AP Firewall rules - routing takes place at L3 switch - restrict access to LAN

  • Updated 2 years ago
BYOD firewall rule
I have my AP230s set up with a single SSID using Windows 2012 RADIUS (NAP) authentication. RADIUS is set to assign my VLAN. My APs are connected to my L3 switch (Dell PC 6248P). I am using Windows DHCP, which is on my desktop & server VLAN. I have 2 RADIUS rules: one for domain computers, which assigns them to VLAN 1011, and one for BYOD (non-domain devices, but using domain user credentials), assigned to VLAN 1012. For my domain computers I want them to have full access to my LAN; routing is correctly taking place for these users.

For my BYOD devices I need help. I want them to have internet access, and possibly limited access to some services on my LAN, but for the moment I would like to limit them to internet only. I tried applying the Guest user firewall rules to my BYOD user group (which should be selected by RADIUS attribute). My BYOD devices get the correct VLAN (via RADIUS), but I don't think they are being assigned to a user group; they are going to default. The users show user profile attribute "0".

RADIUS is set to Filter-Id: 11, Tunnel-Type: VLAN, Tunnel-Medium-Type: 802, Tunnel-Pvt-Group-ID: 1012.
User groups are set to use standard attribute 11 (Filter-Id).

OK, what am I missing on the user profile assignment?
Will AP firewall rules work for me?
My default gateway is in the private IP address space and therefore, according to the Guest AP firewall rule, would be denied. Do I just need to add a rule above that permits traffic to and from this IP address?

Thank you.
Fredrick Zilz
Posted 2 years ago
Erik Gunnarsson
If you change your RADIUS reply in the NPS to return these values instead:
Tunnel-Type: GRE
Tunnel-Medium-Type: IP
Tunnel-Pvt-Group-ID: (attribute ID of the user profile)

Then Aerohive will match the user profile instead of the VLAN.
That way you could have different firewalls on different user profiles.

Normally your clients don't have the default gateway as the destination address in their IP packets (traffic within the subnet uses layer-2 addresses).
Maybe some applications try to ping the default gateway to see if they have a network connection, but normally you don't have to open it in the firewall for traffic to work.
Fredrick Zilz
OK, I resolved part of my own question. I was mixing the old and the new method. I switched to using the old method, setting RADIUS to Tunnel-Medium-Type: IP-4, Tunnel-Pvt-Group-ID: 10 for my domain computers and 11 for my BYOD systems. I then set my user profiles to match and assigned the VLAN there.

All appears to be working and the firewall rules seem to be applied.

I am having one strange issue. Both full-access domain computers and BYOD devices can browse the internet, so DNS is working even though it is currently set to my internal DNS. However, if I do an nslookup for an internal site, this fails for both my full-access and BYOD devices. Why would they get DNS from my internal DNS servers for external sites but not for internal sites?
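The two reply-attribute styles discussed above (the VLAN-style reply from the first post, and the GRE/IP style that selects a user profile, as Erik suggested and Fredrick then used) can be checked before an NPS policy goes live. The following is an added example, not Aerohive's code or anything from this thread: it models the behaviour the posts report (VLAN-style tunnel attributes assign only a VLAN and leave the device in the default profile 0; the IP-medium style selects the profile whose attribute ID matches Tunnel-Pvt-Group-ID, with the VLAN coming from that profile). The user profile table and the two sample replies are constructed; the exact matching logic of the AP is an assumption drawn from the thread.

```python
# Added example, not Aerohive's code: models how the thread describes an
# Access-Accept being consumed (802/VLAN tunnel attributes pick a VLAN, the
# GRE/IPv4 style picks a user profile that carries the VLAN and firewall
# policy), so an NPS policy's reply attributes can be checked offline.
TUNNEL_TYPE_VLAN, TUNNEL_TYPE_GRE = 13, 10   # RFC 2868 Tunnel-Type values
MEDIUM_IPV4, MEDIUM_802 = 1, 6               # RFC 2868 Tunnel-Medium-Type values

# Assumed user profile table: attribute id -> (profile name, VLAN in profile),
# following the working setup in the thread (10 = domain, 11 = BYOD).
USER_PROFILES = {10: ("Domain-Computers", 1011), 11: ("BYOD", 1012)}

def apply_access_accept(attrs, profiles=USER_PROFILES):
    """Return (user_profile_id, vlan, warnings); profile id 0 is the default
    profile, which is what "user profile attribute 0" in the post shows.
    attrs is {name: value}; NPS sends Tunnel-Pvt-Group-ID as a string."""
    warnings = []
    tt = attrs.get("Tunnel-Type")
    tm = attrs.get("Tunnel-Medium-Type")
    gid = attrs.get("Tunnel-Pvt-Group-ID")
    if gid is None:
        return 0, None, ["Tunnel-Pvt-Group-ID missing; default profile applies"]
    try:
        gid = int(gid)
    except ValueError:
        return 0, None, ["Tunnel-Pvt-Group-ID is not numeric: %r" % (gid,)]
    if tm == MEDIUM_802:
        # VLAN-style reply: the group id is a VLAN. Nothing here selects a
        # user profile, so a Filter-Id next to it is the mix-up in the post.
        if tt != TUNNEL_TYPE_VLAN:
            warnings.append("Tunnel-Medium-Type 802 expects Tunnel-Type VLAN (13)")
        if "Filter-Id" in attrs:
            warnings.append("Filter-Id is not consulted with VLAN-style tunnel "
                            "attributes; device lands in profile 0")
        return 0, gid, warnings
    if tm == MEDIUM_IPV4:
        # Profile-style reply (Erik's suggestion): the group id is the user
        # profile's attribute id and the VLAN is taken from that profile.
        if tt != TUNNEL_TYPE_GRE:
            warnings.append("Tunnel-Medium-Type IP expects Tunnel-Type GRE (10)")
        if gid not in profiles:
            return 0, None, warnings + ["no user profile with attribute id %d" % gid]
        return gid, profiles[gid][1], warnings
    return 0, None, ["unknown Tunnel-Medium-Type %r; default profile applies" % (tm,)]

# Constructed replies: the BYOD policy as first posted, and the corrected one.
ORIGINAL_BYOD_REPLY = {"Filter-Id": "11", "Tunnel-Type": 13,
                       "Tunnel-Medium-Type": 6, "Tunnel-Pvt-Group-ID": "1012"}
FIXED_BYOD_REPLY = {"Tunnel-Type": 10, "Tunnel-Medium-Type": 1,
                    "Tunnel-Pvt-Group-ID": "11"}
```

Running `apply_access_accept(ORIGINAL_BYOD_REPLY)` reproduces the symptom from the first post (VLAN 1012, profile 0, with a warning about the unused Filter-Id), while `FIXED_BYOD_REPLY` yields profile 11 and VLAN 1012 with no warnings.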
Erik Gunnarsson
Does it make any difference if you use the FQDN when you try internal names?
Have you verified that it's the internal DNS your client gets?
Fredrick Zilz
Thank you, Erik. Still working on this, but I found the root of my problem. My routing is not set up right from my L3 switch to my router. I just need to figure out how to fix it without taking down my network; it looks like a late-night job. It worked when my network was less complex, but it needs to be fixed now.