Configuring Policies and Access Control on Microbranch

This section describes configuring Microbranch for roles, aliases, denylisting, custom blocked URLs, the intra-VLAN allowlist, and firewall settings. It has the following six procedures:

For enhanced security in teleworker deployments, Aruba recommends the following procedures:

Configuring User Roles and Access Rules for Microbranch

Every client in the Aruba Central network is associated with a user role, which determines the client's network privileges, the frequency of re-authentication, and the applicable bandwidth contracts. You can use ACL rules to either permit or deny data packets passing through the AP. You can also limit the packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, or on the source or destination IP addresses. For more information on access rules, refer to Configuring Roles and Policies on APs for User Access Control.

To create a user role, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Roles.
  6. In the Roles table, click +.
  7. In the Add Role window, enter a name for the new role in Roles, and then click OK.
  8. To add a rule, click the + icon in the Rules table.
  9. Under Access Rules, configure the access rule parameters.
  10. Click OK.
  11. Click Save.

Configuring Network Aliases for Microbranch

Aliases allow you to name your network ports, protocols, and services in a simple yet understandable way. When configuring multiple ACLs, you can use a common alias instead of providing details of the network ports, protocols, and services each time.

A network alias defines a TCP, UDP, or IP protocol and a list or range of ports supported by that service. You can use a network alias when specifying a network service for multiple session ACLs.

To configure a network alias for a Microbranch group, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Aliases.
  6. In the Aliases pane, click + to add a new network alias and configure the following parameters:
    • Name—Enter a name for the network alias.
    • Description—Enter description text for the alias.
    • Items—Click the + icon to add a destination. The following types are available:
      • If Host IP type is selected, enter the IP address.
      • If Host Name type is selected, enter the domain or host name.
      • If Host VLAN Offset is selected, enter the Host VLAN and VLAN Offset.
      • If Network VLAN is selected, enter the Network VLAN.
      • If Network is selected, enter the Network Prefix and Network Mask.
      • If IP Range is selected, enter the Start IP Address and End IP Address.
  7. Click OK.
  8. Click Save.

Denylisting AP Clients of Microbranch

Client denylisting denies network connections to denylisted clients. When a client is denylisted, it is not allowed to associate with an access point (AP) in the network. If a client is connected to the network when it is denylisted, a deauthentication message is sent to force the client to disconnect.

Denylisting Clients Manually

Manual denylisting adds the MAC address of a client to the denylist. These clients are added to a permanent denylist and are not allowed to connect to the network unless they are removed from the denylist.

To add a client to the denylist manually, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Denylisting.
  6. Under Manual Denylisting, click + and enter the MAC address of the client to be denylisted.
  7. Click OK.
  8. Click Save.

To delete a client from the manual denylist, select the MAC Address of the client under the Manual Denylisting, and then click the delete icon.

For the denylisting to take effect, you must enable the denylisting option when you create or edit the WLAN SSID profile. Go to WLANs > Security > Advanced Settings and enable the Denylisting option. For more information, see Configuring General > Advanced Settings for a WLAN SSID Profile.

Denylisting Clients Dynamically

The clients can be denylisted dynamically when they exceed the authentication failure threshold or when a denylisting rule is triggered as part of the authentication process.

When a client fails to authenticate and exceeds the configured authentication failure threshold, the AP automatically denylists it.

In session-firewall-based denylisting, an ACL rule automates denylisting: when the ACL rule is triggered, it sends out the denylist information and the client is denylisted.

To configure the denylisting duration, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Denylisting.
  6. Under Dynamic Denylisting, enter the following information:
    1. For Auth Failure Denylist Time, enter the duration for which clients that exceed the authentication failure threshold remain denylisted.
    2. For Policy Enforcement Firewall, enter the duration for which clients denylisted by an ACL rule trigger remain denylisted.
  7. Click Save.

You can configure a maximum number of authentication failures by the clients, after which a client must be denylisted. For more information on configuring maximum authentication failure attempts, see Configuring General > Advanced Settings for a WLAN SSID Profile.

To enable session-firewall-based denylisting, select the Denylist check box in the Access Rule page during the WLAN SSID profile creation. For more information, see Configuring Network Service ACLs.

Configuring Custom Blocked URLs for Microbranch AP Clients

You can create a list of URLs to be blocked for Microbranch AP clients.

To create a list of URLs to be blocked, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Custom Blocked URL.
  6. In the Custom Blocked Page URL table, click + and enter the URL to block.
  7. Repeat the previous step to add more URLs. You can add up to 8 URLs to the list of blocked web pages.
  8. Click OK.

Configuring Intra VLAN Traffic Allowlist for Microbranch

The Intra VLAN Traffic Allowlist is a global allowlist for all wired networks and WLAN SSIDs configured with the feature. For servers to be reachable from the network, you must add them to the Intra VLAN Traffic Allowlist using their IP or MAC address. When you configure wired servers with their IP address or MAC address, the AP allows client traffic to the destination MAC addresses.

Configuring a Wired Server with the IP Address

To configure a wired server with the IP address, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click IntraVLAN Allowlist.
  6. In the Wired Server IP table, click + and enter the IP address of the server.
  7. Click OK.
  8. Click Save.

To edit a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the edit icon. To delete a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the delete icon.

Configuring a Wired Server with the MAC Address

To configure a wired server with the MAC address, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click IntraVLAN Allowlist.
  6. In the Wired Server MAC window, click + and enter the MAC address of the server.
  7. Click OK.
  8. Click Save Settings.

To edit a wired server, select the MAC address of the wired server in the Wired Server MAC window, and then click the edit icon. To delete a wired server, select the MAC address of the wired server in the Wired Server MAC window, and then click the delete icon.

Configuring Firewall Parameters for Microbranch

APs support an enhanced inbound firewall for the traffic that flows into the network through the uplink ports of an access point (AP).

To configure the firewall rules, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Firewall Settings.
  6. In the Access Rule section, click the + icon.
    The Inbound Firewall page is displayed.
  7. In the Inbound Firewall page, enter the following information:

    Table 1: Inbound Firewall Rule Configuration Parameters

    Service—Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
      • Any—Access is allowed or denied to all services.
      • Custom—Customize the access based on the available options such as TCP, UDP, and Other. If you select the TCP or UDP options, enter the appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.

    Action—Select any of the following actions:
      • Allow—Allows user access based on the access rule.
      • Deny—Denies user access based on the access rule.
      • Destination-NAT—Allows changes to the destination IP address and the port.
      • Source-NAT—Allows changes to the source IP address.
    The destination NAT and source NAT actions apply only to the network services rules.

    Source—Select any of the following options:
      • From all sources—Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
      • From a particular host—Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
      • From a network—Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.
      • From a network alias—Traffic from a particular network alias is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the Source Alias of the source network.

    Destination—Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
      • To all destinations—Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
      • To a particular server—Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
      • Except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
      • To a network—Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the destination network.
      • To a network alias—Traffic to the specified network alias is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the Network Alias for the destination network.
      • Except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
      • To a Domain name—Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
      • To AP IP—Traffic to the specified AP is allowed.
      • To AP IP all—Traffic to all APs is allowed.
      • To AP Network—Traffic to the specified AP network is allowed.
      • To conductor IP—Traffic to the specified conductor AP or virtual controller is allowed.

    Log—Select the Log check box if you want a log entry to be created when this rule is triggered. Aruba supports a firewall-based logging function; firewall logs on the APs are generated as security logs.

    Denylist—Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified in the Auth failure denylist time on the Denylisting tab of the Security window.

    Classify Media—Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.

    Disable scanning—Select the Disable scanning check box to disable ARM scanning when this rule is triggered. This selection applies only if ARM scanning is enabled.

    DSCP TAG—Select the DSCP TAG check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

    802.1p priority—Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

  8. Click OK.
  9. Click Save.

    For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default. The inbound firewall is not applied to traffic coming through the GRE tunnel.
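The following Python model, added here as an illustration and not Aruba code, shows how the rule semantics described in Table 1 and the note above combine: rules are evaluated in order with the first match winning, an implicit deny-all terminates the list once at least one rule exists, "Except to" selectors negate the plain form, and network aliases resolve to the Host IP, Network and IP Range item types from the Aliases procedure. The alias name, addresses and rules below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


def alias_contains(items, ip):
    """True if `ip` matches any alias item. Item kinds mirror the alias
    types in the UI: Host IP ("host"), Network ("network"), IP Range ("range")."""
    ip = ipaddress.ip_address(ip)
    for kind, value in items:
        if kind == "host" and ip == ipaddress.ip_address(value):
            return True
        if kind == "network" and ip in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "range":
            start, end = (ipaddress.ip_address(v) for v in value)
            if start <= ip <= end:
                return True
    return False


@dataclass
class Rule:
    service: tuple                 # ("any",) or (proto, port), e.g. ("tcp", 443)
    action: str                    # "allow" or "deny"
    source: tuple = ("all",)       # ("all",) | ("host", ip) | ("network", cidr) | ("alias", name)
    destination: tuple = ("all",)  # the source forms plus ("except_host", ip) | ("except_network", cidr)
    log: bool = False
    denylist: bool = False


def match_endpoint(spec, ip, aliases):
    """Match one address against a Source/Destination selector from Table 1."""
    kind, *args = spec
    if kind == "all":
        return True
    if kind == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(args[0])
    if kind == "network":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(args[0], strict=False)
    if kind == "alias":
        return alias_contains(aliases[args[0]], ip)
    if kind in ("except_host", "except_network"):   # "Except to ..." negates the plain form
        return not match_endpoint((kind[len("except_"):], *args), ip, aliases)
    raise ValueError(f"unknown selector {spec!r}")


def evaluate(rules, aliases, src, dst, proto, port):
    """Return (action, matched_rule). Rules are ordered; the first match wins.
    Per the note after Table 1, once at least one rule exists an implicit
    deny-all terminates the list; with no rules configured the inbound
    firewall does not filter, which this model reports as ('allow', None)."""
    for rule in rules:
        svc_ok = rule.service[0] == "any" or rule.service == (proto, port)
        if (svc_ok and match_endpoint(rule.source, src, aliases)
                and match_endpoint(rule.destination, dst, aliases)):
            return rule.action, rule
    return ("deny" if rules else "allow"), None


# Constructed sample data (not from the page): a "dmz" alias and three rules.
ALIASES = {"dmz": [("host", "192.0.2.10"), ("range", ("192.0.2.20", "192.0.2.30"))]}
RULES = [
    Rule(("tcp", 443), "allow", source=("network", "198.51.100.0/24"), destination=("alias", "dmz"), log=True),
    Rule(("udp", 53), "allow", destination=("except_host", "192.0.2.10")),
    Rule(("any",), "deny", source=("host", "203.0.113.7"), log=True, denylist=True),
]

if __name__ == "__main__":
    for flow in [("198.51.100.5", "192.0.2.25", "tcp", 443), ("198.51.100.5", "192.0.2.10", "udp", 53),
                 ("203.0.113.7", "192.0.2.10", "tcp", 22), ("198.51.100.5", "192.0.2.99", "tcp", 80)]:
        action, rule = evaluate(RULES, ALIASES, *flow)
        print(flow, "->", action, "(implicit deny-all)" if rule is None else "")
```

The second sample flow shows the practical consequence of the implicit deny-all: DNS to the excepted server matches no explicit rule and is dropped, so every destination a client legitimately needs must be named by an allow rule.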

Configuring Restricted Access to Corporate Network

You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of master AP, including clients connected to a slave AP.

To configure restricted corporate access, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Firewall Settings.
  6. To restrict corporate access, turn on the Restrict Corporate Access toggle switch.
  7. Click Save.

Disabling Local Management of the AP and Managing the AP Through a Secured Tunnel

In teleworker deployments, it is recommended to turn off local management on the AP and manage it through the secured tunnel with the VPNC.

To disable local management of the AP and manage it through the secured tunnel, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Firewall Settings.
  6. Toggle the Tunnel Trusted switch to enable or disable the feature. Set it to enabled to turn on the trusted tunnel.
  7. Click Save.


Blocking Client Access to IP Addresses Reserved for the AP

For enhanced security in teleworker deployments, client access to the IP addresses reserved for the AP must be restricted. To disable client access to IP addresses reserved for the AP, add a deny all rule to the active user roles, using the apip-all alias as the destination IP address.

To block clients from accessing the IP addresses reserved for the AP, complete the following steps:

  1. In the Aruba Central app, set the filter to a Microbranch group that contains at least one AP.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Access Points.
  3. Click the Config icon.
    The Microbranch group configuration page is displayed.
  4. Click Security > Policies & Access Control.
    The Policies & Access Control page is displayed.
  5. Click Roles.
  6. In the Roles table, click +.
  7. In the Add Role window, enter a name for the new role in Roles, and then click OK.
  8. To add a rule, click the + icon in the Rules table.
  9. Under Access Rules, configure the following access rule parameters:
    1. Under Rule type, select Access Control.
    2. Select the Network radio button.
    3. Select Any from the Service drop-down menu.
    4. Select Deny from the Action drop-down menu.
    5. Select To AP IP all from the Destination drop-down menu.
  10. Click OK.
  11. Click Save.