication roles for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Configuring Derivation Rules

Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or a VLAN to the clients connecting to an SSID or a wired profile.


Understanding Role Assignment Rule

When an SSID or a wired profile is created, a default role for the clients connecting to this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods.

The role assigned by some methods may take precedence over the roles assigned by the other methods.

RADIUS VSA Attributes

The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication.

The role derived from an Aruba VSA takes precedence over roles defined by other methods.

MAC-Address Attribute

The first three octets of a MAC address are the Organizationally Unique Identifier (OUI), which is purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the "assignee") globally and reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of that assignee.

IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role to users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an IAP. You can configure rules to assign a user role to clients that match MAC-address-based criteria. For example, you can assign a voice role to any client with a MAC address starting with a0:a1:a2. Because the client chooses the MAC address it presents, an OUI match identifies a device class only as long as nobody is spoofing it; do not rely on such a rule alone to grant a role with more access than the default role.

Roles Based on Client Authentication

The user role can be the default user role configured for an authentication method, such as 802.1X authentication. For each authentication method, you can configure a default role for the clients who are successfully authenticated using that method.

DHCP Option and DHCP Fingerprinting

DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on the operating system type, a role can be assigned to the device.

For example, to create a role assignment rule with the DHCP option, select equals from the Operator drop-down list and enter 370103060F77FC in the String text box. Since 370103060F77FC is the fingerprint for Apple iOS devices such as iPad and iPhone, the IAP assigns Apple iOS devices to the role that you choose. The fingerprint is the DHCP option number in hexadecimal (37 is option 55, 3C is option 60) followed by the option payload as sent by the client.

Table 42: Validated DHCP Fingerprint

Device                                DHCP Option   DHCP Fingerprint
Apple iOS                             Option 55     370103060F77FC
Android                               Option 60     3C64686370636420342E302E3135
Blackberry                            Option 60     3C426C61636B4265727279
Windows 7/Vista Desktop               Option 55     37010f03062c2e2f1f2179f92b
Windows XP (SP3, Home, Professional)  Option 55     37010f03062c2e2f1f21f92b
Windows Mobile                        Option 60     3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone                       Option 55     370103060f2c2e2f
Apple Mac OS X                        Option 55     370103060f775ffc2c2e2f
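The fingerprint format used in Table 42, decoded and rebuilt in Python. This is an added example and is not part of the Aruba Instant User Guide or the IAP software; the only assumption it makes is the layout visible in the table itself (option code byte followed by the raw option payload, no length byte). The decoder turns the table's hex strings back into the option 55 Parameter Request List or the option 60 Vendor Class string, the encoder produces the string to paste into an equals rule for a device you have captured yourself, and identify() performs the lookup that an equals rule performs, with the caveat that both options are chosen by the client.

```python
"""Decode, build and look up DHCP fingerprints in the form used by Table 42.

Added example, not part of the Aruba Instant User Guide. Format assumption
(taken from the table): fingerprint = option code as one hex byte followed by
the raw option payload, with no length byte. Option 55 (Parameter Request
List) is a list of option codes; option 60 (Vendor Class Identifier) is text.
"""
from typing import Dict, List, Tuple, Union

PARAMETER_REQUEST_LIST = 55
VENDOR_CLASS_IDENTIFIER = 60

# Copied from Table 42 (device -> validated fingerprint).
VALIDATED_FINGERPRINTS: Dict[str, str] = {
    "Apple iOS": "370103060F77FC",
    "Android": "3C64686370636420342E302E3135",
    "Blackberry": "3C426C61636B4265727279",
    "Windows 7/Vista Desktop": "37010f03062c2e2f1f2179f92b",
    "Windows XP (SP3, Home, Professional)": "37010f03062c2e2f1f21f92b",
    "Windows Mobile": "3c4d6963726f736f66742057696e646f777320434500",
    "Windows 7 Phone": "370103060f2c2e2f",
    "Apple Mac OS X": "370103060f775ffc2c2e2f",
}

Payload = Union[List[int], str, bytes]


def decode_fingerprint(fp: str) -> Tuple[int, Payload]:
    """Split a fingerprint into (option code, payload).

    Option 55 comes back as the list of requested option codes, option 60 as
    ASCII text with trailing NULs removed (the Windows Mobile entry ends in
    00), and any other option as raw bytes so nothing is silently dropped.
    """
    raw = bytes.fromhex(fp)
    if len(raw) < 2:
        raise ValueError("fingerprint needs an option code and a payload")
    code, payload = raw[0], raw[1:]
    if code == PARAMETER_REQUEST_LIST:
        return code, list(payload)
    if code == VENDOR_CLASS_IDENTIFIER:
        return code, payload.rstrip(b"\x00").decode("ascii", errors="replace")
    return code, payload


def encode_fingerprint(code: int, payload: Payload) -> str:
    """Inverse of decode_fingerprint: the upper-case hex string to enter in the
    String field of an equals rule for a device you captured on the wire."""
    body = payload.encode("ascii") if isinstance(payload, str) else bytes(payload)
    return f"{code:02X}" + body.hex().upper()


def identify(fp: str) -> str:
    """Name the Table 42 device whose fingerprint equals fp (hex case ignored).

    This is what an equals rule on dhcp-option does. Both option 55 and 60 are
    chosen by the client, so a forged DHCP Discover can claim any of these
    identities: use the result for convenience roles, never as an
    authentication decision.
    """
    wanted = fp.lower()
    for device, known in VALIDATED_FINGERPRINTS.items():
        if known.lower() == wanted:
            return device
    return "unknown"


if __name__ == "__main__":
    for device, fp in VALIDATED_FINGERPRINTS.items():
        code, payload = decode_fingerprint(fp)
        print(f"{device:38} option {code}: {payload}")
```

Running it shows, for instance, that the Android entry is option 60 with the vendor class "dhcpcd 4.0.15" and that the iOS entry is option 55 requesting options 1, 3, 6, 15, 119 and 252. A different DHCP client version on the same platform changes the string, which is why the table is labelled "validated" rather than exhaustive.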


Creating a Role Derivation Rule

You can configure rules for determining the role that is assigned for each authenticated client.

When creating more than one role assignment rule, the first matching rule in the rule list is applied.

You can create a role assignment rule by using the Instant UI or the CLI.

In the Instant UI

1. Navigate to the WLAN wizard or the Wired settings window:

- To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
- To configure access rules for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.

2. Click the Access tab.

3. Under Role Assignment Rules , click New . The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.

4. Select the attribute that matches with the rule from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 154.

5. Select the operator from the Operator drop-down list. The following types of operators are supported:

- contains: The rule is applied only if the attribute value contains the string specified in Operand.
- Is the role: The attribute value returned by the authentication server is used as the role name (value-of in the CLI).
- equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
- not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts-with: The rule is applied only if the attribute value starts with the string specified in Operand.
- ends-with: The rule is applied only if the attribute value ends with the string specified in Operand.
- matches-regular-expression: The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only to WLAN clients.

6. Enter the string to match the attribute in the String text box.

7. Select the appropriate role from the Role drop-down list.

8. Click OK .

When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

In the CLI

To configure role assignment rules for a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression} <operator> <role>|value-of}

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To configure role assignment rules for a wired profile:


(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <role>|value-of}

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Example

(Instant AP)(config)# wlan ssid-profile Profile1

(Instant AP)(SSID Profile "Profile1")# set-role mac-address-and-dhcp-options matches-regular-expression \bring\b Profile1

(Instant AP)(SSID Profile "Profile1")# end

(Instant AP)# commit apply

Understanding VLAN Assignment

You can assign VLANs to a client based on the following configuration conditions:

- The default VLAN configured for the WLAN can be assigned to a client.
- If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before the authentication, from the rules configured for these profiles.
- If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
- The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
- After client authentication, the VLAN can be derived from Vendor-Specific Attributes (VSA) for RADIUS server authentication.
- The DHCP-based VLANs can be derived for captive portal authentication.

Instant supports role derivation based on the DHCP option for captive portal authentication. When the captive portal authentication is successful, the role derivation based on the DHCP option assigns a new user role to the guest users, instead of the pre-authenticated role.

Vendor-Specific Attributes

When an external RADIUS server is used, the user VLAN can be derived from the Aruba-User-Vlan VSA. The VSA is carried in the Access-Accept packet from the RADIUS server. The IAP analyzes the return message and derives the VLAN value, which it assigns to the user.


Figure 46 RADIUS Access-Accept Packets with VSA

Figure 47 Configure VSA on a RADIUS Server

VLAN Assignment Based on Derivation Rules

When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA on page 154.


Figure 48 Configuring RADIUS Attributes on the RADIUS Server

User Role

If neither the VSA nor a VLAN derivation rule matches, the user VLAN can be derived from the user role.

VLANs Created for an SSID

If neither the VSA nor a VLAN derivation rule matches, and the user role does not contain a VLAN, the user VLAN can be derived from the VLANs configured for the SSID or the Ethernet port profile.

Configuring VLAN Derivation Rules

The VLAN derivation rules allow administrators to assign a VLAN to the IAP clients based on the attributes returned by the RADIUS server.

You can configure VLAN derivation rules for an SSID profile by using the Instant UI or the CLI.

In the Instant UI

To configure VLAN derivation rules:

1. Perform the following steps:

- To configure a VLAN derivation rule for a WLAN SSID profile, navigate to Network > New > New WLAN > VLAN or Network > edit > Edit <WLAN-profile> > VLAN. Select the Dynamic option under Client VLAN assignment.
- To configure a VLAN derivation rule for a wired network profile, navigate to Wired > New > New Wired Network > VLAN or Wired > Edit > Edit Wired Network > VLAN. The VLAN tab contents are displayed.


2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.

Figure 49 VLAN Assignment Rule Window

3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 154.

4. Select the operator from the Operator drop-down list. The following types of operators are supported:

- contains: The rule is applied only if the attribute value contains the string specified in Operand.
- Is the VLAN: The VLAN ID returned in the RADIUS attribute is used as the client VLAN (value-of in the CLI).
- equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
- not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
- starts-with: The rule is applied only if the attribute value starts with the string specified in Operand.
- ends-with: The rule is applied only if the attribute value ends with the string specified in Operand.

5. Enter the string to match the attribute in the String text box.

6. Select the appropriate VLAN ID from the VLAN drop-down list.

7. Click OK .

8. Ensure that the required security and access parameters are configured.

9. Click Finish to apply the changes.

In the CLI

To create a VLAN assignment rule for a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To configure a VLAN assignment rule for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-vlan <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Example

(Instant AP)(config)# wlan ssid-profile Profile1


(Instant AP)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..link 100

(Instant AP)(SSID Profile "Profile1")# end

(Instant AP)# commit apply

Using Advanced Expressions in Role and VLAN Derivation Rules

For complex role and VLAN derivation policies based on device DHCP fingerprints, you can use a regular expression to match the combined string of the MAC address and the DHCP options. The combined string is formed by concatenating the hexadecimal representation of the MAC address and all of the DHCP options sent by a particular device. A regular expression is a pattern description language that can perform advanced pattern matching on that string.

If the combined device fingerprint string matches the specified regular expression, the role or VLAN is assigned to the WLAN client.

The following table lists some of the most commonly used regular expressions, which can be used in user role and user VLAN derivation rules:

Table 43: Regular Expressions

Operator   Description

.          Matches any single character. For example, l..k matches lack, lark, link, lock, and look.

\          Matches the character that follows the backslash literally, which is how you match a metacharacter such as a period. For example, 192\.0\. matches addresses that start with 192.0., such as 192.0.1.1, but not 192x0y1.

[ ]        Matches any one character listed between the brackets. For example, [bc]lock matches block and clock.

\b         Matches a word boundary. For example, \bdown matches down and downlink, but not shutdown or linkdown, because there is no word boundary before down in those words.

\B         Matches a position that is not a word boundary. For example, \Bvice matches services, devices, serviceID, and deviceID, but not vice on its own.

^          Matches the start of the input string. For example, ^bcd matches bcde or bcdf, but not abcd.

[^]        Matches any one character that is not listed between the brackets. For example, [^u]link matches downlink and blink, but not uplink, and not link on its own because one character must precede it.

?          Matches the preceding element zero or one time. For example, colou?r matches color and colour.

$          Matches the end of the input string. For example, eth$ matches eth, but not ethernet.

*          Matches the preceding element zero or more times. For example, eth* matches et, eth, and ethh.

+          Matches the preceding element one or more times. For example, aa+ matches aa and aaa, but not a.

( )        Groups a sequence into one element so that a quantifier applies to the whole sequence. For example, (192)* matches any number of repetitions of 192, such as 192192.

|          Matches the pattern on either side of the vertical bar; use it to construct a series of alternatives. For example, wired|wireless matches either wired or wireless.

\<         Matches the beginning of a word. For example, \<wire matches wired and wireless, but not firewire.

\>         Matches the end of a word. For example, list\> matches blacklist and whitelist, but not listen.

{n}        Where n is an integer, matches the preceding element exactly n times. For example, [0-9]{3} matches 192, but not 19.

{n,}       Where n is an integer, matches the preceding element n or more times. For example, [0-9]{2,} matches 19 and 192, but not 1.

For information on how to use regular expressions in role and VLAN derivation rules, see the following topics:

- Creating a Role Derivation Rule on page 206
- Configuring VLAN Derivation Rules on page 209
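The derivation engine described in Creating a Role Derivation Rule and the combined MAC+DHCP string from Using Advanced Expressions, as an added Python example that is not part of the Aruba Instant User Guide or the IAP software. It applies an ordered rule list with the page's operators (equals, not-equals, starts-with, ends-with, contains, matches-regular-expression; the Is the role/value-of case is not modelled) and stops at the first match. The byte layout of the mac-address-and-dhcp-options string is an assumption made for the example (lower-case hex MAC followed by each DHCP option as code byte plus payload, no separators), as are the rule names, the Aruba-User-Role value and the client MAC addresses; check a real capture before relying on a regular expression written against this layout.

```python
"""First-match role derivation over RADIUS, MAC and DHCP attributes.

Added example, not Aruba code. ASSUMPTION: the mac-address-and-dhcp-options
string is modelled as the 12 lower-case hex digits of the MAC followed by each
DHCP option as code byte plus payload in hex. The page describes the string as
that concatenation but does not publish its exact byte layout.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Operators from the Operator drop-down list; each takes (attribute value, operand).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "contains": lambda value, operand: operand in value,
    "matches-regular-expression": lambda value, operand: re.search(operand, value) is not None,
}


@dataclass(frozen=True)
class Rule:
    attribute: str   # e.g. Aruba-User-Role, mac-address, mac-address-and-dhcp-options
    operator: str
    operand: str
    result: str      # role name (or VLAN ID for set-vlan rules)


def _mac_hex(mac: str) -> str:
    return mac.replace(":", "").replace("-", "").lower()


def _options_hex(dhcp_options: Dict[int, bytes]) -> str:
    return "".join(f"{code:02x}{payload.hex()}" for code, payload in sorted(dhcp_options.items()))


def combined_fingerprint(mac: str, dhcp_options: Dict[int, bytes]) -> str:
    """Assumed layout of the mac-address-and-dhcp-options attribute (see docstring)."""
    return _mac_hex(mac) + _options_hex(dhcp_options)


def client_attributes(mac: str, dhcp_options: Dict[int, bytes],
                      radius: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Attribute table the engine matches against, for one client."""
    attrs = dict(radius or {})   # RADIUS attributes/VSAs exist only after an Access-Accept
    attrs["mac-address"] = _mac_hex(mac)
    attrs["dhcp-option"] = _options_hex(dhcp_options)
    attrs["mac-address-and-dhcp-options"] = combined_fingerprint(mac, dhcp_options)
    return attrs


def derive(rules: List[Rule], attrs: Dict[str, str], default: str) -> str:
    """First matching rule wins, as the page states; no match returns the default role."""
    for rule in rules:
        value = attrs.get(rule.attribute)
        if value is None:
            continue   # the client never presented this attribute, so the rule cannot match
        try:
            test = OPERATORS[rule.operator]
        except KeyError:
            raise ValueError(f"unsupported operator: {rule.operator}") from None
        if test(value, rule.operand):
            return rule.result
    return default


# Constructed rule list. The Aruba VSA rule is listed first because the page says a
# role from the Aruba VSA takes precedence; the MAC rule sits above the DHCP rules,
# which is why a spoofed OUI is enough to pull any client into the voice role.
RULES = [
    Rule("Aruba-User-Role", "equals", "employee", "employee"),
    Rule("mac-address", "starts-with", "a0a1a2", "voice"),
    Rule("mac-address-and-dhcp-options", "matches-regular-expression",
         r"3c426c61636b4265727279$", "blackberry"),        # option 60 "BlackBerry"
    Rule("mac-address-and-dhcp-options", "matches-regular-expression",
         r"^[0-9a-f]{12}370103060f77fc", "apple-ios"),    # iOS option 55 fingerprint
]

# Constructed clients (no real devices).
IOS_PHONE = client_attributes("a0:a1:a2:00:11:22", {55: bytes([1, 3, 6, 15, 119, 252])})
BLACKBERRY = client_attributes("00:11:22:33:44:55", {60: b"BlackBerry"})
LAPTOP = client_attributes("00:11:22:aa:bb:cc", {}, radius={"Aruba-User-Role": "employee"})

if __name__ == "__main__":
    for name, attrs in (("ios phone", IOS_PHONE), ("blackberry", BLACKBERRY), ("laptop", LAPTOP)):
        print(f"{name:10} -> {derive(RULES, attrs, 'guest')}")
```

Running it prints voice for the phone whose MAC starts with a0:a1:a2 even though its DHCP options say iOS, because the MAC rule is listed first; swap the two rules and the result changes. That is the first-match behaviour the page describes, and it is also the reason a regular expression should be anchored (the ^ and $ above) so that a fingerprint cannot be matched by a substring that happens to appear elsewhere in the combined string.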

Configuring a User Role for VLAN Derivation

This section describes the following procedures:

- Creating a User VLAN Role on page 212
- Assigning User VLAN Roles to a Network Profile on page 213

Creating a User VLAN Role

You can create a user role for VLAN derivation using the Instant UI or the CLI.

In the Instant UI

To configure a user role for VLAN derivation:

1. Click the Security link located directly above the Search bar in the Instant main window.

2. Click the Roles tab. The Roles tab contents are displayed.

3. Under Roles , click New .

4. Enter a name for the new role and click OK .

5. Under Access rules , click New .

6. Select the Rule type as VLAN assignment .

7. Enter the ID of the VLAN in the VLAN ID text box.

8. Click OK .

In the CLI

To create a VLAN role:

(Instant AP)(config)# wlan access-rule <rule-name>

(Instant AP)(Access Rule <rule-name>)# vlan 200

(Instant AP)(Access Rule <rule-name>)# end

(Instant AP)# commit apply


Assigning User VLAN Roles to a Network Profile

You can configure user VLAN roles for a network profile using Instant UI or the CLI.

In the Instant UI

To assign a user VLAN role:

1. Click Network > New > New WLAN > Access or click Network > edit > Edit <WLAN-profile> > Access.

2. On the Access tab, ensure that the slider is at the Role-based option.

3. Click New under New Role Assignment and configure the following parameters:

a. Select the attribute from the Attribute drop-down list.

b. Select the operator to match attribute from the Operator drop-down list.

c. Enter the string to match in the String text box.

d. Select the role to be assigned from the Role drop-down list.

4. Click OK .

In the CLI

To assign a VLAN role to a WLAN profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role <attribute> {{equals <operator> <role>|not-equals <operator> <role>|starts-with <operator> <role>|ends-with <operator> <role>|contains <operator> <role>}|value-of}

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply
