Occasional Contributor II
Posts: 18
Registered: ‎04-07-2016

NAT Guest devices on Single VLAN design

Hi all,

I have just deployed two SSIDs on a 7210 Mobility Controller at a client site. Let's call the SSIDs 'Guest' and 'Corp'.

The client uses a completely flat /16 network so I have used the Single VLAN design and used ClearPass to pass separate user roles/firewall policies back to the Controller for network segregation.

The problem is that the client uses an upstream proxy server to authenticate users. We wish to bypass authentication on the Proxy for 'Guest' users, but can't do this by source IP address range due to the single large subnet.

The only other way I can think of doing this would be to NAT all guest users behind a single IP address on the Controller and use this IP address in the bypass authentication rules, however they reside behind the same interface as the corp users so I'm not sure how to achieve this.

Is it possible to NAT users based on the SSID they connect to?

If not, are there any alternative solutions to bypass proxy auth for guest users as part of a single VLAN design?

-Brett

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: NAT Guest devices on Single VLAN design

You could:

- Do an "ip nat inside" for the guest VLAN on the controller
- On your proxy, allow all traffic from the controller's IP address to go to the internet without logging in.

You will have to:

- Create a non-routable guest VLAN on the controller and set an IP address for the controller on that VLAN.
- Create a DHCP server on the controller to give out IP addresses on that VLAN.
- Configure "ip nat inside" on that VLAN interface on the controller.

Colin Joseph
Aruba Customer Engineering
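
The steps in the answer above, written out as controller CLI. This is an added example, not configuration posted by anyone in the thread; the VLAN ID, guest subnet, DHCP pool name, DNS server address and virtual-AP profile name are assumed placeholders.

```arubaos
! Added example, not from the thread. VLAN ID, subnet, pool name, DNS
! address and virtual-AP profile name below are assumed placeholders.
configure terminal
!
! 1. Guest VLAN that exists only on the controller (not routed on the wired network)
vlan 900
!
! 2. Controller address on that VLAN, with source NAT for traffic leaving it
interface vlan 900
   ip address 192.168.200.1 255.255.255.0
   ip nat inside
!
! 3. Controller-hosted DHCP scope for guest clients
ip dhcp pool guest-pool
   default-router 192.168.200.1
   dns-server 192.0.2.53
   network 192.168.200.0 255.255.255.0
!
service dhcp
!
! 4. Place the Guest SSID's clients in the new VLAN (hypothetical profile name)
wlan virtual-ap "guest-vap"
   vlan 900
!
end
write memory
```

With this in place the proxy sees every guest connection as coming from the controller's IP address, so the guest role's firewall policy remains the only thing separating guests from hosts on the corporate /16.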


Occasional Contributor II
Posts: 18
Registered: ‎04-07-2016

Re: NAT Guest devices on Single VLAN design

Hi Colin,

Thanks for the super quick reply.

Do I need an "ip nat outside" command on another interface somewhere?

-Brett

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: NAT Guest devices on Single VLAN design

Nope. Just an "ip nat inside" on the IP interface of the private VLAN you create for guests within the controller.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎04-07-2016

Re: NAT Guest devices on Single VLAN design

Hi Colin,

Thanks for your help. It works a treat!

-Brett
