We had to get a little more granular in ours because we had user table entries 
with our gateway addresses get populated in the user table that caused outages 
in those network segments.  Yes, that's right, there was a client MAC address 
with a gateway IP address that brought down that network segment.  Uggh.  Be 
careful and inclusive when setting this up!


Colleen Szymanik

Sr. Network Engineer

ISC Networking & Telecommunications
University of Pennsylvania

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ryan Holland
Sent: Friday, December 09, 2011 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...

If I may stem off Stan's post, please plan well if you also have remote APs. 
The remote AP is a VPN user first and requires specific policies in the 
'validuser' ACL as well. In addition to DHCP, Secure PAPI, NAT-T, and L2TP 
could also be required.

==========
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland....@osu.edu

Submit a Kudos to an OCIO employee! <http://www.surveygizmo.com/s/514095/giveociokudos>

On Dec 9, 2011, at 11:09 AM, Brooks, Stan wrote:


For all the Aruba users out there, I thought that a config example and 
explanation of the validuser ACL might be helpful.  Here is the snippet of our 
config (somewhat sanitized) for those that are interested:

netdestination validwirelessnetworks !# List your wireless client subnets here
 network 10.16.0.0 255.255.0.0
 network 10.18.0.0 255.255.0.0
!
netdestination arubacontrollers !# List your wireless controller mgmt addresses or networks here
 network <redacted>
!

ip access-list session validuser
 any any svc-dhcp permit  !# Needed for passing initial DHCP requests
 alias validwirelessnetworks any any permit
!

Note there is an implied deny all after the last entry in the validuser ACL, so 
anything not listed is denied.  If you are using Mesh APs, you may need 
additional statements to allow their traffic - talk with your Aruba Support 
staff for details.


-> Stan Brooks - CWNA/CWSP
     Emory University
     University Technology Services
     404.727.0226
AIM/Y!/Twitter: WLANstan
          MSN: wlans...@hotmail.com
   GoogleTalk: wlans...@gmail.com
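
A small audit script, added here as an illustration and not part of Stan's post or any Aruba tooling, that parses the validuser snippet above and reports the two failure modes raised in this thread: client subnets the ACL would silently deny (Stan's and Bruce's "forgot to add the new subnet"), and infrastructure addresses such as gateways or DNS servers that fall inside a permitted range (Colleen's user-table entries). The sample config is the quoted snippet with the redacted controller network replaced by a placeholder; the client subnets and host addresses passed to audit() are constructed.

```python
import ipaddress

# Constructed sample: the validuser snippet quoted in this thread, with the
# redacted controller network replaced by a documentation-range placeholder.
SAMPLE_CONFIG = """
netdestination validwirelessnetworks
 network 10.16.0.0 255.255.0.0
 network 10.18.0.0 255.255.0.0
!
netdestination arubacontrollers
 network 192.0.2.0 255.255.255.0
!
ip access-list session validuser
 any any svc-dhcp permit
 alias validwirelessnetworks any any permit
!
"""

def permitted_sources(config):
    """Source networks the validuser ACL permits; everything else hits the implied deny."""
    dests, permitted, block = {}, [], None
    for raw in config.splitlines():
        line = raw.split("!#")[0].strip()        # strip inline '!#' comments
        if line.startswith("netdestination "):
            block = ("dest", line.split()[1])
            dests[block[1]] = []
        elif line == "ip access-list session validuser":
            block = ("acl", None)
        elif line == "!":
            block = None                         # end of the current block
        elif block and block[0] == "dest" and line.startswith("network "):
            _, addr, mask = line.split()
            dests[block[1]].append(ipaddress.IPv4Network(f"{addr}/{mask}"))
        elif block and block[0] == "acl" and line.startswith("alias ") \
                and line.endswith(" permit"):
            permitted.append(line.split()[1])   # alias used as permitted source
    return [net for alias in permitted for net in dests.get(alias, [])]

def audit(config, client_subnets, infra_hosts):
    """Return (client subnets the ACL would deny, infrastructure hosts whose
    addresses lie inside a permitted range and so would be accepted as clients)."""
    nets = permitted_sources(config)
    uncovered = [s for s in client_subnets
                 if not any(ipaddress.IPv4Network(s).subnet_of(n) for n in nets)]
    exposed = [h for h in infra_hosts
               if any(ipaddress.IPv4Address(h) in n for n in nets)]
    return uncovered, exposed
```

Run audit() after every topology change with the full list of client subnets and the gateway/DNS/server addresses; a non-empty first list means a subnet will lose all traffic after DHCP, a non-empty second list is where Colleen's more granular entries are needed.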

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Osborne, Bruce W 
[bosbo...@liberty.edu]
Sent: Friday, December 09, 2011 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...

You really need to set up your validuser ACL. The default configuration is not 
meant for a production environment.

We recently had an issue because our deny-based validuser ACL had not been 
updated when the network topology changed, adding additional subnets. Some user 
had our webmail server's address, so webmail did not work for users on that 
wireless controller.

For the short term, we have added additional denies, but we will move to a 
permit based validuser over Christmas break.

A permit based validuser ACL is Aruba's current recommendation.

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Jeff Kell [mailto:jeff-k...@utc.edu]
Sent: Thursday, December 08, 2011 3:06 PM
Subject: Re: Odd issue with Aruba wireless...

Our "validuser" isn't customized (other than denying 169.254).  We do not do a 
lot of filtering, but were set up to suppress broadcast/multicast between 
wireless clients (as you can probably tell, I'm not the Aruba detail 
configuration wizard).

The final packet captures that helped identify the real issue were only seeing 
broadcasts from the router, or broadcasts from the local client (ARPing the 
router gateway address).  It appears that the broadcast traffic that should 
have been echoed out to the wired side simply stopped.

Jeff

On 12/8/2011 2:57 PM, Colleen Szymanik wrote:

We saw similar issues.  User table entries had usernames associated with our 
DNS servers.  We did a great deal of debugging with traces, Aruba TAC and other 
customer discussions.  We have validuser ACL entries set up to prevent all this. 
It seems that occasionally devices can echo packets and inject into the user 
table.  Without protections such as validuser, it could cause connectivity 
issues depending on the role these entries receive.  The cleanest thing we've 
seen done is to define variables with all your validuser entries as a white 
list and everything else should be denied.

Colleen Szymanik
Sr. Network Engineer
ISC Networking & Telecommunications
University of Pennsylvania

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brooks, Stan
Sent: Wednesday, December 07, 2011 3:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...

Jeff -

Besides the "only affects Win7" comment, this sounds like it could be an Aruba 
"validuser" ACL issue.  If you've modified that ACL from the default of allow 
all IP addresses, it would block all but the specific allowed addresses.  The 
symptoms are user gets a valid IP address from DHCP, then all their traffic is 
blocked because their IP is not in the validuser ACL.  I get bit by that 
problem every time I add a subnet and forget to add it to the list of valid 
networks in our validuser ACL.  Just a thought...

-> Stan Brooks - CWNA/CWSP
     Emory University
     University Technology Services
     404.727.0226
AIM/Y!/Twitter: WLANstan
          MSN: wlans...@hotmail.com
   GoogleTalk: wlans...@gmail.com

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell
[jeff-k...@utc.edu]
Sent: Wednesday, December 07, 2011 2:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Odd issue with Aruba wireless...

Having a strange issue with our wireless today... wondered if it rings any 
bells...
seems to just be affecting Win7...

Clients associate with access points fine, but show "limited internet 
connectivity".

Mouse-over wireless icon and it shows "unidentified network" (same in network 
and sharing center); although list of SSIDs shows the same expected SSID as 
Connected.

Client RADIUS works fine (verified controller and radius server), dropped on 
production role.

DHCP transaction is normal, request received and ACKed.

Wireless router shows MAC address in expected vlan, and ARP entry shows 
expected IP address with the MAC.

"ipconfig /all" shows correct IP, mask, gateway, DNS, and DHCP servers.  No 
stray IPv6 or tunnel adapters.

"route print" shows all expected correct entries for wireless.  No stray IPv6 
(other than loopback and link-local).  Default points to default gateway IP.

"arp -a" does *NOT* show an entry for the default gateway, and client is unable 
to "ping" the default gateway.

I'm baffled :)

Jeff

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
