ArubaOS and Controllers

Contributor I
Posts: 54
Registered: 06-19-2009

GRE Tunnels transporting captive portal

Hi, we have 13 sites with controllers at each site. Each site has a captive portal using LDAP authentication. Currently, all the portal clients use NAT through the local controller, then through our network out to the internet.
I would like to have all the captive portals transported via GRE tunnel to our DMZ (Linux).

Any suggestions appreciated.

jason
Aruba Employee
Posts: 509
Registered: 07-03-2008

Re: GRE Tunnels transporting captive portal

I'm assuming this is for guest access, hence the need to put the user traffic out in a DMZ? When you say "linux," I assume you want to terminate the GRE tunnels to a Linux box sitting in the DMZ?

I do something similar, but with a central captive portal (an Aruba controller) in a DMZ, so I'll try to extrapolate that into how I'd go about this. I haven't tested this or anything, I'm just throwing out an idea... this would certainly need to be vetted in a lab.

1. Create a new VLAN and subnet for the guest network on all the controllers and on the Linux box. All the guests would be part of this new subnet. Give each controller's VLAN interface an IP address in that new subnet.

2. Create trusted layer-2 GRE tunnel interfaces on the controllers and the Linux box. Assign those GRE tunnels to your new VLAN.

3. Configure "ip cp-redirect-address" on each controller to be the IP address of the new VLAN interface.

4. Set up a DHCP scope on the Linux box for the new subnet; the gateway is the Linux box's guest VLAN address. You need to think about DNS services as well. DNS forwarding on the Linux box?

5. Put the guest SSID in the new VLAN on each controller.

6. Your current initial role policies are most likely OK, except make sure your initial role allows DHCP, redirects DNS to the GRE tunnel, and allows the user to access the new CP IP address of the controller.

7. Change your default role's policy to redirect all traffic you want to permit up the GRE tunnel.

Colin or Andy may come up with something better, but it's something to think about.
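To make the seven steps above concrete, here is an added example (not from the thread and not an Aruba-supplied configuration) that renders the Linux DMZ side of steps 1, 2 and 4 and the matching per-controller ArubaOS fragment for steps 1 to 3. Everything in it is an assumption to vet in a lab: the three-site table, the 10.90.0.0/24 guest subnet, VLAN 900, the RFC 5737 documentation addresses, dnsmasq as DHCP server and DNS forwarder, and the ArubaOS command syntax, which is written from memory. The one interoperability point a practitioner would want called out is the GRE protocol type: Linux gretap only accepts 0x6558 (25944 decimal), so the controller tunnel must be told to use that value rather than the default. By default the script only prints what it would do; run it as root with APPLY=1 to execute the ip(8) and iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for the Linux DMZ side of the
# guest-tunnel design, plus the per-controller ArubaOS fragment. All values below are
# assumptions for a lab; replace them with your own sites and addressing.

GUEST_VLAN=900                 # assumed guest VLAN id on every controller
GW_IP=10.90.0.1                # assumed guest gateway = Linux box's address in 10.90.0.0/24
DMZ_IP=192.0.2.10              # assumed DMZ address the tunnels terminate on (RFC 5737)
DNS_UPSTREAM=192.0.2.53        # assumed resolver the Linux box forwards guest DNS to

# Constructed site table: "<site_number> <controller_ip> <controller_guest_vlan_ip>"
SITES='1 198.51.100.11 10.90.0.11
2 198.51.100.12 10.90.0.12
3 198.51.100.13 10.90.0.13'

# Linux gretap accepts only GRE protocol type 0x6558 (Transparent Ethernet Bridging);
# 25944 is its decimal form, which is what "tunnel mode gre <num>" takes on the controller.
GRE_PROTO=25944

# Number of tunnels the site table will produce (sanity check before applying).
site_count() {
    echo "$SITES" | wc -l | tr -d ' '
}

# Guest bridge plus gateway address, created once.
linux_bridge_cmds() {
    echo "ip link add br-guest type bridge"
    echo "ip addr add $GW_IP/24 dev br-guest"
    echo "ip link set br-guest up"
}

# One layer-2 GRE tunnel per site, enslaved to the guest bridge (step 2, Linux side).
linux_tunnel_cmds() {
    site=$1; ctrl=$2
    echo "ip link add gre-site$site type gretap local $DMZ_IP remote $ctrl ttl 64"
    echo "ip link set gre-site$site master br-guest up"
}

# Plain GRE carries no authentication: accept protocol 47 only from the known controllers.
linux_filter_cmds() {
    echo "$SITES" | while read -r n ctrl vip; do
        echo "iptables -A INPUT -p gre -s $ctrl -d $DMZ_IP -j ACCEPT"
    done
    echo "iptables -A INPUT -p gre -j DROP"
}

# dnsmasq fragment: DHCP scope bound to the guest bridge only, DNS forwarded upstream (step 4).
dnsmasq_conf() {
    cat <<EOF
interface=br-guest
bind-interfaces
dhcp-range=10.90.0.100,10.90.0.250,12h
dhcp-option=option:router,$GW_IP
dhcp-option=option:dns-server,$GW_IP
server=$DNS_UPSTREAM
EOF
}

# Per-controller ArubaOS fragment for steps 1-3 (syntax from memory; verify on your release).
aruba_cfg() {
    site=$1; ctrl=$2; vlan_ip=$3
    cat <<EOF
interface vlan $GUEST_VLAN
  ip address $vlan_ip 255.255.255.0
interface tunnel $site
  tunnel mode gre $GRE_PROTO
  tunnel source $ctrl
  tunnel destination $DMZ_IP
  tunnel vlan $GUEST_VLAN
  trusted
ip cp-redirect-address $vlan_ip
EOF
}

# Execute the generated commands only when APPLY=1; otherwise just print them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

main() {
    echo "# $(site_count) sites"
    linux_bridge_cmds | run
    linux_filter_cmds | run
    echo "$SITES" | while read -r n ctrl vip; do
        linux_tunnel_cmds "$n" "$ctrl" | run
        echo "# --- ArubaOS fragment for site $n ($ctrl) ---"
        aruba_cfg "$n" "$ctrl" "$vip"
    done
    echo "# --- /etc/dnsmasq.d/guest.conf ---"
    dnsmasq_conf
}
main
```

Two design points worth keeping even if you change everything else: the tunnel is bound to a dedicated bridge with `bind-interfaces` so dnsmasq never answers on the real DMZ interface, and the GRE accept list is pinned to the controller addresses because nothing in GRE itself stops an arbitrary host from injecting frames onto that guest bridge.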
Guru Elite
Posts: 20,561
Registered: 03-29-2007

Other side of the tunnel
Jason,

Probably just as important as creating the tunnel is what is on the other side of the tunnel. If you create a tunnel from each Aruba controller to transport users back to a DMZ, users are authenticated by each individual controller, while they get their IP addresses from, and their traffic is routed by, your DMZ equipment. This would mean that each controller at each site would have to have a user database for the users it would like to authenticate, or be a local to a master that has a user database. The other way would be to deploy an Aruba controller in the DMZ, terminate the tunnels on that, and authenticate all of your users at your Aruba DMZ controller. That would mean that there is a central device or repository for users and policies for your entire guest infrastructure. Your captive portal and guest infrastructure could be unified, and you would just have to worry about getting traffic to the device. You could do it either way, depending on where you want users authenticated and your administrative boundaries. A post about tunneling user traffic from Aruba controllers to an Aruba controller in a DMZ is here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=1485


Colin Joseph
Aruba Customer Engineering
