Remote Networking

Occasional Contributor II

Split tunnel with captive portal

Hello.

I've been told by my Aruba SE that the new RN (Remote Networking) software will support split tunneling even with captive portal.
I'm using an A800 with PEF and RAP licenses and trying with RAP-5WN and RAP-2 APs.
I'm following the 3.3.2.x-rn-3.1 User Guide in the chapter regarding setting up captive portal.
I have my RAP-5WN and RAP-2 provisioned as Remote APs and have an SSID up with captive portal.

But for some reason the captive portal will not show...
The pre-login role is set to the normal logon-control and captiveportal policies.


I think the problem is that the virtual AP forward mode is set to split-tunnel. But according to your User Guide this is right.

When I set the virtual AP forward mode to tunnel, the captive portal comes up fine. But then there is no split tunnel...

Any suggestions?

Here is the pre-login role:
(Aruba800) #show rights split-cp-logon

Derived Role = 'split-cp-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 45/0
Max Sessions = 65535

Captive Portal profile = cp-split

access-list List
----------------
Position  Name           Location
--------  ----           --------
1         logon-control
2         captiveportal

logon-control
-------------
Priority  Source  Destination  Service          Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    any          udp 68           deny                                    Low
2         any     any          svc-icmp         permit                                  Low
3         any     any          svc-dns          permit                                  Low
4         any     any          svc-dhcp         permit                                  Low
5         any     any          svc-natt         permit                                  Low

captiveportal
-------------
Priority  Source  Destination  Service          Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    controller   svc-https        dst-nat 8081                            Low
2         user    any          svc-http         dst-nat 8080                            Low
3         user    any          svc-https        dst-nat 8081                            Low
4         user    any          svc-http-proxy1  dst-nat 8088                            Low
5         user    any          svc-http-proxy2  dst-nat 8088                            Low
6         user    any          svc-http-proxy3  dst-nat 8088                            Low

Expired Policies (due to time constraints) = 0

(Aruba800) #


Here is the VAP:

(Aruba800) #show wlan virtual-ap vap-guest-split

Virtual AP profile "vap-guest-split"
------------------------------------
Parameter                                  Value
---------                                  -----
Virtual AP enable                          Enabled
Allowed band                               all
SSID Profile                               ssid-guest-split
VLAN                                       1
Forward mode                               split-tunnel
Deny time range                            N/A
Mobile IP                                  Enabled
HA Discovery on-association                Disabled
DoS Prevention                             Disabled
Station Blacklisting                       Enabled
Blacklist Time                             3600 sec
Authentication Failure Blacklist Time      3600 sec
Fast Roaming                               Disabled
Strict Compliance                          Disabled
VLAN Mobility                              Disabled
AAA Profile                                aaa-guest-split
Remote-AP Operation                        standard
Drop Broadcast and Multicast               Disabled
Convert Broadcast ARP requests to unicast  Disabled
Band Steering                              Disabled

(Aruba800) #

and here is the authenticated user role:

(Aruba800) #show rights guest-split

Derived Role = 'guest-split'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 47/0
Max Sessions = 65535


access-list List
----------------
Position  Name         Location
--------  ----         --------
1         split-rules

split-rules
-----------
Priority  Source  Destination  Service          Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-dhcp         permit                                  Low
2         any     any          any              route src-nat                           Low

Expired Policies (due to time constraints) = 0

(Aruba800) #
Guru Elite

Split Tunnel

- Does the user get an IP address in split tunnel mode?
- Can the user resolve DNS in split tunnel mode?
- Can the user ping the controller's IP address in split tunnel mode?
- Can the user reach the IP cp-redirect address in split tunnel mode? http://airheads.arubanetworks.com/vBulletin/showthread.php?t=543


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Split tunnel with captive portal

Yes, the user gets an IP address in split tunnel mode.
No, the user can't resolve DNS in split tunnel mode.
Yes, the user can ping the controller's IP address in split tunnel mode.
N/A, we haven't specified an IP cp-redirect address.

Cannot understand why DNS is not available. When the user is in the pre-login state, the role is split-cp-logon and all necessary policies are then in tunnel mode as stated earlier.
Guru Elite

Resolving DNS

To see what traffic the user is passing, you should do a "show datapath session ap-name" while the user is doing an NSLOOKUP to see where the traffic is going.


Colin Joseph
Aruba Customer Engineering

Occasional Contributor II

Re: Split tunnel with captive portal

Resolving DNS:

Looks like DNS is getting through. 10.10.0.40 is the client, and 10.0.0.50 and 10.0.0.52 are the DNS servers.

I will try one thing. The remote AP is in our production network and the client is in your lab network. Both are using the same DNS servers.

So I will take the remote AP back to my home and try again later today. Update on that tomorrow.


(Aruba800) #show datapath session ap-name RAP-5WN table

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined

Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
10.0.0.52       10.10.0.40      17   53    1630  0    0    0   0   dev16       14   FY
10.0.0.50       10.10.0.40      17   53    1631  0    0    0   0   dev16       a    FY
10.0.0.50       10.10.0.40      17   53    1629  0    0    0   0   dev16       1e   FY
212.89.49.20    172.17.41.44    17   4500  4500  0    0    0   0   dev4        985  FC
172.17.41.10    172.17.41.255   17   138   138   0    0    0   0   dev4        b    FDYC
10.0.0.50       10.10.0.40      17   53    1632  0    0    0   0   dev16       0    FY
10.10.0.40      10.0.0.50       17   53814 53    0    0    0   1   dev16       44   FCI
10.10.0.40      10.0.0.52       17   53814 53    0    0    0   1   dev16       3f   FCI
10.0.0.52       10.10.0.40      17   53    53814 0    0    0   1   dev16       3f   FY
10.0.0.50       10.10.0.40      17   53    53814 0    0    0   1   dev16       44   FY
172.17.41.44    212.89.49.20    17   4500  4500  0    0    0   0   dev4        985  F
10.0.0.50       10.10.0.40      17   53    57249 0    0    0   1   dev16       8d   FY
10.0.0.52       10.10.0.40      17   53    57249 0    0    0   1   dev16       88   FY
00:0B:86:66:0E:11               0806 0     0     0    0            local       3f   F
10.10.0.40      10.0.0.50       17   1632  53    0    0    0   0   dev16       0    FCI
10.10.0.40      10.0.0.50       17   1631  53    0    0    0   0   dev16       b    FCI
10.10.0.40      10.0.0.50       17   1629  53    0    0    0   0   dev16       1f   FCI
10.10.0.40      10.0.0.52       17   1630  53    0    0    0   0   dev16       15   FCI
10.10.0.40      10.0.0.52       17   57249 53    0    0    0   1   dev16       89   FCI
10.10.0.40      10.0.0.50       17   57249 53    0    0    0   1   dev16       8e   FCI
172.17.41.89    239.255.255.250 17   52539 1900  0    0    0   0   dev4        3b   FDC
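The check Colin asked for, done mechanically rather than by eye: the script below is an added example (editor's code, not part of the thread and not an Aruba tool) that parses the session table posted above, pairs every DNS query the client sent with the reply session that came back, lists any flow touching the client that carries the deny flag D, and pulls out the RAP's own UDP/4500 NAT-T tunnel to the controller. The sample is the table from the post pasted verbatim; the column mapping follows the header the controller printed, and rows without twelve fields (the ARP/MAC entry, headers) are skipped.

```python
"""Triage helper for ArubaOS 'show datapath session' output (added example, not Aruba code)."""
import ipaddress

# Session rows copied from the table posted above (header and flag legend omitted).
SAMPLE = """\
10.0.0.52 10.10.0.40 17 53 1630 0 0 0 0 dev16 14 FY
10.0.0.50 10.10.0.40 17 53 1631 0 0 0 0 dev16 a FY
10.0.0.50 10.10.0.40 17 53 1629 0 0 0 0 dev16 1e FY
212.89.49.20 172.17.41.44 17 4500 4500 0 0 0 0 dev4 985 FC
172.17.41.10 172.17.41.255 17 138 138 0 0 0 0 dev4 b FDYC
10.0.0.50 10.10.0.40 17 53 1632 0 0 0 0 dev16 0 FY
10.10.0.40 10.0.0.50 17 53814 53 0 0 0 1 dev16 44 FCI
10.10.0.40 10.0.0.52 17 53814 53 0 0 0 1 dev16 3f FCI
10.0.0.52 10.10.0.40 17 53 53814 0 0 0 1 dev16 3f FY
10.0.0.50 10.10.0.40 17 53 53814 0 0 0 1 dev16 44 FY
172.17.41.44 212.89.49.20 17 4500 4500 0 0 0 0 dev4 985 F
10.0.0.50 10.10.0.40 17 53 57249 0 0 0 1 dev16 8d FY
10.0.0.52 10.10.0.40 17 53 57249 0 0 0 1 dev16 88 FY
00:0B:86:66:0E:11 0806 0 0 0 0 local 3f F
10.10.0.40 10.0.0.50 17 1632 53 0 0 0 0 dev16 0 FCI
10.10.0.40 10.0.0.50 17 1631 53 0 0 0 0 dev16 b FCI
10.10.0.40 10.0.0.50 17 1629 53 0 0 0 0 dev16 1f FCI
10.10.0.40 10.0.0.52 17 1630 53 0 0 0 0 dev16 15 FCI
10.10.0.40 10.0.0.52 17 57249 53 0 0 0 1 dev16 89 FCI
10.10.0.40 10.0.0.50 17 57249 53 0 0 0 1 dev16 8e FCI
172.17.41.89 239.255.255.250 17 52539 1900 0 0 0 0 dev4 3b FDC
"""


def parse_session_table(text):
    """Return one dict per IP session row. Column order is the one the controller
    prints: Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age,
    Destination, TAge, Flags. Header lines and MAC/ARP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 12:
            continue
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # e.g. the 00:0B:86:66:0E:11 / 0806 ARP entry
        rows.append({
            "src": str(src), "dst": str(dst), "proto": int(parts[2]),
            "sport": int(parts[3]), "dport": int(parts[4]),
            "dest_if": parts[9], "flags": parts[11],
        })
    return rows


def dns_report(rows, client):
    """Pair each UDP/53 query the client sent with the reply session from the server.
    A query whose reply never shows up, or any client flow with the D (deny) flag,
    is what you would expect to see if DNS were being blocked before login."""
    queries = {(r["dst"], r["sport"]) for r in rows
               if r["src"] == client and r["proto"] == 17 and r["dport"] == 53}
    answers = {(r["src"], r["dport"]) for r in rows
               if r["dst"] == client and r["proto"] == 17 and r["sport"] == 53}
    denied = [r for r in rows if client in (r["src"], r["dst"]) and "D" in r["flags"]]
    return {
        "servers": sorted({server for server, _ in queries}),
        "unanswered": sorted(queries - answers),
        "denied": denied,
    }


def tunnel_endpoints(rows):
    """UDP/4500 to UDP/4500 flows are IPsec NAT-T: the RAP's tunnel to the controller."""
    return sorted({(r["src"], r["dst"]) for r in rows
                   if r["proto"] == 17 and r["sport"] == 4500 and r["dport"] == 4500})


if __name__ == "__main__":
    sessions = parse_session_table(SAMPLE)
    print(dns_report(sessions, "10.10.0.40"))
    print(tunnel_endpoints(sessions))
```

On the posted table this reports both DNS servers queried, no unanswered query and no denied client flow, which is the same reading the poster arrived at by hand; the two 4500/4500 entries are the RAP (172.17.41.44) talking to the controller's public address. Feed it the output from `show datapath session ap-name <name> table` captured while the client runs nslookup, and look at `unanswered` and `denied` first.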
Aruba Employee

Re: Split tunnel with captive portal

CP requires a valid DNS response so the browser will even attempt the port 80 call (which is where the redirection happens.)

One thing you can try is typing in an IP address into the browser address bar, which skips DNS and forces a port 80 call....many times you'll get CP page then, which proves out the DNS point.
Occasional Contributor II

Re: Split tunnel with captive portal

I tried with the IP directly, same issue.
Also tried with https://securelogin.arubanetworks.com. Same issue.

Well, it's working with virtual AP forward mode tunnel.
But not with forward mode split-tunnel.

There is no difference between those two forward modes in regards to the pre-login role.
All rules in the logon-control policy and the captiveportal policy are "permit" statements, which means "tunnel the traffic."


UPDATE: I just tried to add the allowall policy (any any any permit) on top of the pre-login role. Same issue.
So this means that there must be other issues here. It's working fine in tunnel mode. I cannot understand why an "any any any permit" rule will not work while the virtual AP forward mode is split-tunnel. Everything should then be tunneled back to the controller.
Frequent Contributor I

missing rule

Erm... based on the config...

split-rules
-----------
Priority  Source  Destination  Service          Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-dhcp         permit                                  Low
2         any     any          any              route src-nat                           Low

It seems that you are missing one rule (any internal any permit) between rule 1 and 2...

Michael
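Two points in this thread, the "allowall on top" experiment a few posts up and the missing rule Michael points at, come down to the same mechanism: ArubaOS walks a role's session ACLs in position order and each ACL's rules top to bottom, and the first match decides the action. On a split-tunnel VAP a `route src-nat` match is bridged by the RAP onto its local network; `permit`, `deny` and `dst-nat` matches are handled through the tunnel to the controller. The toy evaluator below is an added example (editor's code, not ArubaOS code and not posted by anyone in the thread) that replays that logic against the policies shown in the thread. The controller address, the networks behind the `internal` alias and the port numbers of the proxy aliases are assumptions; the client address 10.10.0.40 is the one from the datapath output.

```python
"""First-match evaluator for ArubaOS-style session ACLs (added example, not ArubaOS code)."""
import ipaddress

# Constructed lab values (assumptions, not from the thread).
CONTROLLER_IP = "10.0.0.1"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.17.0.0/16")]
CLIENT = "10.10.0.40"  # client address seen in the datapath output above

# Service aliases as (protocol, destination port). The three proxy ports are my
# recollection of the ArubaOS defaults; treat them as an assumption.
SERVICES = {
    "svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53), "svc-icmp": ("icmp", None),
    "svc-natt": ("udp", 4500), "svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
    "svc-http-proxy1": ("tcp", 3128), "svc-http-proxy2": ("tcp", 8080),
    "svc-http-proxy3": ("tcp", 8888),
}

# Policies as shown in the thread, as (source, destination, service, action).
LOGON_CONTROL = [
    ("user", "any", "udp 68", "deny"),
    ("any", "any", "svc-icmp", "permit"),
    ("any", "any", "svc-dns", "permit"),
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-natt", "permit"),
]
CAPTIVEPORTAL = [
    ("user", "controller", "svc-https", "dst-nat 8081"),
    ("user", "any", "svc-http", "dst-nat 8080"),
    ("user", "any", "svc-https", "dst-nat 8081"),
    ("user", "any", "svc-http-proxy1", "dst-nat 8088"),
    ("user", "any", "svc-http-proxy2", "dst-nat 8088"),
    ("user", "any", "svc-http-proxy3", "dst-nat 8088"),
]
ALLOWALL = [("any", "any", "any", "permit")]
SPLIT_RULES = [("any", "any", "svc-dhcp", "permit"), ("any", "any", "any", "route src-nat")]
# Michael's suggestion: tunnel corporate destinations before the local catch-all.
SPLIT_RULES_FIXED = [SPLIT_RULES[0], ("any", "internal", "any", "permit"), SPLIT_RULES[1]]


def _host_matches(field, ip):
    if field == "any":
        return True
    if field == "user":
        return ip == CLIENT
    if field == "controller":
        return ip == CONTROLLER_IP
    if field == "internal":
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def _service_matches(field, proto, dport):
    if field == "any":
        return True
    if field in SERVICES:
        want_proto, want_port = SERVICES[field]
    else:  # literal "<proto> <port>" form, e.g. "udp 68"
        want_proto, port = field.split()
        want_port = int(port)
    return proto == want_proto and (want_port is None or dport == want_port)


def evaluate(role, pkt):
    """role: [(policy_name, rules), ...] in position order. Returns (policy, rule_no,
    action) for the first matching rule, or None for the implicit deny at the end."""
    for name, rules in role:
        for number, (src, dst, svc, action) in enumerate(rules, start=1):
            if (_host_matches(src, pkt["src"]) and _host_matches(dst, pkt["dst"])
                    and _service_matches(svc, pkt["proto"], pkt["dport"])):
                return name, number, action
    return None


def forwarding_path(action):
    """Split-tunnel forwarding: 'route src-nat' is bridged at the RAP onto the local
    network; every other action is carried through the tunnel to the controller."""
    return "local" if action.startswith("route") else "tunnel"


def demo():
    http_out = {"src": CLIENT, "dst": "198.51.100.10", "proto": "tcp", "dport": 80}
    dns_corp = {"src": CLIENT, "dst": "10.0.0.50", "proto": "udp", "dport": 53}
    prelogin = [("logon-control", LOGON_CONTROL), ("captiveportal", CAPTIVEPORTAL)]
    return {
        "prelogin_http": evaluate(prelogin, http_out),
        "prelogin_dns": evaluate(prelogin, dns_corp),
        "allowall_first_http": evaluate([("allowall", ALLOWALL)] + prelogin, http_out),
        "split_dns": evaluate([("split-rules", SPLIT_RULES)], dns_corp),
        "split_fixed_dns": evaluate([("split-rules", SPLIT_RULES_FIXED)], dns_corp),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:20} -> {hit}  ({forwarding_path(hit[2])})")
```

Run as-is it shows the two effects: in the pre-login role the client's outbound HTTP hits the captiveportal `dst-nat 8080` rule, but with `allowall` positioned above it the same packet matches `permit` first and is never redirected, so an allow-all on top is not a neutral test of the portal. In the post-login role the query to the corporate DNS server matches `route src-nat` and is bridged at the RAP, which is why a `permit` for the corporate networks has to sit above the catch-all when anything on the corporate side (DNS servers included) must stay reachable.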
Contributor II

Re: Split tunnel with captive portal

Hi guys,
any update? Because I have the same issue on an Aruba 200.
I can ping www.google.com but I cannot be redirected to the CP page.
Contributor II

Re: Split tunnel with captive portal


Erm... based on the config...

split-rules
-----------
Priority  Source  Destination  Service          Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-dhcp         permit                                  Low
2         any     any          any              route src-nat                           Low

It seems that you are missing one rule (any internal any permit) between rule 1 and 2...

Michael


I don't think we should add this rule if no traffic needs to go to corp.