Security


Guest access through GRE tunnel to Master controller

  • 1.  Guest access through GRE tunnel to Master controller

    EMPLOYEE
    Posted Jan 10, 2013 11:11 AM

    Hi,

     

    I am trying to setup Guest users to tunnel through a GRE tunnel to the Master controller and break out to internet from there.

     

    I've read a number of posts in this forum and various guides and it works, but with some minor issues I can think why.

     

    When a user connects, it is put into the initial role on the local.  Captive portal page is served by the master (ip cp-redirect-address <masterip>).  After entering the credentials, the user is put into the authenticated guest role, on the local, but then the captive portal is presented again.  When I put the credentials in again, it is fine and the user is in the authenticated guest role, on the master, and traffic goes out.

     

    I'm not sure what I've missed here, but when I make the master end of the tunnel trusted, that fixes it, but goes against all the guides and docs I've seen.

     

    I was expecting to see the user appear in the user-table only on the master, not on the local?

     

    Any suggestions?



  • 2.  RE: Guest access through GRE tunnel to Master controller

    Posted Jan 10, 2013 10:20 PM

    Hi Michael,

    Please see this :

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Using-GRE-Tunnels-to-centralize-L3-access/td-p/2831

    I think this is what you are looking for.

     

    For guest only showing on the master, you have to terminate them on the Master, not on local controller.

    - Create VLAN X on master -> give them IP address -> set DHCP for this VLAN

    - Create VLAN X on local -> no IP 

    - Create GRE tunnel for VLAN X (check the link mentioned)

     

    Hope this helps.

    Good luck!

     

     



  • 3.  RE: Guest access through GRE tunnel to Master controller

    Posted Jan 10, 2013 10:21 PM

    Sorry I forgot one thing:

    - Put the vlan on the VAP for Guest, create CP profile.

     



  • 4.  RE: Guest access through GRE tunnel to Master controller

    EMPLOYEE
    Posted Jan 11, 2013 04:18 AM

    I've tried that at first, with the local controller vlan not having an ip.  The clients can connect and get an ip from the master and get dns response, but the captive portal page does not open.

     

    In wireshark I'm not seeing the redirect responses.  It's bound to be something simple, so I'll keep trying to crack it.

     

    :-)



  • 5.  RE: Guest access through GRE tunnel to Master controller

    Posted Jan 11, 2013 05:37 AM

    Can you ping the controller vlan? The dns server?

    What is the dhcp-server for the guest? Is it the controller or something else?

    Tick the "Enable Source Nat" in the vlan for the guest inside the controller.

    What happens if you browse to an IP (e.g. 8.8.8.8)?

    Good luck!



  • 6.  RE: Guest access through GRE tunnel to Master controller

    EMPLOYEE
    Posted Jan 11, 2013 06:10 AM

    Master is the dhcp and gateway.  Client gets an address and I can ping master and dns.  dns is resolving no problem.

     

    ip nat inside enabled on master.

     

    Can't browse to anything and not seeing the http redirect in wireshark.



  • 7.  RE: Guest access through GRE tunnel to Master controller

    Posted Jan 11, 2013 06:25 AM

    Just pieces to the puzzle: what is the initial role for the guest?

    Did you specify the Captive Portal Profile for that role?

    I don't see any other thing that can block the network, please create a ticket so TAC can check and verify your configuration.

    Good luck!



  • 8.  RE: Guest access through GRE tunnel to Master controller

    EMPLOYEE
    Posted Jan 11, 2013 06:27 AM

    If I put an ip on the local controller vlan, then captive portal works fine.  Have a case open now for them to take a quick look.  Will let you know the solution.

     

    :-)



  • 9.  RE: Guest access through GRE tunnel to Master controller

    EMPLOYEE
    Posted Jan 11, 2013 06:51 AM

    If you have a GRE tunnel and you are authenticating on the local, do not make the GRE tunnel untrusted on the master side.  That is why you are getting the second Captive Portal page.

     

    If you are NOT authenticating on the local side (just tunneling the traffic to the master), then you can make the master untrusted.