Configure Captive portal in a layer2 deployment

Aruba Employee
Question   What is the use of firewall allow-tri-session and how is it is useful in implementing Captive portal authentication in a Layer 2 Deployment.
Environment   In most scenarios we expect a Layer3 VLAN for Captive portal authentication to work for clients as we expect controller to have Layer3 reachability to the clients. In this article, it describes about how to get Captive Portal working on L2 Deployment

 

Captive portal is a layer3 authentication method. In order to make it work in a layer 2 deployment environment, we need to make sure the controller have layer3 reachability to the client. This can be achieved by 2 ways:
 
1 configure an IP address on the client vlan(this is not a layer2 deployment in some sort. However, since this IP is not the client default gateway, the packet is still pass through the controller. It still layer2 from datapath perspective) When the controller send out the syn-ack, it knows that the client is reachable locally and will do ARP and sent out the packet.
 
2 enable ‘firewall allow-tri-session’ command.

 
 
The client is on vlan y. the controller doesn’t have an IP address for vlan y interface. The controller has an IP address on vlan z and it’s the vlan that will do routing between controller and router.
 
Without the ‘firewall allow-tri-session’ command:
1 client do the dns lookup and resolve the IP.
2 the client send out the SYN packet to the resolved IP. The packet reach the controller through GRE tunnel. The controller will reply with ‘SYN-ACK’ on behalf of the real destination. Since the controller doesn’t have an IP on the client vlan, the controller will do route lookup and send out the packet to the router on vlan z
3 on the router, it has the client vlan y and controller vlan z. so the router will do route lookup, find the client is on it’s local vlan y, then it will ARP. The ARP reach the controller, controller send it to the client (since it’s a bcast). Client reply, controller send it back to the router. The router will know in order to reach the client, the packet should be sent to the controller but on vlan y.
4 the controller receives the packet. Since the controller doesn’t allow the tri-session(not sure how to explain this here. Could because the controller will only allow session to be initiated by the user not from the internet so it will drop it), it will drop the packet.
 
Here’s the example of the ‘show datapath session table ‘ output:
10.168.121.207 is the client IP address. 4.2.2.2 is the dns server IP. 10.168.15.20 is the switchip
 
(c1-10) #show datapath session table 10.168.121.207
 
Datapath Session Table Entries
------------------------------
 
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
 
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- -----
10.168.121.207  4.2.2.2         17   1096  53     0    0    0   1   tunnel 9    FC
66.199.187.182  10.168.121.207  6    80    2168   0    0    0   0   3/0         FDC
4.2.2.2         10.168.121.207  17   53    1096   0    0    0   1   tunnel 9    F
10.168.15.20    10.168.121.207  6    8080  2168   0    0    0   1   tunnel 9    S
10.168.121.207  66.199.187.182  6    2168  80     0    0    0   0   tunnel 9    NYC
 
 
With the ‘firewall allow-tri-session’ command
The difference is once the controller receives the packet from the router, it will encapsulate the packet in GRE and send to the client.
Here’s the show datapath session table’ output:
 
(c1-10) (config) #show datapath session table 10.168.121.207
 
Datapath Session Table Entries
------------------------------
 
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
 
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- -----
207.17.137.229  10.168.121.207  6    80    2177   0    0    0   1   local       F
10.168.121.207  10.168.15.20    6    2177  8080   0    0    0   1   local       FY
10.168.121.207  10.168.15.20    6    2178  443    0    0    0   1   tunnel 9    FNC
10.168.121.207  4.2.2.2         17   1096  53     0    0    0   1   tunnel 9    FC
4.2.2.2         10.168.121.207  17   53    1096   0    0    0   1   tunnel 9    F
10.168.15.20    10.168.121.207  6    443   2178   0    0    0   1   tunnel 9    FS
10.168.15.20    10.168.121.207  6    8080  2171   0    0    0   0   local       FDYC
10.168.15.20    10.168.121.207  6    8080  2177   0    0    0   1   tunnel 9    FS
10.168.121.207  207.17.137.229  6    2177  80     0    0    0   1   tunnel 9    FNC

Version history
Revision #:
2 of 2
Last update:
‎07-02-2014 03:25 PM
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: