Occasional Contributor I

Multiple ESSIDs and VLANs over two-controller tunnel

Hello all,

I've got a two-controller setup currently, with one in the office, and one at our data centre. The office controller has two SSIDs: one for corporate, which puts the traffic on the local network, and one for guest Internet access, which tunnels the traffic down to the data centre controller and goes out to the Internet from there. It uses Captive Portal with internal accounts for guest access.

I'd like to add another SSID for corporate users' phones, which would also tunnel to the data centre and allow them to access the Internet from there, also through Captive Portal, but with RADIUS auth instead of internal. There will also be different firewall policies applied, so it definitely needs to be a different VLAN and SSID.

I've set up the new corporate SSID in the office, and I can see the traffic tunneling down to the data centre, but the user is getting the guest access user role, rather than the corporate user role. I can't seem to find where I tell it that when access is coming from the guest VLAN or SSID, to use the guest role, and when it's coming from the corporate VLAN or SSID, to use the corporate role.

Can anyone advise?

Cheers,
John Moe

Guru Elite

Re: Multiple ESSIDs and VLANs over two-controller tunnel

Do you have a GRE tunnel to transport traffic between controllers for that SSID? Is one side of the tunnel untrusted?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Multiple ESSIDs and VLANs over two-controller tunnel

Yes, there is an existing GRE tunnel between the two controllers, which is (and has been for a while) working fine for guest access. It is configured for both VLANs, and the data centre tunnel is configured as untrusted, office side is trusted.

Guru Elite

Re: Multiple ESSIDs and VLANs over two-controller tunnel

Making one side of a tunnel untrusted means that the controller will put the traffic leaving the tunnel into the role under Configuration > Advanced Services > Wired Access. If that role is a captive portal role, and that far side of the tunnel is untrusted, that means that both sets of traffic in the same tunnel are being placed into the same captive portal role. You would have to create a separate tunnel that is trusted and place the new VLANs' traffic into that tunnel.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Multiple ESSIDs and VLANs over two-controller tunnel

Oh, well I thought I had found it; in the VLAN, I can specify a wired AAA profile, and gave it my corp profile. Now my phone gets the correct user role and profile. But while I'm getting an IP address, and can use Fing to see My Phone, the Aruba controller, and the PAN firewall on that VLAN, when I try to browse, it's not giving me the Captive Portal logon page. Can I use the "Wired AAA Profile" selection in the VLAN? Or do I need to change it to two tunnels?

Occasional Contributor I

Re: Multiple ESSIDs and VLANs over two-controller tunnel

I was able to use the Wired AAA Profile of the VLAN to make this work. It turned out to be a problem with the firewall rules after all; the security group re-checked and found some problems, and once they were fixed, everything started to work.
