Occasional Contributor II
Posts: 10
Registered: ‎08-11-2015

Isolated SSID connected to OPT network interface of router

Hi All,

I'm a very new user to Aruba equipment. I've got the basics down and I have an Aruba 3200 with 6 AP105's that are working just fine. The current environment is pretty standard and is in use by our internal employees and protected via WPA2 aes/tkip.

I'd like to add a guest network that is connected to the OPT port of my m0n0wall router, but I'm having some trouble getting it set up correctly. My reason for using the OPT port is because I'd like to have public traffic routed through a different static IP than my production network.

My router is configured at 192.168.x.1, DNS forwarding is enabled and pushing out to public addresses. If I plug my laptop directly into this interface and set a static address, I can browse just fine. I'm using the built-in throttle options for the m0n0wall and they are tested and working fine on this interface.

DHCP was enabled for this network via the m0n0wall, but I have since disabled it to see if I could have the Aruba controller handle it.

I set up a VLAN per documentation, am pointing to the router as the default router address, have DHCP enabled on the subnet within the Aruba controller, and have the new SSID pointed to the correct VLAN. I have the VLAN pointing to Port 1, which is where my interface from my OPT network on my m0n0wall is connected to.

I can't even get a DHCP address issued when I successfully connect to the new SSID, that's even with the SSID tied to that VLAN.

Any thoughts or input?

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Isolated SSID connected to OPT network interface of router

- Dedicate a physical port and a VLAN on your Aruba Controller for guest traffic.

config t
vlan 1000
interface vlan 1000
interface gigabitethernet 1/0 <-----Physical port you would plug your router in
switchport access vlan 1000

- Plug the user (not the WAN) side of your firewall into that connection

- Give the Aruba controller an ip address on that VLAN in the range that the router would assign to clients

config t
interface vlan 1000
ip address 192.168.1.3 255.255.255.0

- Use the WLAN wizard to create an SSID that puts users on that VLAN

- Optionally, you can create a DHCP server within the Aruba Controller to supply your guest clients with ip addresses (the scope would have the router as the default gateway so that your clients can get out)



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 10
Registered: ‎08-11-2015

Re: Isolated SSID connected to OPT network interface of router

Hey Colin,

Thanks for the quick reply.

Here's my output with the actual IP masked:

(Aruba3200-BOMF) #show vlan

VLAN CONFIGURATION
------------------
VLAN  Description  Ports           AAA Profile
----  -----------  -----           -----------
1     Default      GE1/0-3 Pc0-7   N/A

(Aruba3200-BOMF) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba3200-BOMF) (config) #vlan 1000
(Aruba3200-BOMF) (config) #interface vlan 1000
(Aruba3200-BOMF) (config-subif)#interface gigabitethernet 1/1
(Aruba3200-BOMF) (config-if)#switchport access vlan 1000
(Aruba3200-BOMF) (config-if)#configure t
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba3200-BOMF) (config) #interface vlan 1000
(Aruba3200-BOMF) (config-subif)#ip address 192.168.x.150 255.255.255.0
(Aruba3200-BOMF) (config-subif)#

I then created a new SSID and mapped it to VLAN 1000. DHCP is enabled on the router (if I plug into that port directly in the router I get an address and all is well)... I have the OPT port (not WAN) plugged into gigabitethernet 1/1 as specified.

I still cannot seem to grab an IP address, nothing ever gets assigned.

Any other thoughts? Seems I was headed in the right direction but it's just not happening.

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Isolated SSID connected to OPT network interface of router

You do not grab an address if you do what? If you create an open WLAN mapped to VLAN 1000, you should be able to get an IP address if the controller is providing DHCP, OR the router is providing DHCP for your clients. Since VLAN 1000 is not attached to any other physical ports, none of the remaining wired ports can get an IP address from the router unless they were assigned to VLAN 1000.

When you created the role for the users that connect to that WLAN, the role should allow DHCP (any any service dhcp permit).

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 10
Registered: ‎08-11-2015

Re: Isolated SSID connected to OPT network interface of router

Hey Colin,

No, no such luck.

Can you clarify this for me?

"When you created the role for the users that connect to that WLAN, the role should allow DHCP (any any service dhcp permit)"

I have not created any users nor run that command.

I tested it on a wide-open network and still do not pull an address from the controller.

I'm perplexed.

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Isolated SSID connected to OPT network interface of router

Assign a second physical port to VLAN 1000 and plug a laptop into that port to see if you get an IP address.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 10
Registered: ‎08-11-2015

Re: Isolated SSID connected to OPT network interface of router

Here's a few more screenshots...

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Isolated SSID connected to OPT network interface of router

When users get on the wireless, what role are they assigned? You need to see what firewall policies are assigned to that role. Since users require an IP address, they will probably not show up in the user table until they get a 169 address. When they do, look at the user table to see what role they have. Then go to Configuration > Security > Access Control and see what firewall policies are assigned to that role. If there are no firewall policies, add one that has no restrictions (allowall).



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 10
Registered: ‎08-11-2015

Re: Isolated SSID connected to OPT network interface of router

Hey Colin,

Thanks for all your help so far. I think we're getting closer. I've attached screenshots from both sections.

For what it's worth... if I connect to our internal, working wifi, I get "logon" as the assignment, but it works fine.

Connecting to the open test network I also get logon.

What are the steps from here?

Occasional Contributor II
Posts: 10
Registered: ‎08-11-2015

Re: Isolated SSID connected to OPT network interface of router

Oh, and yes I get an IP address when I plug into port 1/2 after assigning it.
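
As an added example (not part of the thread and not Aruba tooling), the following Python script parses `show vlan` output in the format posted above and checks that the guest VLAN is bound only to the router-facing port, which also catches a test port such as 1/2 left in VLAN 1000 after troubleshooting. The sample output, the VLAN description in it and all function names are constructed for illustration.

```python
import re

# Constructed sample: `show vlan` after the thread's changes (GE1/1 = router, GE1/2 = laptop test).
SAMPLE_SHOW_VLAN = """\
VLAN CONFIGURATION
------------------
VLAN  Description  Ports              AAA Profile
----  -----------  -----              -----------
1     Default      GE1/0 GE1/3 Pc0-7  N/A
1000  VLAN1000     GE1/1-2            N/A
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s+(\S+)\s*$")          # id, description, ports, AAA profile
PORT = re.compile(r"^([A-Za-z]+)(?:(\d+)/)?(\d+)(?:-(\d+))?$")   # GE1/0-3, Pc0-7, GE1/1

def expand_ports(field):
    """Expand a Ports cell such as 'GE1/0-3 Pc0-7' into individual port names."""
    ports = set()
    for token in field.split():
        m = PORT.match(token)
        if not m:
            continue  # ignore anything that is not a port or port range
        kind, slot, first, last = m.groups()
        for n in range(int(first), int(last or first) + 1):
            ports.add(f"{kind}{slot}/{n}" if slot is not None else f"{kind}{n}")
    return ports

def parse_show_vlan(text):
    """Return {vlan_id: set_of_ports}; header and separator rows do not match ROW."""
    vlans = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlans[int(m.group(1))] = expand_ports(m.group(3))
    return vlans

def audit_guest_vlan(text, guest_vlan, uplink):
    """List findings where the guest VLAN is not confined to the router-facing port."""
    vlans = parse_show_vlan(text)
    if guest_vlan not in vlans:
        return [f"VLAN {guest_vlan} is not configured"]
    guest = vlans[guest_vlan]
    findings = [] if uplink in guest else [f"{uplink} is not in VLAN {guest_vlan}"]
    findings += [f"{p} is also in guest VLAN {guest_vlan}" for p in sorted(guest - {uplink})]
    findings += [f"{uplink} is also in VLAN {v}"
                 for v in sorted(vlans) if v != guest_vlan and uplink in vlans[v]]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_guest_vlan(SAMPLE_SHOW_VLAN, 1000, "GE1/1")) or "guest VLAN is isolated")
```
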
