Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba VIA issue - How to use another VLAN from the default ?

  • 1.  Aruba VIA issue - How to use another VLAN from the default ?

    Posted Apr 30, 2014 11:15 AM

    Dear all,

    I have an issue with my VIA connection: the users can't access the LAN, only the controller.

    The configuration is the following:

    -       Two VLANs are used on the controller, 1 (default) and 6.

    -       IP addresses of VLAN 6 are assigned to the VIA users (in the VPN service part).

    Once they are authenticated, it seems that the users exit from the controller using VLAN 1 even if their IP address is in VLAN 6.

    We tried to give them an IP address in VLAN 1 and it works well.

    Is there a way to force them to access VLAN 6?

    Thanks in advance for your help !



  • 2.  RE: Aruba VIA issue - How to use another VLAN from the default ?

    EMPLOYEE
    Posted May 01, 2014 11:55 PM

    VIA users ONLY get their IP addresses from an internal IPsec pool created on the controller.  If the IPsec pool is in IP address space that is non-routable in your environment, you have two choices:


    - Make it routable, by pointing a route from a router to the IP address on the controller for that non-routable subnet.

    - Add "any any any src-nat" as the last rule of the role of your VIA users.


    If the pool is routable, a.k.a. the IP addresses match an IP interface on the controller, the controller will automatically answer traffic for any VIA user that is active in the user table.


    Whether VIA users use one VLAN or another depends on the pool that you create for users.



  • 3.  RE: Aruba VIA issue - How to use another VLAN from the default ?

    Posted May 02, 2014 11:18 AM

    I'm aguestin's colleague.


    Thanks for your quick answer. The pool IP address given to the VIA users is on the same VLAN as the other WiFi users managed by the controller, and we excluded it from the DHCP range. Those users don't have any problem, which is why we have some trouble understanding the issue.

    The VLAN is not routed on the controller but by an independent network device (firewall). So on the controller, the VLAN is only on layer 2.


    Should we add something to the VIA profile to allow routing?


    Thanks in advance for your help.




  • 4.  RE: Aruba VIA issue - How to use another VLAN from the default ?

    EMPLOYEE
    Posted May 02, 2014 11:20 AM

    What is the role that Via users get when they authenticate successfully?  Type "show rights <that role>" so we can take a look at your ACLs.



  • 5.  RE: Aruba VIA issue - How to use another VLAN from the default ?

    Posted May 05, 2014 08:24 AM

    Here is the description of the role given to the VIA users:


    (Aruba650) #show rights default-via-role

    Derived Role = 'default-via-role'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = VIA
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 54/0
     Max Sessions = 65535

     VIA Connection Profile = default

    access-list List
    ----------------
    Position  Name      Type     Location
    --------  ----      ----     --------
    1         allowall  session

    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           4
    2         any     any          any      permit                           Low                                                           6


    As you see, the ACL is allowall, the same as for all the Wi-Fi users.

    The VIA users seem to be allowed to access all of the network...
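As an added example that is not part of this thread or of HPE Aruba's software, the Python below applies the reasoning from reply 2 (the pool must either fall inside a controller IP interface or be src-NATed by the last rule of the role) to data shaped like the 'show rights' output in reply 5. The controller interfaces, the pool range and the ACL text are constructed; the VLAN 6 space is L2-only on the controller, as reply 3 describes.

```python
"""Apply the reply's reasoning about VIA pools to constructed data.

Added example; not from the thread or from HPE Aruba. Interfaces,
pool range and ACL text are constructed to mirror the thread.
"""
import ipaddress

# Constructed: the controller has an IP interface only on VLAN 1; VLAN 6 is L2-only.
CONTROLLER_L3_INTERFACES = {1: "10.1.1.2/24"}
# Constructed IPsec pool, carved out of the VLAN 6 address space.
VIA_POOL = ("10.6.0.200", "10.6.0.250")
# Constructed ACL text in the shape of the thread's 'show rights' table.
ALLOWALL_ACL = """\
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue
1         any     any          any      permit                           Low
2         any     any          any      permit                           Low
"""

def parse_acl(text):
    """Return (source, destination, service, action) tuples in priority order."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0].isdigit():
            rows.append(tuple(cols[1:5]))
    return rows

def routable_vlan(pool, interfaces):
    """VLAN whose controller IP interface contains the whole pool, else None."""
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    for vlan, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if lo in net and hi in net:
            return vlan
    return None

def diagnose(pool, interfaces, acl_text):
    """Decide whether the pool is routable or whether the role src-NATs it."""
    rules = parse_acl(acl_text)
    last_rule_is_src_nat = bool(rules) and rules[-1] == ("any", "any", "any", "src-nat")
    vlan = routable_vlan(pool, interfaces)
    return {
        "routable_vlan": vlan,
        "src_nat": last_rule_is_src_nat,
        # Neither condition holds: LAN hosts have no return path to the pool.
        "needs_fix": vlan is None and not last_rule_is_src_nat,
    }

if __name__ == "__main__":
    print(diagnose(VIA_POOL, CONTROLLER_L3_INTERFACES, ALLOWALL_ACL))
```

With the thread's setup the result is needs_fix=True; appending a final "any any any src-nat" rule, or moving the pool into the VLAN 1 subnet, clears it.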