Portal


Anfos Sin

Jul 8, 2024, 8:56:51 PM
to stirtefulju

I currently have a pre-authentication role with specific policies to allow services from these IP addresses but deny access to other networks (subnets), and a post-authentication role with specific policies that are set up the same way.

The local controller IP addresses are allowed for DNS, HTTP and HTTPS (priority 1), with deny policies below them for the corporate networks (subnets). I was told that I should design it the opposite way: deny all communication and only allow access to the controllers and the bare minimum for guest access. When I tried adding a deny-all rule to the policy, the captive portal did not work.

You cannot deny everything and then allow the desired traffic. In Aruba (or almost all ACL structures), as soon as you hit the first match, the rest of the statements are not evaluated. So, if you have deny any any at the top, the conditions below it will never be evaluated.

That's the beauty of Aruba! You won't create it for an individual network, but rather for a user role. If a role type is guest, you can apply your policies to the role and assign it to as many SSIDs as you want.

According to my manager it can be done, but I do not know how with the Aruba technology. Should I put in a rule that allows DNS from any source and make that rule a priority, just like the controller IP address rules are a priority?

So what your manager is saying is technically achievable, but it is always the other way around, i.e. allow the desired traffic and then deny everything. If you are denying everything, any allow statement after that will never be evaluated. Statements are always evaluated top to bottom.

I was told by Aruba Support, and it is true, that for post-authentication policies one will need a permit any, any, any rule at the bottom of the policy (in the post-auth role). That permit rule is required because if I remove it, then no internet or anything else (SSH, apps on the phone) will work at all.

I even added a few any-source, any-destination, service HTTP (and HTTPS), permit rules in place of the any permit rule, and that did not help. The captive portal needed the any, any, any permit rule. Is there anything else I can try?

What I did before was add a couple of network deny rules above the any, any, any permit rule. But that was before I found out that we have hundreds of different network subnets. Is there a better way to protect our network in the post-authenticated role?

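The first-match behaviour discussed in this thread is easy to check mechanically. The following Python model is an added example written for this page; it is not Aruba code and does not come from any of the posters. It models a user-role ACL as an ordered list of rules with source, destination and service, evaluates a flow top to bottom and stops at the first hit (with an implicit deny when nothing matches), and flags rules that can never fire because an earlier rule already matches everything they would. The controller address 10.0.0.5, the two corporate subnets, the guest client address and the internet host are all constructed sample values; real Aruba roles also use aliases and session-ACL semantics that this simplified model does not reproduce.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL entry in the order it appears in the role."""
    action: str    # "permit" or "deny"
    src: str       # CIDR string or "any"
    dst: str       # CIDR string or "any"
    service: str   # "dns", "http", "https", ... or "any"


def _matches(cidr: str, ip: str) -> bool:
    """True if the address falls inside the rule's network ("any" matches everything)."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, service: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, index) of the first matching rule.

    Nothing matching falls through to the implicit deny, reported as ("deny", None).
    """
    for idx, rule in enumerate(rules):
        if (_matches(rule.src, src_ip) and _matches(rule.dst, dst_ip)
                and rule.service in ("any", service)):
            return rule.action, idx
    return "deny", None


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule matches a superset of their traffic."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.service in ("any", later.service)):
                dead.append(i)
                break
    return dead


# Constructed sample topology (not from the thread).
CONTROLLER = "10.0.0.5/32"
CORP_NETS = ("10.10.0.0/16", "10.20.0.0/16")
GUEST_CLIENT = "192.168.50.10"
INTERNET_HOST = "203.0.113.7"   # documentation range, stands in for "the internet"

# The ordering the poster tried: deny everything, then allow the controller.
DENY_FIRST = [
    Rule("deny", "any", "any", "any"),
    Rule("permit", "any", CONTROLLER, "dns"),
    Rule("permit", "any", CONTROLLER, "http"),
    Rule("permit", "any", CONTROLLER, "https"),
]

# The ordering the replies recommend: allow the portal, deny corporate subnets, permit the rest.
ALLOW_FIRST = [
    Rule("permit", "any", CONTROLLER, "dns"),
    Rule("permit", "any", CONTROLLER, "http"),
    Rule("permit", "any", CONTROLLER, "https"),
    Rule("deny", "any", CORP_NETS[0], "any"),
    Rule("deny", "any", CORP_NETS[1], "any"),
    Rule("permit", "any", "any", "any"),
]

if __name__ == "__main__":
    print("deny-first, guest -> controller http:", evaluate(DENY_FIRST, GUEST_CLIENT, "10.0.0.5", "http"))
    print("deny-first shadowed rules:", shadowed(DENY_FIRST))
    print("allow-first, guest -> controller http:", evaluate(ALLOW_FIRST, GUEST_CLIENT, "10.0.0.5", "http"))
    print("allow-first, guest -> corporate host:", evaluate(ALLOW_FIRST, GUEST_CLIENT, "10.10.3.4", "https"))
    print("allow-first, guest -> internet:", evaluate(ALLOW_FIRST, GUEST_CLIENT, INTERNET_HOST, "https"))
    print("allow-first without the trailing permit, guest -> internet:",
          evaluate(ALLOW_FIRST[:-1], GUEST_CLIENT, INTERNET_HOST, "https"))
```

Running `shadowed()` over a candidate role before pushing it is the cheap check that catches the deny-first mistake: every rule below a `deny any any any` comes back as unreachable. Dropping the trailing permit from the second list shows the other symptom from the thread, since flows to the internet then fall through to the implicit deny.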