Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

setting up Aruba only for internet access

  • 1.  setting up Aruba only for internet access

    Posted Apr 27, 2014 01:32 AM

    In our setup we are planning to provide only internet access to our clients:

    1. We are going to provide access to clients by a captive portal login.

    2. AP 105 is connected over VLAN 50 with the Core Switch.

    3. Aruba Controller 3600 is connected over VLAN 50 with the Core Switch.

    4. Clients get IPs from VLAN 55.

    5. Clients should not have access to our LAN (they should have internet access only).

    6. We are using the firewall "Checkpoint".

    What is the easiest basic setup for this, and what are the settings for the Core Switch, Firewall and Aruba Controller?

    Thanks...


    #3600


  • 2.  RE: setting up Aruba only for internet access
    Best Answer

    Posted Apr 27, 2014 07:06 AM

    Assumptions:

    • You have PEFNG licenses
    • IPs for VLAN 55 are provided on your LAN
    • Controller has an IP on VLAN 55 (needed for Captive Portal redirects)
    • Physical port configurations are setup to support VLAN 50 and VLAN 55
    • If these are not in place, let us know.

     

    netdestination rfc-1918-nets - (I usually use this alias for all RFC 1918 address spaces, but you can create your own with only your networks if you choose)
       network 10.0.0.0 255.0.0.0
       network 192.168.0.0 255.255.0.0
       network 172.16.0.0 255.240.0.0

    ip access-list session guest-post-acl
      user any udp 68 deny
      any any svc-dhcp permit
      user alias "rfc-1918-nets" any deny - (blocks access to the nets in the netdestination above; could be just your internal networks)
      user any svc-dns permit
      user any svc-http permit
      user any svc-https permit
      <allow other services you want here>

    user-role guest-initial-role
       captive-portal "your-captiveportal-profile" - (your specific profile; settings not included here)
       access-list logon-control - (default acl or edited)
       access-list captiveportal - (default acl or edited if you need to allow http/https to your captive portal server)

    user-role guest-post-logon
       access-list guest-post-acl

    wlan ssid-profile open-net-ssid
       essid "open-net-name"

    aaa profile "open-net-aaa"
       initial-role "guest-initial-role"

    wlan virtual-ap "open-net-vap"
       aaa-profile "open-net-aaa"
       ssid-profile "open-net-ssid"
       vlan 55



  • 3.  RE: setting up Aruba only for internet access

    Posted Apr 28, 2014 09:25 AM

    Keep in mind the database limit.

    • M3= 8K (8192)
    • 3600=8K
    • 3400=4K
    • 3200=2K
    • 651/650=512
    • 620=256
    • SC-2=2K

     

    Cheers

    Carlos



  • 4.  RE: setting up Aruba only for internet access

    Posted Apr 29, 2014 03:44 AM

    However, even after setting up according to the above, the clients can ping our LAN computers, even without logging in to the captive portal (just after connecting to the SSID).

    In our setup inter-VLAN routing is enabled in the Core Switch.

    Please let me know if there is any way to send clients' packets directly to the Firewall (Checkpoint).



  • 5.  RE: setting up Aruba only for internet access

    Posted Apr 29, 2014 10:28 AM

    The reason they can do this is because of the rules in the logon role (in my example, guest-initial-role). The logon-control ACL allows this (listed at the bottom here). You can customize your rules to be whatever you like; one example may be something like this:

    netdestination "public-dns-servers"
      host 8.8.8.8
      host 4.2.2.2 - (add whatever DNS servers you want)

    ip access-list session guest-initial-acl
      user any udp 68 deny
      any any svc-dhcp permit
      user alias "public-dns-servers" svc-dns permit - (you could set this up to allow all DNS servers or just public servers)
      user alias "rfc-1918-nets" any deny

    user-role guest-initial-role
       captive-portal "your-captiveportal-profile" - (your specific profile; settings not included here)
       access-list captiveportal - (default acl or edited if you need to allow http/https to your captive portal server)
       access-list guest-initial-acl

    This is the default logon-control ACL that is allowing your ping:

    ip access-list session logon-control
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
      any network 169.254.0.0 255.255.0.0 any  deny
      any network 240.0.0.0 240.0.0.0 any  deny
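The following is a constructed Python model of how the session ACLs in this thread are evaluated (first matching rule wins, implicit deny at the end); it is an added example, not ArubaOS code or anything posted in the thread, and it assumes the standard port mappings for the svc-* names and writes the netdestination masks as CIDR.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of ArubaOS session-ACL evaluation (not controller code): rules are
# (destination, service, action) from the client's side, netdestinations are CIDR lists,
# and a flow matching no rule hits the controller's implicit deny.
ALIASES = {
    "rfc-1918-nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "public-dns-servers": ["8.8.8.8/32", "4.2.2.2/32"],
}
SERVICES = {  # ArubaOS service names used in the thread: (protocol, destination port)
    "svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53), "svc-icmp": ("icmp", None),
    "svc-natt": ("udp", 4500), "svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
}

@dataclass
class Flow:
    dst: str        # destination IP the client sends to
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (ignored for icmp)

def _dst_matches(rule_dst, flow):
    if rule_dst == "any":
        return True
    ip = ipaddress.ip_address(flow.dst)
    return any(ip in ipaddress.ip_network(n) for n in ALIASES.get(rule_dst, [rule_dst]))

def _svc_matches(rule_svc, flow):
    if rule_svc == "any":
        return True
    if rule_svc in SERVICES:
        proto, port = SERVICES[rule_svc]
    else:  # raw "proto/port" form such as "udp/68"
        proto, port = rule_svc.split("/")[0], int(rule_svc.split("/")[1])
    return flow.proto == proto and (port is None or flow.dport == port)

def evaluate(acl, flow):
    """Action of the first rule the flow matches, or 'deny' when none matches."""
    for rule_dst, rule_svc, action in acl:
        if _dst_matches(rule_dst, flow) and _svc_matches(rule_svc, flow):
            return action
    return "deny"

# The default logon-control ACL and the two ACLs from the answers, in the thread's rule order.
LOGON_CONTROL = [("any", "udp/68", "deny"), ("any", "svc-icmp", "permit"), ("any", "svc-dns", "permit"),
                 ("any", "svc-dhcp", "permit"), ("any", "svc-natt", "permit"),
                 ("169.254.0.0/16", "any", "deny"), ("240.0.0.0/4", "any", "deny")]
GUEST_INITIAL_ACL = [("any", "udp/68", "deny"), ("any", "svc-dhcp", "permit"),
                     ("public-dns-servers", "svc-dns", "permit"), ("rfc-1918-nets", "any", "deny")]
GUEST_POST_ACL = [("any", "udp/68", "deny"), ("any", "svc-dhcp", "permit"), ("rfc-1918-nets", "any", "deny"),
                  ("any", "svc-dns", "permit"), ("any", "svc-http", "permit"), ("any", "svc-https", "permit")]
```

`evaluate(LOGON_CONTROL, Flow("10.10.1.5", "icmp"))` returns `permit` while the same flow under `GUEST_INITIAL_ACL` returns `deny`, which is the pre-login ping reported in post 4 and the fix described in post 5; the rule order also matters, since the `rfc-1918-nets` deny must sit before any broad permit for it to stop internal DNS or web access.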