Behavior and Defaults. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200
Add to My manuals1162 Pages
advertisement
Chapter 45
Behavior and Defaults
Topics in this chapter include: n n n n
Understanding Mode Support on page 1097
Understanding Basic System Defaults on page 1099
Understanding Default Management User Roles on page 1107
Understanding Default Open Ports on page 1110
Understanding Mode Support
Most ArubaOS features are supported in all forwarding modes. However, there are a some features that are not supported in one or more forwarding modes. Campus APs do not support split-tunnel forwarding mode and the decrypt-tunnel forwarding mode does not support TKIP Counter measure management on campus
APs or remote APs.
describes the features that are not supported in each forwarding mode.
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1097
Table 273: Features not Supported in Each Forwarding Mode
Forwarding Mode
Split Tunnel Mode on Remote APs
Feature Not Supported
AirGroup
AppRF
Bandwidth based CAC
Broadcast-filter
DHCP Fingerprinting
Dynamic Multicast Optimization
IGMP Proxy Mobility
Layer-2 Mobility
Layer-3 Mobility
Mobile IP
Named VLAN
Station blacklist by ACL action
TKIP countermeasure management
Video over Mesh
VLAN pooling
Voice over Mesh
WebCC
1098 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
Forwarding Mode
Bridge Mode on Campus APs or Remote APs
Feature Not Supported
AirGroup
AppRF
Automatic Voice Flow Classification
Bandwidth based CAC
Broadcast filter
Captive Portal
DHCP enforcement
DHCP fingerprint
Dynamic Multicast Optimization
Firewall – Alcatel NOE Support
Firewall – SIP / SCCP / RTP / RTSP Voice Support
H.323 ALG
IGMP Proxy Mobility
Layer 3 Mobility
Lync SDN API
Management: Voice client statistics
Management: Voice client troubleshooting
Management: Voice-specific views
Mobile IP
Named VLAN
NOE ALG
Power save: Drop wireless multicast traffic
Power save: Proxy ARP (global)
Power save: Proxy ARP (per-SSID)
Power save: Wireless battery boost
RADIUS CoA
Rate Limiting for broadcast / multicast
SCCP ALG
SIP ALG
SIP: CAC enforcement enhancements
SIP: Delay measurement
SIP: Phone number awareness
SIP: R-Value computation
SIP: SIP authentication tracking
Station blacklist
Station blacklist by an ACL action
SVP ALG
TKIP countermeasure management
Video over Mesh
Vocera ALG
Voice over Mesh
Voice protocol monitoring / reporting
WebCC
XML-API
Understanding Basic System Defaults
The default administrator user name is admin , and the default password is also admin . The ArubaOS software includes several predefined network services, firewall policies, and roles.
Network Services
lists the predefined network services and their protocols and ports.
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1099
Table 274: Predefined Network Services
Name Protocol Port(s) svc-pop3 svc-adp svc-noe svc-noe-oxo svc-dns svc-msrpc-tcp svc-rtsp svc-http svc-vocera svc-nterm svc-sip-udp svc-papi svc-ftp svc-natt svc-svp svc-dhcp svc-snmp-trap svc-smb-tcp svc-https svc-ike svc-l2tp svc-syslog svc-pptp svc-telnet svc-sccp svc-tftp svc-sip-tcp svc-kerberos tcp udp
119 udp tcp udp udp udp tcp tcp tcp tcp udp udp udp tcp udp tcp udp udp udp tcp tcp udp udp tcp tcp udp
110
8200
32512
5000
53
135 139
554
80
5002
1026 1028
5060
8211
21
4500
0
2000
69
5060
88
1701
514
1723
23
67 68
162
445
443
500
1100 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
Name svc-gre svc-smtp svc-smb-udp svc-esp svc-bootp svc-snmp svc-icmp svc-ntp svc-msrpc-udp svc-ssh svc-h323-tcp svc-h323-udp svc-http-proxy1 svc-http-proxy2 svc-http-proxy3 svc-sips svc-v6-dhcp svc-v6-icmp any
Protocol tcp tcp udp tcp udp icmp udp udp gre tcp udp esp udp tcp tcp tcp udp icmp any
Policies
The following are predefined policies.
Table 275: Predefined Policies
Predefined Policy ip access-list session allowall any any any permit
Port(s)
0
0
8080
8888
5061
546 547
0
25
445
0
67 69
161
0
123
135 139
22
1720
1718 1719
3128
Description
An "allow all" firewall rule that permits all traffic.
