ArubaOS and Controllers

Contributor I
Posts: 54
Registered: ‎06-19-2009

cp-redirect

Hi, I have a layer 2 GRE tunnel between two sites using aruba3200 controllers. Each controller has 1 port on it that is associated with the VLAN that gets transported. My question is the client keeps getting redirected to the captive portal even though it is on a different VLAN? And the tunnel and physical ports are trusted?

thx jason
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Initial Role

What is the client's initial role and what are the firewall rules in it?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 54
Registered: ‎06-19-2009

Initial role

Hi, when the port is trusted, what is the initial role? I know when it is not trusted the logon role is the default.
jason
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: cp-redirect

When the port is trusted, there is no initial-role. Since the port is trusted, the concept of a role is not applied.
Contributor I
Posts: 54
Registered: ‎06-19-2009

Initial role

Hi, why does my client keep on getting redirected to the captive portal? What is really strange is that I have a different site with the same configuration, that works.

jason
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: cp-redirect

There are various items that can be untrusted. The physical port, the tunnel interface itself, or, as of 3.4 code, the VLAN can also be untrusted.

If you're plugged into a wired port and are getting the captive portal, then somewhere you have an untrusted port or interface and you're being put into the logon role.

Care to share your interface configs here?
Contributor I
Posts: 54
Registered: ‎06-19-2009

Re: cp-redirect

Hi, here they are.

GE 1/2 is up, line protocol is up
Hardware is Gigabit Ethernet, address is 00:0B:86:61:2E:B7 (bia 00:0B:86:61:2E:B7)
Description: GE1/2 (RJ45 Connector)
Encapsulation ARPA, loopback not set
Configured: Duplex ( AUTO ), speed ( AUTO )
Negotiated: Duplex (Full), speed (100 Mbps)
MTU 1500 bytes, BW is 100 Mbit
Last clearing of "show interface" counters 0 day 8 hr 53 min 13 sec
link status last changed 0 day 8 hr 51 min 18 sec
39614 packets input, 1902469 bytes
Received 15523 broadcasts, 0 runts, 0 giants, 0 throttles
0 input error bytes, 0 CRC, 0 frame
15059 multicast, 24091 unicast
20300 packets output, 1306778 bytes
0 output errors bytes, 0 deferred
0 collisions, 0 late collisions, 0 throttles
This port is TRUSTED

(Aruba3200) (config) #show interface gigabitethernet 1/2 switchport

Name: GE1/2
Switchport: Enabled
Administrative mode: static access
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Access Mode VLAN: 32 (VLAN0032)
Trunking Native Mode VLAN: 1 (Default)
Trunking Vlans Enabled: NONE
Trunking Vlans Active: NONE

(Aruba3200) (config) #show interface tunnel 51

Tunnel 51 is up line protocol is up
Description: Tunnel Interface
Source 1x.5.20.4 (Loopback)
Destination 1x.1.20.4
Tunnel mtu is set to 1500
Tunnel is a Layer2 GRE TUNNEL
Tunnel is Trusted
Inter Tunnel Flooding is enabled
Tunnel keepalive is enabled
Tunnel keepalive interval is 10 seconds, retries 3
Heartbeats sent 0, Heartbeats lost 0
Tunnel is down 0 times
tunnel vlan 32
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: cp-redirect

I meant the configs themselves. I do note that your show outputs prove that the physical interface is trusted. And the tunnel interface is trusted (what is on the other end of this tunnel interface?)

But, are the vlans trusted?

You should see a part in your config like this:
interface fastethernet 1/0
description "FE1/0"
trusted
trusted vlan 1-4094

The part in bold is what we need to verify....
Contributor I
Posts: 54
Registered: ‎06-19-2009

Initial role

Hi, I do not see 'trusted vlan 1-4094' in either of my switch configurations.

jason
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

show user

Something must be untrusted or have an ACL in it for the user to get the captive portal.

- Connect the client. When you get the Captive portal, go on the command-line of each controller and type "show user-table verbose".

When you do that it will say what the AAA profile of each is.


Also, type "show interface tunnel (x)" on each side to make sure the tunnels are trusted. In the configuration, when the tunnel configuration does not say "Trusted", it is untrusted.


Colin Joseph
Aruba Customer Engineering
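
The check the replies above ask for (is "trusted" present on the port and on the tunnel, and does a "trusted vlan" line cover the transported VLAN), as an added Python example that is not part of any post in this thread. The config text is constructed, audit_trust and parse_vlan_list are hypothetical helper names, and treating a missing "trusted vlan" line on a physical port as something to verify is an assumption taken from the reply that quotes that line.

```python
import re

# Constructed sample config (not the poster's); stanza layout follows the
# "interface fastethernet 1/0" snippet quoted in the thread.
SAMPLE_CONFIG = """\
interface gigabitethernet 1/2
   description "GE1/2"
   trusted
   switchport access vlan 32
!
interface fastethernet 1/0
   description "FE1/0"
   trusted
   trusted vlan 1-4094
!
interface tunnel 51
   description "Tunnel Interface"
   tunnel vlan 32
!
"""

def parse_vlan_list(spec):
    """Expand a VLAN list such as '1-10,32' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trust(config, vlan):
    """Return (interface, finding) pairs for stanzas to verify for `vlan`."""
    findings = []
    stanza = re.compile(r"^interface (.+)\n((?:[ \t]+.*\n)*)", re.M)
    for m in stanza.finditer(config + "\n"):
        name = m.group(1).strip()
        body = [line.strip() for line in m.group(2).splitlines()]
        if "trusted" not in body:  # no "trusted" line means untrusted
            findings.append((name, "interface not trusted"))
        if name.startswith("tunnel"):
            continue  # assumption: per-VLAN trust is checked on physical ports only
        trusted_vlans = set()
        for line in body:
            if line.startswith("trusted vlan "):
                trusted_vlans |= parse_vlan_list(line[len("trusted vlan "):])
        if vlan not in trusted_vlans:
            findings.append((name, f"no 'trusted vlan' line covering VLAN {vlan}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_trust(SAMPLE_CONFIG, 32):
        print(f"{name}: {finding}")
```

Run it against the saved configuration from each controller, since the redirect can come from an untrusted item on either end of the tunnel.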
