Occasional Contributor II

Captive Portal/Routing Issue

Hello,

I am trying to set up a wireless service for external visitors. The plan is for them to access a standalone ADSL network (VLAN 10 - 192.168.214.0/24) via a ClearPass captive portal. Our ClearPass devices sit on our main internal network (VLAN 1 - 10.1.48.0/22), on which our Aruba controller has an L3 interface. Our Aruba controller also has an L3 connection to the ADSL network.

The issue I am seeing is that traffic coming from VLAN 10 to the ClearPass servers is being dropped. I have added a route on our ClearPass appliances and can ping the ADSL interface of the controllers from them. If I try to ping from the controllers to the ClearPass appliances with a source of VLAN 10, the packets appear to be dropped. A packet capture on the ClearPass appliances shows the ICMP packets coming in and being responded to, but the ping shows no replies.

Am I missing anything obvious on the controllers/ClearPass appliances to allow inter-VLAN routing?

Thanks.

Re: Captive Portal/Routing Issue

Is your ClearPass virtual or hardware?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Captive Portal/Routing Issue

Virtual.

Thanks.

Re: Captive Portal/Routing Issue

You have two options:
- Make the ClearPass guest portal public (reachable via public DNS)
- Use a NAT ACL to send HTTP/HTTPS traffic to ClearPass via the controller's internal IP (the only issue with this solution is that you will only be able to reach the ClearPass guest portal via IP)
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Captive Portal/Routing Issue

Thanks Victor,

The second option is what we are trying to do, but if the ClearPass servers cannot be pinged by the controller from the ADSL source, then surely an ACL will not work either?

Re: Captive Portal/Routing Issue

If you do a ping with a source VLAN you will be able to ping it.

You will need to define the IP NAT pool (so the traffic will go through the controller's internal IP):

ip nat pool GUEST-NAT-IP
!
netdestination CLEARPASS-SERVER-DEST
  host
!
ip access-list session CLEARPASS-NAT-ACL
  user alias CLEARPASS-SERVER-DEST svc-http src-nat pool GUEST-NAT-IP
  user alias CLEARPASS-SERVER-DEST svc-https src-nat pool GUEST-NAT-IP
!
user-role guest-logon
  access-list session CLEARPASS-NAT-ACL position 3
  access-list session captiveportal position 4
  access-list session captiveportal position 5
!
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
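As an added illustration (this is not Victor's config and not taken from Aruba documentation), the same source-NAT approach is written out below with the values left blank above filled in as labelled placeholders, followed by the read-only show commands one would use on the controller to confirm the pre-auth role picked up the ACL and that guest sessions to ClearPass are actually being translated. The pool address 10.1.48.250 and the ClearPass host 10.1.48.20 are made-up values picked from the subnets named in the thread; the controller's own VLAN 1 address and the real ClearPass address go in their place. The lines beginning with `!` are annotations for the reader and should be stripped before pasting into the CLI.

```text
! Constructed example: placeholder addresses, not the poster's real ones.
! Single-address NAT pool. Guest requests to ClearPass leave with this source IP,
! so it must be an address the controller owns on VLAN 1 (10.1.48.0/22); ClearPass
! then replies to a directly connected host and no route back to VLAN 10 is needed.
ip nat pool GUEST-NAT-IP 10.1.48.250 10.1.48.250
!
! Destination alias for the ClearPass appliance; add one host line per node.
netdestination CLEARPASS-SERVER-DEST
  host 10.1.48.20
!
! Only HTTP/HTTPS to ClearPass is translated; all other guest traffic keeps
! its VLAN 10 source address, so the NAT exposes nothing else on VLAN 1.
ip access-list session CLEARPASS-NAT-ACL
  user alias CLEARPASS-SERVER-DEST svc-http src-nat pool GUEST-NAT-IP
  user alias CLEARPASS-SERVER-DEST svc-https src-nat pool GUEST-NAT-IP
!
! The NAT ACL must sit above the captiveportal ACL in the pre-auth role; if the
! redirect ACL is matched first the portal request never reaches ClearPass.
! The position numbers assume the role already holds two ACLs (e.g. logon-control)
! at positions 1 and 2; adjust them to the reader's own role.
user-role guest-logon
  access-list session CLEARPASS-NAT-ACL position 3
  access-list session captiveportal position 4
!
! Verification, read-only:
show rights guest-logon
show ip nat pool
show netdestination CLEARPASS-SERVER-DEST
show datapath session table 10.1.48.20
```

Because every guest now arrives at ClearPass from the one pool address, ClearPass logs and any per-client policy keyed on source IP will see a single address for all guests; the captive-portal redirect must also point at the ClearPass IP rather than a name, which is the limitation Victor notes for this option.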
Occasional Contributor II

Re: Captive Portal/Routing Issue

Victor, thanks for this, but as I said in my original post, if I do a ping with a source VLAN, I cannot ping it.

I will try the config you have sent though and see how I get on.

Re: Captive Portal/Routing Issue

Can you share your routing config on the controller?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA