How to restrict client access when backup connection is active

  • 2
  • Question
  • Updated 5 years ago
  • Answered
Is it possible to only allow access to the backup connection (USB) for specific MAC addresses or clients? I.e. Full access to all clients when the primary connection is active, but limited connection when the primary connection is down.

The idea here is that we only want to allow critical clients to use the backup connection. All other clients would be down while the primary connection is down.

Marc LeBlanc

  • 6 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 2

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Marc,

I don't claim to be an expert in policy based routing, but I thought about your question and I came up with a solution that should work.

You can define policy based routing rules on a Branch Router to determine to which interface different traffic is sent. The most direct way I would think to implement this to fit your needs was to use User Profiles, but there may be other options for you as well. I will cover the direct set up first, then how to shape clients on your network to fit this solution.

To start, create a new Routing Policy under [Network Policy] > Additional Settings > Router Settings > Routing Policy > New (+) on the Network Policy assigned to your Branch Router. In this example I have two User Profiles assigned to my SSID; General_Access is assigned to any client that authenticates to the SSID while Preferred_Users is assigned to specific wireless clients. Using policy based routing you can specify the Primary and Backup forwarding action and I have created two rules which should cover your needs.

Example Routing Policy:


Here I have created two rules:
1) Source:User Profile(General_Access), Destination:Any, Forwarding Action:Primary WAN, Backup Forwarding Action:Drop
2) Source:User Profile(Preferred_Users), Destination:Any, Forwarding Action:Primary WAN, Backup Forwarding Action:USB
Rule one states that any users assigned to "General_Access" will be forwarded out the Primary WAN port (Eth0 in my case) but have their WAN bound traffic dropped should the BR fail over to the USB modem. Rule two simply states that should the BR fail over to the USB modem, any user assigned to "Preferred_Users" will have their WAN bound traffic forwarded to the USB modem instead of being dropped.

I have not tested this myself and while it should logically work I will gladly accept corrections to my proposed solution.

To set up your SSID to place certain clients in the Preferred_Users profile I will cover using Client Classification as it will more closely follow your request. Of course this could also be accomplished through RADIUS/802.1X or even PPSK groups.

Example Network Policy:


Here I have one SSID using RADIUS/802.1X authentication dropping to one of two User Profiles, General_Access or Preferred_Users. By default, any standard user who authenticates to this SSID does not have an attribute returned by my RADIUS server thereby placing them in the "General_Access" User Profile. However, I also have a second User Profile, "Preferred_Users" on this SSID; any user that authenticates to this SSID and meets the criteria laid out will be either redirected or placed in this User Profile. When using Client Classification to redirect users/clients to another User Profile, make sure to enable the "Enable user profile reassignment based on client classification rules" option when choosing your User Profiles when clicking "Add/Remove":



Next, select the default User Profile to which all of your clients will be receiving upon connecting to the SSID, in this case "General_Access". On this profile, expand the Client Classification Policy under Optional Settings and click the tick box for "Enable user profile reassignment based on client classification rules". Once this option is selected, you should see a field expand; clicking New will give you options to create reassignment rules based on MAC Address, Client OS type, etc. Here is where you will configure the client classification rules as you see fit.

Client Classification for Preferred_Users:


Here I have created three rules for three different wireless clients. If a client with a MAC address of aaaa:aaaa:aaaa, bbbb:bbbb:bbbb or cccc:cccc:cccc connects to this SSID, they will be reassigned to "Preferred_Users" using the client classification rules set here. You may also make redirections to any User Profile based on other metrics, but based on the description of your proposal, MAC Address seemed the most logical way to go.

So now any wireless client that connects to my SSID with any of the three above MAC addresses will be reassigned to the Preferred_Users profile, but we can also take advantage of another component in my configuration. Since I am using RADIUS/802.1X to authenticate my wireless users, all I need to do is specify that a certain user, group of users or machine(s) should return a specific attribute while authenticating (attribute 80 in my case) and they will be placed directly in the Preferred_Users profile as well.


Hope this helps
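The two-stage design in the answer above (client classification rules place a client in a User Profile, then the routing policy picks a forwarding action per profile depending on whether the primary WAN is up) can be modelled in a few lines so you can check what each client gets before and after failover. This is an added example, not HiveManager code or anything from Aerohive; the MACs are the placeholders from the answer, and "first matching rule wins" is an assumption about how the routing policy is evaluated:

```python
"""Model of: MAC -> User Profile (client classification) -> forwarding action
(policy-based routing with Primary and Backup actions).
Added example; rule evaluation order (first match wins) is an assumption."""
from dataclasses import dataclass

# Client classification rules: normalized MAC -> User Profile.
# The MACs are the placeholder values used in the answer, not real devices.
CLASSIFICATION_RULES = {
    "aaaa:aaaa:aaaa": "Preferred_Users",
    "bbbb:bbbb:bbbb": "Preferred_Users",
    "cccc:cccc:cccc": "Preferred_Users",
}
DEFAULT_PROFILE = "General_Access"   # the SSID's default User Profile


@dataclass(frozen=True)
class RoutingRule:
    source_profile: str      # "Any" or a User Profile name
    destination: str         # "Any" in both rules from the answer
    forwarding_action: str   # action while the primary WAN is up
    backup_action: str       # action once the BR has failed over to the USB modem


# The two rules from the answer, in order.
ROUTING_POLICY = [
    RoutingRule("General_Access", "Any", "Primary WAN", "Drop"),
    RoutingRule("Preferred_Users", "Any", "Primary WAN", "USB"),
]


def normalize_mac(mac):
    """Accept aaaa:aaaa:aaaa, aa:aa:aa:aa:aa:aa, AA-AA-AA-AA-AA-AA or aaaaaaaaaaaa
    and return the aaaa:aaaa:aaaa form used in the classification rules."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def classify(mac):
    """Client classification: a MAC match reassigns the client, otherwise the default applies.
    Note that MAC-based classification identifies a device, not a user; the RADIUS
    attribute route mentioned in the answer is the stronger way to classify clients."""
    return CLASSIFICATION_RULES.get(normalize_mac(mac), DEFAULT_PROFILE)


def forwarding_action(profile, primary_up, policy=ROUTING_POLICY):
    """Return the action the first matching rule gives for this WAN state,
    or None if no rule matches, so an uncovered profile is visible rather than hidden."""
    for rule in policy:
        if rule.source_profile in ("Any", profile):
            return rule.forwarding_action if primary_up else rule.backup_action
    return None


def decide(mac, primary_up):
    """(User Profile, forwarding action) for a client MAC in the given WAN state."""
    profile = classify(mac)
    return profile, forwarding_action(profile, primary_up)


if __name__ == "__main__":
    for mac in ("aaaa:aaaa:aaaa", "dd:dd:dd:dd:dd:dd"):
        for up in (True, False):
            print(mac, "primary up" if up else "failover", decide(mac, up))
```

Running it shows the intended split: the listed MACs keep WAN access over USB after failover, everything else is dropped, and both groups use the primary WAN while it is up. A profile with no matching routing rule returns None, which is worth checking for when more User Profiles are added later.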

Marc LeBlanc

  • 6 Posts
  • 0 Reply Likes
Thanks for the very detailed answer Brian! I don't think I've ever seen such a thorough explanation anywhere else.

Is this method also possible for LAN clients? We're planning on having a home automation controller directly attached to the Aerohive via Ethernet. This would be one of the clients that would need to be a Preferred_User. However, all other LAN clients directly attached to the Aerohive (or behind a switch) would only have General_Access.

Thanks again for the great support!

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Eric,

When you say "all other LAN clients directly attached to the Aerohive", are you referring to an AP, BR or Aerohive switch? Since your previous post referred to a Branch Router I will give my response based on that platform, but correct me if I misread you.

I have been thinking about what you asked and I think I have come up with a solution that may or may not solve your dilemma for your wired clients. Our Branch Routers and SR series switches have the capability to perform primary MAC authentication on wired switchports, something that solves the problem of trying to classify your wired clients. Using MAC/802.1X authentication on the switchport lets us assign an "Auth OK" and "Auth Fail" User Profile. This way we can perform MAC authentication on select wired clients to classify them as "Preferred Users" and let all other clients fail, placing them in the General Access User Profile.

Here is how I have drafted this up in my lab; I tested this earlier and it worked like a charm.


Expand your Branch Router or SR Switch template, select the ports on which you wish to configure MAC Authentication, then click configure.


This will present you with the ability to Choose Port Type for the selected ports, click New. On the Edit Port Types sections, give the new object a name, select Access as the Port Type, tick the checkbox next to "Primary authentication using ____", select "MAC", via "PAP" protocol. Make sure that your "User Profile Application Sequence" under Optional Settings is set to "MAC Authentication - LAN - CWP" and click Save.


After saving your new port type, make sure it is selected in "Choose Port type", then click OK.


You can create your RADIUS client object by clicking " and clicking New. Give the RADIUS client object a name, untick the checkbox for "Obtain an Aerohive RADIUS server address through DHCP options" which will present you with a series of fields to define your RADIUS server location and secret. Enter the Mgt0 IP address of your branch router, leave the Shared Secret fields blank and click Apply, then Save.


You can now assign your Default, Auth OK, and Auth Fail User Profiles:

Auth OK User Profile: Preferred_Users


Auth Fail User Profile: General_Access


You can then assign this Port Type to the Ethernet ports to which your preferred wired clients are connected on your Branch Router or SR switch.

If you don't have a RADIUS server on your network to use for MAC authentication, you can easily set up your Branch Router to do this for you. Navigate to your Network Policy > Additional Settings > Router Settings > RADIUS Service and click New (+). Give this object a name, expand Database Settings, make sure Local Database is checked and click New (+) under "Available Local User Groups". Give this object a name, select "RADIUS users" for the User Type, fill out the User Profile Attribute and VLAN ID you used on your Preferred_Users profile and click Save.


Once you have saved the new Local User Group, move it over from "Available Local User Groups" to Selected Local User Groups and save your RADIUS Server object.


Once your RADIUS Server object has been saved, make sure you select it in the RADIUS Service drop down box, then save your changes to Additional Settings.


Now that your RADIUS Server is set up, you need to create your local users so that MAC Auth can be performed when your preferred wired clients connect to your Branch Router or SR switch. To do this, navigate to "Configuration > Advanced Configuration > Authentication > Local Users" and click New. For each MAC auth "user" you create, be sure to select the Local User Group you created and tied to your Preferred_Users profile and enter the MAC Address of your preferred wired clients in lowercase without delimiters.


Do this for as many preferred wired devices as you require.


Now the only caveat is that this will only work if your wired clients are connected to an Aerohive Branch Router or SR series switch. Unfortunately, if you have your wired clients connected through a third-party switch to your Branch Router, this will not work as the BR will receive the MAC address of the far switchport instead of the wired client. But if you only have a few preferred wired clients you could set up 1-3 of the Ethernet ports on the Branch Router as Access ports with MAC auth to solve this problem (obviously if you own a SR series switch this should not be an issue).

Let me know if this doesn't solve your issue.

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Sorry Marc, I meant to address that response to you, not whoever Eric is :)

One more thing to note, if your configuration is working properly, you should see the following in your Client Monitor:

Preferred client connecting
05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (59)MAC auth is starting (at if=eth4)
05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars DETAIL (60)RADIUS: accepted user 'aaaaaaaaaaaa' through the NAS at 10.1.150.1.
05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (61)Open auth is starting (at if=eth4)
05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars BASIC (62)Authentication is successfully finished (at if=eth4)
05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (63)station sent out DHCP REQUEST message
05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (64)DHCP server sent out DHCP OFFER message to station
05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (65)station sent out DHCP REQUEST message
05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (66)DHCP server sent out DHCP ACKNOWLEDGE message to station
05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars BASIC (67)DHCP session completed for station
05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars BASIC (68)IP 10.1.100.100 assigned for station

Non-preferred client connecting:
05/02/2013 03:23:35 PM dddddddddddd 08EA44XXXXXX Mars INFO (72)MAC auth is starting (at if=eth4)
05/02/2013 03:23:35 PM dddddddddddd 08EA44XXXXXX Mars DETAIL (73)RADIUS: rejected user 'dddddddddddd' through the NAS at 10.1.150.1.
05/02/2013 03:23:35 PM dddddddddddd 08EA44XXXXXX Mars INFO (74)Open auth is starting (at if=eth4)
05/02/2013 03:23:35 PM dddddddddddd 08EA44XXXXXX Mars BASIC (75)Authentication is successfully finished (at if=eth4)
05/02/2013 03:23:36 PM dddddddddddd 08EA44XXXXXX Mars INFO (76)station sent out DHCP REQUEST message
05/02/2013 03:23:36 PM dddddddddddd 08EA44XXXXXX Mars INFO (77)DHCP server sent out DHCP ACKNOWLEDGE message to station
05/02/2013 03:23:36 PM dddddddddddd 08EA44XXXXXX Mars BASIC (78)DHCP session completed for station
05/02/2013 03:23:36 PM dddddddddddd 08EA44XXXXXX Mars BASIC (79)IP 10.1.100.101 assigned for station
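The Client Monitor output above is the place to verify that the MAC-auth port type is doing what the earlier post describes: an "accepted" RADIUS line means the station landed in the Auth OK profile, a "rejected" line means the Auth Fail profile. The following is an added example (not Aerohive code) that summarises such log lines per station; the line format is inferred from the lines posted in this thread, the sample input is taken from those lines plus one constructed station (eeeeeeeeeeee) whose session shows MAC auth starting but no RADIUS decision at all, which the summary flags so the operator can check the RADIUS service configuration rather than assume a profile:

```python
"""Per-station summary of Aerohive Client Monitor lines: which RADIUS verdict
(if any) MAC auth produced, on which interface, through which NAS, and the IP assigned.
Added example; the line format is inferred from the lines posted in this thread."""
import re
from collections import OrderedDict

# <date> <time> <AM/PM> <station MAC> <device MAC> <hostname> <level> (<seq>)<message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"(?P<station>\S+) (?P<device>\S+) (?P<host>\S+) (?P<level>\S+) "
    r"\((?P<seq>\d+)\)(?P<msg>.*)$"
)
RADIUS_RE = re.compile(
    r"RADIUS: (?P<verdict>accepted|rejected) user '(?P<user>[^']+)' "
    r"through the NAS at (?P<nas>\d+(?:\.\d+){3})"
)
IFACE_RE = re.compile(r"\(at if=(?P<iface>\w+)\)")
IP_RE = re.compile(r"^IP (?P<ip>\S+) assigned for station")

# Profile each verdict maps to under the Auth OK / Auth Fail assignment described above.
PROFILE_BY_VERDICT = {"accepted": "Preferred_Users", "rejected": "General_Access"}
NO_DECISION = "UNKNOWN: MAC auth started but no RADIUS decision was logged"


def parse_line(line):
    """Split one Client Monitor line into fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    return rec


def summarize(lines):
    """Return ({station_mac: summary}, unparsed_count) in first-seen order.
    Non-matching non-blank lines are counted instead of being silently dropped."""
    stations = OrderedDict()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += bool(line.strip())
            continue
        s = stations.setdefault(rec["station"], {
            "mac_auth_started": False, "verdict": None, "profile": None,
            "nas": None, "iface": None, "ip": None, "events": 0})
        s["events"] += 1
        msg = rec["msg"]
        if msg.startswith("MAC auth is starting"):
            s["mac_auth_started"] = True
            im = IFACE_RE.search(msg)
            s["iface"] = im.group("iface") if im else None
        rm = RADIUS_RE.search(msg)
        if rm:
            s["verdict"] = rm.group("verdict")
            s["nas"] = rm.group("nas")
            s["profile"] = PROFILE_BY_VERDICT[rm.group("verdict")]
        ipm = IP_RE.match(msg)
        if ipm:
            s["ip"] = ipm.group("ip")
    for s in stations.values():
        if s["mac_auth_started"] and s["verdict"] is None:
            s["profile"] = NO_DECISION
    return stations, unparsed


# Sample input: lines from this thread plus one constructed station (eeeeeeeeeeee)
# that never gets a RADIUS line. Device MAC and NAS address are the thread's placeholders.
SAMPLE_LOG = "\n".join([
    "05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars INFO (59)MAC auth is starting (at if=eth4)",
    "05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars DETAIL (60)RADIUS: accepted user 'aaaaaaaaaaaa' through the NAS at 10.1.150.1.",
    "05/02/2013 03:22:30 PM aaaaaaaaaaaa 08EA44XXXXXX Mars BASIC (68)IP 10.1.100.100 assigned for station",
    "05/02/2013 03:23:35 PM dddddddddddd 08EA44XXXXXX Mars INFO (72)MAC auth is starting (at if=eth4)",
    "05/02/2013 03:23:35 PM dddddddddddd 08EA44XXXXXX Mars DETAIL (73)RADIUS: rejected user 'dddddddddddd' through the NAS at 10.1.150.1.",
    "05/02/2013 03:23:36 PM dddddddddddd 08EA44XXXXXX Mars BASIC (79)IP 10.1.100.101 assigned for station",
    "05/02/2013 03:25:01 PM eeeeeeeeeeee 08EA44XXXXXX Mars INFO (80)MAC auth is starting (at if=eth1)",
    "05/02/2013 03:25:02 PM eeeeeeeeeeee 08EA44XXXXXX Mars BASIC (82)Authentication is successfully finished (at if=eth1)",
    "05/02/2013 03:25:05 PM eeeeeeeeeeee 08EA44XXXXXX Mars BASIC (89)IP 10.1.100.102 assigned for station",
])

if __name__ == "__main__":
    result, bad = summarize(SAMPLE_LOG.splitlines())
    for mac, s in result.items():
        print(mac, s["iface"], s["verdict"], s["profile"], s["nas"], s["ip"])
    print("unparsed lines:", bad)
```

"Authentication is successfully finished" appears for both accepted and rejected stations (open auth follows MAC auth either way), so that line alone says nothing about the profile; only the RADIUS verdict line does, which is why the summary keys off it and reports its absence explicitly.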

Marc LeBlanc

  • 6 Posts
  • 0 Reply Likes
Thanks again for the help Brian. I finally got to trying out your great guides on my Aerohive branch router but I seem to be missing something. I hope I didn't send you on the wrong path with my questions.

The model number I have is the BR100.

My routing policy screen is different than what you show in your screenshots. As such, I can't configure it as you explained.



Please advise if this model can support my requirements. We may need to inquire about obtaining a BR200 model...

Thanks again,
Marc

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Sorry Marc, I should have mentioned that I configured the above policies on our 6.0r2a HiveManager. It looks like you are using HiveManager 5.1rX which does not support the primary/backup traffic forwarding introduced in 6.0. If you upgrade your HiveManager and BR100 to 6.0r2a you will be able to set the configuration as I have done, you do not need a BR200.

Marc LeBlanc

  • 6 Posts
  • 0 Reply Likes
Hi Brian,

Forgive my ignorance but how do I go about upgrading my HiveManager version? We're currently evaluating the product from Verizon...

This is the screen that I get when I click on the update software screen:



Thanks again for the prompt support!

Marc

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Marc,

If you have a HMOL account you will need to open a support case to request that you be upgraded to version 6.0r2a. As an evaluator you are entitled to request assistance from our support team or through an Aerohive Partner. If you are in the US/Canada (which I assume you are due to your evaluating through Verizon) or Central/South America you may contact our ATAC team directly. Detailed information on how to contact Support can be found on our website.

A thread with detailed information on the 6.0r2a upgrade can be found here.

Marc LeBlanc

  • 6 Posts
  • 0 Reply Likes
Hi Brian,

I finally got my BR100 updated to the latest version and implemented everything you wrote up. Unfortunately, it doesn't seem like I configured my RADIUS server settings correctly since MAC Auth is not going through RADIUS. I reread through your steps many times and went through all the settings in my HiveManager...

Here's a snip of my client monitor log for my LAN client (should go in as preferred):

05/13/2013 09:37:39 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (0)MAC auth is starting (at if=eth1)
05/13/2013 09:37:48 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (1)Open auth is starting (at if=eth1)
05/13/2013 09:37:48 PM aaaaaaaaaaaa 08EA44XXXXXX Hive BASIC (2)Authentication is successfully finished (at if=eth1)
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (3)station sent out DHCP DISCOVER message
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (4)station sent out DHCP DISCOVER message
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (5)DHCP server sent out DHCP OFFER message to station
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (6)station sent out DHCP REQUEST message
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive INFO (7)DHCP server sent out DHCP ACKNOWLEDGE message to station
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive BASIC (8)DHCP session completed for station
05/13/2013 09:37:52 PM aaaaaaaaaaaa 08EA44XXXXXX Hive BASIC (9)IP 172.28.0.15 assigned for station

Thanks again,
Marc

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Marc,

That looks correct to me, you can see that MAC auth is starting and finishing successfully (lines 0-2). If you look at my example above, you will see the same behavior.

Are your preferred clients not being placed in the correct VLAN? If not, can you please post screenshots of the port configuration on your BR100?

Marc LeBlanc

  • 6 Posts
  • 0 Reply Likes
Hi Brian,

I don't see the RADIUS line in my log so I can't tell if the MAC was accepted (Preferred) or rejected (General). I thought I found a screen in the HMOL at some point that showed what User Profile a client was assigned to. But I can't find it anymore.

This is the line from your log that I don't see in mine:

05/02/2013 03:22:27 PM aaaaaaaaaaaa 08EA44XXXXXX Mars DETAIL (60)RADIUS: accepted user 'aaaaaaaaaaaa' through the NAS at 10.1.150.1.

Here's my port configuration:



And my port type:


Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Marc,

My apologies for the long delay, I never was able to follow up with regards to this issue. Unfortunately this has reached the point that trying to work this issue further through the community would not be practical. If you have not done so already, I would recommend opening a support case with our ATAC team. For more details on reaching out to our support team please have a look at our website.

While we were unfortunately not able to resolve your issue online our ATAC team should be able to assist you further if this is still an issue.

Best regards,
Brian