Security

MVP
Posts: 2,958
Registered: ‎10-25-2011

Guest access through remote AP


Is it possible to do this:

Having a remote AP, giving people GUEST access (I mean authenticated access with a captive portal), but also making those guest users go to the internet locally at the remote site, while still authenticating in the corporate network?

The remote site is accessed via VPN tunnels, so there is no layer 2 bound between the corporate and the central site.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Guest access through remote AP

Yes, it is possible. You need to create a guest SSID in split-tunnel forwarding mode.

  • The controller should be the default gateway for this guest network. The initial guest logon role, or the pre-auth role for captive portal, should allow DHCP and DNS and should include the predefined captive portal firewall policy. If Amigopod or any other external captive portal is used, then this role should also allow HTTP and HTTPS to the external CP; the firewall policy that allows HTTP/HTTPS access to the external CP should be placed above the predefined captive portal policy that redirects a user to the captive portal.
  • The post-authentication role should be a role that will route src-nat all traffic to the WAN.

Sample guest-branch-logon role policies (if you are using the internal CP of the controller you can remove the amigopod policy from the initial user role):

  • amigopod

!
ip access-list session amigopod
  user alias amigopod svc-http permit
  user alias amigopod svc-https permit
!

  • captiveportal (predefined policy)
  • guest-logon-access

!
ip access-list session guest-logon-access
  user any udp 68 deny
  any any svc-dhcp permit
  user alias public-dns svc-dns permit
!

Sample guest logon role (attach the captive portal profile to the initial role):

!
user-role guest-branch-logon
 captive-portal "amigopod-cp"
 access-list session amigopod
 access-list session captiveportal
 access-list session guest-logon-access
!

Sample auth-guest role policies:

  • cplogout (predefined policy)
  • guest-logon-access
  • block-internal-access

!
ip access-list session block-internal-access
 user alias internal-Network any deny
!

  • auth-guest-access (this role, which is applied to authenticated guests, will src-nat the traffic to the internet or to the local subnet at the remote site)

!
ip access-list session auth-guest-access
  user any svc-http route src-nat
  user any svc-https route src-nat
!

Sample authenticated guest role (this is the default role in the CP profile):

!
user-role auth-guest
 access-list session cplogout
 access-list session guest-logon-access
 access-list session block-internal-access
 access-list session auth-guest-access
!

Now create a VAP in split-tunnel mode and make sure the controller is the default gateway for the guest subnet.

As long as a RAP is able to connect to a controller, this should work.

 

Regards,

Sathya
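The roles and policies from the post above, wired to a captive-portal profile, an AAA profile and a split-tunnel VAP, as an added example; this is not Sathya's or Aruba's own configuration. The profile names, VLAN 100, the controller address 10.100.0.2, the Amigopod host, the public DNS hosts, the login URL and the 10.0.0.0/8 internal range are assumed placeholders.

```text
! Assumed placeholders: VLAN 100, 10.100.0.2/24, 10.1.1.50, 10.0.0.0/8, login URL
! The controller holds an address on the guest VLAN (the default gateway,
! or at least a reachable IP, as discussed later in this thread)
interface vlan 100
   ip address 10.100.0.2 255.255.255.0
!
! Aliases referenced by the session policies in the post
netdestination amigopod
   host 10.1.1.50
!
netdestination public-dns
   host 8.8.8.8
   host 1.1.1.1
!
netdestination internal-Network
   network 10.0.0.0 255.0.0.0
!
! External CP profile; default-role is the role a user lands in after login
aaa authentication captive-portal "amigopod-cp"
   default-role "auth-guest"
   login-page "https://amigopod.example.com/guest/login.php"
!
! AAA profile; initial-role is the pre-auth role that carries the CP profile
aaa profile "guest-branch-aaa"
   initial-role "guest-branch-logon"
!
wlan ssid-profile "guest-branch-ssid"
   essid "Branch-Guest"
   opmode opensystem
!
! Split-tunnel VAP; only RAPs support this forwarding mode
wlan virtual-ap "guest-branch-vap"
   ssid-profile "guest-branch-ssid"
   aaa-profile "guest-branch-aaa"
   vlan 100
   forward-mode split-tunnel
!
ap-group "branch-raps"
   virtual-ap "guest-branch-vap"
!
```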


MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: Guest access through remote AP

Thanks for replying. I'm doing a lab to see how it works....

I'll let you know.

Thanks again.

MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: Guest access through remote AP

Okay, I made it work. I did a fast reading of what you put, and as far as I understand (correct me if I'm wrong, I just want to check I did it the correct way):

You basically, for the captive portal, did the same you do for normal corporate access with a split-tunneling config.

I mean, you do a route src-nat so he uses the internet of your home, for example, and the corporate traffic will go through the tunnel.

Now in the captive portal it's the same, but you just block the access to the corporate with the firewall and just give them access through HTTP and HTTPS, and as you are doing split tunneling, telling it to route src-nat, then he will use the internet of the remote office.

Am I right?

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Guest access through remote AP

Yes, you are right. An important thing to remember is that the controller has to be the default gateway if you are using CP in split-tunnel.

Regards,

Sathya

MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: Guest access through remote AP

Why is that important?

It seems to work correctly without that...

The default gateway of that network was my core switch in my office, not the wireless controller.

But what I need, if the core switch is routing, is an IP address on the wireless controller on the VLAN I'm using for the captive portal...

Another question:

Let's say that these remote sites have access via VPN tunnels to the central site... and I don't really need to put these APs as remote APs.

Is it okay if I just put it like a campus AP, configure the VAP with split tunnel and then configure the source NAT rule in the firewall rules on the role, and it will still work, right?

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Guest access through remote AP

When they first came up with CP for split tunnel, it was a requirement that the controller be the default gateway for the CP, but I think that requirement has been removed. It should work fine with a different core router as the default GW as long as the controller has an IP for that VLAN.

Split-tunnel mode is supported only for RAPs. So if you convert an AP to a campus AP you won't be able to use split-tunneling.

Regards,

Sathya

MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: Guest access through remote AP

Thanks for telling me the last part, I didn't know that....

I also searched in the manual:

"Most ArubaOS features are supported in all forwarding modes. However, there are some features that are not supported in one or more forwarding modes. Campus APs do not support split-tunnel forwarding mode and the decrypt-tunnel forwarding mode does not support TKIP Counter measure management on campus APs or remote APs."

So even if the APs can see the private IP address, I'll have to configure them as remote APs, right?

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Guest access through remote AP

I don't get what you exactly mean by "So even if the APs can see the private IP address"?

Regards,

Sathya

MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: Guest access through remote AP

What I mean is that a remote AP is meant to be for corporate access for a remote site that doesn't have ACCESS to the corporate network.

But the remote site ALREADY has access to the corporate site with a VPN tunnel.

I'm doing the remote AP just to make the captive portal use the local internet of the remote site.

You know what I mean...

I'm using this for something it's not meant for, I guess... that's why I was asking if there is no issue with this.