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1101
Predefined Policy ip access-list session control user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
Description
Controls traffic - Apply to untrusted wired ports in order to allow Aruba APs to boot up.
NOTE: In most cases wired ports should be made
"trusted" when attached to an internal network.
ip access-list session captiveportal user alias mswitch svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088
Enables Captive Portal authentication.
1. Any HTTPS traffic destined for the controller will be
NATed to port 8081, where the captive portal server will answer.
2. All HTTP traffic to any destination will be NATed to the controller on port 8080, where an HTTP redirect will be issued.
3. All HTTPS traffic to any destination will be NATed to the controller on port 8081, where an HTTP redirect will be issued.
4. All HTTP proxy traffic will be NATed to the controller on port 8088.
NOTE: In order for captive portal to work properly, DNS must also be permitted. This is normally done in the
"logon-control" firewall rule.
ip access-list session cplogout user alias mswitch svc-https dst-nat 8081 ip access-list session vpnlogon any any svc-ike permit any any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit
Used to enable the captive portal "logout" window. If the user attempts to connect to the controller on the standard HTTPS port (443) the client will be NATed to port
8081, where the captive portal server will answer. If this rule is not present, a wireless client may be able to access the controller's administrative interface.
This policy permits VPN sessions to be established to any destination. IPsec (IKE, ESP, and L2TP) and PPTP (PPTP and GRE) are supported.
ip access-list session ap-acl any any udp 5000 any any udp 5555 any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-snmp-trap permit user any svc-ntp permit
This is a policy for internal use and should not be modified. It permits APs to boot up and communicate with the controller.
1102 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
Predefined Policy ip access-list session validuser any any any permit ip access-list session vocera-acl any any svc-vocera permit queue high ip access-list session icmp-acl any any svc-icmp permit ip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ip access-list session https-acl any any svc-https permit ip access-list session dns-acl any any svc-dns permit ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit ip access-list session srcnat user any any src-nat ip access-list session skinny-acl any any svc-sccp permit queue high ip access-list session tftp-acl any any svc-tftp permit ip access-list session guest ip access-list session dhcp-acl any any svc-dhcp permit ip access-list session http-acl any any svc-http permit ip access-list session svp-acl any any svc-svp permit queue high user host 224.0.1.116 any permit
Description
This firewall rule controls which users will be added to the user-table of the controller through untrusted interfaces.
Only IP addresses permitted by this ACL will be admitted to the system for further processing. If a client device attempts to use an IP address that is denied by this rule, the client device will be ignored by the controller and given no network access. You can use this rule to restrict foreign IP addresses from being added to the user-table.
This policy should not be applied to any user role, it is an internal system policy.
Use for Vocera VoIP devices to automatically permit and prioritize Vocera traffic.
Permits all ICMP traffic.
Use for SIP VoIP devices to automatically permit and prioritize all SIP control and data traffic.
Permits all HTTPS traffic.
Permits all DNS traffic.
The default pre-authentication role that should be used by all wireless clients. Prohibits the client from acting as a
DHCP server. Permits all ICMP, DNS, and DHCP. Also permits IPsec NAT-T (UDP 4500). Remove NAT-T if not needed.
This policy can be used to source-NAT all traffic. Because no NAT pool is specified, traffic that matches this policy will be source NATed to the IP address of the controller.
Use for Cisco Skinny VoIP devices to automatically permit and prioritize VoIP traffic.
Permits all TFTP traffic.
This policy is not used.
Permits all DHCP traffic. If DHCP is not allowed, clients will not be able to request or renew IP addresses.
Permits all HTTP traffic.
Use for Spectralink VoIP devices to automatically permit and prioritize Spectralink Voice Protocol (SVP).
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1103
Predefined Policy ip access-list session noe-acl any any svc-noe permit queue high ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ipv6 access-list session v6-control user any udp 68 deny any any svc-v6-icmp permit any any svc-v6-dhcp permit any any svc-dns permit any any svc-tftp permit ipv6 access-list session v6-icmp-acl any any svc-v6-icmp permit ipv6 access-list session v6-https-acl any any svc-https permit ipv6 access-list session v6-dhcp-acl any any svc-v6-dhcp permit ipv6 access-list session v6-dns-acl any any svc-dns permit ipv6 access-list session v6-allowall any any any permit ipv6 access-list session v6-http-acl any any svc-http permit ipv6 access-list session v6-tftp-acl any any svc-tftp permit ipv6 access-list session v6-logon-control user any udp 68 deny any any svc-v6-icmp permit any any svc-v6-dhcp permit any any svc-dns permit
Description
Use for Alcatel NOE VoIP devices to automatically permit and prioritize NOE traffic.
