ArubaOS and Controllers

Contributor II
Posts: 39
Registered: 01-16-2010

Wired MUX w/ Captive Portal

Currently I have a wired captive portal system that's built on top of http://netreg.sourceforge.net/. (For those of you that aren't familiar with that system it uses DHCP classes to either give a registered or unregistered IP address to a client based on MAC address. Unregistered devices are then restricted so they can only access a captive portal. Once they authenticate their MAC address is added to the list of registered devices. After the new DHCP renewal, they will get a registered IP and be permitted access to the network.) I'd like to replace that system with MUX functionality in the Aruba controller. This environment is used only for guests, so all users would end up in the same role. As a result, I don't need to dedicate a single port per user and I plan to use L2 switches to consolidate multiple users onto a single MUX port. We currently have an M3 controller with a 10Gb link that I'd like to use for this. I've been told I can do this using the untrusted VLAN function present in 3.4.2.0. (This M3 is also used to terminate a large number of APs.)

The users will connect to a switch on VLAN 517. Before they can go anywhere they should be required to authenticate against a captive portal. Once authenticated they should wind up effectively on VLAN 551. How do I make this work? Thus far my attempts haven't been at all successful.

(I've attached a diagram that hopefully will help explain what I'm trying to do.)
Guru Elite
Posts: 20,002
Registered: 03-29-2007

netreg

How a lot of users do netreg is to make your router (not Aruba) the default gateway for clients on VLAN 551. Do an IP helper-address on your router to that netreg DHCP server. The router will have a production IP address which will be the default gateway for authorized clients. The router will ALSO have a secondary interface, which will be for users that need to register.

The users that are already registered will get a valid VLAN 551 address from the DHCP server and a valid default gateway, and they will be done. The users that are NOT registered will get a bogus address; the client's default gateway is that secondary address on your router. That client will open a browser and the DNS address they receive will ALWAYS give them the address of the netreg system. When they register and re-DHCP, they will then get a production address.

Does that make sense?
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor II
Posts: 39
Registered: 01-16-2010

Re: Wired MUX w/ Captive Portal


I think I failed at explaining properly. Your description above sounds pretty similar to what I'm already doing. I'm trying to get rid of that extra server by utilizing the MUX functionality within the Aruba controllers.
Guru Elite
Posts: 20,002
Registered: 03-29-2007

Extra Server

Which server do you mean?

You will need the netreg server to add the mac addresses to the netreg database, right? Unless you have another way of adding registered mac addresses to that database, you will certainly need it. You can certainly authenticate users via Aruba without the netreg server, but you will not be able to add their mac addresses to a database that the DHCP server will need to decide what range of addresses to give users.

If you don't need the "netreg" functionality, you would just make VLAN 551 untrusted on the Aruba controller and authenticate wired users when they come on. They will still have their VLAN 551 address before and after they authenticate, except their role will change accordingly after they authenticate.

Is this what you are talking about?
Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 39
Registered: 01-16-2010

Re: Wired MUX w/ Captive Portal


Let me try to start this explanation over. Right now I have a wireless network that's set up with a captive portal. A user connects to it, gets an IP on VLAN 551, but can't get anywhere until they've authenticated against the captive portal. This is what I'd like to emulate on the wired network. The vast majority of my guests already use the wireless network, so I only have a few guest wired ports around. Since they are scattered between closets and are all in the same role, I'd like to use a single port with a L2 cloud between it and the users. This appears to be supported based on my reading of the design guides and user guides, but I can't make it work.
Guru Elite
Posts: 20,002
Registered: 03-29-2007

Untrusted

So, to replicate what you are doing, place the wired port on the controller on the same VLAN (551) as the wireless users and make VLAN 551 untrusted. That is all you need to do.

The controller, if it is not routing users, will have to be a layer-2 bump between your wired ports and the router that is doing the routing. If the controller IS the default gateway for vlan 551, you're done.

What have you tried, so we can narrow it down?
Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 39
Registered: 01-16-2010

Re: Wired MUX w/ Captive Portal


The Aruba controller is not the default gateway for 551. That's handled by a separate device. So it just needs to be an L2 bump. How do I make it do that given that traffic inbound and outbound would both be on the same VLAN? It seems to me that traffic would simply bypass the controller and go directly to the default gateway. This is why I thought I needed a separate vlan to get the traffic to the controller which it would then bridge to 551 with appropriate filtering for the captive portal.
Guru Elite
Posts: 20,002
Registered: 03-29-2007

Layer2 Bump

So you will need two physical connections on the Aruba controller to your infrastructure:

The Aruba will have to sit physically between all the wired desktop switches and that router that is the default gateway. If you have a situation that does not physically allow that, give the Aruba controller an IP address on that VLAN, and manipulate DHCP so that the Aruba controller is the default gateway on that VLAN. Change your routing so that your infrastructure points to the management IP address of the Aruba controller for that VLAN. Make that VLAN untrusted on the Aruba controller on that interface (you must be running ArubaOS 3.4.1 to use the "untrusted VLAN feature"):

(config) #interface gigabitethernet 1/2
(config-if) #switchport mode access
(config-if) #switchport access vlan 517
(config-if) #no trusted
(config-if) #no trusted vlan 517


Your client traffic will then be forced through the Aruba Controller, and interrogated by the captive portal.
Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 39
Registered: 01-16-2010

Re: Wired MUX w/ Captive Portal


Following these directions (and trying a few things) I was able to get it working. My current setup is thus:

1. Client plugs into a port on VLAN517.
2. There is a L2 cloud between the client and the controller.
3. The only exit from VLAN517 is via a port on the Aruba controller. That port is configured as such:

interface gigabitethernet 1/0
description "GE1/0"
no trusted vlan 1-4094
switchport access vlan 551
no spanning-tree

4. I have enabled "Enable Wired Access Concentrator Server" on the controller and set my AAA profile for wired access.

At this point it appears to be working. Thanks for the help.
MVP
Posts: 485
Registered: 04-03-2007

Re: Wired MUX w/ Captive Portal

Jeff,

That's great that you have this working by making the controller essentially "inline" for that vlan. I'm curious if you'd run into a situation wherein you couldn't make the controller be inline since that is not always scalable for a large installation. I believe my suggestion below would work, but I welcome critique from readers:

- Users connect to switchports on vlan 517
- No virtual interface for 517 exists (either on router or controller)
- one physical connection to the controller, trunked with vlans 517 (untrusted), 551 (trusted), and whatever other vlans you need.
- aaa wired profile assigns user-role
- user-role puts users in vlan 551
- router configured as default-gateway for vlan 551 with appropriate helper-addresses

Thus, users are placed onto 517 which L2 forwards to the controller as untrusted traffic. The controller applies its configured wired policy and assigns the defined user-role, which in turn puts traffic into vlan 551. Traffic flows as predicted to default-gateway for vlan 551, the router.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
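For reference, here is the trunk-port variant Ryan describes (VLAN 517 untrusted, VLAN 551 trusted, the user-role moving authenticated guests onto 551) written out as a full ArubaOS configuration. This is an added example and is not config from any post in this thread. The VLAN numbers and interface gigabitethernet 1/0 are taken from the thread; the role, captive-portal profile and AAA profile names (guest-cp-logon, guest-auth, cp-guest, wired-guest) are hypothetical, and logon-control, captiveportal and allowall are the controller's predefined session ACLs. As Colin notes, the per-VLAN trusted/untrusted setting needs ArubaOS 3.4.1 or later. The controller is assumed to have no L3 interface on 517; 551 is routed by the upstream router with its own DHCP helper.

```arubaos
! Added example, not from this thread. Names guest-cp-logon, guest-auth,
! cp-guest and wired-guest are hypothetical.
vlan 517
vlan 551
!
! One trunk toward the L2 guest cloud and the router. The port stays trusted
! for 551 and everything else; only 517 is untrusted, so only untagged guest
! traffic arriving on 517 is run through the role firewall and captive portal.
interface gigabitethernet 1/0
  description "Guest wired MUX: 517 untrusted, 551 trusted"
  switchport mode trunk
  switchport trunk allowed vlan 517,551
  trusted
  no trusted vlan 517
  no spanning-tree
!
! Pre-auth role: DHCP/DNS via logon-control, HTTP/HTTPS dst-nat'd to the
! controller's portal via captiveportal, everything else dropped.
user-role guest-cp-logon
  captive-portal "cp-guest"
  session-acl logon-control
  session-acl captiveportal
!
! Post-auth role: user is moved to VLAN 551 and allowed out through the
! router that is the default gateway for 551.
user-role guest-auth
  vlan 551
  session-acl allowall
!
! Guest captive portal (no credentials) that hands the user guest-auth on success.
aaa authentication captive-portal "cp-guest"
  guest-logon
  default-role guest-auth
!
! Wired clients land in the pre-auth role until the portal accepts them.
aaa profile "wired-guest"
  initial-role guest-cp-logon
!
aaa authentication wired
  profile "wired-guest"
```

To confirm it is doing what the thread expects, plug a client into 517 and watch `show user-table`: the entry should appear with role guest-cp-logon and a 517-side address before the portal login, and switch to guest-auth on VLAN 551 afterwards. If the client never shows up in the user table, the traffic is not reaching the controller as untrusted, which is the bypass problem Jeff raised when the controller is not inline.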