Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

A simple guest wifi setup, that's not so simple.

This thread has been viewed 3 times

  • 1.  A simple guest wifi setup, that's not so simple.

    Posted May 29, 2015 01:07 PM

    Aruba 7010 controller - ArubaOS version that came with the device

    3 - AP 205's

    1 - Comcast cable modem

     

    Trying to setup just a quick, easy, no captive portal, guest wifi.

     

    Cable Modem connected to Port 14 - IP is 10.1.10.1

    Port 1,2,3 connected to 3 AP 205's

     

    Plugged everything into the Aruba controller, booted it up. Had a laptop connected to port 13 for the initial setup. Laptop received the dhcp lease from the controller just fine. Going through the initial setup wizard, I setup the following:

     

    Controller IP - 10.1.5.254 (VLAN 100 Interface)

    VLAN 100 - 10.1.5.254 Interface IP (DHCP Server enabled - 10.1.5.0/24, default gateway 10.1.5.254)

    VLAN 200 - 10.1.10.11 Interface IP

    No captive portal, guest have direct access to internet

    Default Route is 10.1.10.1 (Cable Modem connected to port 14)

    All Ports trusted

    Inter VLAN routing is enabled.

    All 3 access points find the controller and are provisioned with the default profile (Guest-WiFi SSID)

     

    I tried with both android, and apple devices. I can get them to connect to the access points just fine. They get the DHCP ip's from the controller (10.1.5.0/24 network), but cannot get any access outside of the Aruba controller.

     

    Using SSH - I can remote into the Aruba controller and ping the cable modem (10.1.10.1). I can do a trace route to an external IP 75.75.75.75 and it works. DNS resolution works from the controller as well.

     

    Doing a ping from a client connected to an AP, i can ping the internal interface (10.1.5.254) and I can ping the external interface (10.1.10.11). But I can't ping anything past that.

     

    I am stumped, as far as I can tell it should work, but the Aruba controller is not routing traffic from VLAN 100 to VLAN 200... What am I missing?

     

    Thanks!

     

    Chris

     

     

     

     

     

     


    #AP205


  • 2.  RE: A simple guest wifi setup, that's not so simple.

    EMPLOYEE
    Posted May 29, 2015 01:10 PM

    What role are the users being assigned?



  • 3.  RE: A simple guest wifi setup, that's not so simple.

    Posted May 29, 2015 01:16 PM

    I do not, the Comcast cable modem is setup for NAT from 10.1.10.0/24 network to the external IP that we are assigned.

     

    This is for a Comcast business class connection if that matters...

     

    The role is guest.



  • 4.  RE: A simple guest wifi setup, that's not so simple.
    Best Answer

    Posted May 29, 2015 04:56 PM

    Figured out what the issue was. The Cable modem was set to NAT 10.1.10.x network to the external IP. But not our guest wifi network 10.1.5.x. Routing was working, but clients were not able to get out due to the lack of translation.

     

    I enabled Source NAT on the internal VLAN 100, and voila! Everything is working as it should.

     

    Thank you all for your help!

     

    Chris