Occasional Contributor II
Posts: 13
Registered: ‎06-16-2009

Captive Portal in split-tunnel mode

Hello All,

 

Has anyone got Captive Portal working on a RAP in split-tunnel mode? If yes, could you tell me in which AOS version? I tried AOS 6.1.2.3 and 5.0.4.3 but had no success.

 

Thanks in advance,

 

Ed

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Captive Portal in split-tunnel mode


Ed,

 

It should work on both, and users on both platforms have it configured and it works.  There is a document here:  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=2888 that describes how to configure it.  Please search the document for "split tunnel captive portal" and you will get detailed instructions.

 

At what point are you getting stuck?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 13
Registered: ‎06-16-2009

Re: Captive Portal in split-tunnel mode

Thanks Cjoseph,

 

I will double-check and report whether that configuration worked. I followed http://support.arubanetworks.com/Default.aspx?tabid=111 answer id 825.

 

 

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Captive Portal in split-tunnel mode

It is pretty much the same thing. Are your guest users getting an IP address? Are they bringing up the Captive Portal page?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 13
Registered: ‎06-16-2009

Re: Captive Portal in split-tunnel mode

Thanks Colin,

The procedure worked. The problem was that I tested the RAP on a local network. Split-tunnel does not work on the same network as the controller.

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal in split-tunnel mode

Am I right that, if you follow the mentioned pages exactly, they only define some "splitcp-logon" role (like the normal guest-logon role) and set the VAP to split-tunnel instead of tunnel, nothing more?

I have in mind that if you want to access local printers in your remote subnet, then there was a need to change ACLs ...

Some customer asked for such a solution and I'm happy that I found your thread here ;-)

 

regards

ben

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal in split-tunnel mode

Hello,

 

Is RAP2 and split-tunneling working for accessing the internet via the remote site's ISP? Before I waste time checking out the remote networking guide and end up with something non-functioning, I would speak about my pretty simple environment:

Headquarter: Controller with AOS 5.x or 6.x

Branch: RAP2 with PSK-SSID + Guest Captive Portal; the vouchers are created from the remote site via a separate connection to the HQ controller.

My goal is: the internet traffic from remote users with a guest voucher should go straight out the local remote router to the ISP, and not pass through the RAP2 tunnel to the controller and vice versa.

 

Is this possible ?

 

regards

ben

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Captive Portal in split-tunnel mode


bg wrote:

Hello,

 

Is RAP2 and split-tunneling working for accessing the internet via the remote site's ISP? Before I waste time checking out the remote networking guide and end up with something non-functioning, I would speak about my pretty simple environment:

Headquarter: Controller with AOS 5.x or 6.x

Branch: RAP2 with PSK-SSID + Guest Captive Portal; the vouchers are created from the remote site via a separate connection to the HQ controller.

My goal is: the internet traffic from remote users with a guest voucher should go straight out the local remote router to the ISP, and not pass through the RAP2 tunnel to the controller and vice versa.

 

Is this possible ?

 

regards

ben


If you are asking about split tunnel captive portal, yes it does work.

 



Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal in split-tunnel mode

Hi cjoseph,

 

As always, thanks for your godspeed replies ;-) I'm still confused how the DHCP stuff is done:

On the branch the DSL router does DHCP and is used as DNS forwarder, or local clients use external DNS - never mind.

The RAP2 gets one DHCP address, connects to the HQ_controller, receives a virtual IP from the RAP range and enables the Wi-Fi.

I have in mind that 2 SSIDs (one with tunnel, one with split-tunnel) isn't working. Is this correct? E.g. if you want to use the other SSID to control the voucher accounts; otherwise the customer should use wired access to have the controller accessed via some separate corporate VLAN.

Regardless of 2 SSIDs, for the moment I would like to solve it with one VAP in split-tunnel mode. Regarding DHCP, my Wi-Fi clients need a DHCP address too, and if they want to access internet resources via the local router then those clients need addresses from the same local subnet as the router. I don't think it's possible to use only the local router's DHCP for the Wi-Fi clients themselves.

The VBN guest network has to be identified on the controller too, e.g. some separate VLAN as mentioned in the KB article mentioned a few postings before.

Am I right? Sorry, I'm just asking confusing questions ;-)

 

regards

 

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Captive Portal in split-tunnel mode


bg wrote:

Hi cjoseph,

 

As always, thanks for your godspeed replies ;-) I'm still confused how the DHCP stuff is done:

On the branch the DSL router does DHCP and is used as DNS forwarder, or local clients use external DNS - never mind.

The RAP2 gets one DHCP address, connects to the HQ_controller, receives a virtual IP from the RAP range and enables the Wi-Fi.

I have in mind that 2 SSIDs (one with tunnel, one with split-tunnel) isn't working. Is this correct? E.g. if you want to use the other SSID to control the voucher accounts; otherwise the customer should use wired access to have the controller accessed via some separate corporate VLAN.

Regardless of 2 SSIDs, for the moment I would like to solve it with one VAP in split-tunnel mode. Regarding DHCP, my Wi-Fi clients need a DHCP address too, and if they want to access internet resources via the local router then those clients need addresses from the same local subnet as the router. I don't think it's possible to use only the local router's DHCP for the Wi-Fi clients themselves.

The VBN guest network has to be identified on the controller too, e.g. some separate VLAN as mentioned in the KB article mentioned a few postings before.

Am I right? Sorry, I'm just asking confusing questions ;-)

 

regards

 


Each VAP is individual.  Let's talk about split-tunnel captive portal in specific:

 

- Your VAP needs to be set to split-tunnel

- Your VAP needs to be set to a VLAN that is at corporate so that your guest clients can get IP addresses.  The corporate DHCP server will give out the IP address, subnet mask, default gateway, DNS IP.

- That VLAN, at corporate, will give an IP address to your guests

- The initial role of that AAA profile attached to that VAP has the "Captive Portal" ACL so that clients can be initially redirected to the Captive Portal on the controller for authentication, or whatever

- In the Captive Portal Authentication profile for this WLAN, the default guest role will have something like this:

 

any any dhcp permit

any any any route src-nat

 

That means, once the guest authenticates, all of his traffic will be source-natted out of the IP address of the AP that the guest is on.  DNS, HTTP, HTTPS, etc. all will be source-natted out of that AP.

 

What I just described is independent of the other VAPs on that AP.  You could have a fully tunneled VAP on the same AP.

 



Colin Joseph
Aruba Customer Engineering
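
An added example, not part of the original thread and not ArubaOS code: a simplified Python model of first-match evaluation over the two guest-role rules quoted in the reply above, showing which flows stay in the tunnel and which leave at the branch, and why the DHCP rule has to come first. It assumes that on a split-tunnel VAP `permit` forwards through the tunnel to the controller while `route src-nat` forwards locally, and that an ACL ends in an implicit deny; the function names and sample flows are constructed.

```python
from dataclasses import dataclass

# Assumed split-tunnel semantics (not stated in the thread): "permit" keeps the
# flow in the tunnel to the controller; "route src-nat" sends it out locally.
PATHS = {
    "permit": "tunnel to controller",
    "route src-nat": "local egress, source-NAT to AP IP",
}
# Services this model understands: name -> (protocol, destination ports).
SERVICES = {"dhcp": ("udp", {67, 68}), "any": (None, None)}

@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int

def parse_rule(line):
    """Split '<src> <dst> <service> <action...>' into (service, action)."""
    src, dst, service, *action = line.split()
    action = " ".join(action)
    if (src, dst) != ("any", "any") or service not in SERVICES or action not in PATHS:
        raise ValueError(f"unsupported rule in this model: {line!r}")
    return service, action

def matches(service, flow):
    proto, ports = SERVICES[service]
    return proto is None or (flow.proto == proto and flow.dport in ports)

def forwarding_path(acl_lines, flow):
    """Return the path chosen by the first matching rule."""
    for line in acl_lines:
        service, action = parse_rule(line)
        if matches(service, flow):
            return PATHS[action]
    return "drop (implicit deny)"  # assumption: ACL ends with an implicit deny

# The two rules as posted in the thread, and the same rules in the wrong order.
GUEST_ROLE = ["any any dhcp permit", "any any any route src-nat"]
REVERSED = list(reversed(GUEST_ROLE))
# Constructed sample flows from an authenticated guest client.
SAMPLE_FLOWS = {"dhcp": Flow("udp", 67), "dns": Flow("udp", 53), "https": Flow("tcp", 443)}

def report(acl_lines):
    return {name: forwarding_path(acl_lines, f) for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", GUEST_ROLE), ("reversed", REVERSED)):
        print(label, report(acl))
```

With the rules reversed, the catch-all matches DHCP first, so lease traffic would leave at the branch instead of reaching the corporate DHCP server on the guest VLAN.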
