Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP Clusters with dedicated SSID for tunneled GUEST

  • 1.  IAP Clusters with dedicated SSID for tunneled GUEST

    Posted May 17, 2017 11:17 AM

    Hello everyone,

     

    I'm facing a misunderstanding of how IAP VPN works.

    I have a multi-site topology (MPLS) with multiple IAP Clusters, all managed by Airwave (DC).

    I've deployed an employee SSID facing a ClearPass (DC) for 802.1x authentication.

    I'd like to deploy a guest SSID and encapsulate this SSID into a tunnel to a mobility controller (7005) located in the DC.

    DHCP server would be a VM in the same guest-network (only present on DC).

    Guests would be managed by Clearpass Guest. (but that's another step)

     

    I've set up my controller just like many other posts on this forum.

    Added my MAC into my RAP whitelist, allowed-all my IAP branches, etc.

    I've set up, through my Airwave, an Aruba-GRE VPN type that points to my controller.

     

    I can see my IAP using 'show iap table'

    I can see my tunnels up using 'show crypto isakmp sa'

     

    Problem is ... what's next?

    As far as I understand, I would have to configure a new SSID (e.g. 33), type Employee, static VLAN assignment, and configure a DHCP Centralized Scope (L2) and assign VLAN 33.


    I tried doing that, and ... it doesn't work.

    Thing is I don't really know where I could check what's wrong.

    I tried connecting a new laptop on this guest network, 0 incoming packets.

     

    I keep those documents open but still haven't figured out how to make it work:

    - Aruba Instant VRD (2016)

    - ArubaOS User Guide

    - Aruba Instant User Guide



  • 2.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    Posted May 18, 2017 05:45 PM

    Well, it seems I needed time to write it down and see where it was faulty.

    VPN is established between VC/AP to my Mobility Controller (DC).

    I understood how to hook traffic into this tunnel.

    I'm getting closer to my goal.

     

    I tried to have an (employee type) corporate SSID, with 802.1X security, linked to ClearPass so that I can authenticate user & machine against AD.

    This part is pretty much 'easy': single VLAN assignment, ClearPass server defined as RADIUS server. This is now working.

     

    Guest is still much more complicated.

    I would like to isolate the guest network.

    A dedicated SSID, matching the guest VLAN so it goes into the tunnel to the Mobility Controller.

    The thing is: how to make it managed/intercepted by the ClearPass captive portal?

    It might be a dumb question, but as soon as I configure this SSID as 'Employee' type, I can't specify any external captive portal.

     

    As far as I understand, I would have to set up this SSID's security as WPA2 Enterprise, 802.1X, and then point it to my CPPM? But ... this guest VLAN doesn't have direct access to CPPM.

    And even though I can access CPPM from this guest VLAN, as soon as I get an IP from DHCP (external server, DC), I'm not even intercepted by CP-Guest.

    I was wondering then how you guys handle your guest network?



  • 3.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    Posted May 19, 2017 02:23 AM

    Hi,

     

    If you have F5 then you can use F5 (public or private IP/host name) for the ClearPass Guest captive portal; here you need to allow the F5 IP address/DNS host name (instead of ClearPass) in the IAP guest SSID pre-auth role. For this to work, you need to create an appropriate VIP policy in F5 for the guest user VLAN so guests will be redirected to the ClearPass captive portal page through F5.

    Regards,

    Milind Y 



  • 4.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    Posted May 22, 2017 03:00 PM

    Hello guys,

     

    I'm experiencing some weird issues and I would like to know what you think about them.

    I did all my tests as overrides on a VC.

    I deleted all overrides and planned to deploy the tested setup on the [main].

     

    I added the route into the routing table like: 172.16.33.0/24 (VLAN 33, guest, DC) via 10.0.13.230 (mobility controller, DC).

    I've configured the DHCP Centralized L2 Scope and the routing table, and applied the configuration. Split tunnel enabled.

    I'm on site 10.0.10.0/24; once the VPN comes up, local connection to the AP is lost (tunnel established between 10.0.10.110 and 10.0.13.230), can't ping 10.0.10.110 anymore.

     



  • 5.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    Posted May 23, 2017 01:49 AM

    Hi , 

     

    I thought you didn't want to allow ClearPass in the guest network. Can you upload a logical diagram of your network so it will be useful to understand your query?

     

    Regards,

    Milind Yashwantrao



  • 6.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    Posted May 24, 2017 08:10 PM

    Yeah sure.

    Here's the logical topology.

    [image: SD-Guest.png]
    Configuration is the same for both IAPs (managed by Airwave).

    When I add the Site1-IAP1 MAC address into the whitelist-db rap on the controller, the tunnel goes UP.

    And I lose connectivity from my CORP-PC to the IAP.

    Same configuration on Site2-IAP1 and it works.

    I thought there might be an unseen override, or a mismatch somewhere, but no.

    I thought about split-tunnel, whether it was enabled or not.

    Both have:

    ip dhcp VL33-CL2
    server-type Centralized,L2
    server-vlan 33

     

    routing-profile
    route 172.16.33.0 255.255.255.0 10.0.13.230

     

    And the problem I have with guest is:

    Guest PC associates with SSID-Guest.

    SSID-Guest is a 'Guest' type SSID.

    Network-assigned: CL2-VL33 (VLAN 33)

    Route: 172.16.33.0 is reached through 10.0.13.230

    There is an Aruba VPN between the IAPs (10.0.10.110, 10.0.20.110) and the Controller (10.0.13.230).

    An IP-Helper (pointing to a DHCP server on a VM in 10.0.13.x) is set up on the mobility controller.

    I do get an IP address (172.16.33.X/24, Gateway: 172.16.33.254, etc.)

    The SSID is set up to use the captive portal located at 172.16.33.227 (which is a virtual-ip/alias/NAT to ClearPass 10.0.13.227).

    I get intercepted by the ClearPass Guest captive portal.

    I configured a sponsor confirmation; once confirmation is done and I click on login, there are no authentication records in the ClearPass Access Tracker.

    I made it work only once, but then I got stuck in a redirect loop.

    But that would be another problem; my main problem is ... how can I experience two different behaviors while I have the same deployed configuration?
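One way to sanity-check a routing-profile like the one above against the AP's own management subnet, as an added example that is not the poster's configuration or an Aruba tool: it parses the thread's route line, reports which destinations the longest-matching route would send toward the tunnel gateway, and flags any tunnel route that overlaps the AP's local subnet (the full-tunnel variant and the sample destinations are constructed for contrast).

```python
import ipaddress

# Sample routing-profile text copied from the thread (the poster's own route).
SITE_ROUTING_PROFILE = """
routing-profile
 route 172.16.33.0 255.255.255.0 10.0.13.230
"""

# Constructed, hypothetical variant: a default route via the controller would
# also pull the AP's management subnet (10.0.10.0/24) into the tunnel.
FULL_TUNNEL_PROFILE = """
routing-profile
 route 0.0.0.0 0.0.0.0 10.0.13.230
"""


def parse_routes(profile_text):
    """Return (network, next_hop) tuples from 'route <net> <mask> <gw>' lines."""
    routes = []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            routes.append((net, ipaddress.ip_address(parts[3])))
    return routes


def tunneled_destinations(profile_text, tunnel_gw, destinations):
    """Map each destination to True if its longest-matching route points at the tunnel gateway."""
    routes = parse_routes(profile_text)
    gw = ipaddress.ip_address(tunnel_gw)
    result = {}
    for dst in destinations:
        ip = ipaddress.ip_address(dst)
        matches = [r for r in routes if ip in r[0]]
        if not matches:
            result[dst] = False          # no explicit route: stays on the local/default path
            continue
        best = max(matches, key=lambda r: r[0].prefixlen)
        result[dst] = best[1] == gw
    return result


def management_captured(profile_text, tunnel_gw, local_subnet):
    """True if any route toward the tunnel gateway overlaps the AP's own management subnet."""
    local = ipaddress.ip_network(local_subnet)
    gw = ipaddress.ip_address(tunnel_gw)
    return any(r[1] == gw and local.overlaps(r[0]) for r in parse_routes(profile_text))
```

With the thread's single /24 route, the check reports that 10.0.10.x stays local, so a lost management path after the tunnel comes up is not explained by the routing-profile alone.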



  • 7.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    Posted Jun 13, 2017 07:43 PM

    Hello,

     

    I was wondering how could I debug this?

    Should I just open a case with Aruba?



  • 8.  RE: IAP Clusters with dedicated SSID for tunneled GUEST

    EMPLOYEE
    Posted Jun 14, 2017 06:23 AM

    Yes.