Wireless Access

Frequent Contributor II

Captive portal through without routing on the controller - any issues?

Hi,

Rather than do the routing on the controller for guest access, I was looking into just dropping the unauthenticated guest onto a dedicated VLAN in a DMZ, which hands off to a dedicated guest router within a firewall complex, which forwards DHCP to a remote server and also to an Amigopod for guest auth - two less things for the controller to worry about, so it can focus on wireless and enforcement and scale up well.

When attached via a wire to this DMZ you can get to the web (DHCP, DNS and HTTP(S) work OK, as I connected a laptop to this VLAN).

This avoids difficult decisions about default routes. (Pity there's no VRF support.)

Now I labbed this and it all seemed to work really well; very happy, really nice and clean solution for the firm's needs. I got an IP on the VLAN interface, as I found in the lab through sniffers that I needed this, as the controller uses it for the connection to Amigopod (I disable inter-VLAN routing) - but, for some reason, on the production controller things don't work out OK.

The datapath session table shows a loss of state and is denying traffic; the user-role is configured to permit the traffic it is denying (I even used an allow-all to test; sometimes it works, sometimes not). Interestingly enough it did work in the lab (same code, different platform) - has anyone had similar issues?

I worry I need a fresh set of eyes, hence the post. If I am not doing anything too stupid here I'll go to TAC.

Thanks in advance,

Frequent Contributor II

Re: Captive portal through without routing on the controller - any issues?

Sorry, I should have mentioned the client uses this dedicated router as its default gateway, not the controller.

This is basically a rip-off of the campus VRD, but with captive portal and not dot1x.

Guru Elite

Re: Captive portal through without routing on the controller - any issues?

Does the controller have an ip address on this VLAN?

What role does the user get from the controller when he associates for the first time?

Do you have the ip cp-redirect-address parameter on the controller set to the IP address of the controller on that DMZ VLAN?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: Captive portal through without routing on the controller - any issues?

Assignments are as expected, and I checked the rights on the role and the ACL hits on the role assignment; they seem... normal.

DHCP fails, but I am incrementing hits on the ACE in the ACL for this service to permit, and I got the FW guys to check that the packet forwards to the router, the router relays, and the server responds.

You may have a really good point about the IP on the captive portal, which may be the cause. The lab would have differed here.

Thanks again CJ, I think you have given me the focus I need - I might ask you some more questions later on today ;)

Bit cautious about the change of IP as I have a native captive portal running... (need to migrate)
