ArubaOS and Controllers

Reply
Occasional Contributor II
Posts: 14
Registered: ‎10-17-2008

Printing on Captive Portal

We have a guest network running with the captive portal configuration. This is working fine with both wireless and a few wired connections, but we're trying to add a new twist and I'm hoping someone can point out what I seem to be missing.

Some of our guests need the capability to print while connected to the network. We have re-purposed a printer, and assigned it a static IP on the guest network. From a wired station on that network I have no problem accessing the printer. Over wireless or from the controller itself, I cannot consistently ping the printer - probably safer to say cannot ping as I get a response to 1 of 50 ping requests.

I have added a policy to allow traffic to and from that specific host, which has not changed the behavior.
Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Best Guess


We have a guest network running with the captive portal configuration. This is working fine with both wireless and a few wired connections, but we're trying to add a new twist and I'm hoping someone can point out what I seem to be missing.

Some of our guests need the capability to print while connected to the network. We have re-purposed a printer, and assigned it a static IP on the guest network. From a wired station on that network I have no problem accessing the printer. Over wireless or from the controller itself, I cannot consistently ping the printer - probably safer to say cannot ping as I get a response to 1 of 50 ping requests.

I have added a policy to allow traffic to and from that specific host, which has not changed the behavior.




Check your default gateway and subnet mask on the controller, guest hosts and printer to ensure that they match, is my best guest. If the controller cannot ping the device, you have very little hope of the wireless clients reaching it either....


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Printing on Captive Portal

Are you sure it isn't the printer? Having worked on firmware for large multi-function printer/copier/fax devices from a very large and well respected manufacturer I can tell you the networking in those devices was less than robust. You might try placing a different device on that segment with the same IP and see if the problem is still present.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II
Posts: 14
Registered: ‎10-17-2008

Re: Printing on Captive Portal

The routing on the controller looks correct:
- Controller default gateway is set to "direct" internet connection, for guest network.
- Routes configured for all secure/internal networks
- "Secure" clients use an internal gateway for their routes
- Guest clients, including printer, use the controllers guest network interface for their default gateway
- Guest network is defined on controller as directly attached network

I'm not convince it is not an issue with the printer. However, wired guest hosts receive addresses in the same range as the wireless guest hosts, and they can ping the printer. The primary difference is that the wired hosts are not tunnelling back to the controller.

Double-checking the interface configuration, I think I found part of the problem. I have 3 ethernet ports configured on the controller: a trunk for the secure network connections, a port connected to the guest network, and a port that connects to the internet for the guest network. The trunk and the internet side are both marked as "trusted", while the internal guest is not. While this configuration is working, I'm not sure it is correct. What would be the downside to making the guest side trusted? And should I un-trust the internet side? It connects to a PIX firewall, and not directly to the internet.
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Printing on Captive Portal

So, on the "guest" port of the controller, do you have some external switch connected to that port where all your wired guests and the printer get connected to?
Occasional Contributor II
Posts: 14
Registered: ‎10-17-2008

Re: Printing on Captive Portal

Both the secure trunk and guest network ports connect to an infrastructure switch. Neither of the guest VLANs, internal or external, are allowed on the trunk. This was based on recommendations provided during installation.
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Printing on Captive Portal

Ok, so, it makes sense then at the wired guests can communicate with the printer, they're on the same L2 switch and the controller has nothing to do with their direct communications.

I don't know your specific configuration, but if you followed the typical Aruba guest design, both the initial and default roles would be configured to disallow guest-to-guest communications. You said you added a policy to allow anyone to communicate to that printer, but the only other thing I can think of is it's something to do with a policy within a role.

If you want, perhaps you could post (or PM) a sanitized copy of your relevant config items and we could have a look.
Occasional Contributor II
Posts: 14
Registered: ‎10-17-2008

Re: Printing on Captive Portal

Thanks for the replies, it turned out to be a policy issue after all. Well, two actually. Since I was still testing whether the new policy was working, I had not added it to the initial role yet - which is why the controller could not ping the printer. As for the authenticated guests, I'm not sure why it mattered but I moved the new policy up two spots in the role and it is working now. The new policy was already above the only deny rule in the role that would have blocked it, so it's still a bit of a mystery.
Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Debugging

Chris,

You would do "show datapath session table " on the controller to see if it is being denied......

You could also do "show acl hits" to see if your moved up firewall policy is being used.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: