Unified Wired & Wireless Access

Contributor I
rcadmin
Posts: 30
Registered: 03-24-2012
Accepted Solution

Using GRE Tunnels to centralize L3 access

Hi,

I am working on this:

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Using-GRE-Tunnels-to-centralize-L3-access/td-p/2831

The point I am stuck on is that I have assigned no IP address on VLAN 2. I have tunneled it to the master controller. The tunnel is untrusted only at the master controller because I want all the authentication to be held at the master controller.

Following the instructions on the above link, I am able to get the IP from the DHCP which is at VLAN 2, but I never get a captive portal page. However, when I try to connect to APs on the master controller, I have no issues in getting the clients authenticated. They are redirected to the captive portal page, but on the local controller they won't be.

However, I have noticed that when I assign an IP on the VLAN 2 interface I get the captive portal page. But this stops roaming for the clients, since the sessions of a client do not exist on the master controller, and when a user roams from the local to the master controller they again get the captive portal page to get authenticated, which means all their application sessions are deleted.

I have found the instructions on the above link and completely followed them. But I am not getting the captive portal page on the clients which are connecting to the local controller.

Kindly advise.

Farzan

Moderator
cjoseph
Posts: 12,618
Registered: 03-29-2007

Re: Using GRE Tunnels to centralize L3 access

First, make sure your clients can resolve DNS, which is crucial to them being able to bring up the page.

Second, if the master side of the tunnel is untrusted, the clients get redirected to the "ip cp-redirect-address" on the master controller, and that needs to be reachable.

Third, make sure the AAA profile on either side does not have "Enforce DHCP", just as a troubleshooting step.

Colin Joseph
Aruba Customer Engineering
Contributor I
rcadmin
Posts: 30
Registered: 03-24-2012

Re: Using GRE Tunnels to centralize L3 access

Hi Joseph,

Thank you for your response.

Answer to first question:

Yes, clients are able to resolve DNS and can also ping domain names such as google.com or yahoo.com. But they do not get a captive portal until I define an IP on the VLAN interface. In my case I have an IP on the VLAN on both, that is, on the master controller and on the local controller.

Answer to second question:

Yes, the clients can reach the cp-redirect-ip, which is the master controller IP. I have also manually added the cp-redirect-ip to my local controller, which is the master controller IP. Do you think this could be because of PEF on the local controller?

Answer to third question:

Enforce DHCP is disabled on both ends.

Thanks.

Moderator
cjoseph
Posts: 12,618
Registered: 03-29-2007

Re: Using GRE Tunnels to centralize L3 access

On the master controller, see if you can ping the client. When the client is opening a web page, do a "show datapath session table <ip address of client>" to see what it is doing at the time.

Do NOT point the ip cp-redirect of the local to the master. That will only work for untrusted traffic at the local controller and should not be pointed to the master.

When you say PEF on the local controller, what do you mean?


Colin Joseph
Aruba Customer Engineering
Contributor I
rcadmin
Posts: 30
Registered: 03-24-2012

Re: Using GRE Tunnels to centralize L3 access

Thanks for your prompt response.

I am not able to ping the client from the master controller. However, I can see that the client is maintaining a tunnel from the local controller to the master controller, and hopefully the sessions are flowing through that tunnel. Also, I see that the roaming status is wired under the master controller, which again shows that the client data is flowing through the master controller.

By PEF on the local controller I mean that maybe, when I remove the IP from the VLAN interface, it is PEF which is blocking the captive portal page from the master controller from coming up?

The command you told me, shall I try to run it now or after removing the IP from the VLAN interface, and then try to connect to get the captive portal for authentication?

show datapath session table <ip address of client>

Moderator
cjoseph
Posts: 12,618
Registered: 03-29-2007

Re: Using GRE Tunnels to centralize L3 access

You should be able to ping the client from the master. You should see the client as wired on the master in the user table, so that is correct. What is the role that the user gets on the master controller? Type "show rights <role>" to see what traffic should be allowed.

The previous command should be run while the client is attempting to bring up the page.
Colin Joseph
Aruba Customer Engineering
Contributor I
rcadmin
Posts: 30
Registered: 03-24-2012

Re: Using GRE Tunnels to centralize L3 access

Hi,

When I do the datapath session command on the master controller for that client, I get nothing. But when I ran it on the local controller to which the client is connected, I got the following:

(RC-Aruba-620) #show datapath session table 172.16.235.245

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.16.235.245 62.75.246.130 6 64914 5938 0/0 0 0 0 tunnel 19 c FDYC
172.16.235.245 74.125.237.136 6 64912 80 0/0 0 0 0 tunnel 19 20 NYCI
172.16.235.245 74.125.237.137 6 64915 80 0/0 0 0 0 tunnel 19 b NYCI
192.168.100.15 172.16.235.245 6 8080 64915 0/0 0 0 1 tunnel 19 b S
192.168.100.15 172.16.235.245 6 8080 64912 0/0 0 0 1 tunnel 19 20 S


192.168.100.15 is my local controller and 192.168.100.17 is the master controller.

 

The initial user role is Hotspot-guest-logon

and rights are as follows:

 

Derived Role = 'Rosmini_Hotspot-guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 35/0
Max Sessions = 65535

Captive Portal profile = Rosmini_Hotspot-cp_prof

access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 captiveportal

logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0
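A small parser for the "show datapath session table" output quoted above, added here as an example and not part of the original post or of ArubaOS itself: it decodes the Flags column against the legend the controller prints and pairs each dest-NAT'd flow from the client with its return entry, so you can read off which device is actually intercepting the client's HTTP (in this dump 192.168.100.15, the local controller, on port 8080, matching the "user any svc-http dst-nat 8080" rule in the captiveportal ACL). The sample text is the output from the post; the column handling (a two-word Destination such as "tunnel 19", a hex TAge, a possibly empty Flags column) is an assumption drawn from that sample.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the legend and rows quoted from the thread's
# "show datapath session table 172.16.235.245" output (prompt trimmed).
SAMPLE_OUTPUT = """\
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.16.235.245 62.75.246.130 6 64914 5938 0/0 0 0 0 tunnel 19 c FDYC
172.16.235.245 74.125.237.136 6 64912 80 0/0 0 0 0 tunnel 19 20 NYCI
172.16.235.245 74.125.237.137 6 64915 80 0/0 0 0 0 tunnel 19 b NYCI
192.168.100.15 172.16.235.245 6 8080 64915 0/0 0 0 1 tunnel 19 b S
192.168.100.15 172.16.235.245 6 8080 64912 0/0 0 0 1 tunnel 19 20 S
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LEGEND_RE = re.compile(r"([A-Z]) - ([^,]+)")


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    destination: str   # egress, e.g. "tunnel 19" or a port/VLAN name
    flags: str         # single-letter flag characters, in table order


def parse_flag_legend(text: str) -> dict:
    """Map each flag letter to its meaning, reading the 'Flags:' block."""
    legend = {}
    in_legend = False
    for line in text.splitlines():
        if line.startswith("Flags:"):
            in_legend = True
        elif in_legend and not line.strip():
            break
        if in_legend:
            for letter, meaning in LEGEND_RE.findall(line):
                legend[letter] = meaning.strip()
    return legend


def parse_sessions(text: str) -> list:
    """Parse the data rows (any line that starts with an IPv4 address)."""
    sessions = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 12 or not IP_RE.match(tokens[0]):
            continue
        src, dst, proto, sport, dport = tokens[:5]
        # Columns after 'Age' are: Destination (may be two words), TAge, Flags.
        # Flags are uppercase legend letters while TAge is a lowercase hex
        # counter, so a non-uppercase last token means Flags is empty (assumed).
        tail = tokens[9:]
        if tail[-1].isupper():
            flags, tail = tail[-1], tail[:-1]
        else:
            flags = ""
        destination = " ".join(tail[:-1])   # drop TAge
        sessions.append(Session(src, dst, int(proto), int(sport), int(dport),
                                destination, flags))
    return sessions


def decode_flags(session: Session, legend: dict) -> list:
    """Expand a session's flag letters into the legend's wording."""
    return [legend.get(ch, f"unknown({ch})") for ch in session.flags]


def find_dst_nat_redirects(sessions: list, client_ip: str) -> list:
    """For each dest-NAT'd ('N') flow from the client, pair it with the return
    entry keyed on the client's source port to learn where it was really sent.
    Returns (original_dst, original_dport, nat_host, nat_port) tuples."""
    returns = {(s.dst, s.dport): s for s in sessions if s.dst == client_ip}
    results = []
    for s in sessions:
        if s.src != client_ip or "N" not in s.flags:
            continue
        back = returns.get((client_ip, s.sport))
        if back is not None:
            results.append((s.dst, s.dport, back.src, back.sport))
    return results


if __name__ == "__main__":
    legend = parse_flag_legend(SAMPLE_OUTPUT)
    sessions = parse_sessions(SAMPLE_OUTPUT)
    for s in sessions:
        meaning = ", ".join(decode_flags(s, legend)) or "no flags"
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} via {s.destination}: {meaning}")
    for dst, dport, host, port in find_dst_nat_redirects(sessions, "172.16.235.245"):
        print(f"traffic to {dst}:{dport} was dst-NATed to {host}:{port}")
```

Run against the dump above, the two port-80 flows resolve to 192.168.100.15:8080, which tells you the interception is happening on the local controller rather than at the master; the same pairing applied to a dump taken on the master would show whether any session for the client exists there at all.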

Contributor I
rcadmin
Posts: 30
Registered: 03-24-2012

Re: Using GRE Tunnels to centralize L3 access

And yes, the user role on the master controller is authenticated and the status is wired.

Contributor I
rcadmin
Posts: 30
Registered: 03-24-2012

Re: Using GRE Tunnels to centralize L3 access

Thank you for your support Joseph. It is much appreciated.

Moderator
cjoseph
Posts: 12,618
Registered: 03-29-2007

Re: Using GRE Tunnels to centralize L3 access

No problem.

Colin Joseph
Aruba Customer Engineering