Controller Based WLANs

Guest Clients unable to get captive portal page from Amigopod server
Deployment and Requirement:
------------------------------------------
The Amigopod server is configured on the internal network (say, 10.x.x.x).
A DSL router is connected directly to the controller to carry the guest traffic (192.168.x.x) separately, without exposing the internal network.

The requirement is that the client gateway is the DSL modem outside, and that no src-nat is done on the controller for the client subnet to reach the Amigopod server.

The main problem here is: how do we route traffic back to the Amigopod server so that clients get the captive portal page?
 
Environment: A typical environment of guest users doing self-registration or any user authentication against the ClearPass server.
 
Controller --> Core Switch ----> Amigopod server______  Corporate traffic
 |               1/0
 |1/1
 |_____DSL Router_______   Guest Traffic to Internet
 
Solution and Details:
-----------------------------
The best way to achieve this is to configure an L3 GRE tunnel between the Aruba controller and the Amigopod server, and to use policy-based routing to redirect the traffic into that tunnel.

For example: user host <Amigopod server> svc-http redirect tunnel 1

The above ACL needs to be allowed in the initial role so that clients can reach the Amigopod server through the GRE tunnel.

If the initial role is guest-logon, for example, it needs to be configured as follows.
-----------------------------------------------------------
user host <amigopod server ip> svc-http redirect tunnel 1
user host <amigopod server ip> svc-https redirect tunnel 1
user host <amigopod server ip> svc-icmp redirect tunnel 1
-----------------------------------------------------------
 
Also make sure the L3 GRE tunnel is configured on the controller:
 
---------------------------------------------------------------------------
interface tunnel 1
tunnel mode gre ip
no shutdown
trusted
ip address 1.1.1.2 255.255.255.255 (tunnel inner ip, address can be anything)
tunnel source vlan <id> ---> controller ip address
tunnel destination <amigopod server ip address>
----------------------------------------------------------------------------
 
ip route 1.1.1.1 255.255.255.255 1.1.1.2 --> this route allows ping from Amigopod

On the Amigopod server, we may need to configure the same L3 GRE tunnel.

Go to Administrator > Network Setup > Network Interfaces and configure the following:
 
[Screenshot: Amigopod network interface settings]
 
Activate on boot true ---> this brings the tunnel up and running

IP address 1.1.1.1 ---> inner IP address on the Amigopod server
netmask 255.255.255.255
tunnel type GRE
local inner address 1.1.1.1 ---> this could be anything
local outer address <amigopod server ip>
peer inner address 1.1.1.2 ---> controller tunnel IP set above
peer outer address <controller ip address>
------------------------------------------------------------------------------
Make sure the tunnel is up on Amigopod and also on the controller.

On the controller, "show datapath tunnel table | include <amigopod server-ip>" should show the GRE tunnel (protocol 47) formed between the devices, with the encrypts and decrypts counters increasing.
ICMP from the controller to the tunnel inner and outer IP addresses of the Amigopod server confirms whether the GRE tunnel is stable.
"show ip interface brief" confirms whether the tunnel state is up or down.

Also make sure the network interface route is configured on Amigopod, as in the screenshot below.

[Screenshot: Amigopod network interface route]
 
The only way to route guest users to Amigopod is to build the L3 GRE tunnel between the Aruba controller and the Amigopod server. Src-nating the traffic would send it along the corporate subnet path, which does not meet the requirement, and moreover the traffic would not come back to access the Amigopod server, because the client gateway is the DSL router.
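The encapsulation itself shows why Amigopod needs its own tunnel interface and route. This added example (not part of the original article; all addresses are constructed) builds the GRE packet the controller would send for a redirected guest request and parses it back: the outer header runs from controller to Amigopod, while the inner source is still the un-NATed guest address, so replies must be routed back through the tunnel.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE payload type for "tunnel mode gre ip"

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a basic GRE header (no key, checksum or sequence)."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def describe(packet: bytes) -> dict:
    """Parse outer and inner addresses back out of a GRE-in-IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if packet[9] != GRE_PROTO or flags or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a plain GRE/IPv4 packet")
    inner = packet[ihl + 4:]
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "outer_checksum_ok": checksum(packet[:ihl]) == 0,
    }

# Constructed addresses: guest client, controller and Amigopod server.
GUEST, CONTROLLER, AMIGOPOD = "192.168.10.25", "10.0.0.2", "10.0.0.50"
client_packet = ipv4_header(GUEST, AMIGOPOD, 6, 0)  # header-only TCP packet to the portal
on_the_wire = gre_encapsulate(client_packet, CONTROLLER, AMIGOPOD)
```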

This solution is also useful for multi-site deployments in which each office has a local DSL connection: the guest users are bridged to the local DSL modem, and a GRE tunnel is built to the central corporate office to reach the Amigopod server for the captive portal page.
 
Commands useful on the controller for troubleshooting
----------------------------------------------------------------------------
Make sure the controller configuration has the required ACLs for the user to get the CP page, and that the Amigopod server is allowed in the initial role.

To check GRE tunnel status and client traffic, use the following:

show ip interface brief
show datapath tunnel table
show ip route
ping and traceroute
show rights
show acl hits role <initial role>
show datapath session table | include <ip address of the client>
nslookup to make sure DNS resolves.

On Amigopod:
------------------
Verify that the L3 GRE tunnel is configured in the right place.
Ping and traceroute to the guest VLAN interface on the controller.
Version History
Revision #: 1 of 1
Last update: 07-04-2014 05:02 PM