Wireless Access

Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

How to direct guest traffic to DMZ controllers and DMZ ClearPass?

Hi all,

 

I have two locals that are set up with a GRE tunnel to 2 DMZ controllers. Guests connect to the guest SSID and the local controllers tunnel their traffic over to the DMZ controller using the GRE tunnel. This is working great.

I have a ClearPass that sits on the DMZ. How do I direct the guest traffic to the DMZ CPPM after they are tunneled?

From the afp.arubanetworks.com it says to set the DMZ end of the tunnel to untrusted, but it doesn't mention what else is required. I know that I need some sort of wired-aaa-profile that needs to be triggered for traffic coming from that tunnel. Please advise and let me know if I can provide any info that might help you to help me ;)

Thanks,

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

https://ase.arubanetworks.com/solutions/id/23

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Guest-Clients-unable-to-get-captive-portal-page-from-Amigopod-server

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

The VLAN that the guests will be assigned to on the DMZ controller needs to have a wired-AAA profile associated with it. This AAA profile will have an initial role assigned that contains a captive portal role/profile assigned. The DMZ end of the tunnel should be "untrusted" to trigger the AAA profile assigned to the VLAN. An example configuration (VLAN 666 is the guest VLAN on the DMZ controller)... customize per your needs. The changes are made on the DMZ controller.

 

interface tunnel 5
  description guest-tunnel-5
  tunnel source 1.1.1.1
  tunnel mode gre 48
  tunnel destination 2.2.2.2
  tunnel vlan 666

aaa authentication captive-portal dmz-guest-cp
  default-role guest-role
  server-group cppm-servers
  redirect-pause 1
  no logout-popup-window
  login-page https://clearpass.domain.com/guest/guest.php

user-role dmz-guest-logon
  captive-portal dmz-guest-cp
  access-list session logon-control
  access-list session captiveportal

aaa profile guest-dmz
  initial-role dmz-guest-logon

vlan 666 wired aaa-profile guest-dmz

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
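
The reply above depends on a chain of references: tunnel VLAN, then the wired AAA profile on that VLAN, then its initial role, then that role's captive-portal profile. As an added example (not part of the original post and not Aruba tooling), this Python check confirms every link in a pasted config resolves to a defined object; the sample config is constructed, and the parser only understands the stanza keywords shown in the post.

```python
import re

# Constructed sample config reusing the post's object names (tunnel endpoints omitted).
SAMPLE = """\
interface tunnel 5
  tunnel vlan 666
aaa authentication captive-portal dmz-guest-cp
user-role dmz-guest-logon
  captive-portal dmz-guest-cp
aaa profile guest-dmz
  initial-role dmz-guest-logon
vlan 666 wired aaa-profile guest-dmz
"""

TOP = {"aaa": r"aaa profile (\S+)", "role": r"user-role (\S+)",
       "cp": r"aaa authentication captive-portal (\S+)",
       "wired": r"vlan (\d+) wired aaa-profile (\S+)", "tunnel": r"interface tunnel (\d+)"}
CHILD = {"aaa": r"initial-role (\S+)", "role": r"captive-portal (\S+)",
         "tunnel": r"tunnel vlan (\d+)"}

def parse(config):
    """Index only the stanzas that make up the guest captive-portal chain."""
    objs = {kind: {} for kind in TOP}
    current = None                                   # (kind, name) of the open stanza
    for raw in config.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace():            # unindented line opens a stanza
            current = None
            for kind, pattern in TOP.items():
                if m := re.fullmatch(pattern, line):
                    current = (kind, m[1])
                    objs[kind][m[1]] = m[2] if kind == "wired" else None
        elif line and current and current[0] in CHILD:
            if m := re.fullmatch(CHILD[current[0]], line):
                objs[current[0]][current[1]] = m[1]  # the name this stanza points at
    return objs

def check_chain(config):
    """Return the first broken link, if any, for each VLAN bound to a tunnel."""
    o, problems = parse(config), []
    for vlan in sorted(v for v in o["tunnel"].values() if v):
        profile = o["wired"].get(vlan)
        role = o["aaa"].get(profile)
        portal = o["role"].get(role)
        links = [(profile in o["aaa"], f"vlan {vlan}: wired aaa-profile '{profile}' is not defined"),
                 (role in o["role"], f"aaa profile '{profile}': initial-role '{role}' is not defined"),
                 (portal in o["cp"], f"user-role '{role}': captive-portal '{portal}' is not defined")]
        problems += [msg for ok, msg in links if not ok][:1]
    return problems
```

An empty list from `check_chain` means untrusted traffic arriving on the tunnel VLAN will land in a role that actually carries a captive-portal profile; a VLAN bound to a role name instead of an AAA profile name is reported as an undefined profile.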

Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Re: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

Perfect, thank you very much all.

Clembo, I set it up like you mentioned and it worked perfectly.

I have one more question:

The DMZ controllers are Master local. Guests now get their DHCP from the DMZ master. If that one fails, how do I configure the DHCP pool between the two DMZ controllers? Is it the same exact scope or do I split the scope in between the two controllers?

Thank you for your help.

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

You need to split the scopes because both controllers will respond.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com