New Contributor
Posts: 3
Registered: ‎04-02-2014

Captive portal in different VLAN/Network for Aruba Instant

Hi,

I have a setup of 6 IAP-105s managed by a virtual controller. This role is assumed by one of the IAPs through the master election procedure. My management traffic goes through VLAN 1. My IAPs have an IP address in 192.168.50.0/24 and their gateway is 192.168.50.1.

Beyond the IAPs, I have a pair of routers in HSRP where only one acts as DHCP server. They serve 2 pools: 192.168.50.0/24 (VLAN 1) and 172.16.0.0/24 (VLAN 2).

 

I have set up 2 SSIDs:

- SSID 1 for employees, mapped to VLAN 1 with WPA2 authentication. Clients get an IP assigned correctly and browsing works.
- SSID 2 for guests, mapped to VLAN 2 with Captive Portal. Here is my problem.

If I activate WPA2 (or no auth) on SSID 2, I get an IP address and browsing works.
If I activate Captive Portal (without WPA2) on SSID 2, I get an IP from DHCP but I never get the captive portal, and of course I have no traffic from client to router (just DNS queries).

In summary, my problem is that the IAP never shows the captive portal when the SSID is mapped to another VLAN. I have read about assigning an IP to the IAP in VLAN 2 but unfortunately I don't find this command in the Aruba Instant CLI.

So, is there some workaround to activate Captive Portal in a VLAN/network where the IAP has no address?

Thanks!

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Captive portal in different VLAN/Network for Aruba Instant

Can users in VLAN 2 access the IAP's address (in VLAN1) using http/https? 

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
New Contributor
Posts: 3
Registered: ‎04-02-2014

Re: Captive portal in different VLAN/Network for Aruba Instant

I haven't tested all scenarios but I'm sure users in VLAN 2 can't:

- Access HTTP on the IAP's real address.
- Ping the VLAN 2 gateway.
- Ping the VLAN 1 gateway.

If I turn on Wireshark, I only see DNS packets.

Any suggestions?

New Contributor
Posts: 3
Registered: ‎04-02-2014

Re: Captive portal in different VLAN/Network for Aruba Instant

I have been doing some lab testing. I think the problem is related to the DNS query. In my understanding, this is what happens:

- The IAP allows the initial DNS query for a web page, for example google.com.
- It intercepts the initial HTTP request and redirects to securelogin.arubanetworks.com.
- The IAP intercepts the second DNS query, for securelogin.arubanetworks.com, and responds with 172.31.98.1.
- The IAP answers the HTTP request to 172.31.98.1 with the captive portal.

Could someone confirm this sequence?

Regards
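Added example, not code from the thread or from Aruba: a small Python probe that walks the sequence described in the post above from a client on the guest SSID and reports at which step it breaks. The probe host (google.com), the portal name securelogin.arubanetworks.com and the 172.31.98.1 portal address come from the post; the probe path, the timeout, the verdict names and the helper functions are this example's own assumptions. It deliberately uses plain HTTP on port 80, because a captive portal can only intercept and redirect cleartext requests.

```python
"""Captive-portal redirect probe (added example, not from the thread).

Reproduces the four steps the post describes:
  1. ordinary DNS lookup, which the IAP lets through
  2. HTTP request, which the IAP intercepts and answers with a redirect
     to securelogin.arubanetworks.com
  3. DNS lookup for the portal name, which the IAP answers with its own
     portal address (172.31.98.1 in the post)
  4. HTTP request to that address, answered by the portal itself
Probe host, path, timeout and verdict names are this example's assumptions.
"""
from __future__ import annotations

import socket
import sys
from urllib.parse import urlsplit

PORTAL_HOST = "securelogin.arubanetworks.com"  # from the post
PROBE_HOST = "google.com"                       # from the post
PROBE_PATH = "/"                                # assumption


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP/1.x reply."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(status: int, headers: dict[str, str]) -> str:
    """'portal-redirect' if the IAP intercepted the request, 'passthrough' if
    the real server answered, 'other-redirect' for any other 3xx."""
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location", "")
        if urlsplit(location).hostname == PORTAL_HOST:
            return "portal-redirect"
        return "other-redirect"
    return "passthrough"


def http_get(host: str, path: str, timeout: float = 5.0) -> bytes:
    """Minimal cleartext HTTP/1.0 GET; returns the raw response bytes."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, 80), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe() -> None:
    """Run the four steps against the live network and print each result."""
    print("1. resolve", PROBE_HOST, "->", socket.gethostbyname(PROBE_HOST))
    status, headers = parse_http_response(http_get(PROBE_HOST, PROBE_PATH))
    verdict = classify(status, headers)
    print("2. GET http://%s%s -> %d (%s)" % (PROBE_HOST, PROBE_PATH, status, verdict))
    if verdict != "portal-redirect":
        print("   no captive-portal redirect seen; this is the symptom from the thread")
        return
    portal_ip = socket.gethostbyname(PORTAL_HOST)
    print("3. resolve", PORTAL_HOST, "->", portal_ip)
    status, _ = parse_http_response(http_get(portal_ip, "/"))
    print("4. GET http://%s/ -> %d" % (portal_ip, status))


if __name__ == "__main__":
    try:
        probe()
    except OSError as exc:  # connect timeout / refused: the traffic never left the VLAN
        print("probe failed:", exc)
        sys.exit(1)
```

Run it from a client that has just associated to the guest SSID and received its DHCP lease. In the failing case from this thread, step 1 succeeds and step 2 either times out (reported as "probe failed") or comes back as "passthrough", which matches the "only DNS packets" observation; in the working case step 2 reports "portal-redirect" and step 3 resolves the portal name to 172.31.98.1.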

 

 

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: Captive portal in different VLAN/Network for Aruba Instant

Yes, that seems right, korxo.

Do you still have this issue?

New Contributor
Posts: 1
Registered: ‎05-08-2013

Re: Captive portal in different VLAN/Network for Aruba Instant


see next post

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive portal in different VLAN/Network for Aruba Instant

Hi,

I'm having the same issue, trying to build just 2 plain SSIDs on an IAP-115, where one SSID is the "standard" network assigned to an untagged VLAN. There my client properly gets a DHCP IP and can also access the Internet. That untagged VLAN is just the AP management network.

So far so good. I tried to add another SSID where I set a "static" VLAN assignment, and on the physical port of the IAP there's a tagged VLAN serving DHCP and Internet access as well.

My Wi-Fi client gets a DHCP IP in the tagged VLAN and only produces DNS queries, but has no Internet access.

The firewall which serves this untagged/tagged VLAN on an interface is directly connected to the IAP. I wonder what else to configure on that plain factory-default IAP. I'm just testing this setup for a customer; I'm more the controller/campus-AP guy and wonder why this kind of setup is not working for me.

wlan access-rule gast-100
 index 0
 rule any any match any any any permit

wlan access-rule default_wired_port_profile
 index 1
 rule any any match any any any permit

wlan access-rule wired-instant
 index 2
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule mgmt-10
 index 3
 rule any any match any any any permit

wlan ssid-profile gast-100
 enable
 index 0
 type employee
 essid gast-100
 wpa-passphrase c5433dbc94f00815c693c0b32d3fc6b55ef69c813bd0df73
 opmode wpa2-psk-aes
 max-authentication-failures 0
 vlan 100
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ssid-profile mgmt-10
 enable
 index 1
 type employee
 essid mgmt-10
 wpa-passphrase 505d05e04c46f9c69e332fddb07cb5506055226abf614873
 opmode wpa2-psk-aes
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

In my opinion I would say that my wired-port profile has to be set up properly, which I haven't changed so far. Could that be the culprit at all?

wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x


enet0-port-profile default_wired_port_profile

As I'm more the controller/campus-AP guy, I normally set up switch access ports or trunk ports on an Aruba campus controller, so I expect I have to set up something on the IAP Ethernet port as well.

I wonder, as my client accessing the gast SSID properly gets a DHCP IP from the tagged VLAN and is able to send DNS queries, why the other traffic is not working. The firewall policy for the outbound traffic from the tagged VLAN 100 is set to any-allowed to external.

thanks for any hints,
ben

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: Captive portal in different VLAN/Network for Aruba Instant

What is the default gateway of VLAN 100?



Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive portal in different VLAN/Network for Aruba Instant

Hi C,

The default gateway for the client is the trusted interface IP address of the firewall's VLAN 100 interface, set to trusted.

As DNS requests are properly sent out from the client-assigned IP address, I wonder why no other traffic is passing outbound.

Is there something to edit in the wired-AP profile settings on the IAP, as everything is set to default values? The IAP is factory default; I only set up the 2 SSIDs with the untagged VLAN 10 and the tagged VLAN 100.

Some interesting info I saw in my outbound firewall log:

I'm able to send and receive WhatsApp messages from that client, which has real outgoing TCP/UDP any traffic to the external WWW.

It's really strange what happens here, as there are no limiting ACLs on that VLAN 100 trusted network.

2016-08-26 13:37:13 Allow 10.0.100.100 174.37.199.199 xmpp-client/tcp 61403 5222 100-guest-cp-VLAN100-tagged 0-External-TCOM-193er Allowed 64 63 (Outgoing-00)  proc_id="firewall" rc="100" 

So overall, I'm able to access outbound WhatsApp port 5222 and DNS 53 is working too, wow ;-)

 

 

 

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive portal in different VLAN/Network for Aruba Instant

Making steps forward: using another DNS server for that VLAN 100 solved it. Clients are now properly accessing the Internet from that tagged VLAN 100. It seems the usual Telekom DNS (T-Online, 194.25.2.129) isn't properly working in this setup. Changing to 8.8.8.8 on the client side works properly.

Really strange, as both IPs are legit DNS servers.
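Added example, not from the thread: a stdlib-only Python check that sends the same A query to both resolvers mentioned above (194.25.2.129 and 8.8.8.8) from a client in the guest VLAN and prints each resolver's response code and answers side by side, so a resolver that refuses, fails or silently drops queries from this network shows up next to one that answers. The query name, the timeout and the function names are this example's own choices; the wire format is the RFC 1035 DNS message format, and only A records are decoded.

```python
"""Compare two recursive resolvers from inside the guest VLAN.

Added example, not from the thread. Sends one A/IN query per resolver over UDP
and reports the response code (NOERROR, REFUSED, SERVFAIL, ...) and any A
records, or NO-RESPONSE on timeout. Resolver list, query name and timeout are
this example's assumptions.
"""
from __future__ import annotations

import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS A/IN query with the RD bit set (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, qid: int) -> tuple[str, list[str]]:
    """Return (rcode name, list of A-record addresses) from a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs: list[str] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def query(resolver: str, name: str, timeout: float = 3.0) -> tuple[str, list[str]]:
    """Send one query over UDP/53 and parse the reply."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, qid)


def compare(resolvers: list[str], name: str) -> dict[str, tuple[str, list[str]]]:
    """Query every resolver; a timeout or malformed reply becomes NO-RESPONSE."""
    results: dict[str, tuple[str, list[str]]] = {}
    for resolver in resolvers:
        try:
            results[resolver] = query(resolver, name)
        except (OSError, ValueError) as exc:
            results[resolver] = ("NO-RESPONSE", [str(exc)])
    return results


if __name__ == "__main__":
    # 194.25.2.129 and 8.8.8.8 are the two resolvers named in the thread.
    for resolver, (rcode, answers) in compare(["194.25.2.129", "8.8.8.8"], "www.example.com").items():
        print(f"{resolver:>15}  {rcode:<12} {', '.join(answers)}")
```

A resolver that returns REFUSED, SERVFAIL or nothing at all while 8.8.8.8 returns NOERROR with addresses is consistent with what the thread observed: the client's lookups leave the VLAN, no usable answer comes back, and so no TCP connection to a web server is ever attempted. This only tests the resolver itself; a captive portal that intercepts DNS, as described earlier in the thread, would still answer the portal name from the IAP regardless of which resolver the client is given.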

 

 
