09-04-2014 01:14 AM
I have a setup of 6 IAP-105 managed by a virtual controller. This role is assumed by one of the IAPs through the master election procedure. My management traffic is going through VLAN 1. My IAPs have an IP address in 192.168.50.0/24 and their gateway is 192.168.50.1.
Beyond the IAPs, I have a pair of routers in HSRP where only one is acting as DHCP server. They serve 2 pools: 192.168.50.0/24 (VLAN 1) and 172.16.0.0/24 (VLAN 2).
I have set up 2 SSIDs:
- SSID 1 for employees, mapped to VLAN 1 with WPA2 authentication. Clients get an IP assigned correctly and have working navigation.
- SSID 2 for guests, mapped to VLAN 2 with Captive Portal. Here is my problem.
If I activate WPA2 (or no auth) on SSID 2, I get an IP address and working navigation.
If I activate Captive Portal (without WPA2) on SSID 2, I get an IP from DHCP but I never get the captive portal and of course I have no traffic from client to router (just DNS queries).
In summary, my problem is that the IAP never shows the captive portal when the SSID is mapped to another VLAN. I have read about assigning an IP to the IAP in VLAN 2 but unfortunately, I don't find this command in the Aruba Instant CLI.
So, is there some workaround to activate Captive Portal in a VLAN/network where the IAP has no address?
09-04-2014 04:41 AM
Can users in VLAN 2 access the IAP's address (in VLAN1) using http/https?
Consulting Systems Engineer - ACCX, ACDX, ACMX
09-08-2014 01:13 AM
I haven't tested all scenarios but I'm sure users in VLAN 2 can't:
- Access HTTP on the IAP's real address.
- Ping the VLAN 2 gateway.
- Ping the VLAN 1 gateway.
If I turn on Wireshark, I only see DNS packets.
09-18-2014 02:18 AM
I have been doing some lab testing. I think the problem is related to the DNS query. In my understanding, this is what happens:
- The IAP allows the initial DNS query for a web page, for example google.com.
- It intercepts the initial HTTP request and redirects to securelogin.arubanetworks.com.
- The IAP intercepts the second DNS query, for securelogin.arubanetworks.com, and responds with 172.31.98.1.
- The IAP answers the HTTP request to 172.31.98.1 by showing the captive portal.
Could someone confirm this sequence?
08-26-2016 04:22 AM
Having the same issue, trying to build up just 2 plain SSIDs on an IAP-115 where one SSID is a "standard" network assigned to an untagged VLAN where my client properly gets a DHCP IP and can also access the internet. That untagged VLAN is just the AP management network.
So far so good. I tried to add another SSID where I set "static" VLAN assignment, and on the physical port of the IAP there is a tagged VLAN serving DHCP and internet access as well.
My Wi-Fi client gets a DHCP IP in the tagged VLAN and only produces DNS queries, but has no internet access.
The firewall which serves this untagged/tagged VLAN on an interface is directly connected to the IAP. I wonder what else to configure on that plain factory-default IAP. I'm just testing this setup for a customer; I'm more the controller/campus-AP guy and wonder why this kind of setup is not working for me.
wlan access-rule gast-100
 index 0
 rule any any match any any any permit

wlan access-rule default_wired_port_profile
 index 1
 rule any any match any any any permit

wlan access-rule wired-instant
 index 2
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule mgmt-10
 index 3
 rule any any match any any any permit

wlan ssid-profile gast-100
 enable
 index 0
 type employee
 essid gast-100
 wpa-passphrase c5433dbc94f00815c693c0b32d3fc6b55ef69c813bd0df73
 opmode wpa2-psk-aes
 max-authentication-failures 0
 vlan 100
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ssid-profile mgmt-10
 enable
 index 1
 type employee
 essid mgmt-10
 wpa-passphrase 505d05e04c46f9c69e332fddb07cb5506055226abf614873
 opmode wpa2-psk-aes
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
In my opinion I would say that my wired-port profile has to be set up properly, which I didn't change so far. Could that be the culprit at all?
wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

enet0-port-profile default_wired_port_profile
As I'm more the controller/campus-AP guy, I normally set up switch access ports or trunk ports on an Aruba campus controller, so I expect I have to set up something on the IAP Ethernet port as well.
I wonder, as my client accessing the gast SSID properly gets a DHCP IP from the tagged VLAN and is able to send DNS queries, why the other traffic is not working? The firewall policy for the outbound traffic from the tagged VLAN 100 is set to any-allowed to external.
Thanks for any hints,
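As an added example (not from this thread and not Aruba's code), a small Python lint that reads a running-config excerpt laid out like the one posted above, resolves which wired-port profile the enet0 uplink uses, and reports for each SSID whether its VLAN is the IAP's native VLAN or must be carried tagged on the uplink trunk. SAMPLE_CONFIG is constructed from the posted profiles, trimmed to the lines the check reads.

```python
# Lint an Aruba Instant running-config excerpt: does the uplink (enet0) wired-port
# profile carry every VLAN an SSID is mapped to?  Added example for this thread,
# not Aruba's code; SAMPLE_CONFIG is constructed from the config posted above.
SAMPLE_CONFIG = """\
wlan ssid-profile gast-100
 essid gast-100
 vlan 100
wlan ssid-profile mgmt-10
 essid mgmt-10
wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
enet0-port-profile default_wired_port_profile
"""

def parse_blocks(text):
    """Non-indented line = block header; indented lines = 'key value' attributes."""
    blocks, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            current = blocks.setdefault(line.strip(), {})
        else:  # a repeated key (e.g. several 'rule' lines) keeps the last value
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return blocks

def vlan_allowed(allowed, vlan):
    """allowed-vlan is 'all' or a list like '1,10-20,100'."""
    if allowed in ("all", ""):
        return allowed == "all"  # missing allowed-vlan: nothing is carried
    ranges = [part.partition("-") for part in allowed.split(",")]
    return any(int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)

def check_ssid_vlans(text):
    """Per ESSID: 'native' (clients land in the IAP's own untagged VLAN),
    'tagged-ok' (uplink is a trunk carrying that VLAN) or 'tagged-missing'."""
    blocks = parse_blocks(text)
    uplink_name = next(k.split()[-1] for k in blocks if k.startswith("enet0-port-profile "))
    uplink = blocks["wired-port-profile " + uplink_name]
    native = int(uplink.get("native-vlan", "1"))
    verdicts = {}
    for name, attrs in blocks.items():
        if name.startswith("wlan ssid-profile "):
            vlan = int(attrs.get("vlan", native))  # no 'vlan' line: native VLAN
            trunked = uplink.get("switchport-mode") == "trunk" and vlan_allowed(uplink.get("allowed-vlan", ""), vlan)
            verdicts[attrs["essid"]] = ("native" if vlan == native
                                        else "tagged-ok" if trunked else "tagged-missing")
    return verdicts
```

For the posted config it reports gast-100 as tagged-ok and mgmt-10 as native, i.e. the uplink trunk is not what blocks the guest VLAN, which matches the thread's later finding that the DNS server was the culprit.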
08-26-2016 04:28 AM
What is the default gateway of VLAN 100?
Aruba Customer Engineering
08-26-2016 04:51 AM
The default gateway for the client is the trusted interface IP address of the firewall's VLAN 100 interface, set to trusted.
As DNS requests are properly sent out from the client-assigned IP address, I wonder why no other traffic is passing outbound.
Is there something to edit in the wired-AP profile settings on the IAP, as everything is set to default values? The IAP is factory default; I only set up the 2 SSIDs with the untagged VLAN 10 and tagged VLAN 100.
Some interesting info I saw in my outbound firewall log:
I'm able to send and receive WhatsApp messages from that client, which has real outgoing TCP/UDP any traffic to the external WWW.
It's really strange what happens here, as there are no limiting ACLs on that VLAN 100 trusted network.
2016-08-26 13:37:13 Allow 10.0.100.100 18.104.22.168 xmpp-client/tcp 61403 5222 100-guest-cp-VLAN100-tagged 0-External-TCOM-193er Allowed 64 63 (Outgoing-00) proc_id="firewall" rc="100"
So overall, I'm able to access outbound WhatsApp port 5222 and DNS 53 is working too, wow ;-)
08-26-2016 05:08 AM
Making steps forward: using another DNS server for that VLAN 100 solved it. Clients are now properly accessing the internet from that tagged VLAN 100. It seems the usual Telekom DNS :
isn't properly working in this setup. Changing to 22.214.171.124 on the client side properly works.
Really strange, as both IPs are legitimate DNS servers.