Occasional Contributor II

External dns

Hello,

 

The Aruba design guide recommends using external DNS when possible for captive portal based guest access.

If external DNS is in play, does the controller management IP participate in any DNS (send/receive) at all during the guest redirection/handover process? (Note: we are sourcing packets from management, not loopback.)

To put it differently, does the controller require DNS connectivity in a guest implementation?

With Trapeze implementations, I had to allow DNS to be sourced from the controller, but thought of getting some thoughts from the forum. If there is a document/link to this info, that would be great.

Thanks,

nerd

 

 

Guru Elite

Re: External dns

The client needs to be able to resolve DNS.  Absolutely.

 

Please see the "Guest Access with ArubaOS" design guide on this page for guest access details:  http://www.arubanetworks.com/technology/reference-design-guides/

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: External dns

Thanks Joseph.

I have no doubts on the clients and DNS connectivity. The question was about the controller and DNS.

 

Retired Employee

Re: External dns

The guest role should have "permit" for DNS traffic on the controller i.e. the controller will just pass through the DNS requests from the client.
--
HT
Occasional Contributor II

Re: External dns

The guest role is allowing DNS traffic.

Let me explain with an example.

Suppose we throw a firewall between the controller and the internet; the controller IP is 192.168.10.50/29 and the guest client subnet is 172.16.20.0/24.

I have allowed DNS/http/https on the firewall for 172.16.10.0/24 only. Do I need to punch a hole for 192.168.10.50/29?

Guru Elite

Re: External dns

I don't know if you made a mistake, but you need to allow DNS from the guest subnet of 172.16.20.0/24 for this to work.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: External dns

Thanks Joseph.

 

This is what we have configured:

 

netdestination P-DNS
  host a.b.c.d
  host e.f.g.h

ip access-list session guest-logon-access
  user any udp 68 deny
  any any svc-dhcp permit time-range w-hours
  user alias P-DNS svc-dns permit time-range w-hours

Occasional Contributor II

Re: External dns

One more thing, folks.

There is dst-nat 8081 on the controller ACL. So I think I need to open port 8081 on the upstream firewall as well.

 

Guru Elite

Re: External dns

No, you don't.

 

The only thing you need is for the clients (not the controller) to be able to resolve DNS.  The controller's role is only to pass the client's traffic.  It does not directly resolve DNS and does not source DNS packets.

 



Colin Joseph
Aruba Customer Engineering
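
Added example (not part of the original thread and not Aruba code): a small Python audit of the upstream firewall scenario discussed above, using the addresses from the posts. The rule-table format, its first-match/default-deny behaviour and the function names are assumptions made for illustration.

```python
import ipaddress

# Addresses quoted in the thread.
GUEST_SUBNET = ipaddress.ip_network("172.16.20.0/24")
CONTROLLER = ipaddress.ip_interface("192.168.10.50/29")  # management IP

# What guest clients must reach through the firewall, per the posts.
REQUIRED = [("udp", 53), ("tcp", 80), ("tcp", 443)]

# Hypothetical firewall table: (action, source, proto, dst_port),
# first match wins, unmatched traffic is denied.
RULES_AS_POSTED = [("permit", "172.16.10.0/24", p, d) for p, d in REQUIRED]
RULES_CORRECTED = [("permit", "172.16.20.0/24", p, d) for p, d in REQUIRED]


def verdict(rules, src_ip, proto, dst_port):
    """Action of the first rule matching one packet, else 'deny'."""
    src = ipaddress.ip_address(str(src_ip))
    for action, source, r_proto, r_port in rules:
        if (proto, dst_port) == (r_proto, r_port) and src in ipaddress.ip_network(source):
            return action
    return "deny"


def gaps(rules, subnet=GUEST_SUBNET):
    """Required guest services that some host in the subnet cannot reach."""
    missing = []
    for proto, port in REQUIRED:
        if not all(verdict(rules, h, proto, port) == "permit" for h in subnet.hosts()):
            missing.append(f"{proto}/{port}")
    return missing


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("corrected", RULES_CORRECTED)):
        print(f"{name}: guest gaps = {gaps(rules) or 'none'}")
        # Per the reply above, the controller does not source DNS, so a
        # deny for its management IP is the expected (and tighter) result.
        print(f"  controller-sourced DNS: {verdict(rules, CONTROLLER.ip, 'udp', 53)}")
```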


Occasional Contributor II

Re: External dns

Thanks for the reply, Joseph.

Looking at the steps involved in guest authentication, it seems that it breaks from Step 14 onwards.

Investigation continues...

 
