08-10-2012 03:58 AM
Rather than do the routing on the controller for guest access, I was looking into just dropping the unauthenticated guest onto a dedicated VLAN in a DMZ, which hands off to a dedicated guest router within a firewall complex, which forwards DHCP to a remote server and also to an Amigopod for guest auth - two fewer things for the controller to worry about, so it can focus on wireless and enforcement and scale up well.
When attached via a wire to this DMZ you can get to the web (DHCP, DNS and HTTP(S) work OK, as I connected a laptop to this VLAN).
This avoids difficult decisions about default routes. (Pity there's no VRF support.)
Now I labbed this and it all seemed to work really well; very happy, really nice and clean solution for the firm's needs. I got an IP on the VLAN interface, as I found in the lab through sniffers that I needed this, as it uses this for the connection to Amigopod (I disable inter-VLAN routing) - but, for some reason, on the production controller things don't work out OK.
The datapath session table shows a loss of state and is denying traffic; the user-role is configured to permit the traffic it is denying (I even used an allow-all to test; sometimes it works, sometimes not). Interestingly enough, it did work in the lab (same code, different platform) - anyone had similar issues?
I worry I need a fresh set of eyes, hence the post. If I am not doing anything too stupid here I'll go to TAC.
Thanks in advance,
08-10-2012 04:12 AM
Sorry, I should have mentioned the client uses this dedicated router as a default gateway, not the controller.
This is basically a rip-off of the campus VRD but with captive portal and not dot1x.
08-10-2012 04:47 AM
Does the controller have an IP address on this VLAN?
What role does the user get from the controller when he associates for the first time?
Do you have the ip cp-redirect-address parameter on the controller set to the IP address of the controller on that DMZ VLAN?
Aruba Customer Engineering
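One way the three checks above map onto ArubaOS configuration, as an added illustrative fragment that is not from the thread or from Aruba's own documentation; VLAN 200, the 10.200.0.0/24 addresses and the role and profile names are assumptions chosen for the example:

```text
! Controller needs its own address on the guest DMZ VLAN: the captive-portal
! redirect and the Amigopod connection are sourced from it (assumed values)
interface vlan 200
  ip address 10.200.0.2 255.255.255.0
!
! Redirect unauthenticated guests to the controller's address on the DMZ VLAN,
! not to an address on a VLAN the guest's default gateway (the DMZ router) cannot reach
ip cp-redirect-address 10.200.0.2
!
! Pre-authentication role: predefined ACLs let DHCP/DNS out and send HTTP to the portal
user-role guest-logon
  captive-portal "guest-cp"
  session-acl logon-control
  session-acl captiveportal
```

With this in place, the role a new client lands in can be read from the user table, and whether the redirect is actually being hit from the datapath session table and the ACL hit counters, which is the same evidence the original poster is already collecting.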
08-10-2012 05:11 AM
Assignments are as expected and I checked the rights on the role and the ACL hits on the role assignment; they seem... normal.
DHCP fails, but I am incrementing hits on the ACE in the ACL for this service to permit, and I got the FW guys to check to see that the packet forwards to the router, the router relays, and the server responds.
You may have a really good point about the IP on the captive portal, which may be the cause. The lab would have differed here.
Thanks again CJ, I think you have given me the focus I need - I might ask you some more questions later on today ;)
Bit cautious about the change of IP as I have a native captive portal running... (need to migrate).