01-13-2012 09:04 AM
We are in the midst of deploying Amigopod throughout our company. We have an issue with DNS and are not sure how to go about it. We currently have firewall policies set on our Aruba controllers. We want non-domain machines (guests) to connect to the associated Amigopod SSID, open up a browser, get redirected to the Amigopod server, which then redirects to the captive portal; the user authenticates and then has access to the web. All works well; however, we want the "Guests" to not have any internal access to the network (which they don't).
When the user connects to the SSID and launches a browser, it launches and the user sees the IP address of the Amigopod server. So we created firewall policies on the Aruba Controller which src-nat DNS requests to our internal DNS server. We don't want the user to see the IP address of the Amigopod (even though they can just do an nslookup, it's just neater). OK, so everything works that way; however, we also need internal machines to access the guest network as well, but the guest network is using public DNS and can't resolve. So it's either use the IP address and everyone can access, or use FW policies with the DNS option and only non-domain machines can access. HELP!?
01-13-2012 09:19 AM
How about putting internal users on guest into a different role (based on login) and using the reverse of the trick you are using to hide the internal IP from the guests, in other words, dst-nat internal users to internal DNS post authentication?
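As an added illustration of the dst-nat suggestion above (this is not from the original post, nor Aruba's own documentation), here is what that post-authentication role could look like as an ArubaOS session ACL. The syntax is as I recall it from ArubaOS 6.x; the role name, the netdestination name and the resolver address 10.0.0.53 are placeholders for your own values, and how domain logins land in that role (server-derived role, 802.1X, captive portal) is left to your existing role derivation.

```text
! Internal address space that guests (and internal users on the guest SSID)
! must not reach directly; 10.0.0.0/8 is a placeholder for your ranges
netdestination internal-networks
  network 10.0.0.0 255.0.0.0

! Session ACL for internal users after they authenticate on the guest SSID.
! Rules are evaluated top to bottom on the original packet, so the DNS
! rewrite is matched before the deny for internal networks.
ip access-list session internal-dns-nat
  ! rewrite every DNS request (whatever resolver the client asked for)
  ! to the internal resolver, so Amigopod and other internal names resolve
  user any svc-dns dst-nat ip 10.0.0.53 53
  ! everything else toward the internal ranges stays blocked
  user alias internal-networks any deny
  ! remaining traffic (Internet) is allowed
  user any any permit

! Role assigned to domain logins; the ordinary guest role keeps the
! existing src-nat-to-public-DNS policy so guests never see internal IPs
user-role guest-internal
  access-list session internal-dns-nat
```

Verify the exact action keywords against the CLI reference for your controller release before applying, and check with `show rights guest-internal` that the ACL ordering is what you expect.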
01-13-2012 09:25 AM
Hey Austin, it's Pasquale from Leviton. We are using your DNS trick to get the host name resolved once on the guest network. None of our internal systems get the portal prompt when connecting to the guest network. (Rodger posted above)
01-13-2012 09:34 AM
Hey Pasquale, I knew this sounded familiar! Was just typing an email about some follow-up I had for you.
If internal users connect to the guest SSID, they should get the same subnet and DNS server information guests are getting, correct? So they should get the portal page unless your internal PCs have a proxy set and it is not set to fail through in case it can't reach the proxy. Could this be the case? Try turning off your proxy to see if you at least get the portal.