AAA, NAC, Guest Access & BYOD

How to setup GRE Tunnel between Aruba Controller and CPPM for captive portal redirection

You might have a requirement where on an Aruba wireless network the guest subnet does not  have direct access to CPPM (Clearpass Policy Manager), and you want the guest users to see the captive portal page hosted on CPPM. You can achieve that requirement by setting up a GRE tunnel between CPPM and the Aruba Controller.


In this method the HTTP/HTTPS traffic from the guest users in the initial role to CPPM, would be sent via the GRE tunnel on the Aruba Controller and CPPM returns that traffic through the same GRE tunnel.

This solution has been tested and found to be working on CPPM version 6.5.6 and AOS version however it should work the same way in other versions also.





These are the configuration steps involved in setting up the GRE tunnel between CPPM and the Aruba Controller

1) CPPM Tunnel Interface Configuration can be done by navigating to Administration >> Server Manager >> Server Configuration, and clicking on the CPPM node and navigating to Network Tab and clicking on "Create Tunnel" as shown below

Once we click on Create Tunnel you would see the following fields as shown below, the text inside the image explains the purpose of the field


Once creating a GRE tunnel is done we need to create a route on CPPM as shown below

2) IP route Setup from appadmin CLI on CPPM

network ip add gre1 -i 1000 -d <client subnet> -g
INFO - Added route for destination=
<client subnet> via=
INFO - New ip rule created with the id = 1000

where you need to specify the client subnet and the gateway is the CPPM tunnel interface inner IP address. 

One more important point to remember is to make sure that id of the route you add should be above the other routes. Just make sure you give an id number that lands it above the other ip routes

3) Controller configuration

Tunnel Interface configuration

interface tunnel 1
description "Tunnel Interface to CPPM"
tunnel mode gre ip
ip address
tunnel source vlan <id>
tunnel destination <CPPM IP>

where tunnel 1 is the id of the tunnel and the tunnel destination is the CPPM IP address. The source vlan id is the VLAN interface that has connectivity from controller to the CPPM. is the tunnel interface inner IP on the Controller.

You should also setup a route on the controller to send any traffic to the CPPM tunnel inner IP address via the Controller tunnel inner IP address which can allow you to ping the tunnel interfaces and check connectivity.

ip route 

IP access list configuration for the Client's Initial Role

access-list List
Position  Name                         Type     Location
--------  ----                         ----     --------
1         global-sacl                  session
2         apprf-CPPM-GRE-CP-Role-sacl  session
3         GRE-Tunnel-CPPM              session
4         logon-control                session
5         captiveportal                session

where GRE-Tunnel-CPPM has the rules as follows. The logon-control and captiveportal have the default rules allowing the client to grab an IP address, allowing DNS and performing captive portal redirects. etc.

Priority  Source  Destination    Service    Application  Action             TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------    -------    -----------  ------             ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    <CPPM IP>  svc-http                redirect tunnel 1                           Low                                                           4
2         user    <CPPM IP> svc-https               redirect tunnel 1                           Low                                                           4

The Captive portal profile that would be assigned to the initial role on the Aruba Controller should be pointing directly at the CPPM IP/hostname for the login page http://<CPPM IP/hostname>/guest/gre-login.php

Once all this configuration and you have the other requisites for Captive portal working like DNS etc., you should see that the client would be able to redirect to CPPM and access the web page hosted on CPPM without having direct connectivity to the controller.

Please note that this configuration chooses as the ClearPass GRE tunnel inner IP and as the Controller GRE tunnel inner IP. You are free to choose the IP addresses of your choice.



To verify that this is working you can do a Packet Capture on CPPM or the Aruba controller and you should be able to see GRE packets flow between CPPM and the controller.

You will see from the PCAP that a client subnet that does not have direct connectivity to the CPPM would be seen as the source IP with CPPM as the destination. CPPM would also respond with its IP as the source and the destination would be the client IP. This communication is made possible via the GRE tunnel.  

Version History
Revision #:
2 of 2
Last update:
‎03-01-2017 03:10 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.