Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT option for ESI redirect

  • 1.  NAT option for ESI redirect

    Posted Nov 16, 2014 01:26 PM

    Hello

     

     Following the example of http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/ControllerBasedWLANs/article-id/1408 we tried to configure an external captive portal, but when we configure the ESI to redirect we don't see any place to choose the NAT.

     

     Any advice on where to configure it?

     

    Regards



  • 2.  RE: NAT option for ESI redirect

    Posted Nov 16, 2014 06:15 PM

    EDIT:

     

    Try your configuration from the CLI.  I just tested this and also did not see it in the WebUI.  The following is just a sample of the input.

     

    ip access-list session ESI-POLICY

    any any svc-http redirect esi-group EXT-CP direction forward src-nat pool ESI-NAT-POOL

     

     

     



  • 3.  RE: NAT option for ESI redirect

    Posted Nov 17, 2014 03:59 AM

    Well, that explains a lot. To be more exact, we plan to deploy this rule before the access-list session captiveportal.

     

     

    ip access-list session ESI-POLICY
    
    user host IP-CP svc-http redirect esi-group EXT-CP direction forward src-nat pool ESI-NAT-POOL
    user host IP-CP svc-https redirect esi-group EXT-CP direction forward src-nat pool ESI-NAT-POOL
    
    

     

    Where IP-CP is the IP of the ClearPass.

     

    One more doubt: do we have to enable inside NAT or inter-VLAN routing for this to make it work?



  • 4.  RE: NAT option for ESI redirect

    Posted Nov 17, 2014 07:49 AM

    Is there a reason you are using ESI and not the Captive Portal profile itself to redirect to ClearPass? Have a look at the Aruba/ClearPass Integration Guide attached. Look around page 19 for the Captive Portal profile creation and pointing to ClearPass (external).

     

     

     




  • 5.  RE: NAT option for ESI redirect

    Posted Nov 18, 2014 10:26 AM

    The reason it's not configured that way is because ClearPass is isolated from the guest network, so there is no route from the guest network to reach ClearPass. Also, in the design the controller is not the default gateway for the network.

     

    We have opened a case with TAC and now it's escalated to the Engineering team (it does not work as it should); we deployed a workaround using a dst-nat on a TCP port of the controller.

     

    Regards

     

     



  • 6.  RE: NAT option for ESI redirect

    Posted Nov 18, 2014 08:47 PM

    OK, but is it reachable from the controller's IP? If so, you can NAT just the CPPM traffic in the logon role, while all other traffic is sent out its normal route. For example:

     

    netdestination CPPM-SERVERS

      host x.x.x.x

      host y.y.y.y

     

    ip access-list session CPPM-REDIRECT

      user alias CPPM-SERVERS svc-http src-nat

      user alias CPPM-SERVERS svc-https src-nat

     

    user-role CPPM-LOGON-ROLE

      access-list logon-control

      access-list CPPM-REDIRECT

      access-list captiveportal
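
    The role layout in the reply above relies on first-match ordering: the controller walks the ACLs attached to a user-role top to bottom and applies the first matching rule, so the src-nat ACL for the ClearPass hosts has to sit ahead of the generic captiveportal ACL, whose dst-nat rules would otherwise catch the same HTTP/HTTPS traffic first. The following Python script is an added example, not code from this thread or from HPE Aruba Networking; it parses a constructed config snippet written in the same syntax and reports a role where that ordering is wrong. The simplified captiveportal rules, the 10.0.0.x server addresses and the handling of only these three section kinds are assumptions.

```python
"""Check NAT-before-captive-portal ordering in an ArubaOS-style user-role.

Added example (not from the thread): a small parser for the subset of
ArubaOS syntax used above (netdestination, ip access-list session,
user-role) plus a check that every ACL which source-NATs traffic to the
ClearPass alias is listed in the role before the generic captiveportal ACL.
"""
import ipaddress
import re

# Constructed sample, modelled on the thread's snippets. The captiveportal
# body is simplified and the server addresses are placeholders (assumptions).
SAMPLE_CONFIG = """
netdestination CPPM-SERVERS
  host 10.0.0.10
  host 10.0.0.11

ip access-list session CPPM-REDIRECT
  user alias CPPM-SERVERS svc-http src-nat
  user alias CPPM-SERVERS svc-https src-nat

ip access-list session captiveportal
  user alias controller svc-https permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081

user-role CPPM-LOGON-ROLE
  access-list logon-control
  access-list CPPM-REDIRECT
  access-list captiveportal
"""

# Same config with the two ACLs swapped: the generic redirect now wins.
MISORDERED_CONFIG = SAMPLE_CONFIG.replace(
    "  access-list CPPM-REDIRECT\n  access-list captiveportal",
    "  access-list captiveportal\n  access-list CPPM-REDIRECT",
)

SECTION_RE = re.compile(
    r"^(?P<kind>netdestination|ip access-list session|user-role)\s+(?P<name>\S+)\s*$"
)


def parse_config(text):
    """Split the config into netdestinations, session ACLs and user-roles.

    A top-level line matching SECTION_RE opens a section; the indented lines
    that follow are its body, stored as token lists. Other statements skip.
    """
    cfg = {"netdestination": {}, "ip access-list session": {}, "user-role": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = cfg[m.group("kind")].setdefault(m.group("name"), [])
        elif raw.startswith((" ", "\t")) and current is not None:
            current.append(raw.split())
        else:
            current = None  # unknown top-level statement: ignore its body
    return cfg


def check_logon_role(cfg, role, server_alias, generic_acl="captiveportal"):
    """Return a list of problems; an empty list means the ordering is sound.

    Checks that the alias exists with valid host addresses, that at least one
    session ACL src-nats traffic to it, and that each such ACL is attached to
    the role ahead of `generic_acl` (first match wins, so a later rule for the
    same services is dead).
    """
    problems = []
    roles = cfg["user-role"]
    if role not in roles:
        return [f"user-role {role} not found"]
    order = [tokens[1] for tokens in roles[role] if tokens[:1] == ["access-list"]]

    hosts = cfg["netdestination"].get(server_alias)
    if hosts is None:
        problems.append(f"netdestination {server_alias} not defined")
    else:
        for tokens in hosts:
            if tokens[0] == "host":
                try:
                    ipaddress.ip_address(tokens[1])
                except ValueError:
                    problems.append(f"{server_alias}: bad host {tokens[1]}")

    nat_acls = [
        name for name, rules in cfg["ip access-list session"].items()
        if any(r[:3] == ["user", "alias", server_alias] and "src-nat" in r for r in rules)
    ]
    if not nat_acls:
        problems.append(f"no session ACL src-nats traffic to {server_alias}")

    generic_pos = order.index(generic_acl) if generic_acl in order else len(order)
    for name in nat_acls:
        if name not in order:
            problems.append(f"{name} is not attached to user-role {role}")
        elif order.index(name) > generic_pos:
            problems.append(f"{name} is listed after {generic_acl} in {role}; it will never match")
    return problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_CONFIG), ("misordered", MISORDERED_CONFIG)):
        print(label, check_logon_role(parse_config(text), "CPPM-LOGON-ROLE", "CPPM-SERVERS"))
```

    Run against the output of `show running-config` (or the relevant sections pasted from it) this gives a quick sanity check before a debugging session on the datapath: if the NAT ACL is attached but reported as listed after captiveportal, the client's source address will reach ClearPass untranslated regardless of the NAT pool.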

     

     



  • 7.  RE: NAT option for ESI redirect

    Posted Nov 20, 2014 05:00 AM

    Thanks Clembo, once we were unable to make ESI work, we tried your proposed solution, using dynamic source NAT first and then the pool we had already defined, and it did not work; we debugged the datapath on the controller but the source IP was that of the client connected on the VLAN, not translated to the IP of the controller.

     

    We even tried dual NAT with the same result.

     

    Enabling or disabling tristate NAT does not make any difference either.

     

    Our solution was to map one of the controller ports with a SRC NAT ACL and this works, but it's not our preferred solution.

     

    Take note that we are deploying a 6.4.2 Early Deployment version.

     

    I believe Aruba guys are reproducing the same situation.