Wired Intelligent Edge

 I’m deploying Aruba Project and we are facing some error with Captive portal for guest access in new building.

Logical topology

(Building A) Master Controller-------------IP sec tunnel----------Local controller (Building B)

In building A:

• VLAN ID of Guest : 6
• DHCP of Vlan 6 on master controller
• Interface Vlan 6 on master controller
• Captive portal configured on master
• Internal database using for guest access
• Guest is working fine in Building A

In Building B ( New building,  have a local controller )

• Local controller GRE to master controller
• Almost configuration is pushed from master controller
• Vlan for guest is 226
• Interface vlan for guest is created on local controller
• Ip cp redirect to interface vlan IP
• DHCP on external server

When I connect to guest for test,  I have get IP address of guest vlan, and initial role, but captive portal was error, when I open a session with Brower, it cannot load the login page.

I’m pausing my project because of that. Please help me and give me some ideas.

Thank you so much

Lee

Did you create the GRE tunnel manually between the two controllers?

Is that right Colin

(Aruba-Local-01) (config) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
10.16.2.10 10.17.3.11 i-a-p Jul 26 10:41:39 -
10.16.2.225 10.16.2.10 r-v2-c-C Jul 26 16:41:30 10.16.2.225

Thank you so much

That is an ipsec tunnel, not a GRE tunnel.  Did you create the tunnel yourself?

No, i did not creat it, Please support me, how to creat tunnel GRE on Aruba controller.

Thank you so much

Hi Colin,

I will use GRE layer or layer 3 ?,

As my understand if i use layer 2, in new building will use same vlan guest with A building right ?

Thank

What is the purpose of a tunnel between controllers?  Is it to tunnel the guest VLAN from the master to the local?  If you do that, when the master controller goes down, guest traffic will not work on the local controller.

Instead, you should probably have a guest VLAN where the default gateway is a layer 3 switch connected to your local controller.

Yes, i have a vlan on my local for guest access, but it not wokring when it load login page.

do you have any solution for that ?

Thank you

1.  Associate a client to the guest VLAN

2.  Do not open a webpage

3.  See if you can resolve DNS (ping www.yahoo.com).

If you can do that, we should take it to the next step.

Dear Colin,

1. do associate a client to the guest VLAN, my client get IP, GW..., but i cannot ping or dns yahoo.com

2. When i switch 1 PC to VLAN guest (wired) and ping and tracert to yahoo.com it wokring fine.

3. From Local controller I can ping yahoo.com

As my understand

- users can not access to any network resouces without authentication ( internal database )

Thank you so much

You should at least be able to do an NSLOOKUP to www.yahoo.com on that client.  Can you do that?

Yes from that client, i can nslookup the domain www.yahoo.com

Thank you, so dns is wokring fine, what is the next step?

Regards,

Lee

Can you do an nslookup to securelogin.arubanetworks.com?

No, it cannot know securelogin.arubanetworks.com

DNS server of Guest network is 8.8.8.8, so it i's dont know what is securelogin.arubanetworks.com

Thnk you

When you have a captive portal WLAN, the controller should intercept any DNS traffic to securelogin.arubanetworks.com and return the ip address of the controller.  Did you change the Captive Portal Certificate on the controller?

The resolution to the issue ended up being the filename to the HTML page uploaded did not match what was configured in the Captive Portal Authentication Profile.  The filename to the HTML is case-sensitve..