Aruba Solution Exchange

L2 GRE to DMZ controller with Captive Portal SSID


Summary

This solution creates a captive portal SSID where the guest traffic is tunneled from an internal controller(s) to a headend controller, which in most cases is installed in the DMZ. The tunnel is made using an L2 GRE tunnel. This solution generates configuration for both the internal controller(s) and the DMZ controller(s). The SSID configuration will be created for the internal controller(s) and the captive portal configuration will be created for the DMZ controller(s).

This solution allows you to specify either an internal captive portal hosted on the controller or an external captive portal such as ClearPass Guest. Additionally, the solution allows the guests to be authenticated using the controller's internal database or by using a specified RADIUS server such as ClearPass Policy Manager.

This solution template will generate the following configuration:

  • An Open System or Pre-Shared Key SSID on the internal Aruba Mobility Controller(s).
  • A VLAN with IP address for the guest users.
  • L2 GRE tunnel between the internal and DMZ controller.
  • Optionally, NAT can be enabled to avoid any additional routing configuration.
  • A DHCP server scope for guest users.
  • A pre-authentication (i.e. initial / logon) role that allows DNS and DHCP* and allows traffic to the captive portal server IP so that the initial redirect works. For all other requests, the role applies destination NAT so that clients are redirected to the captive portal page. *The role allows DHCP requests but denies DHCP offers, to prevent any station from becoming a DHCP server.
  • A post-authentication role that is assigned to guest users after successful authentication. The sample role allows DHCP, DNS, HTTP, and HTTPS traffic.
  • A user in the internal user database for testing if an external RADIUS server is not selected.
  • A new AP Group. You need to provision an AP into this group or assign the new Virtual AP created by this solution into your existing AP Group.
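
The pre-authentication role described in the list above can be read as a first-match rule list. The following Python model is an added example, not ArubaOS syntax and not output of this solution template; the rule names, the portal address 192.0.2.10 and the sample packets are constructed, and it assumes the DHCP permit covers both UDP 67 and 68. It shows why the rule that blocks DHCP offers from a guest station has to be evaluated before the DHCP permit.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PORTAL_IP = "192.0.2.10"  # assumption: captive portal server (documentation address)

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    dst_ip: str

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "permit", "deny" or "dst-nat"
    proto: Optional[str] = None                  # None matches anything
    dst_ports: Optional[Tuple[int, ...]] = None
    dst_ip: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst_ports is None or p.dst_port in self.dst_ports)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip))

# First match wins. Assumption: the DHCP permit covers UDP 67 and 68, so the
# deny for server replies sent by a guest (to UDP 68) has to sit above it.
PRE_AUTH_ROLE = [
    Rule("deny-dhcp-offer", "deny", "udp", (68,)),
    Rule("permit-dhcp", "permit", "udp", (67, 68)),
    Rule("permit-dns", "permit", "udp", (53,)),
    Rule("permit-portal", "permit", dst_ip=PORTAL_IP),
    Rule("redirect-rest", "dst-nat"),            # everything else goes to the portal
]

def evaluate(role, packet):
    """Return (action, rule name) of the first matching rule; implicit deny otherwise."""
    for rule in role:
        if rule.matches(packet):
            return rule.action, rule.name
    return "deny", "implicit"

# Constructed sample traffic from an unauthenticated guest station.
SAMPLES = {
    "dhcp discover": Packet("udp", 67, "255.255.255.255"),
    "rogue dhcp offer": Packet("udp", 68, "255.255.255.255"),
    "dns query": Packet("udp", 53, "198.51.100.53"),
    "portal login": Packet("tcp", 443, PORTAL_IP),
    "other web request": Packet("tcp", 80, "203.0.113.80"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:18} -> {evaluate(PRE_AUTH_ROLE, pkt)}")
```

Swapping the first two rules makes the model permit the rogue DHCP offer, which is the misordering to check for when reviewing a logon role.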

Platform Tested

Aruba Mobility Controller 3400 running AOS 6.2.1.1 build 38111

Apple iPad 3 version 6.0.1

Windows XP SP2

 

Licensing

Access Point and PEF licenses are needed by this solution template.

 

Lab Topology

 

References

AOS Guest Access App Note

Version History
Revision #: 1 of 1
Last update: 09-17-2014 02:09 PM
Comments
w.ullah@bmc.com.sa

Thanks cjoseph,

 

In our case we don't have captive portal. We have 802.1x EAP-SIM authentication.

 

As I understood from the article you sent to me, in our case the Internal Controllers are the Airport Master and Local Controllers. On the Airport master they have already configured groups, and in those groups I will just add my SSID Profile; then the Airport APs will start to broadcast our SSID as well.

 

Let's assume a user tries to associate with our EAP-SIM SSID; the user authentication traffic will first hit the DMZ controller via the GRE over IPSec tunnel. Now, further, I am confused:

1. Once they reach the DMZ, what will happen?

2. Where should I configure the RADIUS Server Group: on the DMZ Controllers, the Airport Master Controller or the Airport Local Controllers?

 

 

w.ullah@bmc.com.sa

Another thing: where will the sessions be terminated? On the DMZ Controller or the Internal Controllers (Airport master or Locals)?

 

 
