Guests connect but disconnect soon after

  • 1.  Guests connect but disconnect soon after

    Posted Nov 19, 2013 11:35 AM

    Hi,

    I'm hoping someone can help with this.

    I have a Dell Powerconnect W-620 controller running Aruba 6.1.3.7.

    I also have two APs associated to this controller.

    I have already configured a network for LAN connection using EAP/RADIUS and now I'm trying to create a Guest SSID.

    I have followed what I thought was correct below but it seems the clients (Win7 Laptop and Android Phone) connect, get an IP from the Guest DHCP pool and then disconnect a few seconds afterward.

    Subsequent attempts to connect nearly always fail straight away without getting an IP.

    I have run traces using NetMon on the laptop and not every time there are DHCP requests and you can see the IP given by the Guest VLAN IP to the laptop. If you run a quick 'ipconfig' it gets the IP ok but soon disconnects with no event logs.

    I have only added the pre-authentication role policies below as it doesn't hold its IP long enough to log on to the captive portal.

    Details:

    Guest VLAN created -
    ID=200 - IP 20.20.20.1 /24 - Not associated to any port
    Enabled src-NAT for this VLAN
    Inter-VLAN routing enabled

    DHCP -
    Enabled
    Guest_Pool1 -
    Default Router - 20.20.20.1
    Network - 20.20.20.0 /24
    Range - 20.20.20.6 - 20.20.20.254

    NAT Pools -
    dymanic-srcnat 0.0.0.0 - 0.0.0.0 - 0.0.0.0 for everything

    IP Routes -
    default gateway - 10.0.0.6 (IP of Firewall)
    No other routes

    Roles -

    Role - LM-Guest-guest-logon (pre authentication/captive portal)

    Policies -

    captiveportal
    source user Dest controller Service svc-https Action dst-nat 8081
    source user Dest any Service svc-http Action dst-nat 8080
    source user Dest any Service svc-https Action dst-nat 8081
    source user Dest any Service svc-http-proxy1 Action dst-nat 8088
    source user Dest any Service svc-http-proxy2 Action dst-nat 8088
    source user Dest any Service svc-http-proxy3 Action dst-nat 8088

    Guest-Logon-Access
    source any Dest any Service svc-dhcp Action permit
    source any Dest Public-DNS Service svc-dns Action src-nat pool dymanic-srcnat (Public-DNS contains list of external DNS servers)

    Block-Internal-Networks
    source user Dest Internal-Networks Service any Action deny (Internal Networks lists IP ranges for internal networks)



  • 2.  RE: Guests connect but disconnect soon after

    EMPLOYEE
    Posted Nov 19, 2013 11:39 AM
    Can the user resolve DNS?


  • 3.  RE: Guests connect but disconnect soon after

    Posted Nov 19, 2013 11:43 AM

    Doesn't look like it.

    From what I can gather (since the connection only lasts a few seconds) it gets the DNS servers that I have assigned but it can't resolve www.google.com when pinging during its time of having the IP.



  • 4.  RE: Guests connect but disconnect soon after

    EMPLOYEE
    Posted Nov 19, 2013 11:44 AM
    Resolving DNS is key to bring up the portal. Why are you source natting?


  • 5.  RE: Guests connect but disconnect soon after

    Posted Nov 19, 2013 11:47 AM

    Just going through an Aruba doc, albeit a little old, but it gave me the fundamentals to set this up.

    I have no doubt there is something just configured incorrectly.

    Shall I just permit DNS?



  • 6.  RE: Guests connect but disconnect soon after

    EMPLOYEE
    Posted Nov 19, 2013 11:48 AM
    Yes.


  • 7.  RE: Guests connect but disconnect soon after

    Posted Nov 19, 2013 11:53 AM

    Ok.

    I permitted DNS and it still didn't work.

    Rule for Guest-Logon-Access

    any any svc-dhcp permit
    any public-dns svc-dns permit



  • 8.  RE: Guests connect but disconnect soon after

    EMPLOYEE
    Posted Nov 19, 2013 11:54 AM
    Can the IP address the client gets route to the internet? What is the default gateway?


  • 9.  RE: Guests connect but disconnect soon after

    Posted Nov 19, 2013 12:01 PM

    The client gets an IP 20.20.20.253

    This IP is not routable to the internet

    The VLAN is set directly on the controller.

    The controller is connected to a switch stack which doesn't have this VLAN 200 added to the trunk (not that I thought this was necessary as I understood it used the address of the controller as its NAT)

    This switch then connects to a Firewall and then out to the internet.

    The default gateway on the controller is that of the Internal IP of the Firewall.

    I can understand if the client kept its IP but couldn't get to the Captive Portal but the clients are dropping the wireless connection within 10 seconds....slightly annoying me :-)



  • 10.  RE: Guests connect but disconnect soon after

    Posted Nov 19, 2013 12:23 PM

     

    You need to allow DHCP on your captive portal role too?

    Make sure you have attached the captive portal profile to that role too?



  • 11.  RE: Guests connect but disconnect soon after

    Posted Nov 20, 2013 04:10 AM

    Hi,

    I have just tried that this morning...same problem.

    It connects, client gets an IP, Windows says it's connected but 'identifying' and then it disconnects.

    I'll attach some screen shots of the area the profile/roles are configured.

    Is there a way of getting logs of the connection from the controller or AP?

    I can't find a definitive answer of how to do this online.

    Thanks



  • 12.  RE: Guests connect but disconnect soon after

    Posted Nov 20, 2013 04:40 AM

    I may have found the problem.

    Looks like there is a WIPS profile on there to detect a rogue SSID not matching those in the list.

    The Guest SSID wasn't in the list!!!

    This must have been left over from a previous config.

    Captive Portal loads ok now and I can authenticate ok.

    Just trying to now sort why I can't access the internet even though I can resolve DNS :-)