Occasional Contributor II
Posts: 16
Registered: ‎08-08-2012

multiple vlan on captive portal issue

Hello, I'm new to the board as we just procured our first Aruba controller.  We're setting up a captive portal and I have 5 VLANs configured.  The first VLAN I am using is for the controller, and my goal is to use the other 4 VLANs for the captive portal.  I have successfully used each of the 4 VLANs on the captive portal individually, but when I attempt to use multiple VLANs on the portal by adding a 2nd, 3rd, or 4th VLAN to the portal, any device that obtains a DHCP address for one of these additional VLANs cannot access the portal authentication page.  I'm not sure what I'm missing, hoping someone here has successfully configured this and can help me out.  Thanks!

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: multiple vlan on captive portal issue

Go to Configuration > Advanced Services > Stateful Firewall.  Enable "Allow-tri-session with DNAT" and click on Apply.

Here is the description of the feature in the user guide: "Allows three-way session when performing destination NAT. This option should be enabled when the controller is not the default gateway for wireless clients and the default gateway is behind the controller. This option is typically used for captive portal configuration"

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Re: multiple vlan on captive portal issue

Hi,

How did you add the other VLANs to the captive portal? Did you use:

vlan-name "captive-pool" pool
vlan captive-pool 3-6    ; where 3-6 are the VLAN numbers

Then you have to add this pool (captive-pool) to the guest VAP:

wlan virtual-ap "guest-ap"
    vlan captive-pool

Please note that it is recommended that the MC is the DHCP server for the guest/captive portal users.

Then you have to create 4 DHCP servers for VLANs 3, 4, 5 and 6:

!
interface vlan 3
    ip address 192.168.200.1 255.255.255.0
    ip nat inside
!
interface vlan 4
    ip address 192.168.201.1 255.255.255.0
    ip nat inside
!
interface vlan 5
    ip address 192.168.202.1 255.255.255.0
    ip nat inside
!
interface vlan 6
    ip address 192.168.203.1 255.255.255.0
    ip nat inside
!
ip dhcp pool "guestpool3"
    default-router 192.168.200.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.200.0 255.255.255.0
!
ip dhcp pool "guestpool4"
    default-router 192.168.201.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.201.0 255.255.255.0
!
ip dhcp pool "guestpool5"
    default-router 192.168.202.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.202.0 255.255.255.0
!
ip dhcp pool "guestpool6"
    default-router 192.168.203.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.203.0 255.255.255.0
!
service dhcp

Have you tried something like this?

Occasional Contributor II
Posts: 16
Registered: ‎08-08-2012

Re: multiple vlan on captive portal issue

Thanks for the quick reply, cjoseph.  That didn't work for me.  Regarding the description you posted, my controller is the default gateway for all of the VLANs

Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Re: multiple vlan on captive portal issue

Take cjoseph's solution, he is the expert :)

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: multiple vlan on captive portal issue

tgillon wrote:

Thanks for the quick reply, cjoseph.  That didn't work for me.  Regarding the description you posted, my controller is the default gateway for all of the VLANs


All right.  You might need to pick one of the IP addresses on the user VLANs and make it the "ip cp-redirect-address" IP on the controller.

Choose one of the VLAN IP addresses on the controller that the user will be using:

config t
ip cp-redirect-address <ip address of controller on one of those vlans>

You also need to be careful, because the controller's internal DHCP server is only rated for 512 DHCP leases maximum.  After that you might have to use an external DHCP server to serve your addresses.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎08-08-2012

Re: multiple vlan on captive portal issue

Here's the relevant parts of my config:

vlan 180
vlan 186
vlan 187
vlan 188
vlan 189

vlan-name CCMPool pool
vlan CCMPool 180,186-189

interface gigabitethernet  1/3
    description "GE1/3"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport trunk native vlan 180
    switchport trunk allowed vlan 1-4094
!
interface vlan 180
    ip address 10.180.0.2 255.255.0.0
!
interface vlan 1
!
interface vlan 187
    ip address 10.187.0.2 255.255.0.0
    ip helper-address 10.187.0.2
!
interface vlan 188
    ip address 10.188.0.2 255.255.0.0
    ip helper-address 10.188.0.2
!
interface vlan 186
    ip address 10.186.0.2 255.255.0.0
    ip helper-address 10.186.0.2
!
interface vlan 189
    ip address 10.189.0.2 255.255.0.0
    ip helper-address 10.189.0.2
!
ip default-gateway 10.180.0.1
uplink disable

ip dhcp pool CCM
    default-router 10.189.0.1
    dns-server 10.25.0.120
    domain-name xxx.com
    lease 0 1 0 0
    network 10.189.0.0 255.255.0.0
    authoritative
!
ip dhcp pool CCM2
    default-router 10.188.0.1
    dns-server 10.125.0.20
    domain-name xxx.com
    lease 0 1 0 0
    network 10.188.0.0 255.255.0.0
    authoritative
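
An added example, not part of any post in this thread and not Aruba's code: a small Python audit of an ArubaOS-style configuration for two conditions raised above, namely whether each DHCP scope's default-router is an address the controller itself holds (the case the quoted user guide text distinguishes) and whether the scopes can exceed the 512-lease figure. The sample configuration is a constructed excerpt modelled on the post above; the function names and regular expressions are assumptions and do not form a full ArubaOS parser.

```python
import ipaddress
import re

# Constructed excerpt in the style of the configuration posted in this thread.
SAMPLE = """\
vlan CCMPool 180,186-189
interface vlan 188
 ip address 10.188.0.2 255.255.0.0
interface vlan 189
 ip address 10.189.0.2 255.255.0.0
ip dhcp pool CCM
 default-router 10.189.0.1
 network 10.189.0.0 255.255.0.0
ip dhcp pool CCM2
 default-router 10.188.0.1
 network 10.188.0.0 255.255.0.0
"""
LEASE_LIMIT = 512  # internal DHCP server figure quoted in the thread

def expand(spec):
    """Expand a VLAN list such as '180,186-189' into a set of ints."""
    spans = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return (per-scope report, pool VLANs with no scope, over-limit flag)."""
    ifaces, scopes, members, ctx = {}, {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            ctx = ("if", int(m[1]))
        elif m := re.fullmatch(r'ip dhcp pool "?([^"]+)"?', line):
            ctx = ("scope", scopes.setdefault(m[1], {}))
        elif m := re.fullmatch(r"vlan (\S+) ([\d,-]+)", line):
            members |= expand(m[2])  # VLAN pool membership line
        elif ctx and ctx[0] == "if" and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            ifaces[ctx[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif ctx and ctx[0] == "scope" and (m := re.fullmatch(r"(default-router|network) (.+)", line)):
            ctx[1][m[1]] = m[2]
    owned, report, capacity = {i.ip for i in ifaces.values()}, {}, 0
    for name, s in scopes.items():
        net = ipaddress.ip_network("/".join(s["network"].split()))
        capacity += net.num_addresses - 2  # usable hosts in the scope
        vlan = next((v for v, i in ifaces.items() if i.network == net), None)
        report[name] = {"vlan": vlan, "controller_is_gateway": ipaddress.ip_address(s["default-router"]) in owned}
    unserved = sorted(members - {r["vlan"] for r in report.values()})
    return report, unserved, capacity > LEASE_LIMIT

if __name__ == "__main__":
    print(audit(SAMPLE))
```
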

Occasional Contributor II
Posts: 16
Registered: ‎08-08-2012

Re: multiple vlan on captive portal issue

512 DHCP maximum?  That's not going to work for me, I'll need double that.  I'll reconfigure to use my internal DHCP server.

I had the cp-redirect-address set to 10.180.0.2

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: multiple vlan on captive portal issue

I have a question, but let's start with the basics:

The clients that cannot retrieve the captive portal, do they get an IP address, and can they resolve DNS?  That is required to bring up the captive portal.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎08-08-2012

Re: multiple vlan on captive portal issue

Any client that gets a 10.189.0.xx address can get the CP auth page and logon and access the internet.  Any client that gets a 10.188.0.xx address cannot.  Those are the 2 VLANs I have setup on CP.
