Controllerless Networks


VPN + ClearPass Guest

  • 1.  VPN + ClearPass Guest

    Posted Mar 08, 2013 03:03 AM

    Hi,

    The situation is that I have a controller in my network and the IAPs are outside, at my customers' sites. So I need to use VPN to connect the IAP to the controller as an end point.

    What do I need to configure (on the controller) to use the guest self-registration for these customers? Is it possible?

    Thanks

    Dimitri



  • 2.  RE: VPN + ClearPass Guest

    Posted Mar 08, 2013 03:20 AM

    You can create VPN tunnel from IAP to Controller with 6.2 OS version. You may find detailed configuration guide in the User Guides. Once the VPN is UP and running you can configure the IAP to use external captive portal that is CP Guest in this case.



  • 3.  RE: VPN + ClearPass Guest

    Posted Mar 08, 2013 03:36 AM

    Ok thanks.

    So if I configure the captive portal with IP on the IAP, it will use it and not the portal of the controller? Right?

    Dimitri



  • 4.  RE: VPN + ClearPass Guest

    Posted Mar 08, 2013 03:44 AM

    If you use the IP of the CP Guest then it will use that one.



  • 5.  RE: VPN + ClearPass Guest

    Posted Mar 11, 2013 06:53 AM

    Ok thanks.

    Now my controller version is 6.1.3.6. Do I need to upgrade to 6.2?

    What is the difference between IPSec and GRE? What's the best to use?

    Thanks

    Dimitri



  • 6.  RE: VPN + ClearPass Guest

    Posted Mar 11, 2013 07:22 AM

    Yes, to terminate the Instant VPN you need to use 6.2 OS version on the controller.

    If you choose GRE tunnel then the packets are sent and received without encryption, while with IPSec the packets are encrypted.



  • 7.  RE: VPN + ClearPass Guest

    Posted Mar 11, 2013 12:28 PM

    Can I simply upgrade my version? Where can I find the 6.2?

    Thanks

    Dimitri



  • 8.  RE: VPN + ClearPass Guest

    Posted Mar 11, 2013 12:35 PM

    You can find it on the support.arubanetworks.com site (look for Early Deployment subfolder in the ArubaOS folder). You should read the release notes before upgrading. If the controller is in production environment then you may contact your local Aruba SE to ask about this.



  • 9.  RE: VPN + ClearPass Guest

    Posted Mar 13, 2013 04:22 AM

    I am back to you because I don't understand everything.

    What I need is: the IAP opens a VPN tunnel to the controller so I can access the ClearPass server with the IAP, which is outside my network (I do this because I can't open ports in my customer's router). The IAP has a fixed IP (determined by my customer's network) and users get an IP from the router.

    So on the IAP VPN:

    Controller

    • Primary host: IP of my controller

    Routing

    • Destination: IP of my internal network
    • Gateway: IP of my controller

    DHCP Server

    • Here is the point that I don't know how to configure.

    Sorry, I am really new to networks so I need some help to get on the right track.

    Thanks

    Dimitri



  • 10.  RE: VPN + ClearPass Guest

    Posted Mar 13, 2013 05:23 AM

    It depends on how you want to use it. The User Guide details each option.

    For example, one way is to use centralized L2 access. In this case you need to do the following:

    • create a VLAN on the controller
    • assign an IP address to this VLAN interface
    • configure a DHCP pool for this VLAN
    • on the IAP you assign this VLAN to the SSID and choose centralized L2 access with this VLAN ID on the VPN configuration screen.

    With this configuration your client associates to the IAP and gets the IP address from the controller. You may need to use src-nat on the controller side - it depends on your network.

    Hope it helps, let me know if it works or not.



  • 11.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 05:08 AM

    Thanks but I am a bit lost.

    So what I would like to do is: the IAP opens a tunnel to the controller so it can access the subnet where the ClearPass server is. The IAP doesn't need to get an IP from the controller because it already has one from the network.

    Here is what I have configured in the VPN page of the IAP:

    • Protocol: GRE
    • Host: IP of my controller
    • Destination: subnet where my CP server and the controller are
    • Gateway: IP of my controller (public or internal?)
    • No DHCP server

    Am I right or not?

    Thanks

    Dimitri



  • 12.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 06:37 AM

    Do you want to use GRE (and not IPSec)? If so, then you have to create the GRE tunnel manually on the controller.

    The gateway IP should be the same as the one you use for the VPN host address. The DHCP server is for the clients, not the IAP itself.

    If you attach a network topology with IP addresses I will try to help with the configuration itself.



  • 13.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 08:15 AM

    I don't really know which one to use, any advice?

    Here is a little sketch of my network topology:

    sketch network.jpg



  • 14.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 10:19 AM

    Short update.

    The VPN tunnel (IPsec) between the IAP105 and the Aruba 3200 is up (VPN status: Up in the IAP, and Show iap table shows up for the IAP in the controller). And now I'd like that when using the Guest SSID, it connects to the ClearPass server through the VPN tunnel and the user can authenticate with the self-registration of ClearPass Guest.

    Is there something special to configure? The guest network is already configured in the IAP and works in the lab (with no need of VPN).

    Thanks

    Dimitri



  • 15.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 10:54 AM

    So the IAP + CP Guest already works, great. Also good to hear that the VPN is UP.

    The next step would be to set up the routing in the VPN config. You need to configure the route at least to the subnet of the CP server; the gateway address should be the same as the one used as the VPN host address. You can test the connection by logging into the CLI of the IAP and trying to ping the CP server (assuming you are not blocking ICMP along the route).

    If the route is OK you need to configure the DHCP server. You can use the centralized L2 access as I mentioned in a previous post. If it is set, your client should get an IP address from the controller and the traffic should be redirected to the CP guest server.



  • 16.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 11:06 AM

    You need to configure the route at least to the subnet of the CP server, the gateway address should be the same as the one used as the VPN host address: done

    You can test the connection by logging into the CLI of the IAP and trying to ping the CP server (assuming you are not blocking ICMP along the route): I can ping the controller and ClearPass but I don't know if it is through the VPN or not.

    If the route is OK you need to configure the DHCP server. You can use the centralized L2 access as I mentioned in a previous post. If it is set your client should get IP address from the controller and the traffic should be redirected to the CP guest server: I am not sure I understand this part. You mean that the controller (Aruba 3200) will provide an IP address to the client inside my network? This is only to reach the CP server?



  • 17.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 11:50 AM

    @Boxcar wrote:

    You can test the connection by logging into the CLI of the IAP and trying to ping the CP server (assuming you are not blocking ICMP along the route): I can ping the controller and ClearPass but I don't know if it is through the VPN or not.


    Do you have IP connection from the IAP to the CP server without the VPN? If you are not sure about this, log in to the CLI of the IAP and start a ping to the CP address and, for testing purposes, remove the IAP from the local database on the controller and see what happens.


    @Boxcar wrote:

    If the route is OK you need to configure the DHCP server. You can use the centralized L2 access as I mentioned in a previous post. If it is set your client should get IP address from the controller and the traffic should be redirected to the CP guest server: I am not sure I understand this part. You mean that the controller (Aruba 3200) will provide an IP address to the client inside my network? This is only to reach the CP server?


    In this case try to use Local mode:

    • Local Subnet— In this mode, the VC assigns an IP address from a configured subnet and forwards traffic to both corporate and non-corporate destinations. This is achieved by appropriately translating the network address (NAT) and forwarding the packet through the IPSec tunnel or through the uplink.



  • 18.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 11:57 AM

    Do you have IP connection from the IAP to the CP server without the VPN?

    Yes I have.

    Local Subnet...

    Can you give me more explanations or an example, it's still a bit misty for me.

    Thanks for your help.

    Dimitri



  • 19.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 12:05 PM

    If you have connection why do you want to use VPN at all? You can simply create a Guest SSID with external Captive Portal. There is an example of configuration for this in the Instant User Guide.



  • 20.  RE: VPN + ClearPass Guest

    Posted Mar 14, 2013 12:08 PM

    I can connect without VPN in my lab (the IAP is not in the same subnet but still in the lab), but as I need to put the IAP at a customer outside my network, I need to use VPN.



  • 21.  RE: VPN + ClearPass Guest

    Posted Mar 15, 2013 07:16 AM

    I see. If your VPN is UP and you set the routing correctly, the traffic should be routed via the VPN (you may check this in the logs of your upstream devices or with a packet capture etc.). For DHCP you should choose Local mode, I guess. Just use a network subnet you like and the Instant should take care of NAT and routing. Frankly speaking I have only tested the Centralized L2 mode but this should work fine according to the User Guide.
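
The packet-capture check suggested in the post above, together with the GRE/IPSec difference explained in post 6, as an added example that is not part of the original thread or of any Aruba tooling: a Python sketch that labels raw IPv4 packets captured on the IAP's uplink and lists any that go straight to the ClearPass subnet instead of through the tunnel. All addresses and the `10.20.0.0/24` subnet are constructed placeholders; the protocol numbers and UDP port 4500 are the standard values for ESP, GRE and IPsec NAT traversal.

```python
import ipaddress
import struct

ICMP, UDP, GRE, ESP = 1, 17, 47, 50   # IP protocol numbers
NAT_T_PORT = 4500                     # ESP-in-UDP, IPsec NAT traversal (RFC 3948)

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet as seen on the IAP's uplink."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4         # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == ESP:
        return "ipsec-esp"            # encrypted tunnel traffic
    if proto == GRE:
        return "gre-unencrypted"      # tunnelled, but inner packet is readable
    if proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if NAT_T_PORT in (sport, dport):
            body = payload[8:]
            if body == b"\xff":
                return "nat-t-keepalive"
            if body[:4] == b"\x00\x00\x00\x00":
                return "ike"          # non-ESP marker precedes IKE on 4500
            return "ipsec-esp-natt"
    return "cleartext"

def bypassing_tunnel(packets, protected_net):
    """Destinations of cleartext packets addressed straight to the protected subnet."""
    net = ipaddress.ip_network(protected_net)
    return [str(ipaddress.ip_address(p[16:20])) for p in packets
            if classify(p) == "cleartext" and ipaddress.ip_address(p[16:20]) in net]

# --- constructed sample capture; every address is a placeholder ---
def ipv4(proto, src, dst, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

IAP, CTRL, CPPM = "192.0.2.10", "198.51.100.1", "10.20.0.5"
SAMPLE = [
    ipv4(ESP, IAP, CTRL, b"\x00\x00\x10\x01" + bytes(20)),
    ipv4(UDP, IAP, CTRL, udp(4500, 4500, b"\x12\x34\x56\x78" + bytes(16))),
    ipv4(GRE, IAP, CTRL, bytes(8)),
    ipv4(ICMP, IAP, CPPM, b"\x08\x00" + bytes(6)),   # ping sent outside the tunnel
]
```

An empty result from `bypassing_tunnel` over a capture taken while pinging the ClearPass address means the ping was carried inside ESP (or GRE) toward the controller rather than sent directly.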



  • 22.  RE: VPN + ClearPass Guest

    Posted Mar 15, 2013 07:51 AM

    Ok thanks.

    Currently I can see that the RADIUS of ClearPass Policy Manager receives the public IP of the IAP and not its internal one. Is it normal in the case of a VPN tunnel?

    Dimitri



  • 23.  RE: VPN + ClearPass Guest

    Posted Mar 18, 2013 06:00 AM

    I'm afraid that it's not.

    You should try to create a test network, which simulates the real world environment and configure the IAP + CP that way.

    Can you please summarize what is working at the moment and what is not?



  • 24.  RE: VPN + ClearPass Guest

    Posted Mar 18, 2013 06:11 AM

    Here is the summary:

    • IAP + ClearPass working fine without VPN
    • VPN status is UP in the IAP
    • VPN status is UP in the controller for the related IAP
    • DHCP Server: not configured in the VPN Tunneling of the IAP (as the Aruba support told me)
    • DHCP Server: local configuration as you asked me to try

    Dimitri