05-17-2017 08:17 AM - edited 05-17-2017 09:36 AM
I'm facing a misunderstanding of how IAP VPN works.
I have a multi-site topology (MPLS) with multiple IAP clusters, all managed by Airwave (DC).
I've deployed an employee SSID pointing to ClearPass (DC) for 802.1X authentication.
I'd like to deploy a guest SSID and encapsulate this SSID into a tunnel to a mobility controller (7005) located in the DC.
The DHCP server would be a VM in the same guest network (only present in the DC).
Guests would be managed by ClearPass Guest (but that's another step).
I've set up my controller just like many other posts on this forum.
Added my MAC into my RAP whitelist, allowed-all my IAP branches, etc.
I've set up, through my Airwave, an Aruba-GRE VPN type that points to my controller.
I can see my IAP using 'show iap table'
I can see my tunnels up using 'show crypto isakmp sa'
Problem is ... what's next?
As far as I understand, I would have to configure a new SSID (e.g. VLAN 33), type Employee, static VLAN assignment, and configure a Centralized DHCP Scope (L2) and assign VLAN 33.
I tried doing that, and... it doesn't work.
The thing is I don't really know where I could check what's wrong.
I tried connecting a new laptop to this guest network: 0 incoming packets.
I keep these documents open but still haven't figured out how to make it work:
- Aruba Instant VRD (2016)
- ArubaOS User Guide
- Aruba Instant User Guide
05-18-2017 02:45 PM
Well, it seems I needed time to write it down and see where it was faulty.
The VPN is established between the VC/AP and my Mobility Controller (DC).
I understood how to hook traffic into this tunnel.
I'm getting closer to my goal.
I tried to have a corporate SSID (employee type) with 802.1X security, linked to ClearPass so that I can authenticate user & machine against AD.
This part is pretty much 'easy': single VLAN assignment, ClearPass server defined as RADIUS server. This is now working.
Guest is still getting much more complicated.
I would like to isolate guest network.
A dedicated SSID matching the guest VLAN so it goes into the tunnel to the Mobility Controller.
The thing is: how do I make it managed/intercepted by the ClearPass captive portal?
It might be a dumb question, but as soon as I configure this SSID as 'Employee' type, I can't specify any external captive portal.
As far as I understand, I would have to set up this SSID's security as WPA2 Enterprise, 802.1X, and then point it to my CPPM? But... this guest VLAN doesn't have direct access to CPPM.
And even though I can access CPPM from this guest VLAN, as soon as I get an IP from DHCP (external server, DC), I'm not even intercepted by CP-Guest.
I was wondering then how you guys handle your guest network?
05-18-2017 11:23 PM - edited 05-18-2017 11:24 PM
If you have an F5, then you can use the F5 (public or private IP/host name) for the ClearPass Guest captive portal; here you need to allow the F5 IP address/DNS host name (instead of ClearPass) in the IAP guest SSID pre-auth role. For this to work, you need to create an appropriate VIP policy on the F5 for the guest user VLAN so the guest will be redirected to the ClearPass captive portal page through the F5.
05-22-2017 12:00 PM
I'm experiencing some weird issues and I would like to know what you think about them.
I did all my tests as overrides on a VC.
I deleted all overrides and planned to deploy the tested setup on the [main].
I added the route into the routing table like: 172.16.33.0/24 (VLAN 33, guest, DC) via 10.0.13.230 (mobility controller, DC).
I've configured the DHCP Centralized L2 scope and the routing table, and applied the configuration. Split tunnel enabled.
I'm on site 10.0.10.0/24; once the VPN comes up, local connection to the AP is lost (tunnel established between 10.0.10.110 and 10.0.13.230), and I can't ping 10.0.10.110 anymore.
05-22-2017 10:49 PM
I thought you didn't want to allow ClearPass in the guest network. Can you upload a logical diagram of your network so it will be useful to understand your query?
05-24-2017 05:09 PM
Here's the logical topology.
Configuration is the same for both IAPs (managed by Airwave).
When I add the Site1-IAP1 MAC address into the RAP whitelist DB on the controller, the tunnel goes UP.
And I lose connectivity from my CORP-PC to the IAP.
Same configuration on Site2-IAP1, and it works.
I thought there might be an unseen override or a mismatch somewhere, but no.
I thought about split-tunnel, whether it was enabled or not.
Both have :
ip dhcp VL33-CL2
route 172.16.33.0 255.255.255.0 10.0.13.230
And the problem I have with guest is:
Guest PC associates with SSID-Guest.
SSID-Guest is a 'Guest' type SSID.
Network assigned: CL2-VL33 (VLAN 33)
Route: 172.16.33.0 is reached through 10.0.13.230
There is an Aruba VPN between the IAPs (10.0.10.110, 10.0.20.110) and the Controller (10.0.13.230).
An IP helper (pointing to a DHCP server on a VM in 10.0.13.x) is set up on the mobility controller.
I do get an IP address (172.16.33.X/24, Gateway: 172.16.33.254 etc.)
The SSID is set up to use a captive portal located at 172.16.33.227 (which is a virtual IP/alias/NAT to ClearPass 10.0.13.227).
I get intercepted by the ClearPass Guest captive portal.
I configured a sponsor confirmation; once confirmation is done,
when I click on login, there are no authentication records in the ClearPass Access Tracker.
I made it work only once, but then I got stuck in a redirect loop.
But that would be another problem; my main problem is... how can I experience two different behaviors while I have the same deployed configuration?
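For reference, the pieces the posts above describe (Centralized L2 DHCP scope on VLAN 33, a route to the guest subnet via the controller, a guest-type SSID on VLAN 33 with an external captive portal, and a pre-auth role that only permits the portal address) gathered into one Instant CLI fragment. This is an added example, not the original poster's configuration or anything Aruba published: the keywords are from memory of the Instant 6.x CLI and should be checked against the Instant CLI reference before use; the names and addresses are the ones quoted in the thread; the portal URL path, the shared secret placeholder and the rule names are assumptions. Lines starting with '#' are annotations, not CLI.

```text
# Added example (assumed Instant 6.x CLI syntax, verify against the CLI reference).

# 1. Tunnel peer: the 7005 in the DC. Tunnel type and the controller-side
#    RAP whitelist entry are assumed to be in place already.
vpn primary 10.0.13.230

# 2. Centralized L2 scope: VLAN 33 is bridged through the tunnel and DHCP is
#    answered by the DC server behind the controller's IP helper.
ip dhcp VL33-CL2
 server-type Centralized
 server-vlan 33

# 3. Route the guest subnet towards the controller so traffic for
#    172.16.33.0/24 goes over the VPN (same route as quoted in the thread).
routing-profile
 route 172.16.33.0 255.255.255.0 10.0.13.230

# 4. Pre-authentication role: before login a guest may reach only the captive
#    portal address (the VIP in front of ClearPass) plus DHCP and DNS.
#    Assumed rule names; rule syntax is <dest> <mask> match <proto> <port-range> <action>.
wlan access-rule Guest-PreAuth
 rule 172.16.33.227 255.255.255.255 match tcp 443 443 permit
 rule 172.16.33.227 255.255.255.255 match tcp 80 80 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule any any match any any any deny

# 5. Post-authentication role. On Instant the access-rule carrying the SSID
#    profile's name is the SSID's default role: Internet only, RFC1918 blocked.
wlan access-rule SSID-Guest
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule 172.16.0.0 255.240.0.0 match any any any deny
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule any any match any any any permit

# 6. External captive portal pointing at the portal VIP (URL path assumed).
wlan external-captive-portal CPG-Portal
 server 172.16.33.227
 port 443
 url "/guest/iap_guest.php"
 auth-text "Authenticated"

# 7. RADIUS server used to check the credentials ClearPass posts back to the
#    IAP. This request is sourced from the AP/VC address, not the guest VLAN,
#    so it can target ClearPass directly (placeholder secret).
wlan auth-server CPPM
 ip 10.0.13.227
 port 1812
 acctport 1813
 key <shared-secret>

# 8. Guest SSID: open system, VLAN 33 (the centralized L2 scope), external
#    captive portal, pre-auth role from step 4, default role from step 5.
wlan ssid-profile SSID-Guest
 enable
 type guest
 essid SSID-Guest
 opmode opensystem
 vlan 33
 auth-server CPPM
 captive-portal external profile CPG-Portal
 set-role-pre-auth Guest-PreAuth
```

Two things worth checking against this layout when a client gets an address but the portal never authenticates: the pre-auth role must permit exactly the address the client is redirected to (here the VIP 172.16.33.227, not ClearPass's real 10.0.13.227), and the RADIUS exchange in step 7 travels from the AP's own address over the MPLS path rather than through the tunnel, so an Access Tracker that stays empty points at that path or the shared secret rather than at the guest VLAN.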