Contributor I
Posts: 22
Registered: ‎09-07-2011

Problem configuring captive portal with private address space

Hello,

I have two controllers (master=7210 & local=7240 running 6.4.3.4) and I'm trying to create a new guest access network with a captive portal using private address space that resides only on the local controller.  This will be natted to a public address in our dmz.  After I create this config with captive portal turned on using the wlan wizard, my test client retrieves an address from the local dhcp server but the captive portal login page never appears.  It seems like a routing issue.  My test client cannot ping the default gateway address which resides on the local controller.  I have created whitelist entries as a test for my entire network.  Do the controllers need to be on the same private subnet?  The controllers can communicate on their management addresses.  Thanks.

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Problem configuring captive portal with private address space

Does your controller have an ip address on the guest vlan?  If yes, do this command on that local controller:

config t
ip cp-redirect-address <ip address of controller on guest vlan>



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Problem configuring captive portal with private address space

Thanks for your response.  Yes, my local controller has an address within the guest vlan.  The master does not.  I've added that command on my local but my test client still does not receive the captive portal upon connecting to the ssid.  

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Problem configuring captive portal with private address space

Can that client on your local controller resolve DNS?



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Problem configuring captive portal with private address space

No, dns is failing for the client.  In my guest logon role, I do have a temporary "any any permit" policy and the captive portal profile has a whitelist entry for my entire internal address space.  The private address of the controller in my guest vlan is reachable from the rest of my network.

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Problem configuring captive portal with private address space

DNS is essential.

Just in case routing to your guest network is not working, as a temporary workaround, you can do:

config t
interface vlan <guest vlan number>
ip nat inside

So that any user traffic should be natted out of the controller.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Problem configuring captive portal with private address space

Thanks again.  I do have source nat enabled for the guest vlan.

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Problem configuring captive portal with private address space

Then the default gateway of your guest clients needs to be the ip address of the controller on that guest subnet.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Problem configuring captive portal with private address space

I'm using the internal dhcp server on the local controller and it's configured to deliver its internal address on the same vlan as the default gateway to clients.

Not sure if this helps, but if I manually move my client into the authenticated role with:

aaa user add [internal address of client] role [authenticated role name]

I still don't get Internet access.  DNS and pinging the default gateway still fail.  The authenticated role has the same "any any permit" policies and source nat is enabled on the guest vlan ip interface.

Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Problem configuring captive portal with private address space

Ok, I have found something.  If I remove a related nat pool entry, dns begins to work.  I haven't fully tested this.  In this particular case for this guest network I need to source nat onto our dmz.  The local controller has an interface on this network which is different than the default management address being used for source nat.  Any advice on how to source nat out a different interface?  
