MVP
Posts: 512
Registered: ‎05-11-2011

Design and setup with separate ISP for Guest

Hi

This could be posted under Guest, but it's more of a general design issue than providing and authenticating guest access. I could use your input on how to accomplish this. The essence is that we go from an internal captive portal to ClearPass and at the same time introduce a new ISP/internet connection that only the guests should use. We have tried to separate the guest network as much as possible.

I've read through the VRDs, but can't say that this is covered there.

The scenario is as follows.

Current setup

  • Master-standby 3600
  • MGMT and default gw - VLAN 23
  • Layer 3 for Employee - VLAN 13
  • Layer 2 for Guests - VLAN 18
  • The Controller terminates both CAPs and RAPs.
  • Controller is Captive Portal and DHCP for Guests

Both guests and employees surf via the same internet connection. RAPs establish their tunnel through the same connection.

Needed setup

  • Master-standby 3600
  • Layer 3 for Employee - VLAN 13
  • MGMT and default gw - VLAN 23
  • Layer 2 for Guests - VLAN 64
  • The Controller terminates both CAPs and RAPs.
  • New ISP connection for Guests - VLAN 38
  • ClearPass Guest is Captive Portal and guest authentication server. Resides in VLAN 64

Guests should surf through a new ISP connection established on VLAN 38.

Employees should continue to surf through the connection established on their gateway in VLAN 13.

What's the best way to implement this?

Is it viable, or should we go about this differently?

In what VLAN should the controller's default gateway be?

Where should I place the ClearPass - and should we use both MGT and LAN interfaces?

What kind of static routes should I use?

The things we've done haven't really worked out.

We changed the default gateway for the controller to VLAN 38, but then all our RAPs stopped working. They came in through VLAN 23, but the controller sent the traffic out on VLAN 38, so that was no good.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Design and setup with separate ISP for Guest

Where's VLAN 38 defined?

What device is doing the NATing?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 512
Registered: ‎05-11-2011

Re: Design and setup with separate ISP for Guest

VLAN 38 is defined on the Controller and on the switch it is connected to. The Controller is the NAT device.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Design and setup with separate ISP for Guest


If you don't have a firewall or router to do the NATing, what you could do is create an SVI for VLAN 38 with an IP address in the same range as your ISP's, and then create an IP NAT pool pointing to that IP address.

The only issue with this setup is that your controller will now have a public address (exposed).
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Design and setup with separate ISP for Guest

By the way, what do you mean about where to place ClearPass?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 512
Registered: ‎05-11-2011

Re: Design and setup with separate ISP for Guest

Thanks for your attention, vfabian.

Can you elaborate on that proposed solution? We did try that both in our solution and in a customer solution without success, so a concrete example that you know works is greatly appreciated. I don't have a problem with the Controller being exposed.

Ignore the ClearPass placement part - it's not really relevant to the problem, just a part of the overall design.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
MVP
Posts: 512
Registered: ‎05-11-2011

Re: Design and setup with separate ISP for Guest

So - to sum this up...

I'm trying to src-nat traffic from one VLAN (64 - the inside Guest) using the IP address on another VLAN (38 - the outside) instead of the Controller IP.

I'm unable to get this to work.

I've done:

ip access-list session guest-srcnat
  any any any src-nat pool pool-guest-srcnat

Added "guest-srcnat" as the default role on my AAA profile (for now, until I get this working).

No src-nat on either VLAN 64 or 38. I'm thinking that should be handled by the src-nat rule on the role.

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Design and setup with separate ISP for Guest

See if this helps

interface vlan 38
  ip address 169.45.34.50 255.255.255.0

ip nat pool NAT-GUEST-POOL 169.45.34.50 169.45.34.50

ip dhcp pool GUEST-DHCP-POOL
  default-router 10.10.30.1
  dns-server 169.45.67.1
  network 10.10.30.0 255.255.255.0
  authoritative

interface vlan 64
  ip address 10.10.30.1 255.255.255.0

ip access-list session GUEST-LOGON-CONTROL-ACL
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dhcp permit
  alias GUEST-IP any svc-dns src-nat pool NAT-GUEST-POOL
  alias GUEST-IP alias CLEARPASS-SERVER svc-https src-nat pool NAT-GUEST-POOL
  alias GUEST-IP alias CLEARPASS-SERVER svc-http src-nat pool NAT-GUEST-POOL
  any alias CLEARPASS-SERVER svc-https permit
  any alias CLEARPASS-SERVER svc-http permit

ip access-list session GUEST-SRC-NAT-ACL
  any any svc-ssh src-nat pool NAT-GUEST-POOL
  user alias DNS-SERVERS svc-dns src-nat pool NAT-GUEST-POOL
  any any svc-icmp src-nat pool NAT-GUEST-POOL
  any any svc-https src-nat pool NAT-GUEST-POOL
  any any svc-http src-nat pool NAT-GUEST-POOL
  user any any src-nat pool NAT-GUEST-POOL

ip access-list session CAPTIVE-PORTAL-ACL
  user alias CLEARPASS-SERVER svc-https src-nat pool NAT-GUEST-POOL
  user alias CLEARPASS-SERVER svc-http src-nat pool NAT-GUEST-POOL
  user alias CLEARPASS-SERVER any src-nat pool NAT-GUEST-POOL


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
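The config above leans on a NAT pool to make guest traffic leave with the VLAN 38 address. Two things happen to such a packet on any router: the source-NAT rule rewrites its source address, and a separate route lookup decides which interface it leaves on. The following is an added example, not Victor's config and not ArubaOS code: a small Python model of first-match session-ACL evaluation followed by a longest-prefix route lookup, so you can check what a guest packet does under the thread's addressing before touching the controller. VLANs, the 10.10.30.0/24 scope and 169.45.34.50 come from the posted config; the ClearPass address 10.10.30.10, the VLAN 23 gateway 10.23.0.1, the VLAN 38 gateway 169.45.34.1, the sample packets and the `pool_nexthop` parameter (which stands in for a policy route the posted config does not have) are assumptions for illustration.

```python
"""First-match session-ACL evaluation followed by a route lookup.
Added example for this thread, not ArubaOS code. VLANs and the 10.10.30.0/24
and 169.45.34.50 addresses are from the posted config; the rest is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for icmp
    in_vlan: int


# netdestination aliases used by the posted ACLs (ClearPass address assumed)
ALIASES = {
    "GUEST-IP": ["10.10.30.0/24"],
    "CLEARPASS-SERVER": ["10.10.30.10/32"],
    "DNS-SERVERS": ["169.45.67.1/32"],
}
SERVICES = {
    "svc-ssh": ("tcp", 22), "svc-dns": ("udp", 53), "svc-icmp": ("icmp", None),
    "svc-https": ("tcp", 443), "svc-http": ("tcp", 80), "svc-dhcp": ("udp", 67),
}
NAT_POOLS = {"NAT-GUEST-POOL": "169.45.34.50"}

# GUEST-SRC-NAT-ACL from the post as (src, dst, service, action), in order
GUEST_SRC_NAT_ACL = [
    ("any", "any", "svc-ssh", "src-nat pool NAT-GUEST-POOL"),
    ("user", "alias DNS-SERVERS", "svc-dns", "src-nat pool NAT-GUEST-POOL"),
    ("any", "any", "svc-icmp", "src-nat pool NAT-GUEST-POOL"),
    ("any", "any", "svc-https", "src-nat pool NAT-GUEST-POOL"),
    ("any", "any", "svc-http", "src-nat pool NAT-GUEST-POOL"),
    ("user", "any", "any", "src-nat pool NAT-GUEST-POOL"),
]

# controller routing table as (prefix, egress VLAN, next hop); the default
# route via VLAN 23 is the thread's starting point, 10.23.0.1 is assumed
ROUTES = [
    ("10.10.30.0/24", 64, None),
    ("169.45.34.0/24", 38, None),
    ("0.0.0.0/0", 23, "10.23.0.1"),
]


def _host_match(spec, addr, user_ip):
    if spec == "any":
        return True
    if spec == "user":
        return addr == user_ip
    if spec.startswith("alias "):
        return any(ip_address(addr) in ip_network(n) for n in ALIASES[spec[6:]])
    return ip_address(addr) in ip_network(spec)


def _service_match(spec, pkt):
    if spec == "any":
        return True
    proto, port = SERVICES[spec]
    return pkt.proto == proto and (port is None or pkt.dport == port)


def first_match(acl, pkt, user_ip):
    """(rule index, action) of the first matching rule; a session ACL ends in
    an implicit deny, reported as (None, "deny")."""
    for i, (src, dst, svc, action) in enumerate(acl):
        if (_host_match(src, pkt.src, user_ip) and _host_match(dst, pkt.dst, user_ip)
                and _service_match(svc, pkt)):
            return i, action
    return None, "deny"


def route_lookup(dst, routes):
    """Longest-prefix match; returns (egress VLAN, next hop)."""
    best = max((r for r in routes if ip_address(dst) in ip_network(r[0])),
               key=lambda r: ip_network(r[0]).prefixlen)
    return best[1], best[2]


def forward(pkt, acl, routes, pool_nexthop=None):
    """Apply the role ACL, then pick the egress. pool_nexthop (assumed, not in
    the posted config) forces pool-NATed traffic to a (VLAN, next hop), i.e. a
    policy route; with None the routing table decides, as plain src-nat does."""
    _, action = first_match(acl, pkt, pkt.src)   # upstream: user == packet source
    if action == "deny":
        return {"action": "deny"}
    new_src, pool = pkt.src, None
    if action.startswith("src-nat pool "):
        pool = action.split()[-1]
        new_src = NAT_POOLS[pool]
    if pool_nexthop and pool in pool_nexthop:
        vlan, nh = pool_nexthop[pool]
    else:
        vlan, nh = route_lookup(pkt.dst, routes)
    # the new source should sit on the egress VLAN; a VLAN 38 address leaving
    # on VLAN 23 is the asymmetric case that nothing upstream will answer
    consistent = route_lookup(new_src, routes)[0] == vlan
    return {"action": action, "src": new_src, "egress_vlan": vlan,
            "nexthop": nh, "consistent": consistent}


if __name__ == "__main__":
    guest = Packet("10.10.30.25", "8.8.8.8", "tcp", 80, 64)   # constructed
    print(forward(guest, GUEST_SRC_NAT_ACL, ROUTES))           # leaves on VLAN 23
    print(forward(guest, GUEST_SRC_NAT_ACL, ROUTES,
                  {"NAT-GUEST-POOL": (38, "169.45.34.1")}))     # gateway assumed
```

Run as is, the first call shows the guest's HTTP packet hitting the `any any svc-http` rule, getting the 169.45.34.50 source, and still leaving via the default route on VLAN 23 with `consistent` False, which is the symptom to look for when a src-nat-only design does not pass traffic. The second call, with the assumed policy route, sends the same packet out on VLAN 38. The model also makes rule ordering visible: a guest DNS query to 169.45.67.1 is caught by the second rule, not the catch-all, which matters if you later narrow the catch-all.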
MVP
Posts: 512
Registered: ‎05-11-2011

Re: Design and setup with separate ISP for Guest

You have this working, vfabian?

I have tried more or less the exact same config with no luck. Now I'm off for a week - going to Airheads in Alicante - so I'll look at this more closely when I get back.

I have read several old posts now that are about the same topic, but haven't really seen any of them solved.

Thanks for the help so far!


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway