Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Vlan Pools an CP

  • 1.  Vlan Pools an CP

    Posted Jun 17, 2013 07:28 AM

    So I have about 6 VLANs pooled and I set the pool as the VLAN in my VAP profile. I set up an IP in one of the subnets on the controller.

    I set the CP-redirect address to that address.


    Do I need to enable dst-nat on that interface?

    Do I need to enable inter-VLAN routing for the client to talk to the controller?


    Is there any docs to help configure this?

    TIA




  • 2.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 07:41 AM

    You need to:

    set up "ip cp-redirect" to an IP interface on the controller

    turn on "Allow Tri-session with DNAT" under Advanced Services > Stateful Firewall




  • 3.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 09:23 AM

    Still no luck getting the CP page.

    I get nothing; the browser just times out.

    I have DNS working.

    I can ping the CP ip redirect address.

    Do I need to enable source NAT or inter-VLAN routing?

    What about Deny Inter User Traffic? Will this stop the users from getting to the IP of the controller VLAN, since they are both users on the wifi?




  • 4.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 09:25 AM

    Inter-VLAN routing on the interfaces should be enabled by default.  Yes, you should have this enabled.  Is there a reason to disable it?

    Deny inter user traffic should not have an effect.




  • 5.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 09:59 AM

    OK, so I have 6 subnets:

    10.24.0.0/21 

    10.24.4.0/21

    10.24.8.0/21

    10.24.12.0/21

    10.24.16.0/21

    10.24.20.0/21


    I have the IP cp-redirect address as 10.24.12.5, which is the IP on the controller VLAN for 10.24.12.x.

    Enable source NAT for this VLAN is NOT checked.

    From the wireless laptop I can ping 10.24.12.5.

    I can resolve DNS, no problems.

    I have Allow Tri-session with DNAT checked.

    Still no luck with redirection.




  • 6.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 10:01 AM

    Can the user put the ip cp-redirect address into the browser?  Can you confirm the role that the user gets?  Are you using the same captive portal authentication profile anywhere else?  Can you get it to work with a single VLAN?




  • 7.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 10:11 AM

    Can the user put the ip cp-redirect address into the browser? Nothing happens; it just says connecting and keeps spinning.

    Can you confirm the role that the user gets? Yes, it's CCwCP_Preauth; show rights ccwpreauth attached.

    Are you using the same captive portal authentication profile anywhere else? Yes, it was working with 1 VLAN with the controller as the DHCP and the default gateway for the subnet.

    Now it's 6 VLANs configured on a Cisco router with IP helpers to 2 DHCP servers.

    I get an address fine.

    I get the proper Preauth profile but no CP login to get to the Guest profile.




  • 8.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 10:15 AM

    Can the unauthenticated clients ping the ip cp-redirect address?  Please post "show datapath session table <ip address of client>" when it is trying to reach the controller.  Make sure the ip cp-redirect address is an ip address on that specific controller that is routable to all of your clients.  I would start with a single VLAN first to work out config issues and then move to multiple VLANs when that is working.



  • 9.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 10:22 AM

    Yes, the unauthenticated host can ping the cp-redirect IP; see attached datapath.jpg.

    Yes, the controller IP for cp-redirect is reachable from all clients.




  • 10.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 10:23 AM

    The datapath when the client launches the browser, please.




  • 11.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 10:36 AM

    10.29.1.211 is the VLAN 1 IP on the controller.

    It looks like it's trying to use that?

    But the following is from the controller:

    #  show ip cp-redirect-address

    Captive Portal IPv4 redirect Address ... 10.24.12.5
    Captive Portal IPv6 redirect Address ... ::1

    Attachment(s): datapath opein browser.txt (42 KB)


  • 12.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 10:46 AM

    What version of ArubaOS is this?  



  • 13.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 10:47 AM

    OK, new information.

    This worked when I tried it.

    I put a new IP on the controller in the VLAN that I got the DHCP from.

    So I got IP 10.24.22.69, which is on the 10.24.20.0/21 subnet.

    I put 10.24.20.5 as the cp-redirect address and configured it in the IP for that VLAN on the controller.

    It works, so why won't it redirect me if I'm in one of the other VLANs, if I can ping and route to the other IP of 10.20.12.5 in the same VLAN pool?




  • 14.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 10:48 AM

    6.1.3.7

    on a 6000 controller



  • 15.  RE: Vlan Pools an CP

    EMPLOYEE
    Posted Jun 17, 2013 10:49 AM

    The Config -> Advanced Services -> Stateful Firewall -> Allow Tri-session with DNAT setting is designed to deal with that.  Hopefully you have it enabled on the local controller with the issue.




  • 16.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 10:50 AM

    Yes, I do.



  • 17.  RE: Vlan Pools an CP
    Best Answer

    Posted Jun 17, 2013 10:51 AM

    The controller needs an IP on every VLAN that will have captive portal authentication on it; not just one.

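    A check for the condition in that answer, written as an added example (not from the thread, from HPE Aruba, or from ArubaOS): given the pooled subnets, the controller's interface addresses and the cp-redirect address, it lists every pooled VLAN without a controller IP, flags a cp-redirect address that is not a controller interface, and flags pooled subnets that overlap. The six /21s as posted do overlap (10.24.4.0/21 normalizes to 10.24.0.0/21), so the example assumes the pool was meant to be six /22s; the per-VLAN controller addresses other than 10.24.12.5 and 10.24.20.5 are constructed.

```python
import ipaddress
from typing import Iterable, List

# Subnets as posted in the thread. As /21s they overlap, so the example also
# builds the /22 version it assumes was intended (assumption, not from the thread).
POOL_AS_POSTED = ["10.24.0.0/21", "10.24.4.0/21", "10.24.8.0/21",
                  "10.24.12.0/21", "10.24.16.0/21", "10.24.20.0/21"]
POOL_AS_22S = [s.replace("/21", "/22") for s in POOL_AS_POSTED]

# Controller addresses: only 10.24.12.5 and 10.24.20.5 appear in the thread;
# the other .5 addresses are constructed to stand for "one IP per pooled VLAN".
ONE_IP_ONLY = ["10.24.12.5"]
ONE_IP_PER_VLAN = ["10.24.0.5", "10.24.4.5", "10.24.8.5",
                   "10.24.12.5", "10.24.16.5", "10.24.20.5"]


def check_vlan_pool(pool_subnets: Iterable[str], controller_ips: Iterable[str],
                    cp_redirect: str) -> List[str]:
    """Return the problems that would keep captive-portal redirect from working
    on a VLAN pool; an empty list means the pool passes every check here."""
    problems: List[str] = []
    nets: List[ipaddress.IPv4Network] = []
    for s in pool_subnets:
        net = ipaddress.ip_network(s, strict=False)  # tolerate host bits, but report them
        if str(net) != s:
            problems.append(f"{s} has host bits set; it normalizes to {net}")
        nets.append(net)
    # Pooled VLANs must be distinct subnets, or clients land in ambiguous ranges.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # The thread's fix: the controller needs an address inside every pooled VLAN.
    ips = [ipaddress.ip_address(i) for i in controller_ips]
    for net in nets:
        if not any(ip in net for ip in ips):
            problems.append(f"no controller IP in {net}")
    # The redirect target must itself be one of the controller's interface addresses.
    if ipaddress.ip_address(cp_redirect) not in ips:
        problems.append(f"cp-redirect {cp_redirect} is not a controller interface address")
    return problems


if __name__ == "__main__":
    for label, ips in (("before fix", ONE_IP_ONLY), ("after fix", ONE_IP_PER_VLAN)):
        print(label, check_vlan_pool(POOL_AS_22S, ips, "10.24.12.5") or "OK")
    print("as posted", check_vlan_pool(POOL_AS_POSTED, ONE_IP_PER_VLAN, "10.24.12.5"))
```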


  • 18.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 11:21 AM

    Thanks for your help; the trick was to put an IP on all the VLANs in the pool.




  • 19.  RE: Vlan Pools an CP

    Posted Jun 17, 2013 11:31 AM

    No problem mmikolay.