Wireless Access


Guest access via captive portal to Local internet on RAP

I've got a central controller deployment, and there are some branch offices with a local internet connection. I'm planning to use RAPs for the branches, which are controlled by the central controller at the HQ office.

How can I route internet requests via the local internet connection in the branch?


Re: Guest access via captive portal to Local internet on RAP

You can configure your RAP in split-tunnel mode:
http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Remote_AP/Split_Tunneling.htm

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Guest access via captive portal to Local internet on RAP

Thanks Victor,
I know about using split tunnel, but what is not fully clear to me is what my default gateway and DHCP server should be.
I've gone through different documents, and the discussions were confusing or inconsistent with each other.



Re: Guest access via captive portal to Local internet on RAP

You control this with the firewall rules attached to a role (access-list session). In the example:

ip access-list session <policy>
   any any svc-dhcp permit
   any alias <name> any permit
   user any any route src-nat

The first line will allow DHCP; this DHCP is from the VLAN where the client is placed and lives centrally on the controller. The second line, and in fact everything with action permit, will be sent through the tunnel to the controller. The last line, with action route src-nat, will break out locally on the RAP, and that traffic's source IP will be NATed to the IP address of your RAP. So the client IP and default gateway will be on or behind the controller, but thanks to the NAT the client traffic can be routed directly to the internet.


So: permit = tunnel to controller, route nat = break out locally.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Re: Guest access via captive portal to Local internet on RAP

The problem is that my DHCP server is the controller in the data centre, and the default gateway for guest users is the firewall in the branch office.


Re: Guest access via captive portal to Local internet on RAP

The default gateway given to the client by the centralised DHCP is not actually used for "internet" traffic. Note the "user any any route src-nat" at the bottom of the ACL which Herman wrote: in this case, all the traffic that doesn't go up the tunnel (i.e. everything other than DHCP) will be source-NATed to the branch LAN IP of the AP and thus will follow the default gateway that the AP itself uses. The client thinks it's sending to the default gateway, but the AP intercepts it.


Hence, the only requirement here is that the default gateway given to the APs by whatever DHCP server exists in the branch LAN is also the one that the clients will use to reach the internet, so it must be the firewall.
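To make the forwarding decision described in the two posts above concrete (permit = tunnel to the controller, route src-nat = local breakout with the source rewritten to the RAP's own address, first matching rule wins, implicit deny at the end), here is a small Python model of that per-packet evaluation. It is an added illustration, not Aruba code and not from anyone in this thread: the topology addresses, the "corp-net" alias, the policy name "guest-split" and the service-to-port table are all assumptions chosen for the example. The three ACL lines are the ones Herman posted.

```python
"""Model of how an ArubaOS session ACL decides, per packet, whether a RAP in
split-tunnel mode sends traffic up the tunnel to the controller or breaks it
out on the branch LAN. Illustrative model only, not Aruba code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions for the example, not values from the thread)
AP_LAN_IP = "192.168.50.20"    # RAP's branch LAN address, from the branch DHCP server
AP_GATEWAY = "192.168.50.1"    # branch firewall: the RAP's own default gateway
CLIENT_GATEWAY = "10.10.10.1"  # gateway handed to the guest by the controller's DHCP
ALIASES = {"corp-net": [ip_network("10.0.0.0/8")]}  # assumed netdestination alias

# Named services as (protocol, destination port); assumed mapping for the model
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
            "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# The ACL from the thread, with <policy> and <name> filled in with assumed names
ACL_TEXT = """
ip access-list session guest-split
   any any svc-dhcp permit
   any alias corp-net any permit
   user any any route src-nat
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    src: str      # "any" or "user" (the authenticated client)
    dst: str      # "any" or an alias name
    svc: str      # "any" or one of SERVICES
    action: str   # "permit", "deny" or "route src-nat"


def parse_acl(text):
    """Parse the CLI lines into ordered rules; the header line is skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "ip":          # "ip access-list session <name>"
            continue
        src = toks[0]
        if toks[1] == "alias":
            dst, i = toks[2], 3
        else:
            dst, i = toks[1], 2
        svc = toks[i]
        action = " ".join(toks[i + 1:])
        rules.append(Rule(src, dst, svc, action))
    return rules


def _matches(rule, pkt):
    # "any" and "user" both match here: every packet in this model comes
    # from the wireless client, which is what "user" means in the ACL.
    if rule.dst != "any":
        if not any(ip_address(pkt.dst) in net for net in ALIASES[rule.dst]):
            return False
    if rule.svc != "any" and SERVICES[rule.svc] != (pkt.proto, pkt.dport):
        return False
    return True


def classify(rules, pkt):
    """First matching rule wins; the ACL ends with an implicit deny."""
    for n, rule in enumerate(rules, 1):
        if not _matches(rule, pkt):
            continue
        if rule.action == "permit":         # forwarded through the tunnel
            return {"rule": n, "path": "tunnel", "src": pkt.src,
                    "next_hop": "controller"}
        if rule.action == "route src-nat":  # local breakout, NATed to the RAP
            return {"rule": n, "path": "local", "src": AP_LAN_IP,
                    "next_hop": AP_GATEWAY}
        if rule.action == "deny":
            return {"rule": n, "path": "drop", "src": pkt.src, "next_hop": None}
    return {"rule": None, "path": "drop", "src": pkt.src, "next_hop": None}


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    client = "10.10.10.50"   # constructed guest address leased by the controller
    samples = [
        ("DHCP discover", Packet("0.0.0.0", "255.255.255.255", "udp", 67)),
        ("corp server", Packet(client, "10.20.30.40", "tcp", 443)),
        ("internet", Packet(client, "203.0.113.10", "tcp", 443)),
    ]
    for label, pkt in samples:
        d = classify(ACL, pkt)
        print(f"{label:14} rule {d['rule']} -> {d['path']:6} "
              f"src={d['src']} next_hop={d['next_hop']}")
        if d["path"] == "local":
            print(f"   (client addressed {CLIENT_GATEWAY}; the RAP forwarded "
                  f"via {AP_GATEWAY} after source NAT)")
```

The point the model makes is the one in the last post: for the third packet the client's own default gateway never matters, because the RAP rewrites the source to its LAN address and hands the packet to whatever gateway the RAP itself learned from the branch DHCP server. Rule order matters too: if the route src-nat line were placed first, DHCP and corporate traffic would also break out locally, so keep the permit lines above it.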
