03-16-2012 12:10 PM
We have an ESI captive portal in a multi-controller environment - we have the problem of determining which controller a logon request is coming through, so we can post back the ESI XML to log the user on. The ESI document says src-nat should be used in the access-list, so that the traffic from the client to the ESI server is SNATed behind the IP address of the controller in use. However, I've hit a few problems with this...
Firstly, the SNAT just seems to translate the address of the packet without routing it to another VLAN - our controllers are not the default gateway / router for clients as the client networks sit in a different routing domain to the management interface of the controller (using VRFs on Cisco): the controllers are on the LAN whereas the client networks are in a kind of DMZ. As such, when the address is translated, it becomes invalid for the VLAN on which it is entering the router (and rejected). [Even if we were to remove this anti-spoofing, the path for this traffic would take a very strange, asymmetric path to the logon page.]
I can fix this by translating to an internal address (one valid on the client VLAN - the controller has to have one of these for the captive portal to work, anyway), then this causes problems because there are several client VLANs and the address needs to selected appropriate for a particular client (which will get horribly messy).
I have noticed I can do 'user alias esi-logon-server svc-http route src-nat' - with no pool specified (I can't) - and this translates the address behind the default gateway interface address AND send it out that interface -- all seems fine, except it doesn't seem to pick up the whole TCP connection: just the first few packets - enough to establish the connection - then the remaining packets don't get routed through that interface, so fall foul of the anti-spoofing. The 'route' option is not documented, so I suspect it might not work!
I'm running 22.214.171.124 -- has anyone got any tips for how to make this work in this situation?
03-16-2012 12:50 PM
I knew I'd seen this somewhere, but couldn't find it -- there's an option in the captive portal configuration:
aaa authentication captive-portal mycp
... that does what I want but isn't mentioned in the separate ESI documentation.
I think that solves my problem, but help with the src-nat option and how it works would still be useful.