Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Split Tunnel Captive Portal DHCP / VLAN problem

  • 1.  Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 06:07 AM

    Hi All

     

    I am trying to setup split tunnel captive portal and having some problems.

     

    The clients should receive an IP on the guest VLAN present on the remote site and be locked down from the PreAuth user role, then once authenticated via the captive portal, allowed to browse the internet via the PostAuth user role with the same IP.

     

    The roles are setup as per the documentation - the PreAuth role has logon-control & captive portal configured.

    The APs are 105 RAPs.

    The VLAN is defined on the controller, but NOT physically connected or configured with an IP as traffic should not leave via the controller, only via the AP.

    The VAP is configured to split tunnel and configured with the internet VLAN.

    The VLAN is definitely configured correctly on the switches/routers as the same VLAN in a bridge mode config works correctly.

    This VLAN is configured to allow DHCP traffic to our internal DHCP server.

    The clients will attempt to connect but cannot get an IP - after enabling DHCP debugging I can see only DHCP discover entries.  It will show as 'connected' (XP laptop).

    The logs show the correct PreAuth role assigned. 

    Show ACL Hits shows nothing against the policy in the role.

    If I set a static IP on the client, it will appear in show user-table with the correct role and VLAN.

    I cannot ping the default gateway NOR trigger the destination NAT to force to the captive portal via browsing to a web page via name or IP.

    I have tried adjusting the PreAuth role to have only the allow all policy with no change.

     

    Logs seem to show the following without a static configured:


    Sep 24 10:00:04  authmgr[1688]: <124091> <DBUG> |authmgr|  station_check_license_limits: mac 4c:0f:6e:1e:21:17  encr-algo:1.
    Sep 24 10:00:04  authmgr[1688]: <124093> <DBUG> |authmgr|  Called mac_station_new() for mac 4c:0f:6e:1e:21:17.
    Sep 24 10:00:04  authmgr[1688]: <124103> <DBUG> |authmgr|  Setting user 4c:0f:6e:1e:21:17 aaa profile to Guest_AAA_Profile, reason: ncfg_get_wireless_aaa_prof.
    Sep 24 10:00:04  authmgr[1688]: <124103> <DBUG> |authmgr|  Setting user 4c:0f:6e:1e:21:17 aaa profile to Guest_AAA_Profile, reason: ncfg_set_aaa_profile_defaults.
    Sep 24 10:00:04  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x0, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:00:04  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x0, mac=4c:0f:6e:1e:21:17, event=4.
    Sep 24 10:00:04  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Sep 24 10:00:04  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=4, name=, role=Guest_PreAuth, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Sep 24 10:00:04  authmgr[1688]: <522035> <INFO> |authmgr|  MAC=4c:0f:6e:1e:21:17 Station UP: BSSID=d8:c7:c8:23:c1:05 ESSID=Guest VLAN=77 AP-name=headoffice-002
    Sep 24 10:00:04  authmgr[1688]: <522077> <DBUG> |authmgr|  MAC=4c:0f:6e:1e:21:17 ingress 0x0x0 (vlan 0), u_encr 1, m_encr 1, slotport 0x0x2040 , type: remote, FW mode: 3, AP IP: 1.1.2.111 mdie 0 ft_complete 0
    Sep 24 10:00:04  authmgr[1688]: <522242> <DBUG> |authmgr|  MAC=4c:0f:6e:1e:21:17 Station Created Update MMS: BSSID=d8:c7:c8:23:c1:05 ESSID=Guest VLAN=77 AP-name=headoffice-002
    Sep 24 10:00:04  dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER 4c:0f:6e:1e:21:17 Options 74:01 3d:014c0f6e1e2117 0c:48502d333039313530 3c:4d53465420352e30 37:010f03062c2e2f1f21f77b 2b:dc00
    Sep 24 10:00:04  dhcpdwrap[1727]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1003e vlan 77 egress 0x5c src mac 4c:0f:6e:1e:21:17
    Sep 24 10:00:04  stm[1702]: <501095> <NOTI> |stm|  Assoc request @ 10:00:04.522016: 4c:0f:6e:1e:21:17 (SN 3872): AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
    Sep 24 10:00:04  stm[1702]: <501100> <NOTI> |stm|  Assoc success @ 10:00:04.525881: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
    Sep 24 10:00:04  stm[695]: <501093> <NOTI> |AP headoffice-002@1.1.2.111 stm|  Auth success: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
    Sep 24 10:00:04  stm[695]: <501095> <NOTI> |AP headoffice-002@1.1.2.111 stm|  Assoc request @ 10:00:04.518774: 4c:0f:6e:1e:21:17 (SN 3872): AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
    Sep 24 10:00:04  stm[695]: <501100> <NOTI> |AP headoffice-002@1.1.2.111 stm|  Assoc success @ 10:00:04.520516: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
    Sep 24 10:00:04  stm[695]: <501109> <NOTI> |AP headoffice-002@1.1.2.111 stm|  Auth request: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002 auth_alg 0
    
    

     Then I set a static IP:

     

