Contributor I
Posts: 20
Registered: ‎08-10-2015

Aruba Instant and double WAN connection

Hello all,

 

In our scenario, we have a branch office with an internet connection and an MPLS connection to the HQ where ClearPass is installed. Knowing that the internet connection is on VLAN 2 and the MPLS connection is on VLAN1, we would like to deploy a guest SSID where, when you connect, you're able to reach the CPPM server and make the authentication (even with Facebook) with a pre-auth role, and then the client will be hopped to VLAN2 in order to be able to surf the internet.

Knowing that for certain clients VLAN hopping is not working great, how would you manage this situation?

We thought about NATting clients on the AP or publishing the CPPM on the internet.

 

Thank you.

Gabriel 

MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: Aruba Instant and double WAN connection

This is why that setup is not working properly:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Can-I-return-a-different-user-Vlan-after-L3-Captive-portal-based/ta-p/245813
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 20
Registered: ‎08-10-2015

Re: Aruba Instant and double WAN connection

victorfabian wrote:
This is why that setup is not working properly:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Can-I-return-a-different-user-Vlan-after-L3-Captive-portal-based/ta-p/245813

Hi Victor, thank you for the info.

 

Actually we thought to use the NAT way, so create another VLAN and source NAT all the client AP address to the CPPM HQ portal and data port.

Has anyone already implemented this scenario?

 

Gabriel

MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: Aruba Instant and double WAN connection

The issue is that when you change VLANX to VLANY and you are expecting the client to change IP address, the wireless client still thinks that it has the same IP address, but once it registers it is now on another VLAN.

To fully change the IP address the device will need to be rebooted.

If you can keep the client from changing IP address then you should be fine.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 20
Registered: ‎08-10-2015

Re: Aruba Instant and double WAN connection

We tested the NAT scenario and it's working great. So a client is able to reach the corporate HQ network via MPLS (on a certain VLAN) for the authentication stuff and is then able to surf the internet via the WAN connection (on another VLAN).

This obviously requires IP routing between the virtual controller IP address and the subnet/hosts that you want to reach.

 

Cheers,

Gabriel 
