Controllerless Networks

Occasional Contributor I

DNS intercept not working on our guest SSID

We have 2 SSIDs, one of which is an onboarding SSID that has a bunch of access rules and an enforced external captive portal.

On our unfiltered SSID the DNS requests for captiveportal-login.<ourdomain>.com get intercepted and resolve. On our onboarding SSID the DNS requests to captiveportal-login.<ourdomain>.com just don't resolve.

Obviously we need it to resolve, as the external captive portal needs to be able to tell the APs to allow the client to access the wireless.

Perhaps we have it set up wrong - should we be using walled gardens rather than access rules for this? We are using Cloudpath as our external captive portal. Ideally, when the user is authenticated, the access rules will stop applying.

Thanks!

Frequent Contributor II

Re: DNS intercept not working on our guest SSID

Do you have an L3 interface on the controller for the VLAN associated with the SSID where DNS resolution is not working?

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Occasional Contributor I

Re: DNS intercept not working on our guest SSID

We have Instant APs, so no controller. In saying that, how do I check for an L3 interface?

For what it's worth, both SSIDs are across all access points. They are on separate VLANs and IP ranges, but that's about it for differences other than the access rules.

Frequent Contributor II

Re: DNS intercept not working on our guest SSID

Since it is working for one SSID, I am assuming you have the correct captive portal cert installed on the IAP.

For the initial role of the non-redirecting SSID, are you allowing that role DNS access? If yes, it is probably worth checking whether that is allowed to the correct DNS server (both SSIDs can be using different DNS servers).

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Occasional Contributor I

Re: DNS intercept not working on our guest SSID

Yes, we are allowing DNS, and normal web requests work. Both SSIDs go to the same DNS controllers. We are allowing DNS requests in the access rules.

Here's an interesting addition: pinging setmeup.arubanetworks.com works for both SSIDs (resolves to 10.0.8.11).

Pinging captiveportal-login.<mydomain> on the working SSID resolves to 172.31.98.1. On the non-working one it doesn't resolve at all. Is the 172.31.x.x IP a common IP with Aruba? This is not one of our internal IP address ranges.

Frequent Contributor II

Re: DNS intercept not working on our guest SSID

OK. So the 172.31.x.x subnet is the IAP magic VLAN subnet. You will get an IP address from this subnet if your DHCP setting says "Virtual Controller Assigned".

Can you check the IAP captive portal certificate for me? Who is the issuer for it?

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Occasional Contributor I

Re: DNS intercept not working on our guest SSID

Appreciate the help so far!

 

The certificate I actually loaded in myself today, and only because I couldn't get either SSID to respond to the default securelogin.arubanetworks.com entry. It's a wildcard cert publicly signed by Comodo. It expires in 2021 and we use it for a range of other services as well.

The clients on the guest SSID that doesn't work probably cannot access the CRL lists due to the access control. I wouldn't have thought that would have affected pings, though.

Occasional Contributor I

Re: DNS intercept not working on our guest SSID

Also, both SSIDs get IP addresses from the same DHCP server. Both are also set to network assigned.

Frequent Contributor II

Re: DNS intercept not working on our guest SSID

If you have a wildcard cert, setmeup.arubanetworks.com/securelogin.arubanetworks.com will become irrelevant. Just make sure the redirect is to captiveportal-login.yourdomain.com.

DNS servers don't need to resolve captiveportal-login.yourdomain.com.

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
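The two checks JayBee describes above (does the portal name resolve to the IAP's own 172.31.x.x intercept address on the SSID in question, and does the wildcard cert actually cover captiveportal-login.yourdomain.com) as a small client-side diagnostic. This is an added example, not code from the thread or from Aruba; the 172.31.98.0/23 subnet and the example.com names are assumptions made for the example.

```python
"""Client-side check for captive-portal DNS intercept on an Aruba IAP SSID.
Run it from a device joined to the SSID under test. Assumed: the IAP
virtual-controller subnet is 172.31.98.0/23 (the thread shows 172.31.98.1)."""
import ipaddress
import socket

# Assumed IAP magic-VLAN subnet; adjust if your IAP uses a different range.
IAP_MAGIC_SUBNET = ipaddress.ip_network("172.31.98.0/23")


def is_iap_intercept_address(ip: str) -> bool:
    """True if the resolved address came from the IAP's own intercept subnet."""
    try:
        return ipaddress.ip_address(ip) in IAP_MAGIC_SUBNET
    except ValueError:
        return False


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Wildcard matching as browsers apply it: '*' covers exactly one leftmost label."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # e.g. ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def diagnose(hostname: str, resolved: list, cert_names: list) -> str:
    """Turn a client's view of the portal hostname into one verdict string."""
    if not resolved:
        return "NXDOMAIN: intercept not happening on this SSID (check DNS rule / role)"
    if not any(is_iap_intercept_address(ip) for ip in resolved):
        return "resolved externally: answer did not come from the IAP intercept"
    if not any(cert_name_matches(n, hostname) for n in cert_names):
        return "intercepted, but the portal certificate does not cover this name"
    return "ok: intercepted and certificate covers the portal name"


def resolve(hostname: str) -> list:
    """Live lookup over the current SSID; returns [] when the name does not resolve."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(hostname, 443)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    host = "captiveportal-login.example.com"  # placeholder for captiveportal-login.<yourdomain>
    print(diagnose(host, resolve(host), ["*.example.com"]))  # cert names: constructed sample
```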
Frequent Contributor II

Re: DNS intercept not working on our guest SSID

Just to add, are you using ClearPass for guest portal?

If you are using a wildcard cert, on the ClearPass web login config you should use "captiveportal-login.domain.com" for the address field.

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.