IAP - Guest Access and GRE Tunnel

Hi All,

I have a situation where I would like to deploy Instant access points at a small branch site. This branch site does not have direct to net access. Currently, at the larger branch sites, controllers are used and guest access (separate SSID/VLAN) is tunneled via GRE back to the HQ master controller DMZ.

Is this possible with Instant? I.e., I need routing table functionality, where local management of the IAP and Corporate SSID with RFC1918 networks are routed locally at the branch site, but guest Internet access is tunneled via GRE back to a HQ master controller DMZ?

Regards,

Chris

Re: IAP - Guest Access and GRE Tunnel

If you want the IAPs to remain as IAPs and not convert them to Campus APs, then refer to Chapter 30 - VPN Configuration in the IAP 6.2.0.0-3.2 User Guide. I don't have any specific experience with this, but this may suit your needs to tunnel traffic to a controller at HQ.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: IAP - Guest Access and GRE Tunnel

I'd like to do this as well, but mainly to provide a decent captive portal page and guest provisioning capability, which the Instants lack.

In order to do that, I assume that I'd need to create the other end of the tunnel on the controller, with tunnel destination being <instant vc> and make it untrusted.

So if on the instant, the tunnel dhcp was L2 Centralised, Guest users on the instant will then fall into the logon role and be given the captive portal of the controller. Is that correct?

Does this tunnel consume a licence or count towards anything on the controller platform limits?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: IAP - Guest Access and GRE Tunnel

ok, tried this with the traffic being tunnelled from the instant to the controller.

On the instant, make the ssid employee, with open and no captive portal. Make the controller end untrusted and captive portal from the controller will be presented.

Only caveat is that you'll need to upload a server cert on the controller for captive portal with a different CN, otherwise the instant will intercept and hijack the dns response and then it won't open up.

:-)


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: IAP - Guest Access and GRE Tunnel

ok, so I've deployed this now and there have been some problems with the tunnels. For the past few weeks it was fine, but now the cabling guys have finished and plugged the other APs in, it seemed to stop working.

Not strictly a topology change, but with the addition of more APs, the tunnels seem to break.

The only thing I could do is to reboot the APs and hope for the best tomorrow.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: IAP - Guest Access and GRE Tunnel

for reference if anyone is looking at this.

Make sure the Instants are on a completely different subnet to the controllers.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: IAP - Guest Access and GRE Tunnel

I'm trying this now in 6.3.1.1-4.0.0.0_40930 and am confused as to how I get the guest-SSID into the tunnel.

I've got the SSID set to employee and VLAN 100.

In controller based tunnels, I specify that the VLAN belongs to the tunnel.

In the iAP VPN setup that doesn't seem to be an option.

I'm sure it's obvious but I need a hint.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: IAP - Guest Access and GRE Tunnel

I've not tried it on that version, but the dhcp scope for your vlan 100 needs to be 'Centralised L2'. In there you specify the vlan and coupled with the vlan setting in the ssid, this is what determines what vlan goes into the tunnel. In the routing table for the VPN, this determines which traffic is routed into the tunnel, but for a guest ssid, it has to be all traffic.

If your intention is to use the controller's captive portal, you need to upload a custom cert to the controller. Even though on the instants, you set it to employee ssid, the instant will intercept the traffic if it sees a request for 'securelogin.arubanetworks.com', and you'll get the portal for the instant.

Post back with how it goes.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: IAP - Guest Access and GRE Tunnel

I have the SSID set thus:

[Screenshot: Screenshot - 12022013 - 02:29:03 PM.png]

and the tunnel (VPN) set so:

[Screenshot: VPN Tunnel settings]

I'm missing where else to set the VLAN for the tunnel.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: IAP - Guest Access and GRE Tunnel

ok, set the tunnel routing like this to send all traffic into the tunnel.

[Screenshot: tunnel routing.jpg]

In the DHCP scope, it should be centralised L2.

[Screenshot: centralised dhcp.jpg]

Is that how you have it?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com