    Sep 24 10:02:27  authmgr[1688]: <124004> <DBUG> |authmgr|  sta_add_l3: mac 4c:0f:6e:1e:21:17 ip x.x.x.x
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=1.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=1.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=1.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:02:27  authmgr[1688]: <124104> <DBUG> |authmgr|  ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=1, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=1, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=1, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
    Sep 24 10:02:27  authmgr[1688]: <124105> <DBUG> |authmgr|  MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=1.
    Sep 24 10:02:27  authmgr[1688]: <124148> <DBUG> |authmgr|  Create ipuser x.x.x.x for user 4c:0f:6e:1e:21:17.
    Sep 24 10:02:27  authmgr[1688]: <522006> <INFO> |authmgr|  MAC=4c:0f:6e:1e:21:17 IP=x.x.x.x User entry added: reason=Auth Request
    Sep 24 10:02:27  authmgr[1688]: <522049> <INFO> |authmgr|  MAC=4c:0f:6e:1e:21:17,IP=0.0.0.0 User role updated, existing Role=Guest_PreAuth/none, new Role=Guest_PreAuth/Guest_PreAuth, reason=First IP user created
    Sep 24 10:02:27  authmgr[1688]: <522049> <INFO> |authmgr|  MAC=4c:0f:6e:1e:21:17,IP=x.x.x.x User role updated, existing Role=Guest_PreAuth/Guest_PreAuth, new Role=Guest_PreAuth/Guest_PreAuth, reason=User not authenticated for inheriting attributes
    Sep 24 10:02:27  authmgr[1688]: <522049> <INFO> |authmgr|  MAC=4c:0f:6e:1e:21:17,IP=x.x.x.x User role updated, existing Role=Guest_PreAuth/Guest_PreAuth, new Role=Guest_PreAuth/Guest_PreAuth, reason=User not authenticated for inheriting attributes
    Sep 24 10:02:27  authmgr[1688]: <522049> <INFO> |authmgr|  MAC=4c:0f:6e:1e:21:17,IP=x.x.x.x User role updated, existing Role=Guest_PreAuth/Guest_PreAuth, new Role=Guest_PreAuth/Guest_PreAuth, reason=User not authenticated for inheriting attributes
    Sep 24 10:02:27  authmgr[1688]: <522096> <DBUG> |authmgr|  4c:0f:6e:1e:21:17: Sending STM new Role ACL : 64, and Vlan info: 77, action : 18, AP IP: 1.1.2.111, flags : 0
    Sep 24 10:02:27  authmgr[1688]: <522096> <DBUG> |authmgr|  4c:0f:6e:1e:21:17: Sending STM new Role ACL : 64, and Vlan info: 77, action : 18, AP IP: 1.1.2.111, flags : 0
    Sep 24 10:02:27  authmgr[1688]: <522096> <DBUG> |authmgr|  4c:0f:6e:1e:21:17: Sending STM new Role ACL : 64, and Vlan info: 77, action : 18, AP IP: 1.1.2.111, flags : 0


     One of the messages I notice is "User not authenticated for inheriting attributes" - from googling this it seems to reference MAC authentication which we are not using.

     

    The VLAN has NO connectivity to the controller, but I understand this should not be needed as the destination NAT should be able to route the traffic to the captive portal page. 

     

    Any help would be much appreciated!

    Cheers

    Steve

     



  • 2.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 06:56 AM

    You mention there is no IP on the guest VLAN on the controller; this is required for captive portal to work.



  • 3.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 07:01 AM

    Thanks for the reply.

     

    Is this the case even if no traffic is flowing through the controller on that VLAN?

     

    If so, does it actually need a physical connection to the VLAN on the controller?



  • 4.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 07:12 AM

    Yes, it always needs an IP on the VLAN that will need Captive Portal connectivity.   It does not need to be tied to a physical port.   You should also set the gateway for the guests to the controller's IP in DHCP.    Also, enable source nat for that VLAN so that DNS queries are able to traverse out for the pre-auth role.    

     

    If you still have any issues, share the results of your pre and post auth roles:

     

    show rights <pre-auth-role>

    show rights <post-auth-role>



  • 5.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 07:27 AM

    So for the PreAuth role logoncontrol ACL - I should adjust this to route source nat DNS rather than just permit?


    At the moment I have no route source nat in the PreAuth role.

     

    By the way - you mention "source nat", when you configure the ACL I have been selecting route, then ticking src-nat, does this need src-nat instead?

     

    I will get the IP added and re-test.

     

    Thanks for your help.



  • 6.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 07:35 AM

    You can do it in the ACL or the entire VLAN; I prefer doing it under the VLAN itself; under the IP settings for that VLAN.

     

    For the post authentication role, "route src-nat" is the proper action.  If you choose to do it in the pre-auth role rather than the entire VLAN, then it is just src-nat (the "route src-nat" action is what allows traffic to traverse the RAP in split-tunnel mode vs. tunnelling to the controller).



  • 7.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 08:36 AM

    Thanks - one thing that might be a problem - our off site guest VLANs have different default gateways, but the same VLAN ID.

