ArubaOS and Controllers

MVP
Posts: 748
Registered: ‎03-25-2009

Redirect guest users on local to vlan on master

Since our customer does not have a separate ISP for guests at some locations and would like to keep the guests separated from the corporate network, we'll need to implement some GRE solution.

The idea was to keep it simple and make a GRE tunnel in between the master and local(s). Then configure captive portal on both the master and the local which would be identical other than the ip cp-redirect address being either the master's or the local's depending on where the user entered the network.
Guest users on the master wouldn't care for the GRE tunnel and guest users connecting on the local would be handled locally like the guest vlan would be attached there.

However.. when I configure both ends of the gre tunnel as trusted, I cannot get any traffic across.
Even before setting up a guest wlan, a simple test with a pc connected on an access port in the guest vlan on the master and another pc connected to an access port in the guest vlan on the local does not permit dhcp from the master to the local-client.

When setting the tunnel interface on the master to be untrusted I do receive an ip address from the master and can ping across the tunnel.
KB article 717 says the logon role gets applied to the port in this case, and speaks about editing it.
This of course complicates the design and I need to pay attention that changing this role doesn't change anything else in the network.

So, is there a way to change that logon role for the untrusted tunnel interface into an allow-all somewhere and would doing so have any downside to it that I'm not thinking of?
Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Should Work

That should work, having both sides of the tunnel as trusted. Who is providing DHCP? Did you do the "tunnel vlan x" under the tunnel configuration to bridge the VLAN to the tunnel on both sides?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 748
Registered: ‎03-25-2009

Re: Redirect guest users on local to vlan on master




Ok, I'm thoroughly confused.
Was testing this with 3.4.1.1 controllers. Couldn't get the tunnel to work.
Aruba tech did a remote session, couldn't get it to work either. Aruba went to do some labwork, did another session and changed nothing but the trusted into untrusted on the master side of the tunnel interface and voila.. I could ping the other side.

Now I'm testing in the lab again since you say it should work and I can't get it to fail again. So I looked over yesterday's logs (I log everything) and I cannot see anything I did different yesterday. What difference could make it fail until the trust-> untrust change even?!

I only tried dhcp initially. Master was doing dhcp at the time. Switched to static ip addresses on the vlan I was trying to get through the tunnel for both the master and the local side after that. This is also what Aruba tech tested.

"tunnel vlan 2" certainly was set yes.. It appears about a dozen times in the logs :)

Off to downgrade to 3.4.1.1 now.. hopefully it breaks something.
Edit: now it appears unbreakable no matter what release it's in :(

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 748
Registered: ‎03-25-2009

Re: Redirect guest users on local to vlan on master

Ok, so I can't get my tunnel to not pass traffic when it's trusted anymore so time to get on with the config..

Got the config working without too many issues but 1 detail keeps bugging me.

Even when I change the captiveportal role so it dst nats to the ip address of the tunneled vlan (on the master controller) and I configure the local controller with an ip cp-redirect to the master's vlan 2 (the tunneled guest vlan), I will not get the captive portal page.

Only when I add an ip address to the local controller's side of the tunneled vlan and set the cp-redirect to this ip address does the guest user get the CP page served. Not sure if there is any downside to this, but it does mean each local will need an ip address and will handle the client. I was thinking to have the master handle everything. Details.. I know, but can anyone explain the how and why exactly?
Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

What you have to do

How you have it configured NOW is EXACTLY what you need to do. ip cp-redirect should be the local controller and the local controller should do the authentication. The master should only be the "anchor" controller that serves up DHCP and passes traffic. The local controller is in charge of authentication in this scenario and the client shows up as a client on the local, just like it should.


Colin Joseph
Aruba Customer Engineering
