Security

s_hughes78 · ‎11-19-2013

Hi,

I'm hoping someone can help with this.

I have a Dell Powerconnect W-620 controller running Aruba 6.1.3.7.

I also have two AP's associated to this controller.

I have already configured a network for LAN connection using EAP/RADIUS and now i'm trying to create a Guest SSID.

I have followed what i thought was correct below but it seems the clients (Win7 Laptop and Android Phone) connect, get an IP from the Guest DHCP pool and then disconnect a few seconds afterward.

Subsequent attempts to connect nearly always fail straight away without getting an IP.

I have ran traces using NetMon on the laptop and not every time there are DHCP requests and you can see the IP given by the Guest VLAN IP to the laptop. If you run a quick 'ipconfig' it gets the IP ok but soon disconnects with no event logs.

I have only added the pre-authentication role policies below as it doesn't hold its IP long enough to logon to the captive portal.

Details:

Guest VLAN created -

ID=200 - IP 20.20.20.1 /24 - Not associated to any port

Enabled src-NAT for this VLAN

Inter-VLAN routing enabled

DHCP -

Enabled

Guest_Pool1 -

Default Router - 20.20.20.1

Network - 20.20.20.0 /24

Range - 20.20.20.6 - 20.20.20.254

NAT Pools -

dymanic-srcnat 0.0.0.0 - 0.0.0.0 - 0.0.0.0 for everything

IP Routes -

default gateway - 10.0.0.6 (IP of Firewall)

No other routes

Roles-

Role - LM-Guest-guest-logon (pre authentication/captive portal)

Policies-

captiveportal

source user Dest controller Service svc-https Action dst-nat 8081

source user Dest any Service svc-http Action dst-nat 8080

source user Dest any Service svc-https Action dst-nat 8081

source user Dest any Service svc-http-proxy1 Action dst-nat 8088

source user Dest any Service svc-http-proxy2 Action dst-nat 8088

source user Dest any Service svc-http-proxy3 Action dst-nat 8088

Guest-Logon-Access

source any Dest any Service svc-dhcp Action permit

source any Dest Public-DNS Service svc-dns Action src-nat pool dymanic-srcnat (Public-DNS contains list of external DNS servers)

Block-Internal-Networks

source user Dest Internal-Networks Service any Action deny ( Internal Networks lists IP ranges for internal networks)

cjoseph · ‎11-19-2013

Can the user resolve DNS?

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

s_hughes78 · ‎11-19-2013

Doesn't look like it.

From what i can gather (since the connection only lasts a few seconds) it gets the DNS servers that i have assigned but it can't resolve www.google.com when pinging during its time of having the IP.

cjoseph · ‎11-19-2013

Resolving DNS is key to bring up the portal. Why are you source natting?

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

s_hughes78 · ‎11-19-2013

Just going through an Aruba doc, albeit a little old but it gave me the fundamentals to set this up.

I have no doubt there is something just configured incorrectly.

Shall i just permit DNS ?

cjoseph · ‎11-19-2013

Yes.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

s_hughes78 · ‎11-19-2013

Ok.

I permitted DNS and it still dodn't work.

Rule for Guest-Logon-Access

any any svc-dhcp permit

any public-dns svc-dns permit

cjoseph · ‎11-19-2013

Can the IP address the client gets route to the internet? What is the default gateway?

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

s_hughes78 · ‎11-19-2013

The client gets an IP 20.20.20.253

This IP is not routable to the internet

The VLAN is set directly on the controller.

The controller is connected to a switch stack which doesn't have this VLAN 200 added to the trunk (not that i though this was necessary as i understood it used the address of the controller as its NAT)

This switch then connects to a Firewall and then out to the internet.

The default gateway on the controller is that of the Internal IP of the Firewall.

I can understand if the client kept its IP but couldn't get to the Captive Portal but the clients are dropping the wireless connection within 10 seconds....slightly annoying me :-)

Victor Fabian · ‎11-19-2013

You need to allow DHCP on your captive portal role too ?

Make sure you have attached the captive portal profile to that role too ?

Security

Guests connect but disconnect soon after

Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Re: Guests connect but disconnect soon after

Follow Us