Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest access through remote AP

  • 1.  Guest access through remote AP

    Posted Feb 24, 2012 01:48 PM

    Is it possible to do this?

    Having a remote AP, giving people GUEST access, I mean authenticated access with a captive portal, but also making those guest users go to the internet locally at the remote site, while still authenticating in the corporate network?

     

    The remote site is accessed via VPN tunnels, so there is no layer 2 link between the corporate and the central site.



  • 2.  RE: Guest access through remote AP
    Best Answer

    Posted Feb 24, 2012 02:12 PM

    Yes, it is possible. You need to create a guest SSID in split-tunnel forwarding mode.

    • The controller should be the default gateway for this guest network. The initial guest logon role (the pre-auth role for the captive portal) should allow DHCP and DNS and should include the predefined captive-portal firewall policy. (If Amigopod or any other external captive portal is used, then this role should also allow HTTP and HTTPS to the external CP. The firewall policy that allows HTTP/HTTPS access to the external CP should be placed above the predefined captive-portal policy that redirects a user to the captive portal.)
    • The post-authentication role should be a role that will route src-nat all traffic to the WAN.

     

    Sample guest-branch-logon role policies (if you are using the internal CP of the controller, you can remove the amigopod policy from the initial user role):


    • Amigopod

    !

    ip access-list session amigopod

      user alias amigopod svc-http permit

      user alias amigopod svc-https permit

    !

    • captiveportal (predefined policy)
    • guest-logon-access

    !

    ip access-list session guest-logon-access

      user any udp 68 deny

      any any svc-dhcp permit

      user alias public-dns svc-dns permit

    !

     

     

    Sample guest logon role (attach the captive portal profile to the initial role):

     

    !

    user-role guest-branch-logon

     captive-portal "amigopod-cp"

     access-list session amigopod

     access-list session captiveportal

     access-list session guest-logon-access

    !

     

     

    Sample auth-guest role policies:


    • cplogout (predefined policy)
    • guest-logon-access
    • block-internal-access

    !

    ip access-list session block-internal-access

     user alias internal-Network any deny

    !

    • auth-guest-access (this role, which is applied to authenticated guests, will src-nat the traffic to the internet or to the local subnet at the remote site)

    !

    ip access-list session auth-guest-access

      user any svc-http route src-nat

      user any svc-https route src-nat

    !

     

    Sample authenticated guest role (this is the default role in the CP profile):

     

    !

    user-role auth-guest

     access-list session cplogout

     access-list session guest-logon-access

     access-list session block-internal-access

     access-list session auth-guest-access

    !

     

    Now create a VAP in split-tunnel mode and make sure the controller is the default gateway for the guest subnet.

     

    As long as a RAP is able to connect to a controller this should work.

     

    Regards,

    Sathya
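    The pieces the answer above refers to but does not show (the netdestination aliases the session ACLs reference, the captive-portal profile, the AAA profile and the split-tunnel VAP), as an added example that is not part of the original post. Every name, the VLAN number, the RADIUS secret and every address below are assumptions chosen for illustration; replace them with your own. The aliases matter because ArubaOS will not accept a rule such as "user alias internal-Network any deny" until a netdestination of that name exists.

```text
! Added example, not from the original post. Names, VLAN 900, the shared secret and
! all addresses are placeholders (assumptions); the role and ACL names match post 2.

! Aliases referenced by the session ACLs. Here "internal-Network" is the whole
! RFC 1918 space so the deny rule covers every corporate subnet reached over the tunnel.
netdestination internal-Network
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
! External captive portal (Amigopod) host, allowed pre-auth by the "amigopod" ACL.
netdestination amigopod
  host 203.0.113.10
!
! Resolvers the pre-auth role may reach (assumed public resolvers).
netdestination public-dns
  host 8.8.8.8
  host 8.8.4.4
!
! RADIUS server the captive portal authenticates against (assumed to be Amigopod).
aaa authentication-server radius "amigopod-radius"
  host 203.0.113.10
  key changeme-shared-secret
!
aaa server-group "amigopod-srv"
  auth-server "amigopod-radius"
!
! Captive-portal profile: successful login lands the client in auth-guest.
aaa authentication captive-portal "amigopod-cp"
  server-group "amigopod-srv"
  default-role "auth-guest"
  login-page "https://amigopod.example.com/guest/branch_login.php"
!
! AAA profile: new associations start in the pre-auth role from post 2.
aaa profile "guest-branch-aaa"
  initial-role "guest-branch-logon"
!
wlan ssid-profile "guest-branch-ssid"
  essid "Branch-Guest"
  opmode opensystem
!
! The VAP itself, in split-tunnel forwarding mode. The controller needs an
! interface address in VLAN 900 for the captive portal redirect to work.
wlan virtual-ap "guest-branch-vap"
  aaa-profile "guest-branch-aaa"
  ssid-profile "guest-branch-ssid"
  vlan 900
  forward-mode split-tunnel
!
ap-group "branch-raps"
  virtual-ap "guest-branch-vap"
!
```

    Two points worth checking against the ACLs in the answer: session ACLs inside a role are evaluated top to bottom, so block-internal-access has to stay ahead of auth-guest-access in the auth-guest role, otherwise the route src-nat rule would catch traffic to corporate destinations first; and "user any udp 68 deny" in guest-logon-access is the usual guard against a guest client answering DHCP as a server, which is why it sits above the svc-dhcp permit. With forward-mode split-tunnel, a "route src-nat" rule bridges the matching traffic out of the RAP's local uplink with the client's source rewritten to the RAP's address, which is what keeps guest web traffic off the tunnel.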

                                      

     



  • 3.  RE: Guest access through remote AP

    Posted Feb 24, 2012 02:25 PM

    Thanks for replying. I'm doing a lab to see how it works....

    I'll let you know.

     

    Thanks again.



  • 4.  RE: Guest access through remote AP

    Posted Feb 24, 2012 05:45 PM

    Okay, I made it work. I did a fast reading of what you put, and as far as I understand it (correct me if I'm wrong, I just want to check that I did it the correct way):

     

    You basically did the same thing for the captive portal that you do for normal corporate access with a split-tunneling config,

    I mean,

    you do a route src-nat so it uses the internet of your home, for example, and the corporate traffic goes through the tunnel.

     

    Now in the captive portal it's the same, but you just block access to the corporate network with the firewall and only give them access through HTTP and HTTPS, and since you are doing split tunneling and telling it to route src-nat, it will use the internet of the remote office.

     

    Am I right?



  • 5.  RE: Guest access through remote AP

    Posted Feb 27, 2012 01:02 PM

    Yes, you are right. An important thing to remember is that the controller has to be the default gateway if you are using CP in split-tunnel.

     

     

    Regards,

    Sathya



  • 6.  RE: Guest access through remote AP

    Posted Feb 27, 2012 02:09 PM

    Why is that important?

    It seems to work correctly without that...

    The default gateway of that network was my core switch in my office, not the wireless controller.

    But what I do need, if the core switch is routing, is an IP address on the wireless controller in the VLAN I'm using for the captive portal...

     

    Another question:

    Let's say that these remote sites have access to the central site via VPN tunnels... and I don't really need to put these APs as remote APs.

    Is it okay if I just put it as a campus AP, configure the VAP with split tunnel and then configure the source NAT rule in the firewall rules on the role, and it will still work, right?



  • 7.  RE: Guest access through remote AP

    Posted Feb 27, 2012 07:24 PM

    When they first came up with CP for split tunnel, it was a requirement that the controller be the default gateway for the CP, but I think that requirement has been removed. It should work fine with a different core router as the default GW as long as the controller has an IP in that VLAN.

     

    Split-tunnel mode is supported only for RAPs. So if you convert an AP to a campus AP you won't be able to use split-tunneling.

     

    Regards,

    Sathya



  • 8.  RE: Guest access through remote AP

    Posted Feb 27, 2012 08:04 PM

    Thanks for telling me the last part, I didn't know that....

    I also searched in the manual:

     

    "Most ArubaOS features are supported in all forwarding modes. However, there are some features that are not supported in one or more forwarding modes. Campus APs do not support split-tunnel forwarding mode and the decrypt-tunnel forwarding mode does not support TKIP Counter measure management on campus APs or remote APs."

     

     

    So even if the APs can see the private IP address, I'll have to configure them as remote APs, right?

     



  • 9.  RE: Guest access through remote AP

    Posted Feb 27, 2012 09:00 PM

    I don't get what you exactly mean by "So even if the APs can see the private IP address"?

     

    Regards, 

    Sathya



  • 10.  RE: Guest access through remote AP

    Posted Feb 27, 2012 09:10 PM

    What I mean is that a remote AP is meant for corporate access from a remote site that doesn't have ACCESS to the corporate network.

     

    But the remote site ALREADY has access to the corporate site with a VPN tunnel.

     

    I'm doing the remote AP just to make the captive portal use the local internet of the remote site.

     

    You know what I mean...

     

    I'm using this for something it's not meant for, I guess... that's why I was asking if there is any issue with this.

     

     



  • 11.  RE: Guest access through remote AP

    Posted Feb 28, 2012 01:06 AM

    I think you should be fine, but the one thing I would be aware of is fragmentation by your current VPN. If the packet that is IPsec-encrypted by the RAP is fragmented by your VPN and arrives out of order at the controller, the controller might consider it a replay attack. But if you can ensure that this doesn't happen, things should be fine. I haven't encountered this, but someone else can elaborate on this and confirm it.

     

    Regards,

    Sathya



  • 12.  RE: Guest access through remote AP

    Posted Feb 28, 2012 09:33 AM

    Now the question here is: how can I prevent this from happening?

     

    When you say you have not encountered this, is it because:

    1 - you never built a VPN tunnel with the RAP and passed that traffic through a VPN link?

    2 - or you have done it and nothing wrong happened, but you're telling me that it might happen?

     

    Which of the two?

     



  • 13.  RE: Guest access through remote AP

    Posted Feb 28, 2012 10:15 AM

    Question:

    What happens if I do this?

     

    1 - On the central site I do a virtual IP and have a public IP for the wireless controller (of course only opening the correct ports).

    2 - On the remote site I tell the remote AP that the WC IP address is the public IP address of the WC.

     

    This will make the remote AP build a separate VPN tunnel over the internet and all the wireless clients will go through this tunnel?

    Anyway, it's just an idea, I don't know if that works hehe



  • 14.  RE: Guest access through remote AP

    Posted Feb 28, 2012 12:06 PM

    ----------------------------------------
    Question:

    What happens if I do this?

     

    1 - On the central site I do a virtual IP and have a public IP for the wireless controller (of course only opening the correct ports).

    2 - On the remote site I tell the remote AP that the WC IP address is the public IP address of the WC.

     

    This will make the remote AP build a separate VPN tunnel over the internet and all the wireless clients will go through this tunnel?

    Anyway, it's just an idea, I don't know if that works heh
    ----------------------------------------

     

    This is how a typical RAP deployment works, since most people who use RAPs at remote locations don't have a VPN endpoint. This should solve the fragmentation problem.

     

     

    Regards,

    Sathya



  • 15.  RE: Guest access through remote AP

    Posted Mar 01, 2012 11:08 AM

    Well, I tested with a small remote AP I have and it seems to work pretty well.

    I did a lab: I built a VPN tunnel between the office and my house and brought a small RAP-2WG to my house, and it built a separate tunnel as I expected... I tried the captive portal access, which was successful, no issue...

    Now I came to the office today to get a 105 AP and I'll use it as a remote AP to see; it should work with no issue, I guess.

     

    Anyway, many thanks for the idea.

     

     



  • 16.  RE: Guest access through remote AP

    Posted Feb 28, 2012 12:02 PM

    ----------------------------------------
    Now the question here is: how can I prevent this from happening?

     

    When you say you have not encountered this, is it because:

    1 - you never built a VPN tunnel with the RAP and passed that traffic through a VPN link?

    2 - or you have done it and nothing wrong happened, but you're telling me that it might happen?

     

    Which of the two?
    ----------------------------------------

    For this my answer is number 1.



  • 17.  RE: Guest access through remote AP

    Posted Sep 18, 2019 11:33 AM

    Guys, I followed the link but am trying to use a RAP with an external CP from ClearPass. For some reason I see myself connected in the controller with the logon role, but the splash page does not pop up. Actually, I think it is blocked, but my logon rules include whitelisting for my ClearPass IP. What could be wrong?