     

    The sites use a /24 in an overall /16 subnet.

     

    I was going to put the IP of our head office (where I am testing) internet VLAN on the controller, but would this cause issues with the site VLANs?

     

    e.g.

     

    Head Office   192.168.1.0/24

    Branch Site 1 192.168.2.0/24

    Branch Site 2 192.168.3.0/24

     

    For example, I was going to give the controller 192.168.1.250/24 for this VLAN?

     

    Thanks

    Steve



  • 8.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 09:43 AM

    I have added an IP to the VLAN on the controller and still cannot get an IP.


    I notice this extra line in the logs above the DHCP discover messages:


    Sep 24 13:37:37  dhcpdwrap[1727]: <202085> <DBUG> |dhcpdwrap|  DHCPDISCOVER from 4c:0f:6e:1e:21:17 via eth1: unknown network segment
    Sep 24 13:37:37  dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER 4c:0f:6e:1e:21:17 Options 74:01 3d:014c0f6e1e2117 0c:48502d333039313530 3c:4d53465420352e30 37:010f03062c2e2f1f21f77b 2b:dc00
    Sep 24 13:37:37  dhcpdwrap[1727]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1003e vlan 77 egress 0x5c src mac 4c:0f:6e:1e:21:17
    Sep 24 13:37:45  dhcpdwrap[1727]: <202085> <DBUG> |dhcpdwrap|  DHCPDISCOVER from 4c:0f:6e:1e:21:17 via eth1: unknown network segment
    Sep 24 13:37:45  dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER 4c:0f:6e:1e:21:17 Options 74:01 3d:014c0f6e1e2117 0c:48502d333039313530 3c:4d53465420352e30 37:010f03062c2e2f1f21f77b 2b:dc00
    Sep 24 13:37:45  dhcpdwrap[1727]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1003e vlan 77 egress 0x5c src mac 4c:0f:6e:1e:21:17
    Sep 24 13:38:01  dhcpdwrap[1727]: <202085> <DBUG> |dhcpdwrap|  DHCPDISCOVER from 4c:0f:6e:1e:21:17 via eth1: unknown network segment

     

    Here are the roles you requested:

    show rights Guest_PreAuth
    
    Derived Role = 'Guest_PreAuth'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 64/0
     Max Sessions = 65535
    
     Captive Portal profile = Guest_cp_prof
    
    access-list List
    ----------------
    Position  Name           Type     Location
    --------  ----           ----     --------
    1         captiveportal  session
    2         logon-control  session
    
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-icmp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-dhcp  permit                           Low                                                           4
    5         any     any          svc-natt  permit                           Low                                                           4
    
    Expired Policies (due to time constraints) = 0
    
    
     show rights Guest_PostAuth
    
    Derived Role = 'Guest_PostAuth'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 65/0
     Max Sessions = 65535
    
    
    access-list List
    ----------------
    Position  Name                       Type     Location
    --------  ----                       ----     --------
    1         Guest_PostAuth_Policy  session
    
    Guest_PostAuth_Policy
    -------------------------
    Priority  Source  Destination  Service  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      route src-nat             Yes           Low                                                           4
    
    Expired Policies (due to time constraints) = 0

     



  • 9.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 24, 2013 11:03 PM

    Your roles look fine, so now we need to look at DHCP...or just take a step back and confirm the networking is as you want it to be.  

    In one of your last posts, you mention "the sites use a /24 in an overall /16".   You then broke it down to HQ and 2 branch sites with different /24s.    

     

    Questions:

    - how many controllers do you have?

    - how is the DHCP scope setup......for /24s or /16?

    - do you need to differentiate each branch with a unique VLAN?

    - if so....you'll need to define unique VLANs on the controller for the appropriate virtual APs, have an IP on each, and define a DHCP scope for each

    - if not....you can create one VLAN for all sites, but if you do this, you'll need to make sure the VLAN/mask assignment is correct on the controller (/16 vs. /24)




  • 10.  RE: Split Tunnel Captive Portal DHCP / VLAN problem

    Posted Sep 25, 2013 05:01 AM

    Questions:

    - how many controllers do you have?

    Two controllers, 1 master, 1 local, using VRRP.  APs are on the master.

    - how is the DHCP scope setup......for /24s or /16?

    /24s - only reason I mentioned /16 was due to my uncertainty as to what IP to put on the controller.

    - do you need to differentiate each branch with a unique VLAN?

    No - each site has the same VLAN ID for the guest network, but a different default gateway (it breaks out to our hosted WAN via the router).  It's for this reason I am unsure what IP needs to go on the controller.

    - if so....you'll need to define unique VLANs on the controller for the appropriate virtual APs, have an IP on each, and define a DHCP scope for each

    N/A

    - if not....you can create one VLAN for all sites, but if you do this, you'll need to make sure the VLAN/mask assignment is correct on the controller (/16 vs. /24)

    All our guest networks are subnetted as /24s.  Would I need to assign an IP per guest network on the controller?  The IP currently on the controller is for the office where I am testing.