Understanding Basic System Defaults

The default administrator user name is admin, and the password should be set up during the initial setup dialog. The ArubaOS software includes several predefined network services, firewall policies, and roles.

Predefined Network Services

The following table lists the predefined network services and their protocols and ports.

Table 1: Predefined Network Services

Name               Protocol   Port(s)
-----------------  ---------  ----------
svc-dhcp           udp        67 68
svc-snmp-trap      udp        162
svc-smb-tcp        tcp        445
svc-https          tcp        443
svc-ike            udp        500
svc-l2tp           udp        1701
svc-syslog         udp        514
svc-pptp           tcp        1723
svc-telnet         tcp        23
svc-sccp           tcp        2000
svc-tftp           udp        69
svc-sip-tcp        tcp        5060
svc-kerberos       udp        88
svc-pop3           tcp        110
svc-adp            udp        8200
svc-noe            udp        32512
svc-noe-oxo        udp        5000
svc-dns            udp        53
svc-msrpc-tcp      tcp        135 139
svc-rtsp           tcp        554
svc-http           tcp        80
svc-vocera         udp        5002
svc-nterm          tcp        1026 1028
svc-sip-udp        udp        5060
svc-papi           udp        8211
svc-ftp            tcp        21
svc-natt           udp        4500
svc-svp            119        0
svc-gre            gre        0
svc-smtp           tcp        25
svc-smb-udp        udp        445
svc-esp            esp        0
svc-bootp          udp        67 69
svc-snmp           udp        161
svc-icmp           icmp       0
svc-ntp            udp        123
svc-msrpc-udp      udp        135 139
svc-ssh            tcp        22
svc-h323-tcp       tcp        1720
svc-h323-udp       udp        1718 1719
svc-http-proxy1    tcp        3128
svc-http-proxy2    tcp        8080
svc-http-proxy3    tcp        8888
svc-sips           tcp        5061
svc-v6-dhcp        udp        546 547
svc-v6-icmp        icmp       0
any                any        0

Predefined Policies

The following table lists predefined policies.

Table 2: Predefined Policies

Each entry gives the predefined policy, its rules (indented), and a description.

ip access-list session allowall
  any any any permit
An "allow all" firewall rule that permits all traffic.

ip access-list session control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-papi permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
Controls traffic. Apply to untrusted wired ports to allow Aruba APs to boot up.
NOTE: In most cases wired ports should be made "trusted" when attached to an internal network.

ip access-list session captiveportal
  user alias mswitch svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
Enables captive portal authentication.
1. Any HTTPS traffic destined for the managed device will be routed through NAT to port 8081, where the captive portal server will answer.
2. All HTTP traffic to any destination will be routed through NAT to the managed device on port 8080, where an HTTP redirect will be issued.
3. All HTTPS traffic to any destination will be routed through NAT to the managed device on port 8081, where an HTTP redirect will be issued.
4. All HTTP proxy traffic will be routed through NAT to the managed device on port 8088.
NOTE: In order for captive portal to work properly, DNS must also be permitted. This is normally done in the "logon-control" firewall rule.

ip access-list session cplogout
  user alias mswitch svc-https dst-nat 8081
Used to enable the captive portal "logout" window. If the user attempts to connect to the managed device on the standard HTTPS port (443), the client will be routed through NAT to port 8081, where the captive portal server will answer. If this rule is not present, a wireless client may be able to access the managed device's administrative interface.

ip access-list session vpnlogon
  any any svc-ike permit
  any any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
This policy permits VPN sessions to be established to any destination. IPsec (IKE, ESP, and L2TP) and PPTP (PPTP and GRE) are supported.

ip access-list session ap-acl
  any any udp 5000 5555 permit
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
This is a policy for internal use and should not be modified. It permits APs to boot up and communicate with the managed device.

ip access-list session validuser
  any any any permit
This firewall rule controls which users will be added to the user table of the managed device through untrusted interfaces. Only IP addresses permitted by this ACL will be admitted to the system for further processing. If a client device attempts to use an IP address that is denied by this rule, the client device will be ignored by the managed device and given no network access. You can use this rule to restrict foreign IP addresses from being added to the user table.
This policy is an internal system policy and should not be applied to any user role.

ip access-list session vocera-acl
  any any svc-vocera permit queue high
Use for Vocera VoIP devices to automatically permit and prioritize Vocera traffic.

ip access-list session icmp-acl
  any any svc-icmp permit
Permits all ICMP traffic.

ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
Use for SIP VoIP devices to automatically permit and prioritize all SIP control and data traffic.

ip access-list session https-acl
  any any svc-https permit
Permits all HTTPS traffic.

ip access-list session dns-acl
  any any svc-dns permit
Permits all DNS traffic.

ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
The default pre-authentication role that should be used by all wireless clients. Prohibits the client from acting as a DHCP server. Permits all ICMP, DNS, and DHCP. Also permits IPsec NAT-T (UDP 4500). Remove NAT-T if not needed.

ip access-list session srcnat
  user any any src-nat
This policy can be used to source-NAT all traffic. Because no NAT pool is specified, traffic that matches this policy will be source-NATed to the IP address of the managed device.

ip access-list session skinny-acl
  any any svc-sccp permit queue high
Use for Cisco Skinny VoIP devices to automatically permit and prioritize VoIP traffic.

ip access-list session tftp-acl
  any any svc-tftp permit
Permits all TFTP traffic.

ip access-list session guest
This policy is not used.

ip access-list session dhcp-acl
  any any svc-dhcp permit
Permits all DHCP traffic. If DHCP is not allowed, clients will not be able to request or renew IP addresses.

ip access-list session http-acl
  any any svc-http permit
Permits all HTTP traffic.

ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
Use for Spectralink VoIP devices to automatically permit and prioritize Spectralink Voice Protocol.

ip access-list session noe-acl
  any any svc-noe permit queue high
Use for Alcatel NOE VoIP devices to automatically permit and prioritize NOE traffic.

ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
Use for H.323 VoIP devices to automatically permit and prioritize H.323 traffic.

ipv6 access-list session v6-control
  user any udp 68 deny
  any any svc-v6-icmp permit
  any any svc-v6-dhcp permit
  any any svc-dns permit
  any any svc-tftp permit
Provides equivalent functionality to the "control" policy, but for IPv6 clients.

ipv6 access-list session v6-icmp-acl
  any any svc-v6-icmp permit
Permits all ICMPv6 traffic.

ipv6 access-list session v6-https-acl
  any any svc-https permit
Permits all IPv6 HTTPS traffic.

ipv6 access-list session v6-dhcp-acl
  any any svc-v6-dhcp permit
Permits all IPv6 DHCP traffic.

ipv6 access-list session v6-dns-acl
  any any svc-dns permit
Permits all IPv6 DNS traffic.

ipv6 access-list session v6-allowall
  any any any permit
Permits all IPv6 traffic.

ipv6 access-list session v6-http-acl
  any any svc-http permit
Permits all IPv6 HTTP traffic.

ipv6 access-list session v6-tftp-acl
  any any svc-tftp permit
Permits all IPv6 TFTP traffic.

ipv6 access-list session v6-logon-control
  user any udp 68 deny
  any any svc-v6-icmp permit
  any any svc-v6-dhcp permit
  any any svc-dns permit
Provides equivalent functionality to the "logon-control" policy, but for IPv6 clients.
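The rule order inside a policy, and the policy order inside a role, decide which rule a flow hits first. The following is an added example, not ArubaOS code: a small first-match evaluator for the rule syntax used above, loaded with the logon-control and captiveportal policies of the guest-logon role. The Flow and Rule types, the client address 203.0.113.7 and the first-match/implicit-deny semantics are modelling assumptions.

```python
"""Added example (not ArubaOS code): first-match evaluation of session ACL rules
in the syntax of the predefined policies above. Assumptions: a role's policies
are tried in listed order, the first matching rule decides, an unmatched flow is
denied, and two literal ports ("udp 5000 5555") form an inclusive range.
"""
from dataclasses import dataclass

# Subset of Table 1, constructed inline: service name -> (protocol, port set).
SERVICES = {
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
    "svc-icmp": ("icmp", set()),
    "svc-natt": ("udp", {4500}),
    "svc-http": ("tcp", {80}),
    "svc-https": ("tcp", {443}),
    "svc-http-proxy1": ("tcp", {3128}),
    "svc-http-proxy2": ("tcp", {8080}),
    "svc-http-proxy3": ("tcp", {8888}),
    "any": ("any", set()),
}

@dataclass(frozen=True)
class Flow:
    from_user: bool  # True when the source is an entry in the user table
    dst: str         # "mswitch" for the managed device, otherwise an IP string
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: frozenset  # empty set means "any port"
    action: str
    args: str

def parse_rule(line: str) -> Rule:
    """Parse '<src> <dst> <service | proto port [port]> <action> [args]'."""
    tok = line.split()
    src = tok[0]
    if tok[1] in ("alias", "host"):  # two-token destination, e.g. "alias mswitch"
        dst, tok = f"{tok[1]} {tok[2]}", tok[3:]
    else:
        dst, tok = tok[1], tok[2:]
    if tok[0] in SERVICES:           # named service from Table 1
        proto, ports = SERVICES[tok[0]]
        tok = tok[1:]
    else:                            # literal protocol followed by one port or a range
        proto, tok = tok[0], tok[1:]
        nums = []
        while tok and tok[0].isdigit():
            nums.append(int(tok.pop(0)))
        ports = set(range(nums[0], nums[-1] + 1)) if nums else set()
    return Rule(src, dst, proto, frozenset(ports), tok[0], " ".join(tok[1:]))

def matches(rule: Rule, f: Flow) -> bool:
    if rule.src == "user" and not f.from_user:
        return False
    if rule.dst == "alias mswitch" and f.dst != "mswitch":
        return False
    if rule.dst.startswith("host ") and f.dst != rule.dst.split()[1]:
        return False
    if rule.proto not in ("any", f.proto):
        return False
    return not rule.ports or f.dport in rule.ports

def evaluate(policies, f: Flow):
    """Return (action, args) of the first matching rule across the policies, else deny."""
    for rules in policies:
        for r in rules:
            if matches(r, f):
                return r.action, r.args
    return "deny", ""

LOGON_CONTROL = [parse_rule(line) for line in (
    "user any udp 68 deny",
    "any any svc-icmp permit",
    "any any svc-dns permit",
    "any any svc-dhcp permit",
    "any any svc-natt permit",
)]
CAPTIVEPORTAL = [parse_rule(line) for line in (
    "user alias mswitch svc-https dst-nat 8081",
    "user any svc-http dst-nat 8080",
    "user any svc-https dst-nat 8081",
    "user any svc-http-proxy1 dst-nat 8088",
    "user any svc-http-proxy2 dst-nat 8088",
    "user any svc-http-proxy3 dst-nat 8088",
)]
GUEST_LOGON = [LOGON_CONTROL, CAPTIVEPORTAL]  # policy order of the guest-logon role
# Same rules as logon-control, but with the DHCP-server deny moved after the permits.
MISORDERED = [LOGON_CONTROL[1:] + LOGON_CONTROL[:1]]
```

Evaluating a client that answers DHCP (udp/68 towards another host) against GUEST_LOGON returns deny from the first logon-control rule, while the same flow against MISORDERED is permitted by svc-dhcp, which is why the deny rule comes first. HTTP to any destination falls through logon-control and is caught by the captiveportal dst-nat 8080 rule, and a flow with no matching rule (for example tcp/22) ends in the implicit deny.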

Validuser and Logon-control ACLs

Default firewall rules for both the validuser and logon-control ACLs prevent malicious users by blocking self-assigned IPs.

A client with the correct source address can send traffic to the networks below as a destination IP address. The default firewall rules deny traffic FROM the reserved addresses.

The following networks can be blocked by the default firewall rules in both the validuser and logon-control ACLs:

Packets whose source address is the broadcast address (source address == 255.255.255.255)

Packets whose source address is on a multicast network (source address = 224.0.0.0 – 239.255.255.255)

Packets whose source address is a loopback address (127.0.0.1 through 127.255.255.254)

Packets whose source or destination address is a link-local address (169.254.0.0/16)

Packets whose source or destination address is "reserved for future use" as specified in RFC 5735 for IPv4 (240.0.0.0/4)

Packets whose source or destination address is the "unspecified address" (::/128) or an address "reserved for future definition and use" (addresses other than 2000::/3) as specified in RFC 3513 for IPv6. The IPv6 unspecified address (::/128) is currently checked in the datapath and the packet is dropped. This is the default behavior; you can view the logs by enabling the firewall enable-per-packet-logging configuration.
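To make the list above testable, the following added example (not ArubaOS code) applies the same source-only and source-or-destination checks to constructed packets with Python's ipaddress module. The verdict strings, the check order and the sample addresses are this example's own choices.

```python
"""Added example (not ArubaOS code): the reserved-address checks listed above,
applied to a packet's source and destination so they can be tested on
constructed addresses. Checks run in the order given above; the first one that
fires is the verdict, and a packet whose addresses pass returns None.
"""
import ipaddress
from typing import Optional

IPV4_BROADCAST = ipaddress.ip_address("255.255.255.255")
IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")    # 224.0.0.0 - 239.255.255.255
IPV4_LOOPBACK_LOW = ipaddress.ip_address("127.0.0.1")
IPV4_LOOPBACK_HIGH = ipaddress.ip_address("127.255.255.254")
IPV4_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
IPV4_FUTURE_USE = ipaddress.ip_network("240.0.0.0/4")   # RFC 5735 "reserved for future use"
IPV6_UNSPECIFIED = ipaddress.ip_address("::")
IPV6_ASSIGNED = ipaddress.ip_network("2000::/3")        # everything else: RFC 3513 "reserved"


def reserved_address_verdict(src: str, dst: str) -> Optional[str]:
    """Return why the packet is dropped, or None if src and dst pass all checks."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        return "mixed IPv4/IPv6 addresses"
    if s.version == 4:
        # Source-only checks: a multicast or broadcast destination is legitimate
        # (the svp-acl policy above permits traffic to host 224.0.1.116).
        if s == IPV4_BROADCAST:
            return "broadcast source address"
        if s in IPV4_MULTICAST:
            return "multicast source address"
        if IPV4_LOOPBACK_LOW <= s <= IPV4_LOOPBACK_HIGH:
            return "loopback source address"
        # Source-or-destination checks.
        if s in IPV4_LINK_LOCAL or d in IPV4_LINK_LOCAL:
            return "link-local source or destination address"
        if s in IPV4_FUTURE_USE or d in IPV4_FUTURE_USE:
            return "RFC 5735 reserved-for-future-use source or destination address"
        return None
    if s == IPV6_UNSPECIFIED or d == IPV6_UNSPECIFIED:
        return "unspecified IPv6 address (::/128)"
    if s not in IPV6_ASSIGNED or d not in IPV6_ASSIGNED:
        return "IPv6 address outside 2000::/3 (reserved per RFC 3513)"
    return None


# Constructed sample packets (src, dst); not captured traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1"),              # ordinary client traffic
    ("255.255.255.255", "10.0.0.1"),       # self-assigned broadcast source
    ("224.0.0.5", "10.0.0.1"),             # multicast source
    ("10.0.0.5", "224.0.1.116"),           # multicast destination: passes these checks
    ("127.0.0.1", "10.0.0.1"),             # loopback source
    ("169.254.10.20", "10.0.0.1"),         # link-local (self-assigned) source
    ("10.0.0.5", "240.1.2.3"),             # destination in 240.0.0.0/4
    ("2001:db8::10", "2001:db8::1"),       # ordinary IPv6 client traffic
    ("::", "2001:db8::1"),                 # unspecified source
    ("2001:db8::10", "4000::1"),           # destination outside 2000::/3
]


def audit(packets):
    """Return [(src, dst, verdict)] for each packet; verdict is None when it passes."""
    return [(s, d, reserved_address_verdict(s, d)) for s, d in packets]


def dropped(packets):
    """Return only the packets the checks would drop."""
    return [(s, d, v) for s, d, v in audit(packets) if v is not None]


if __name__ == "__main__":
    for s, d, v in audit(SAMPLE_PACKETS):
        print(f"{s:>18} -> {d:<14} {v or 'pass'}")
```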

Predefined Roles

The following table lists predefined roles.

If you upgrade from a previous ArubaOS release, your existing configuration may have additional or different predefined roles. The information in this section only describes the predefined roles for this release.

Table 3: Predefined Roles

Predefined Role

Description

user-role ap-role

session-acl control

session-acl ap-acl

This is an internal role and should not be edited.

user-role default-vpn-role

session-acl allowall

ipv6 session-acl v6-allowall

This is the default role used for VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.-connected clients. It is referenced in the default "aaa authentication vpn" profile.

user-role voice

session-acl sip-acl

session-acl noe-acl

session-acl svp-acl

session-acl vocera-acl

session-acl skinny-acl

session-acl h323-acl

session-acl dhcp-acl

session-acl tftp-acl

session-acl dns-acl

session-acl icmp-acl

This role can be applied to voice devices in order to automatically permit and prioritize all VoIP Voice over IP. VoIP allows transmission of voice and multimedia content over an IP network. protocols.

user-role guest

session-acl http-acl

session-acl https-acl

session-acl dhcp-acl

session-acl icmp-acl

session-acl dns-acl

ipv6 session-acl v6-http-acl

ipv6 session-acl v6-https-acl

ipv6 session-acl v6-dhcp-acl

ipv6 session-acl v6-icmp-acl

ipv6 session-acl v6-dns-acl

This is a default role for guest users. It permits only HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands., HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection., DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. , ICMP Internet Control Message Protocol. ICMP is an error reporting protocol. It is used by network devices such as routers, to send error messages and operational information to the source IP address when network problems prevent delivery of IP packets., and DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. for the guest user. To increase security, a "deny" rule for internal network destinations could be added at the beginning.

user-role guest-logon

captive-portal default

session-acl logon-control

session-acl captiveportal

This role is used as the pre-authentication role for guest SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network.. It allows control traffic such as DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element., DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. , and ICMP Internet Control Message Protocol. ICMP is an error reporting protocol. It is used by network devices such as routers, to send error messages and operational information to the source IP address when network problems prevent delivery of IP packets., and also enables captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users..

user-role <ssid>-guest-logon

captive-portal default

session-acl logon-control

session-acl captiveportal

This role is only generated when creating a new WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. using the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. Wizard. The WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. Wizard creates this role when captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. is enabled. This is the initial role that a guest will be placed in prior to captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication. By using a different guest logon role for each SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network., it is possible to enable multiple captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profiles with different customization.

user-role stateful-dot1x

This is an internal role used for Stateful 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority.. It should not be edited.

user-role authenticated

session-acl allowall

ipv6 session-acl v6-allowall

This is a default role that can be used for authenticated users. It permits all IPv4 and IPv6 traffic for users who are part of this role.

user-role logon

session-acl logon-control

session-acl captiveportal

session-acl vpnlogon

 ipv6 session-acl v6-logon-control

This is a system role that is normally applied to a user prior to authentication. This applies to wired users and non-802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. wireless users.

The role allows certain control protocols such as DNS, DHCP, and ICMP, and also enables captive portal and VPN termination or pass through. The logon role should be edited to provide only the required services to a pre-authenticated user. For example, VPN pass through should be disabled if it is not needed.
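The advice above (keep the pre-authentication logon role down to the services a not-yet-authenticated user actually needs) is easy to check mechanically. The script below is an added example, not ArubaOS code and not part of this page: it parses role listings written in the same shape this page uses (a `user-role <name>` line followed by its `session-acl` / `ipv6 session-acl` lines), treats `logon` and any `*-logon` role as pre-authentication roles, and flags those that carry an allow-all ACL or a `vpnlogon` ACL when VPN pass-through is not required. The sample listing, the allow-list of acceptable pre-auth ACLs and the `vpn_passthrough_needed` flag are all constructed assumptions for the example.

```python
"""Audit pre-authentication user roles for ACLs they should not carry.

Added example (not ArubaOS code). Input format is the role listing shape
shown on this page; the sample below is constructed for the example.
"""
import re
from typing import Dict, List

# Constructed sample listing. The `session-acl vpnlogon` line on the logon
# role is exactly what the page says to remove when VPN pass-through is not
# needed; guest-logon carrying allowall is a constructed misconfiguration.
SAMPLE_LISTING = """\
user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall

user-role logon
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control

user-role guest-logon
session-acl control
session-acl captiveportal
session-acl allowall

user-role stateful-dot1x
"""

# ACLs considered acceptable on a pre-authentication role. This is an
# assumption for the audit; tune it to what the deployment really requires.
PREAUTH_ALLOWED = {"logon-control", "control", "captiveportal", "v6-logon-control"}

# ACLs that must never sit on a role a user holds before authenticating.
PREAUTH_FORBIDDEN = {"allowall", "v6-allowall"}

ROLE_RE = re.compile(r"^user-role\s+(\S+)\s*$")
ACL_RE = re.compile(r"^(?:ipv6\s+)?session-acl\s+(\S+)\s*$")


def parse_roles(listing: str) -> Dict[str, List[str]]:
    """Map each role name to the ordered list of ACL names attached to it."""
    roles: Dict[str, List[str]] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles.setdefault(current, [])   # a role with no ACLs still counts
            continue
        m = ACL_RE.match(line)
        if m and current is not None:
            roles[current].append(m.group(1))
    return roles


def is_preauth_role(name: str) -> bool:
    """The system logon role and the wizard-generated <ssid>-logon roles."""
    return name == "logon" or name.endswith("-logon")


def audit_preauth_roles(roles: Dict[str, List[str]],
                        vpn_passthrough_needed: bool = False) -> Dict[str, List[str]]:
    """Return {role: [issue, ...]} for pre-auth roles that exceed the allow-list."""
    findings: Dict[str, List[str]] = {}
    for name, acls in roles.items():
        if not is_preauth_role(name):
            continue
        issues = []
        for acl in acls:
            if acl in PREAUTH_FORBIDDEN:
                issues.append(f"{acl}: permits all traffic before authentication")
            elif acl == "vpnlogon":
                if not vpn_passthrough_needed:
                    issues.append("vpnlogon: VPN pass-through enabled but not required")
            elif acl not in PREAUTH_ALLOWED:
                issues.append(f"{acl}: not on the pre-auth allow-list, review")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_LISTING)
    for role, issues in audit_preauth_roles(parsed).items():
        for issue in issues:
            print(f"{role}: {issue}")
```

Run it as-is and it reports `vpnlogon` on `logon` and `allowall` on `guest-logon`; pass `vpn_passthrough_needed=True` when the deployment really terminates or passes VPN traffic for pre-authenticated users, and only the allow-all finding remains.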

user-role <ssid>-logon

session-acl control

session-acl captiveportal

session-acl vpnlogon

This role is only generated when creating a new WLAN using the WLAN wizard. The WLAN wizard creates this role when captive portal is enabled and a PEFNG license is installed. This is the initial role that a client will be placed in prior to captive portal authentication. By using a different logon role for each SSID, it is possible to enable multiple captive portal profiles with different customization.

user-role <ssid>-captiveportal-profile

When you use the WLAN Wizard without a PEFNG license installed and configure an Internal or Guest WLAN with captive portal enabled, the managed device creates an implicit user role with the same name as the captive portal profile, <ssid>-captiveportal-profile.

This implicit user role allows only DNS and DHCP traffic between the client and the network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN. Once the WLAN configuration is pushed to the managed device, the WLAN wizard will associate the new role with the initial user role that you specify in the AAA profile. This role will not be visible to the user in the WLAN wizard.

sys-ap-role

This is the role an AP is placed in when it comes up, and it contains the ACLs related to AP termination.

default-iap-user-role

This role is for users coming in through an IAP VPN tunnel.

denyall

This role prevents the user from terminating on the managed device.