Use for H.323 VoIP devices to automatically permit and prioritize H.323 traffic.
Provides equivalent functionality to the "control" policy, but for IPv6 clients.
Permits all ICMPv6 traffic.
Permits all IPv6 HTTPS traffic.
Permits all IPv6 DHCP traffic.
Permits all IPv6 DNS traffic.
Permits all IPv6 traffic.
Permits all IPv6 HTTP traffic.
Permits all IPv6 TFTP traffic.
Provides equivalent functionality to the "logon-control" policy, but for IPv6 clients.
Validuser and Logon-control ACLs
Default firewall rules for both the validuser and logon-control ACLs prevent malicious users from ip spoofing source addresses the default firewall rule in the validuser ACL causes the packet to be dropped.
A client with the correct source address can send traffic to the below networks as a destination IP address. To deny traffic, the default firewall rule added to logon-control ACL denies traffic to the reserved addresses from user with the logon role.
The following networks can be blocked by the default firewall rules in both the validuser and logon-control
ACLs: n n
Network packets where the source address of the network packet is defined as being on a broadcast network (source address == 255.255.255.255)
Network packets where the source address of the network packet is defined as being on a multicast network (source address = 224.0.0.0 – 239.255.255.255)
1104 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
n n n n
Network packets where the source address of the network packet is defined as being a loopback address
(127.0.0.1 through 127.255.255.254)
Network packets where the source or destination address of the network packet is a link-local address
(169.254.0.0/16)
Network packets where the source or destination address of the network packet is defined as being an address “reserved for future use” as specified in RFC 5735 for IPv4; (240.0.0.0/4)
Network packets where the source or destination address of the network packet is defined as an
“unspecified address”(::/128) or an address “reserved for future definition and use”(addresses other than
2000::/3) as specified in RFC 3513 for IPv6. The IPv6 “an unspecified address”(::/128) is currently being checked in datapath and the packet is dropped. This is the default behavior and you can view the logs by enabling firewall enable-per-packet-logging configuration.
Roles
The following are predefined roles.
If you upgrade from a previous ArubaOS release, your existing configuration may have additional or different predefined roles. The information in this section only describes the predefined roles for this release.
Table 276: Predefined Roles
Predefined Role system-role ap-role
session-acl control
session-acl ap-acl system-role stateful-dot1x system-role sys-ap-role user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall user-role cpbase user-role default-iap-userrole user-role default-via-role user-role default-vpn-role
session-acl allowall
ipv6 session-acl v6-allowall user-role denyall
Description
This is an internal role and should not be edited.
Can This Role be
Deleted? (Yes/No)
No
This is an internal role used for Stateful 802.1X. It should not be edited.
This is a limited role applied to Aruba APs to allow the AP to boot up and terminate on the controller.
This is a default role that can be used for authenticated users. It permits all IPv4 and IPv6 traffic for users who are part of this role.
No
No
No
This is a role for cpbase.
Yes
This is a default user role for IAPs. This role is applied to GRE tunnel between IAP and controller, thus also applied to all CL2 users, which are created in the controller.
No
No This is a default user role for VIA users.It is referenced as default in the default VIA
Authentication profile.
This is the default role used for VPN-connected clients. It is referenced in the default "aaa authentication vpn" profile.
No
This role blocks all traffic to and from the user.
Yes
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1105
Predefined Role user-role guest
session-acl http-acl
session-acl https-acl
session-acl dhcp-acl
session-acl icmp-acl
session-acl dns-acl
ipv6 session-acl v6-http-acl
ipv6 session-acl v6-https-acl
ipv6 session-acl v6-dhcp-acl
ipv6 session-acl v6-icmp-acl
ipv6 session-acl v6-dns-acl user-role guest-logon captive-portal default session-acl logon-control session-acl captiveportal user-role <ssid>-guest-logon captive-portal default session-acl logon-control session-acl captiveportal user-role logon session-acl logon-control session-acl captiveportal session-acl vpnlogon
ipv6 session-acl v6-logoncontrol user-role <ssid>-logon session-acl control session-acl captiveportal session-acl vpnlogon
Description
Can This Role be
Deleted? (Yes/No)
This is a default role for guest users. It permits only HTTP, HTTPS, DHCP, ICMP, and DNS for the guest user. To increase security, a "deny" rule for internal network destinations could be added at the beginning.
No
This role is used as the pre-authentication role for guest SSIDs. It allows control traffic such as
DNS, DHCP, and ICMP, and also enables captive portal.
