3488 Views | 0 Helpful | 3 Replies

Allowing Aruba Central Cloud Guest Portal URL/Ports needed on Cisco ASA Firewall

smacey
Level 1

I'm attempting to implement Aruba Central's Cloud Guest feature, as we replaced our Cisco APs with Arubas. I've been battling this issue with Aruba Support for a while, and they still believe it's an issue with our Cisco ASA firewall and their websites not getting through:

US-1

nae1.cloudguest.central.arubanetworks.com - TCP port 2083, TCP port 443
nae1-elb.cloudguest.central.arubanetworks.com - TCP port 443

US-2

naw2.cloudguest.central.arubanetworks.com - TCP port 2083, TCP port 443
naw2-elb.cloudguest.central.arubanetworks.com - TCP port 443

What's interesting here is that I'm able to get the Cloud Guest splash screen to come up, get the option to input my email (for verification to sign on to the configured Guest WiFi network), get the code sent, and I'm able to input the code and have it accepted, but it redirects back to the Guest splash sign-in stating "login error", even though it accepted the code.

Here is the Wireshark packet capture I took during the whole process. 

 

So ultimately I'm not sure what changes to make on the firewall to get this to work. Anyone with a Cisco/Aruba environment who could chime in would be helpful.

 

 

Screenshot_2021-06-21_102433.png

3 Replies

Sheraz.Salim
VIP Alumni

First things first: Cisco is the best, you should not have moved to Aruba. Cisco wireless is more solid than any other vendor's.

It would be great if you could show the relevant firewall configuration and the pcap file.

 

Looking at the photo you uploaded, there are Connection Reset and Retransmission packets. Is 192.168.11.34 your firewall? How is the logical setup configured?

please do not forget to rate.

I'll go ahead and disagree with that sentiment. While it was no easy task going from a total in-house WLC environment to strictly cloud IAPs and the total implementation of that, it's been fairly seamless since. Following additional troubleshooting, Aruba Cloud Guest needs port 2083 open to communicate and authenticate (for some reason), and I attempted to create an ACL for that TCP service - network object, inside, and also outside rules - which didn't seem to work. The guest network is on VLAN 112. The firewall is not on 11.34; not sure where Wireshark pulled that from. Our firewalls are on 192.168.100.3 and .4 respectively.

 

I don't really like the idea of sharing the pcap file, unfortunately. 

 

I do know that it is tied to 2083 because attempting to reach Aruba's cloud domain using the telnet cmd command fails to connect on the 112 subnet, yet on the 102 main workstations subnet it's able to.

 

We have the guest network locked down for obvious reasons, so ultimately it might not even be feasible to further open this port, but I couldn't find which rule in the firewall would cause this to begin with. It would be nice to get it to work.

Fair comment. I respect the decision made to move to another vendor.

 

As you can't share the file or the firewall configuration, I would suggest checking whether the right NAT rules are hitting for this interesting traffic. Also check if your interesting traffic is hitting the right ACL.

You can also capture the traffic on the firewall. Make sure that while you troubleshoot you get the syslog too; it will give you a more robust insight into what is happening.

Also consider opening a TAC case if you have Cisco support.

 

please do not forget to rate.
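As an added illustration of the two checks discussed in this thread (the telnet-style reachability test from the guest subnet, and reading the ASA syslog to find which ACL is dropping the traffic), the script below is example code written for this page, not something posted by either participant or shipped by Cisco or Aruba. It takes the Cloud Guest hostnames and ports from the original post, probes them the way the poster did with telnet, and parses ASA message 106023 (ACL deny) lines to count drops from the guest VLAN to ports 2083/443 per access-group. The syslog lines, the guest prefix 192.168.112., the destination addresses (documentation ranges) and the ACL names are all constructed for the example; the 106023 pattern is simplified and ignores the optional user/FQDN and security-group fields the ASA can append.

```python
import re
import socket
from collections import Counter

# Cloud Guest destinations listed in the original post (US-1 and US-2)
# and the TCP ports the poster says must be reachable from the guest VLAN.
CLOUD_GUEST_DESTINATIONS = {
    "nae1.cloudguest.central.arubanetworks.com": {2083, 443},
    "nae1-elb.cloudguest.central.arubanetworks.com": {443},
    "naw2.cloudguest.central.arubanetworks.com": {2083, 443},
    "naw2-elb.cloudguest.central.arubanetworks.com": {443},
}
REQUIRED_PORTS = {2083, 443}

# ASA syslog 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group "<acl>" [...]". Simplified: optional user/FQDN and
# security-group fields that a real ASA may insert are not handled here.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(lines):
    """Return one dict per 106023 deny found in the supplied syslog lines."""
    denies = []
    for line in lines:
        match = DENY_RE.search(line)
        if match:
            deny = match.groupdict()
            deny["src_port"] = int(deny["src_port"])
            deny["dst_port"] = int(deny["dst_port"])
            denies.append(deny)
    return denies


def denies_blocking_cloud_guest(lines, guest_prefix="192.168.112."):
    """Count TCP denies from the guest subnet to a Cloud Guest port, keyed by (ACL name, port).

    The keys tell you which access-group to look at and which port it drops;
    the counts show how persistent the retries are.
    """
    hits = Counter()
    for deny in parse_denies(lines):
        if (deny["proto"].lower() == "tcp"
                and deny["src_ip"].startswith(guest_prefix)
                and deny["dst_port"] in REQUIRED_PORTS):
            hits[(deny["acl"], deny["dst_port"])] += 1
    return hits


def probe_tcp(host, port, timeout=3.0):
    """Same check as the poster's telnet test: True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_cloud_guest_reachability(destinations=CLOUD_GUEST_DESTINATIONS, timeout=3.0):
    """Probe every hostname/port pair; run this from a host on the guest VLAN."""
    return {(host, port): probe_tcp(host, port, timeout)
            for host, ports in destinations.items() for port in sorted(ports)}


# Constructed sample syslog (not from the thread). 203.0.113.x and 198.51.100.x
# are documentation ranges standing in for the resolved Cloud Guest addresses.
SAMPLE_SYSLOG = [
    'Jun 21 2021 10:24:31 asa01 %ASA-4-106023: Deny tcp src Guest:192.168.112.57/51234 '
    'dst outside:203.0.113.10/2083 by access-group "Guest_access_in" [0x0, 0x0]',
    'Jun 21 2021 10:24:32 asa01 %ASA-4-106023: Deny tcp src Guest:192.168.112.57/51235 '
    'dst outside:203.0.113.11/2083 by access-group "Guest_access_in" [0x0, 0x0]',
    'Jun 21 2021 10:24:32 asa01 %ASA-4-106023: Deny tcp src Guest:192.168.112.57/51236 '
    'dst outside:198.51.100.5/443 by access-group "Guest_access_in" [0x0, 0x0]',
    'Jun 21 2021 10:24:33 asa01 %ASA-4-106023: Deny tcp src inside:192.168.102.20/44100 '
    'dst outside:198.51.100.9/443 by access-group "inside_access_in" [0x0, 0x0]',
    'Jun 21 2021 10:24:33 asa01 %ASA-4-106023: Deny udp src Guest:192.168.112.57/53211 '
    'dst outside:198.51.100.53/53 by access-group "Guest_access_in" [0x0, 0x0]',
    'Jun 21 2021 10:24:34 asa01 %ASA-6-106100: access-list Guest_access_in permitted tcp '
    'Guest/192.168.112.57(51237) -> outside/203.0.113.10(443) hit-cnt 1 first hit',
]

if __name__ == "__main__":
    for (acl, port), count in sorted(denies_blocking_cloud_guest(SAMPLE_SYSLOG).items()):
        print(f"{acl} drops guest traffic to TCP/{port}: {count} time(s)")
    # Live probe; only meaningful when run from the guest VLAN with internet access.
    for (host, port), ok in check_cloud_guest_reachability(timeout=2.0).items():
        print(f"{host}:{port} -> {'open' if ok else 'blocked/unreachable'}")
```

Run the reachability half from a machine on VLAN 112 and again from the 102 subnet; a port that is open from one and blocked from the other, combined with a 106023 count against a single access-group, pins the drop to a specific rule on the ASA rather than to the Aruba side. Only the 106023 format is parsed; the 106100 line in the sample is there to show that permitted hits are ignored.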