Aruba Instant & Cloud Wi-Fi

Contributor II
Posts: 47
Registered: ‎08-10-2014

IAP VPN, L3 DHCP-scope and central captive portal problem.

Hi,
We are having issues with the LOCAL L3 DHCP scope, using IAP-VPN to a central controller and reaching guest registration on a central ClearPass.

Our guest SSID is using the LOCAL L3 DHCP scope. Our VPN routing table is routing the ClearPass IP address over the VPN. The problem is the enforce captive portal, which doesn't source-NAT the IP when using DNS like guest.customer.se; when using the IP address it is getting source-NATed. See below the ACLs from the enforce captive portal role.

So when we see the traffic in the controller with DNS, the source IP is from the local L3 scope.

When using the IP, the traffic is source-NATed with the inner IP of the IAP-VPN.

Also, I should mention this problem only occurs when using enforce captive portal. All other traffic is source-NATed with the inner IP of the IAP-VPN as it should be.

Using IP:

ACL Name {A-GUEST:LAB-PRELOGON} Number {109}
1: any any 17 0-65535 8209-8211 P4
2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4
4: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 80-80 PS4
5: any 10.10.10.26 255.255.255.255 6 0-65535 80-80 P4
6: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 443-443 PS4 hits 3
7: any 10.10.10.26 255.255.255.255 6 0-65535 443-443 P4


Using DNS:

ACL Name {A-GUEST:LAB-PRELOGON} Number {109}
1: any any 17 0-65535 8209-8211 P4
2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4
4: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 80-80 Pd4
5: any guest.aranya.se 6 0-65535 80-80 Pd4
6: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 443-443 Pd4 hits 6
7: any guest.aranya.se 6 0-65535 443-443 Pd4
8: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 443-443 PS4
9: any 10.10.10.26 255.255.255.255 6 0-65535 443-443 P4
10: 192.168.10.0 255.255.255.0 8.8.8.8 255.255.255.255 17 0-65535 53-53 P4 hits 15
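As an added illustration (not from this thread or from Aruba), a small parser for the ACL listing format shown above that reports which rules have a DNS-name destination but no S in the trailing flag column. It assumes, consistent with the poster's observation (PS4 when the destination is an IP, Pd4 when it is a name), that S marks source NAT and that any destination token which is neither "any" nor an IPv4 address is an FQDN; the names `parse_acl` and `fqdn_rules_without_snat` are mine.

```python
import re
from dataclasses import dataclass
# Constructed sample, modelled on the two ACL listings quoted in the post:
# FQDN-destination rules carry 'Pd4', IP-destination rules carry 'PS4'/'PSD4'.
ACL_DUMP = """\
ACL Name {A-GUEST:LAB-PRELOGON} Number {109}
1: any any 17 0-65535 8209-8211 P4
2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
4: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 80-80 Pd4
5: any guest.aranya.se 6 0-65535 80-80 Pd4 hits 6
8: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 443-443 PS4
9: any 10.10.10.26 255.255.255.255 6 0-65535 443-443 P4
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

@dataclass
class Rule:
    number: int
    src: str
    dst: str
    dst_is_fqdn: bool   # destination given as a DNS name rather than ip/mask
    proto: str
    dports: str
    flags: str          # trailing flag column, e.g. 'PS4' or 'Pd4'

def _take_endpoint(tokens: list) -> tuple:
    """Consume 'any', 'ip mask' or a DNS name from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return "any", False
    if IPV4.match(first):
        return f"{first}/{tokens.pop(0)}", False   # address is followed by its mask
    return first, True                             # assumption: anything else is an FQDN

def parse_acl(dump: str) -> list:
    rules = []
    for line in dump.splitlines():
        m = re.match(r"^(\d+):\s+(.*)$", line.strip())
        if not m:
            continue                               # header line or blank
        tokens = m.group(2).split()
        src, _ = _take_endpoint(tokens)
        dst, is_fqdn = _take_endpoint(tokens)
        proto, _sports, dports, flags = tokens[:4]  # optional 'hits N' suffix ignored
        rules.append(Rule(int(m.group(1)), src, dst, is_fqdn, proto, dports, flags))
    return rules

def fqdn_rules_without_snat(dump: str) -> list:
    """Rule numbers with an FQDN destination whose flags lack 'S' (assumed source-NAT flag)."""
    return [r.number for r in parse_acl(dump) if r.dst_is_fqdn and "S" not in r.flags]
```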

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: IAP VPN, L3 DHCP-scope and central captive portal problem.

Do you have anything configured in the System --> Enterprise Domains screen?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Contributor II
Posts: 47
Registered: ‎08-10-2014

Re: IAP VPN, L3 DHCP-scope and central captive portal problem.

Hi,

When I added the domain to the enterprise list, it works if I am using internal DNS.

Normally you don't want your guests to hit the internal DNS. So then I can't resolve that record externally?

Any more ideas?

The problem is the non-source-NATing rule in the ACL for Enforce captive portal.

Contributor II
Posts: 47
Registered: ‎08-10-2014

Re: IAP VPN, L3 DHCP-scope and central captive portal problem.

So we nearly have this exactly as we want now, by adding * to the enterprise domains. The Dist L3 can resolve internal domains. We switched to the local DHCP scope for guest and it's working if the ClearPass is on a private address. We have a customer which is the owner of a /16 public network and running it internally.

Enforce captive portal refuses to push this traffic over the tunnel when we are using DNS. We can ping the ClearPass IP and we can use enforce captive portal using the IP address but not the DNS name.