Aruba
Posts: 1,285
Registered: ‎08-29-2007

Guest access through GRE tunnel to Master controller

Hi,

 

I am trying to setup Guest users to tunnel through a GRE tunnel to the Master controller and break out to internet from there.

 

I've read a number of posts in this forum and various guides and it works, but with some minor issues I can think why.

 

When a user connects, it is put into the initial role on the local.  Captive portal page is served by the master (ip cp-redirect-address <masterip>).  After entering the credentials, the user is put into the authenticated guest role, on the local, but then the captive portal is presented again.  When I put the credentials in again, it is fine and the user is in the authenticated guest role, on the master, and traffic goes out.

 

I'm not sure what I've missed here, but when I make the master end of the tunnel trusted, that fixes it, but goes against all the guides and docs I've seen.

 

I was expecting to see the user appear in the user-table only on the master, not on the local?

 

Any suggestions?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Frequent Contributor I
Posts: 64
Registered: ‎02-28-2012

Re: Guest access through GRE tunnel to Master controller

Hi Michael,

Please see this :

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Using-GRE-Tunnels-to-centralize-L3-access/td-p/2831

I think this is what you are looking for.

 

For guest only showing on the master, you have to terminate them on the Master, not on local controller.

- Create VLAN X on master -> give them IP address -> set DHCP for this VLAN

- Create VLAN X on local -> no IP 

- Create GRE tunnel for VLAN X (check the link mentioned)

 

Hope this helps.

Good luck!

 

 

Frequent Contributor I
Posts: 64
Registered: ‎02-28-2012

Re: Guest access through GRE tunnel to Master controller

Sorry I forgot one thing:

- Put the vlan on the VAP for Guest, create CP profile.

 

Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: Guest access through GRE tunnel to Master controller

I've tried that at first, with the local controller vlan not having an ip.  The clients can connect and get an ip from the master and get dns response, but the captive portal page does not open.

 

In wireshark I'm not seeing the redirect responses.  It's bound to be something simple, so I'll keep trying to crack it.

 

:-)


Frequent Contributor I
Posts: 64
Registered: ‎02-28-2012

Can you ping the controller vlan ? dns server ? What is t...

Can you ping the controller vlan? DNS server?

What is the dhcp-server for the guest? Is it the controller or something else?

Tick the "Enable Source Nat" in the vlan for the guest inside the controller.

What happens if you browse to an IP (e.g. 8.8.8.8)?

 

 

Good luck!

Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: Can you ping the controller vlan ? dns server ? What is t...

Master is the dhcp and gateway.  Client gets an address and I can ping master and dns.  DNS is resolving no problem.

 

ip nat inside enabled on master.

 

Can't browse to anything and not seeing the http redirect in wireshark.


Frequent Contributor I
Posts: 64
Registered: ‎02-28-2012

Re: Can you ping the controller vlan ? dns server ? What is t...

Just pieces to the puzzle, what is the initial role for the guest?

Did you specify the Captive Portal Profile for that role?

 

I don't see any other thing that can block the network, please create a ticket so TAC can check and verify your configuration.

 

 

Good luck!

Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: Can you ping the controller vlan ? dns server ? What is t...

If I put an ip on the local controller vlan, then captive portal works fine.  Have a case open now for them to take a quick look.  Will let you know the solution.

 

:-)


Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: Can you ping the controller vlan ? dns server ? What is t...

If you have a GRE tunnel and you are authenticating on the local, do not make the GRE tunnel untrusted on the master side.  That is why you are getting the second Captive Portal page.

 

If you are NOT authenticating on the local side (just tunneling the traffic to the master), then you can make the master untrusted.

 

 



Colin Joseph
Aruba Customer Engineering
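
The trust rule from the reply above, written as a configuration check. This is an added example, not code from the thread or from Aruba. The sample configs, IP addresses, role and profile names are constructed, the stanza syntax is assumed to follow ArubaOS 6.x, and the "no-authentication" finding is an inferred corollary of the rule rather than something stated in the thread.

```python
import re

# Constructed sample configs (assumed ArubaOS 6.x-style syntax; all values made up).
LOCAL_CFG = """\
user-role guest-logon
  captive-portal guest-cp
"""
MASTER_CFG = """\
interface tunnel 10
  tunnel mode gre 1
  tunnel source 192.0.2.10
  tunnel destination 192.0.2.20
  tunnel vlan 100
"""

def stanzas(cfg):
    """Group indented sub-commands under their unindented header line."""
    out, head = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and head:
            out[head].append(line.strip())
        elif not line[0].isspace():
            head = line.strip()
            out[head] = []
    return out

def local_authenticates(cfg):
    """Assumption: a user-role carrying a captive-portal profile means the local authenticates."""
    return any(h.startswith("user-role ") and any(l.startswith("captive-portal ") for l in body)
               for h, body in stanzas(cfg).items())

def audit(local_cfg, master_cfg, local_ip):
    """Check the master's tunnel(s) towards local_ip against the rule in the thread."""
    auth_local, findings = local_authenticates(local_cfg), []
    for head, body in stanzas(master_cfg).items():
        m = re.fullmatch(r"interface tunnel (\d+)", head)
        if not m or f"tunnel destination {local_ip}" not in body:
            continue
        trusted = "trusted" in body  # absence of the keyword means untrusted
        if auth_local and not trusted:
            findings.append((int(m.group(1)), "double-portal"))      # guest is challenged twice
        elif not auth_local and trusted:
            findings.append((int(m.group(1)), "no-authentication"))  # neither end authenticates
    return findings
```

With the sample configs, `audit(LOCAL_CFG, MASTER_CFG, "192.0.2.20")` reports tunnel 10 as `double-portal`, which matches the symptom in the original post.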
