Contributor I

Vlan Pools and CP

So I have about 6 VLANs pooled and I set the pool as the VLAN in my VAP profile. I set up an IP in one of the subnets on the controller.

I set the CP-redirect address to that address.

 

Do I need to enable dst-nat on that interface?

Do I need to enable inter-VLAN routing for the client to talk to the controller?

Are there any docs to help configure this?

TIA

 

 

Guru Elite

Re: Vlan Pools and CP

You need to:

set up "ip cp-redirect" to an IP interface on the controller

turn on "Allow Tri-session with DNAT" under Advanced Services > Stateful Firewall

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: Vlan Pools and CP

Still no luck getting the CP page.

I get nothing; the browser just times out.

 

I have dns working

I can ping the CP ip redirect address

 

Do I need Enable source NAT or inter-VLAN routing enabled?

What about Deny Inter User Traffic? Will this stop the users from getting to the IP of the controller VLAN, since they are both users on the wifi?

 

 

 

 

Guru Elite

Re: Vlan Pools and CP

Inter VLAN routing on the interfaces should be enabled by default. Yes, you should have this enabled. Is there a reason to disable it?

 

Deny inter user traffic should not have an effect.

 



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: Vlan Pools and CP

OK, so I have 6 subnets

 

10.24.0.0/21 

10.24.4.0/21

10.24.8.0/21

10.24.12.0/21

10.24.16.0/21

10.24.20.0/21

 

I have the IP cp-redirect address as 10.24.12.5, which is the IP on the controller VLAN for 10.24.12.x

Enable source NAT for this VLAN is NOT checked.

From the wireless laptop I can ping the 10.24.12.5

I can resolve DNS, no problems

I did the Allow Tri-session with DNAT checked.

Still no luck with redirection.

 

Guru Elite

Re: Vlan Pools and CP

Can the user put the ip cp-redirect address into the browser? Can you confirm the role that the user gets? Are you using the same captive portal authentication profile anywhere else? Can you get it to work with a single VLAN?

 



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: Vlan Pools and CP

Can the user put the ip cp-redirect address into the browser? Nothing happens; it just says connecting and keeps spinning.

Can you confirm the role that the user gets? Yes, it's CCwCP_Preauth; sho rights ccwpreauth attached.

Are you using the same captive portal authentication profile anywhere else? Yes, it was working with 1 VLAN with the controller as the DHCP and the default gateway for the subnet.

Now it's 6 VLANs configured on a Cisco router with IP helpers to 2 DHCP servers.

I get an address fine

I get the proper Preauth profile but no CP login to get to the Guest profile

 

Guru Elite

Re: Vlan Pools and CP

Can the unauthenticated clients ping the ip cp-redirect address? Please post "show datapath session table <ip address of client>" when it is trying to reach the controller. Make sure the ip cp-redirect address is an IP address on that specific controller that is routable to all of your clients. I would start with a single VLAN first to work out config issues and then move to multiple VLANs when that is working.



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: Vlan Pools and CP

Yes, the unauthenticated host can ping the cp redirect IP; see attached datapath.jpg

Yes, the controller IP for cp-redirect is reachable from all clients.

 

 

 

 

Guru Elite

Re: Vlan Pools and CP

The datapath when the client launches the browser, please.

 



Colin Joseph
Aruba Customer Engineering
