08-28-2012 08:52 PM - edited 08-28-2012 08:57 PM
I'm trying to set up the guest/contractor wireless access with amigopod captive portal authentication as shown in the diagram attached.
The DHCP server for guests is on the Aruba controller and routing is disabled for VLAN 300.
The guest gateway is pointing directly to the Palo Alto firewall.
interface vlan 300
 ip address 172.16.240.253 255.255.255.0
 no ip routing
I can see the guest captive portal and can request a new user from that portal to amigopod.
The Login button becomes active (from its dim state) after the user account is granted from amigopod.
But it only brings me to "https://10.2.8.126/auth/index.html/u?errmsg=Access
Could it be an asymmetric routing issue?
Since the guest account request traffic is forwarded through the Palo Alto firewall to amigopod:
Guest PC -> Aruba Controller -> Palo Alto -> Amigopod
I suspect the Aruba controller somehow returns the authentication accept traffic directly to the guest PC, which should go through the Palo Alto.
Is it possible to configure a policy route statement on the Aruba controller?
I'll try to post the configuration file later.
08-28-2012 09:10 PM
Despite the diagram you mentioned, perhaps I'm not grasping the full picture here. However, if I understand correctly, you are able to get to the ClearPass Guest captive portal and you are able to self-register and click Login... Is my understanding correct?
If yes, then I'd say your clients have the routes they need in the path that you described: Guest PC -> Aruba Controller -> Palo Alto -> Amigopod. Not really sure I am following where these firewalls come into play yet. I assume the client is connecting via the AP that is pictured?
It seems like you hit the redirect error after you log in? Perhaps this is just an issue with your welcome page configuration?
I will say that your instincts are correct: the client PC on the guest network must have a route to be able to hit the ClearPass Guest server on 80 and 443. But, as I said, if I understand you correctly it seems this is working. Please follow up with more information if you can.
08-29-2012 10:13 AM
Sorry to confuse you, as I was rushing to go out previously :)
Allow me to clarify a bit more on my requirements:
i) The guest VLAN needs to be separated from the corporate networks. There's no guest VLAN in the core switch and we use a direct cable connection from the Aruba controller to the Palo Alto firewall DMZ port.
ii) Guest internet usage needs to be monitored and logged with the Palo Alto PAN agent, which is installed in the internal (employee) subnet.
There's no issue with guest internet using any other authentication method.
Yes, I'm able to self-register a new guest account if I use the ClearPass CP.
The only problem is I can't log in after my account has been activated.
Appreciate your help..
08-29-2012 07:21 PM
So I wonder if this is simply a welcome page redirect issue? Even though you get a page load error after you click login, can you get to any outside websites (e.g. google.com)? Have you tried that? Please read the problem definition in the attached document on page 3. Does it describe your issue? If so, you should be able to follow this document through to resolution.
08-29-2012 07:34 PM
Have you enabled the NAS Login on the self-registration page? In the GUI-based self-registration editor, click on 'NAS Login', which is an icon that looks like a generic controller in the bottom right-hand corner of the page (under the arrow that points down with the text 'Redirect'). Enable this checkbox and ensure the settings correspond to your NAS device and you should be all set.
Let us know how you get on.
08-30-2012 10:27 AM
Thanks so much guys..
Setting the NAS Vendor's IP Address to the controller's VLAN 300 (guest) interface instead of the internal IP solved my problem.
Is there any way to send all the wireless users' traffic to syslog from the Aruba controller?
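The resolution above comes down to a reachability question: the NAS Login form hands the guest's browser an address to post credentials to, and that address has to be one the isolated guest VLAN can reach. The following Python is an added illustration, not Aruba or amigopod code, that models the thread's topology (VLAN 300 on 172.16.240.0/24, the controller's guest interface 172.16.240.253, the amigopod host 10.2.8.126 reachable through the Palo Alto, everything else in private space blocked from guests) and flags a NAS login target that guests cannot reach. The internal controller address 10.2.8.1 and the firewall policy are constructed assumptions.

```python
"""Sanity-check the NAS login address given to captive-portal guests.

Added illustration of the fix in this thread; the addresses and firewall
policy below are constructed to mirror the thread, not pulled from a device.
"""
import ipaddress
from typing import List, Tuple

# VLAN 300 on the controller, as posted in the thread.
GUEST_VLAN = ipaddress.ip_network("172.16.240.0/24")

# Constructed guest-DMZ policy: guests reach their own VLAN, the amigopod
# portal host, and the internet; all other corporate (RFC 1918) space is denied.
ALLOWED_FROM_GUEST: List[ipaddress.IPv4Network] = [
    GUEST_VLAN,
    ipaddress.ip_network("10.2.8.126/32"),   # amigopod, from the thread's redirect URL
]
DENIED_FROM_GUEST: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def path_from_guest(dest: str) -> Tuple[bool, str]:
    """Return (reachable, reason) for a destination as seen from a guest client.

    Explicit permits are evaluated before the blanket corporate deny, the same
    order a firewall rulebase would use.
    """
    ip = ipaddress.ip_address(dest)
    if ip in GUEST_VLAN:
        return True, "on the guest VLAN itself; no routing through the firewall"
    for net in ALLOWED_FROM_GUEST:
        if ip in net:
            return True, f"explicitly permitted through the firewall ({net})"
    for net in DENIED_FROM_GUEST:
        if ip in net:
            return False, f"inside {net}, which the guest policy denies"
    return True, "routed through the firewall to the internet"


def check_nas_login(nas_ip: str) -> Tuple[bool, str]:
    """The NAS login step posts the guest's credentials to nas_ip.

    A target the guest cannot reach produces exactly the symptom in the thread:
    self-registration works (amigopod is reachable) but the final login fails.
    """
    ok, why = path_from_guest(nas_ip)
    verdict = "OK" if ok else "BROKEN"
    return ok, f"{verdict}: NAS login target {nas_ip} is {why}"


if __name__ == "__main__":
    # Constructed comparison: the controller's internal address versus its
    # guest-VLAN interface, the change that resolved the thread.
    for candidate in ("10.2.8.1", "172.16.240.253"):
        print(check_nas_login(candidate)[1])
```

Run as a script it prints one BROKEN line for the hypothetical internal address and one OK line for 172.16.240.253; in practice you would substitute your own guest prefix and firewall permits.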