Wireless Access

Occasional Contributor II

Captive Portal Split Tunnel help??

Hi

Hope someone can help...


We have a 3400 controller at our datacentre.

We have several APs at branch sites which connect via MPLS back to our datacentre.

We have internet breakout via a VLAN configured on our ISP's router, i.e. traffic on this VLAN is allowed out via the ISP's firewall and does not need to be routed via a datacentre proxy, as internet traffic on our normal VLAN is.

We have APs using bridge mode successfully, and server derivation roles assigning VLANs where appropriate. This works great.


However I am trying to get Captive Portal working from a branch AP in the same way, i.e. the internet traffic uses the internet VLAN and does not need to travel back to the datacentre.  With the exception of DHCP, devices on the internet VLAN are not able to route to the production network, where the controller and captive portal page sit.


With bridge mode on the VAP, I am able to get an IP, but the captive portal does not load, due to the lack of routing to the controller (intentional).  So I assume I need split tunnel.

I am following the Captive Portal guide and have set up the following:

A Captive Portal Profile (standard settings, user login ticked).

A new policy with the following configured:
- local internet VLAN network configured to permit
- user/any action SRC-NAT (expecting any other traffic to SRC-NAT back to the controller)

A user role, configured with:
- Logon-Control
- Captive Portal
- Policy as above

An AAA profile, with the initial role set to the role above.

This AAA profile assigned to a VAP. The VAP set to split tunnel, with the internet VLAN configured. The internet VLAN is tagged correctly on the switch.

However I cannot get an IP address; I just get "cannot join network". No user role shows up in show user-table.


Should this work?


Many Thanks

Steve

Aruba

Re: Captive Portal Split Tunnel help??

Please run

show rights <nameoflogonrole>


Where do you want the client to get an IP from; local or the controller-side?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba

Re: Captive Portal Split Tunnel help??

Also, just to confirm, is the AP at the remote site configured as a RAP?   split-tunnel only works on RAPs.


Re: Captive Portal Split Tunnel help??

Hi,

:smileyhappy: Some info:

A. Bridge mode will not make captive portal work.

B. You should configure your APs as RAPs (IPsec/cert).

C. Configure your working mode as SPLIT-TUNNEL and not bridge. (Choose a VLAN from the controller; make sure it has working DHCP settings, and that it can reach the internet and resolve DNS.)

D. Build an access role with logon-control + captive portal. Don't forget to choose the right captive portal at the bottom and press apply.

E. Build an access role with all the needed ports/services from user to XXX with route-src-nat (because you want all the user traffic to go locally to those ports/services).

Here is an access role example for you (but you can keep it simple :) this is just a huge post-auth ACL list for all our remote users):

[image: Capture2.PNG]

I hope it gave you some idea.

Have a lovely night.


me

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************

Re: Captive Portal Split Tunnel help??

BTW: in split-tunnel working mode:

PERMIT in ACL = traffic allowed back to the tunnel (controller)

ROUTE SRC-NAT = traffic allowed via the local AP (not going back to the controller...)

Occasional Contributor II

Re: Captive Portal Split Tunnel help??

Hi All

My test AP was not a RAP so I have now re-provisioned it. Unfortunately no change.

Here is the initial user role:

(arw-001) #show rights SplitCP_Logon

Derived Role = 'SplitCP_Logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 60/0
 Max Sessions = 65535
 Captive Portal profile = CP_Prof

access-list List
----------------
Position  Name                      Location
--------  ----                      --------
1         SplitCP_Policy
2         logon-control
3         captiveportal

SplitCP_Policy
------------------------
Priority  Source  Destination       Service   Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------       -------   ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any               svc-dhcp  src-nat             Yes           Low                                                           4
2         user    any               any       src-nat                           Low                                                           4
3         any     SunlightInternal  any       permit                            Low                                                           4

logon-control
-------------
Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68    deny                             Low                                                           4
2         any     any          svc-icmp  permit                           Low                                                           4
3         any     any          svc-dns   permit                           Low                                                           4
4         any     any          svc-dhcp  permit                           Low                                                           4
5         any     any          svc-natt  permit                           Low                                                           4

captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

(arw-001) #

Occasional Contributor II

Re: Captive Portal Split Tunnel help??

Just noticed - my test AP shows as Rc2I (inactive).


When I change the VAP to bridge mode from split tunnel, it goes to Rc2 (active RAP).


Strange??

Guru Elite

Re: Captive Portal Split Tunnel help??

What is the VLAN on your Virtual AP?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Captive Portal Split Tunnel help??

It's our internet-only VLAN (with a DHCP server).

This is the VLAN which is "local" in this sense.

It is not defined on the controller, as we normally use it for bridge mode only.

Guru Elite

Re: Captive Portal Split Tunnel help??

It must be defined on the controller, or it will not work with split tunnel.


Colin Joseph
Aruba Customer Engineering

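Putting the thread's advice together (permit keeps a flow in the tunnel while route src-nat breaks it out at the RAP, and the split-tunnel VLAN has to exist on the controller), here is an added ArubaOS CLI sketch of the logon and post-auth roles; it is not configuration posted by anyone in the thread. VLAN 200, the 192.0.2.0/24 network and the SplitCP_Internet, SplitCP_Auth and SplitCP_AAA names are assumptions; SplitCP_Logon, SplitCP_Policy, SunlightInternal and CP_Prof are the names from the show rights output above.

```arubaos
! Added example, not config from anyone in the thread. Constructed values:
! VLAN 200, the 192.0.2.0/24 branch network, SplitCP_Internet, SplitCP_Auth
! and SplitCP_AAA.
!
! The split-tunnel VLAN must exist on the controller; which DHCP server
! answers on it is left to that VLAN's own configuration.
vlan 200
!
! Branch destinations that must stay off the MPLS link.
netdestination SunlightInternal
  network 192.0.2.0 255.255.255.0
!
! Pre-auth policy. Rules match top to bottom, first match wins.
! "permit" keeps the flow inside the IPsec tunnel to the controller;
! "route src-nat" forwards it out of the RAP's local uplink instead.
ip access-list session SplitCP_Policy
  any alias SunlightInternal any route src-nat
!
! Post-auth policy: everything the user sends breaks out locally.
ip access-list session SplitCP_Internet
  user any any route src-nat
!
! logon-control and captiveportal come before the split policy so the
! dst-nat rules that redirect HTTP/HTTPS to the portal on 8080/8081 win
! over any local-breakout rule; DHCP and DNS stay in the tunnel through
! logon-control's own permit rules.
user-role SplitCP_Logon
  access-list session logon-control
  access-list session captiveportal
  access-list session SplitCP_Policy
  captive-portal CP_Prof
!
user-role SplitCP_Auth
  access-list session SplitCP_Internet
!
! Hand authenticated users the breakout role.
aaa authentication captive-portal CP_Prof
  default-role SplitCP_Auth
!
aaa profile SplitCP_AAA
  initial-role SplitCP_Logon
```

After applying, show rights SplitCP_Logon should list logon-control and captiveportal ahead of SplitCP_Policy, and a client stuck in the logon role should appear in show user-table with that role before the portal loads.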