No
This role is only generated when creating a new
WLAN using the WLAN Wizard. The WLAN Wizard creates this role when captive portal is enabled.
This is the initial role that a guest will be placed in prior to captive portal authentication. By using a different guest logon role for each SSID, it is possible to enable multiple captive portal profiles with different customization.
Yes
This is a user role that is normally applied to a user prior to authentication. This applies to wired users and non-802.1X wireless users.
The role allows certain control protocols such as
DNS, DHCP, and ICMP, and also enables captive portal and VPN termination/pass through. The logon role should be edited to provide only the required services to a pre-authenticated user.
For example, VPN pass through should be disabled if it is not needed.
No
This role is only generated when creating a new
WLAN using the WLAN Wizard. The WLAN Wizard creates this role when captive portal is enabled and a PEFNG license is installed. This is the initial role that a client will be placed in prior to captive portal authentication. By using a different logon role for each SSID, it is possible to enable multiple captive portal profiles with different customization.
Yes
1106 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
Predefined Role user-role <ssid>captiveportal-profile
Description
Can This Role be
Deleted? (Yes/No)
When utilizing the WLAN Wizard and you do not have a PEF NG installed and you are configuring an Internal or Guest WLAN with captive portal enabled, the controller creates an implicit user role with the same name as the captive portal profile, <ssid>-captiveportal-profile.
This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal.
You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned
VLAN. Once the WLAN configuration is pushed to the controller, the WLAN wizard will associate the new role with the initial user role that you specify in the AAA profile. This role will not be visible to the user in the WLAN wizard.
This role can be applied to voice devices in order to automatically permit and prioritize all VoIP protocols.
Yes
Yes user-role voice
session-acl sip-acl
session-acl noe-acl
session-acl svp-acl
session-acl vocera-acl
session-acl skinny-acl
session-acl h323-acl
session-acl dhcp-acl
session-acl tftp-acl
session-acl dns-acl
session-acl icmp-acl
Understanding Default Management User Roles
The ArubaOS software includes predefined management user roles.
If you upgrade from a previous ArubaOS release, your existing configuration may have different management roles.
The information in this section only describes the predefined management roles for this release.
Table 277: Predefined Management Roles
Predefined Role root
Permissions
This role permits access to all management functions (commands and operations) on the controller.
read-only This role permits access to CLI show commands or WebUI monitoring pages only.
guest-provisioning This role permits access to configuring guest users in the controller’s internal database only. This user only has access via the WebUI to create guest accounts; there is no CLI access.
Guest-provisioning tasks include creating or generating the user name and password for a guest account as well as configuring when the account expires.
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1107
Predefined Role location-api-mgmt
Permissions
This role permits access to location API information and the CLI; however, you cannot use any CLI commands. This role does not permit access to the WebUI.
Using a third-party location appliance, you can gather information about the location of 802.11 stations.
To log in to the controller using a third-party location appliance, enter: http[s]://<ipaddress>[:port]/screens/wms/wms.login.
You are prompted to enter your username and password (for example, the username and password associated with the location API management role). Once authenticated, you can use an API call to request location information from the controller, for example: http[s]://<ipaddress>[:port]/screens/wms/wms.cgi?opcode=wlm-getspot&campus-name=<campus id>&building-name<building id>&mac=<client1>,<client2>....
network-operations
1108 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
Predefined Role network-operations
(continued)
Permissions
Monitoring > Network > All Access PointsMonitoring
> Network > All Wired Access Points
You can view the reports created by the following CLI commands: n DB:opcode=monitor-summary n n
DB:opcode=cr-load
DB:opcode=wlm-search&class=probes&start n n
DB:opcode=wlm-search&class=amii
DB:opcode=monitor-get-all-gps&status=any n show ap-group n show vlan status
Monitoring > Controller > Controller Summary
You can view the reports created by the following CLI commands: n show switches n show switches summary
Monitoring > Controller > Air Monitors
You can view the reports created by the following CLI commands: n show wlan-ap start *
Monitoring > Controller > Clients
You can view the reports created by the following CLI commands: n show ip mobile host n n n n n n n n show ip mobile trail {<ipaddr> | <macaddr>}
<span class="CLI">show ap essid</span> show esi servers show esi ping show esi parser stats show private port status * show vlan show port stats n n n show spanning-tree interface fastethernet
<slot>/<module>/<port> show interface fastethernet <slot>/<module>/<port> counters clear counters fastethernet <slot>/<module>/<port> n show snmp trap-queue <page>
Monitoring > Controller > Clients > Packet CaptureMonitoring
> Controller > Clients > LocateMonitoring
> Controller > Clients > Debug
You can view the reports created by the following CLI commands: n aaa user debug mac
Monitoring > Controller > Clients > Disconnect
You can view the reports created by the following CLI commands: n stm kick-off-sta <macaddr> n aaa user logout <ipaddr>
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1109
Predefined Role network-operations
(continued) standard
Permissions
Monitoring > Controller > Clients > Blacklist
You can view the reports created by the following CLI commands: n stm add-blacklist-client <macaddr> n aaa user delete {<ipaddr> | all | mac <macaddr> | name
<username> | role <role>}
Monitoring > Controller > Blacklist Clients
You can view the reports created by the following CLI commands: n stm remove-blacklist-client <macaddr>
Monitoring > Controller > External Services Interface
You can view the reports created by the following CLI commands: n show esi groups n n show esi servers show esi ping n show esi parser stats
Monitoring > Controller > Ports
You can view the reports created by the following CLI commands: n show model-switch-internal * n n show slots show private port status * n show vlan
Monitoring > Controller > Inventory
You can view the reports created by the following CLI commands: n show keys
Monitoring > WLAN
You can view the reports created by the following CLI commands: n DB:opcode=get-permissions n n n show switches summary
Monitoring > Voice
You can view the reports created by the following CLI commands: n show ap association voip-only n show ap active voip-only n n show voice call-counters show voice client status n
DB:opcode=cr-load show switches n n n show voice call-quality show voice call-density show voice call-cdrs show voice call-perf
This role has root privileges but cannot make changes to the management users.
The purpose of creating this new role is to prevent changes to the local account from externally authenticated management user.
Understanding Default Open Ports
By default, Aruba controllers and access points treat ports as untrusted. However, certain ports are open by default only on the trusted side of the network. These open ports are listed in
1110 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
Table 278: Default (Trusted) Open Ports
Port
Number
17
21
22
23
53
67
68
69
80
123
161
443
500
514
1144
1701
Protocol
TCP
TCP
TCP
TCP
UDP
UDP
UDP
UDP
TCP
UDP
UDP
TCP
UDP
UDP
RTLS
UDP
Where Used controller
Description
This is used for certain types of VPN clients that accept a banner (QOTD). During normal operation, this port will only accept a connection and immediately close it.
controller controller
AP and controller controller
AP (and controller if
DHCP server is configured)
AP (and controller if
DHCP server is configured) controller
AP and controller controller
AP and controller controller
SSH
Telnet is disabled by default but the port is still open.
Internal domain.
DHCP server.
DHCP client.
TFTP
Used for remote packet capture where the capture is saved on the access point. Provides access to the WebUI on the controller.
NTP
SNMP. Disabled by default.
controller controller
Access points controller
Used internally for captive portal authentication (HTTPS) and is exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certs are open to man-in-the-middle attacks and should only be used for testing.
Required for VIA : During the initializing phase, VIA uses
HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.
ISAKMP
Syslog
Open only when the RTLS feature is enabled
L2TP
ArubaOS 6.5.3.x
| User Guide Behavior and Defaults | 1111
Port
Number
1723
2300
Protocol
TCP
TCP
3306
4343, 443
TCP
TCP
4500
8080
8081
8082
8083
8088
8200
8211
8888
UDP
TCP
TCP
TCP
TCP
TCP
UDP
UDP
TCP
Where Used controller controller controller controller controller controller controller controller controller controller controller controller controller
Description
PPTP
Internal terminal server opened by telnet soe command.
Remote wired MAC lookup.
HTTPS.Both port 4343 and 443 are supported. If port
4343 is used it redirects to port 443. If port 443 is used it continues to connect using this port. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certs are open to man-in-the-middle attacks and should only be used for testing sae-urn
Required for VIA : During the initializing phase, VIA uses
HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 4500 on your network to allow VIA to perform these checks.
Used internally for captive portal authentication (HTTPproxy). This port is not exposed to wireless users.
Used internally for captive portal authentication (HTTPS).
Not exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certs are open to man-in-the-middle attacks and should only be used for testing.
Used internally for single sign-on authentication (HTTP).
Not exposed to wireless users.
Used internally for single sign-on authentication (HTTPS).
Not exposed to wireless users.
For internal use.
The Aruba Discovery Protocol (ADP)
For internal use.
Used for HTTP access.
1112 | Behavior and Defaults ArubaOS 6.5.3.x | User Guide
advertisement
Related manuals
advertisement