Security

Contributor I
Posts: 20
Registered: ‎11-07-2013

L3 GRE Tunnel between Aruba Controller and ClearPass Guest

Have run into a configuration issue and need some expert help.

I have a guest VLAN on 192.168.225.0/24 network and all of our internal infrastructure on 172.16.0.0/16. By design, the guest network cannot talk to internal infrastructure, which has presented a bit of an issue for ClearPass Guest enablement.

ClearPass is set up on the management port only in the 172 network. I have tried to set up a L3 GRE tunnel between both the controller and the clearpass server at the request of TAC, and have had no luck yet. My config on the controller is:

(config) #interface tunnel 1
(config-tunnel) #tunnel mode gre ip
(config-tunnel) #no shutdown
(config-tunnel) #trusted
(config-tunnel) #ip address 10.1.1.1 255.255.255.255
(config-tunnel) #tunnel source 10.1.1.1
(config-tunnel) #tunnel destination 172.16.1.10

I have two questions and this will probably help me in the long run - when configuring an L3 GRE tunnel, what should the tunnel source be? The tunnel IP on the controller or the tunnel IP on the Clearpass server? Since we're handling guest requests coming inbound on the Aruba controller, I would think the source would be the controller itself, but if I am wrong in that assumption, please let me know. The tunnel destination I have configured is the IP of the management port on the Clearpass server - should this be the tunnel IP instead?

On the ClearPass side, I have set up the GRE tunnel with a local inner IP of 10.1.1.2, remote outer IP set to the controller IP in the 172 network, and the remote inner IP set to 10.1.1.1. I had verified this configuration with TAC and they said it was correct.

I have ACLs set up to pass traffic through the tunnel, directed to the ClearPass server.

The problem that I have run into is that when I connect to the guest network, the redirection to the guest login portal page within ClearPass does not populate. I am able to get an IP and I am able to ping the controller, but I cannot ping through the tunnel to the ClearPass server. Is there something wrong with the configuration on the controller that might be failing me?

Thanks in advance!

Guru Elite
Posts: 21,036
Registered: ‎03-29-2007

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

Did you add a route on the ClearPass commandline that points back to the client subnet?

network ip add gre0 -d 192.168.225.0/24 -g 10.1.1.1

This is assuming that gre0 is your created GRE tunnel, 192.168.225.0 is your client subnet, and the controller end of the tunnel is 10.1.1.1.

Use "network ip list" to see what routes have been added.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
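The source/destination question in the opening post and the return-route advice above can be checked mechanically. This Python checker is an added example, not code from the thread or from Aruba/HPE: it parses the posted controller stanza and compares it with the CPPM settings described in the thread. The controller's routable address (172.16.1.1) and CPPM's outer address (172.16.1.10) are assumed, and the route check accepts either inner tunnel IP as gateway.

```python
import ipaddress
import re

# Controller tunnel lines as posted in the thread (CLI prompts stripped).
CONTROLLER_CONFIG = """
interface tunnel 1
 tunnel mode gre ip
 ip address 10.1.1.1 255.255.255.255
 tunnel source 10.1.1.1
 tunnel destination 172.16.1.10
"""
# CPPM side as described in the thread. The controller's routable address
# (172.16.1.1) and CPPM's management address (172.16.1.10) are assumptions.
CONTROLLER_OUTER_IPS = {"172.16.1.1"}
CPPM = {"local_outer": "172.16.1.10", "local_inner": "10.1.1.2",
        "remote_outer": "172.16.1.1", "remote_inner": "10.1.1.1"}
CLIENT_SUBNET = "192.168.225.0/24"

def parse_controller_tunnel(text):
    """Pull inner IP, tunnel source and destination out of the tunnel stanza."""
    cfg = {}
    for key, pat in (("inner", r"ip address (\S+)"), ("source", r"tunnel source (\S+)"),
                     ("destination", r"tunnel destination (\S+)")):
        m = re.search(r"^\s*" + pat, text, re.M)
        if m:
            cfg[key] = m.group(1)
    return cfg

def check_tunnel(ctrl, cppm, ctrl_outer_ips, cppm_routes, client_subnet):
    """Return findings (empty list = both ends agree and the return path exists).
    cppm_routes is a list of (destination, interface, gateway) tuples."""
    findings = []
    # Outer addresses: the GRE source must be an address the peer can reach, and
    # it must equal what the peer configured as its remote outer IP.
    if ctrl["source"] not in ctrl_outer_ips:
        findings.append("tunnel source %s is not a routable controller address" % ctrl["source"])
    if ctrl["source"] != cppm["remote_outer"]:
        findings.append("controller source %s != CPPM remote outer %s" % (ctrl["source"], cppm["remote_outer"]))
    if ctrl["destination"] != cppm["local_outer"]:
        findings.append("controller destination %s != CPPM local outer %s" % (ctrl["destination"], cppm["local_outer"]))
    # Inner addresses must cross-reference (controller inner == CPPM remote inner).
    if ctrl.get("inner") != cppm["remote_inner"]:
        findings.append("controller inner %s != CPPM remote inner %s" % (ctrl.get("inner"), cppm["remote_inner"]))
    # Return path: replies to the client subnet must be routed back into gre0.
    net = ipaddress.ip_network(client_subnet)
    inner_ends = {cppm["local_inner"], cppm["remote_inner"]}
    if not any(ipaddress.ip_network(d) == net and i.startswith("gre") and g in inner_ends
               for d, i, g in cppm_routes):
        findings.append("CPPM has no route for %s via gre0; add it with 'network ip add'" % client_subnet)
    return findings
```

Run `check_tunnel(parse_controller_tunnel(CONTROLLER_CONFIG), CPPM, CONTROLLER_OUTER_IPS, [], CLIENT_SUBNET)` to see the findings for the posted configuration.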

Contributor I
Posts: 20
Registered: ‎11-07-2013

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

Thanks for the reply, Colin.

I had added the network route on Friday and still no traffic through the tunnel. I haven't been able to rule out a firewall, which at this point is the only thing I can come up with that might be causing me all this headache. Is there anything else I can try?

Thanks for your help

Guru Elite
Posts: 21,036
Registered: ‎03-29-2007

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

Type "show datapath tunnel table" and see if the encaps and decaps are going up on the Aruba side of the tunnel.


Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 1
Registered: ‎09-04-2013

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

I have a similar configuration working, except on the CPPM route entry I needed to point the gateway to CPPM's local inner tunnel IP. So in this example it would be:

network ip add gre0 -d 192.168.225.0/24 -g 10.1.1.2

Contributor II
Posts: 53
Registered: ‎11-24-2014

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

What about if the ClearPass server has a VIP?

Contributor II
Posts: 53
Registered: ‎11-24-2014

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

What about if authentications to CPG are going to a VIP? Can you point the controller to the VIP remote IP and make identical tunnels on both CP nodes?

Occasional Contributor II
Posts: 21
Registered: ‎02-12-2012

Re: L3 GRE Tunnel between Aruba Controller and ClearPass Guest

You can have a tunnel go to each of the CPPM nodes. Then in your guest-logon captiveportal policy you can write a rule referencing a tunnel-group. Ex:

#ip access-list session captiveportal
#user alias <cppm servers> svc-https redirect tunnel-group <tunnel-group>

One thing to point out: tunnel-groups rely on keepalives to monitor tunnel state. Currently CPPM doesn't advertise keepalives on its tunnel interfaces, so your tunnels on the controller will always read up/up even if a tunnel on the far end goes down.
