Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

L3 GRE Tunnel between Aruba Controller and ClearPass Guest

  • 1.  L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted May 16, 2014 04:17 PM

    Have run into a configuration issue and need some expert help.

     

    I have a guest VLAN on 192.168.225.0/24 network and all of our internal infrastructure on 172.16.0.0/16. By design, the guest network cannot talk to internal infrastructure, which has presented a bit of an issue for ClearPass Guest enablement.

     

    ClearPass is set up on the management port only in the 172 network. I have tried to set up a L3 GRE tunnel between both the controller and the clearpass server at the request of TAC, and have had no luck yet. My config on the controller is:

     

    (config) #interface tunnel 1
    (config-tunnel) #tunnel mode gre ip
    (config-tunnel) #no shutdown
    (config-tunnel) #trusted
    (config-tunnel) #ip address 10.1.1.1 255.255.255.255
    (config-tunnel) #tunnel source 10.1.1.1
    (config-tunnel) #tunnel destination 172.16.1.10 

     

    I have two questions and this will probably help me in the long run - when configuring an L3 GRE tunnel, what should the tunnel source be? The tunnel IP on the controller or the tunnel IP on the Clearpass server? Since we're handling guest requests coming inbound on the Aruba controller, I would think the source would be the controller itself, but if I am wrong in that assumption, please let me know. The tunnel destination I have configured is the IP of the management port on the Clearpass server - should this be the tunnel IP instead?

     

    On the ClearPass side, I have set up the GRE tunnel with a local inner ip of 10.1.1.2, remote outer IP to the controller IP in the 172 network and set the remote inner IP to 10.1.1.1 - I had verified this configuration with TAC and they said it was correct. 

     

    I have ACLs set up to pass traffic through the tunnel, directed to the ClearPass server.

     

    The problem that I have run into is that when I connect to the guest network, the redirection to the guest login portal page within ClearPass does not populate. I am able to get an IP and I am able to ping the controller, but I cannot ping through the tunnel to the ClearPass server. Is there something wrong with the configuration on the controller that might be failing me?

     

    Thanks in advance!



  • 2.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    EMPLOYEE
    Posted May 16, 2014 08:07 PM

    Did you add a route on the ClearPass commandline that points back to the client subnet?

     

    network ip add gre0 -d 192.168.225.0/24 -g 10.1.1.1

     

    This is assuming that gre0 is your created gre tunnel and 192.168.225.0 is your client subnet and the controller end of the tunnel is 10.1.1.1

     

    Use "network ip list" to see what routes have been added

     



  • 3.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted May 18, 2014 04:23 PM

    Thanks for the reply Colin-

     

    I had added the network route on Friday and still no traffic through the tunnel. I haven't been able to rule out a firewall, which at this point is the only thing I can come up with that might be causing me all this headache. Is there anything else I can try?

     

    Thanks for your help



  • 4.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Jan 25, 2021 07:51 AM
    What about AOS8 clusters? How should the configuration look when having two MDs in a cluster? One GRE tunnel for each MD?




  • 5.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    EMPLOYEE
    Posted May 18, 2014 04:48 PM
    Type "show datapath tunnel table" and see if the encaps and decaps are going up on the Aruba side of the tunnel.


  • 6.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Nov 05, 2016 09:37 AM

    I have a similar configuration working, except on the CPPM route entry I needed to point the gateway to CPPM's local inner tunnel IP. So in this example it would be:

    network ip add gre0 -d 192.168.225.0/24 -g 10.1.1.2

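
The replies above hinge on two things lining up: the outer (transport) addresses that carry the GRE packets and the inner (tunnel) addresses that sit on the tunnel interface, plus a return route on ClearPass for the guest subnet. The following Python check is an added example for this thread, not code from the posts or from HPE Aruba. It loads the values posted in the first message (the controller's own 172.16 address is not stated on the page, so 172.16.1.1 is an assumed placeholder), accepts either gateway variant given in posts 2 and 6, and reports where the two ends disagree; with the posted values it flags that the controller's tunnel source is the tunnel's inner address rather than the controller's address that ClearPass was told to expect.

```python
"""Consistency check for an ArubaOS controller <-> ClearPass L3 GRE tunnel.

Added example for this thread; it is not code from the original posts or
from HPE Aruba. Each tunnel end is modelled as a dict of the values typed
into the two CLIs. The check confirms that the outer (transport) and inner
(tunnel) addresses line up and that ClearPass has a return route for the
guest subnet out of the GRE interface.
"""
import ipaddress

GUEST_SUBNET = "192.168.225.0/24"

# Controller values as posted in the first message. The controller's own
# address in 172.16.0.0/16 is not given on the page; 172.16.1.1 is assumed.
CONTROLLER_POSTED = {
    "outer_ip": "172.16.1.1",             # assumed controller IP in the 172 network
    "tunnel_source": "10.1.1.1",          # as posted: 'tunnel source 10.1.1.1'
    "tunnel_destination": "172.16.1.10",  # as posted: ClearPass management port
    "inner_ip": "10.1.1.1",               # as posted: 'ip address 10.1.1.1 ...'
}

# ClearPass side as described in the first message, plus the return route
# from the replies. 'gre0' is the interface name used in those replies.
CLEARPASS = {
    "outer_ip": "172.16.1.10",
    "remote_outer_ip": "172.16.1.1",      # "controller IP in the 172 network" (assumed value)
    "local_inner_ip": "10.1.1.2",
    "remote_inner_ip": "10.1.1.1",
    "routes": [
        # network ip add gre0 -d 192.168.225.0/24 -g 10.1.1.1
        {"iface": "gre0", "dest": "192.168.225.0/24", "gateway": "10.1.1.1"},
    ],
}


def check_gre_pair(ctrl, cppm, guest_subnet, tunnel_iface="gre0"):
    """Return a list of mismatches; an empty list means both ends describe
    the same tunnel and ClearPass can route replies back into it."""
    problems = []

    # 1. Outer addresses. GRE rides in plain IP between two addresses that
    #    are reachable over the 172 network, so the controller's 'tunnel
    #    source' must be its own routable address and must be the address
    #    ClearPass was given as its remote outer IP; the destination must be
    #    the ClearPass address the tunnel terminates on.
    if ctrl["tunnel_source"] != ctrl["outer_ip"]:
        problems.append(f"controller: tunnel source {ctrl['tunnel_source']} is not "
                        f"the controller's routable address {ctrl['outer_ip']}")
    if ctrl["tunnel_source"] != cppm["remote_outer_ip"]:
        problems.append(f"outer mismatch: controller sources GRE from "
                        f"{ctrl['tunnel_source']} but ClearPass expects "
                        f"{cppm['remote_outer_ip']}")
    if ctrl["tunnel_destination"] != cppm["outer_ip"]:
        problems.append(f"outer mismatch: controller sends to {ctrl['tunnel_destination']} "
                        f"but ClearPass terminates on {cppm['outer_ip']}")

    # 2. Inner addresses: the pair that lives on the tunnel interface itself.
    #    They must be distinct and each side must name the other's address.
    if ctrl["inner_ip"] != cppm["remote_inner_ip"]:
        problems.append(f"inner mismatch: controller tunnel IP {ctrl['inner_ip']} "
                        f"!= ClearPass remote inner IP {cppm['remote_inner_ip']}")
    if ctrl["inner_ip"] == cppm["local_inner_ip"]:
        problems.append("inner addresses collide: both ends use the same tunnel IP")

    # 3. Return route on ClearPass. Guest traffic arrives via the tunnel, so
    #    a route for the guest subnet must leave via the GRE interface. The
    #    thread shows the gateway as either end's inner IP, so both are accepted.
    guest = ipaddress.ip_network(guest_subnet)
    inner_ends = {ctrl["inner_ip"], cppm["local_inner_ip"]}
    back = [r for r in cppm["routes"]
            if r["iface"] == tunnel_iface
            and guest.subnet_of(ipaddress.ip_network(r["dest"]))]
    if not back:
        problems.append(f"ClearPass: no route for {guest_subnet} via {tunnel_iface}")
    for r in back:
        if r["gateway"] not in inner_ends:
            problems.append(f"ClearPass: route to {r['dest']} uses gateway "
                            f"{r['gateway']}, which is neither tunnel inner address")
    return problems


def corrected_controller(ctrl):
    """Same tunnel, but sourced from the controller's routable address."""
    fixed = dict(ctrl)
    fixed["tunnel_source"] = ctrl["outer_ip"]
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as posted", CONTROLLER_POSTED),
                       ("corrected", corrected_controller(CONTROLLER_POSTED))):
        issues = check_gre_pair(cfg, CLEARPASS, GUEST_SUBNET)
        print(f"{label}: {'OK' if not issues else ''}")
        for p in issues:
            print("  -", p)
```

The check deliberately does not choose between the `-g 10.1.1.1` and `-g 10.1.1.2` route variants, since the thread reports both working; what it does insist on is that the route exits the GRE interface and that the outer source on the controller is the same address ClearPass was configured to expect.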
     



  • 7.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Nov 11, 2016 03:35 PM

    What about if the ClearPass server has a VIP?



  • 8.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Nov 11, 2016 03:56 PM

    What about if authentications to CPG are going to a VIP? Can you point the controller to the VIP remote IP and make identical tunnels on both CP nodes?



  • 9.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Nov 11, 2016 04:28 PM

    You can have a tunnel go to each of the CPPM nodes. Then in your guest-logon captiveportal policy you can write a rule referencing a tunnel-group. Ex:

     

    #ip access-list session captiveportal

    #user alias <cppm servers> svc-https redirect tunnel-group <tunnel-group>

     

    One thing to point out.. Tunnel-groups rely on keepalives to monitor tunnel state. Currently CPPM doesn't advertise keepalives in its tunnel interfaces. So your tunnels on the controller will always read up/up even if a tunnel on the far end goes down.



  • 10.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Oct 23, 2017 03:02 PM

    I am having two issues with this:

     

    1 - When I have my Captive Portal profile guest login URL set to the ClearPass VIP, it will not load since my GRE tunnel destination is the CPPM mgmt port address (it works fine when my guest login URL is the mgmt port address rather than the VIP and my VIP works fine for everything else)

     

    2 - When I add a tunnel to the tunnel group, it requires me to enable the keepalive timer. Once the keepalive timer is enabled, I can no longer ping the ClearPass end of the GRE tunnel from the controller. 

     

    Has anyone successfully set this up with redundant CPPM boxes?



  • 11.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    EMPLOYEE
    Posted Jan 25, 2021 12:13 PM
    Did you consider using NAT to solve this?

    You can assign a dummy IP address from the guest subnet on your external router/firewall and NAT that IP to the ClearPass internal VIP. This might be a simpler approach if it is possible in your environment.

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 12.  RE: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

    Posted Aug 26, 2021 05:22 PM
    I think the idea in using the GRE tunnel is to keep the untrusted guest traffic off the corporate network.

    ------------------------------
    Kelly L
    ------------------------------