L2 GRE to DMZ controller with Captive Portal SSID

By ckokstar posted Sep 17, 2014 05:09 PM


This solution creates a captive portal SSID where the guest traffic is tunneled from one or more internal controllers to a headend controller, which in most cases is installed in the DMZ. The tunnel is an L2 GRE tunnel. This solution generates configuration for both the internal controller(s) and the DMZ controller(s): the SSID configuration is created for the internal controller(s) and the captive portal configuration is created for the DMZ controller(s).

This solution allows you to specify either an internal captive portal hosted on the controller or an external captive portal such as ClearPass Guest. Additionally, the solution allows the guests to be authenticated using the controller's internal database or by using a specified RADIUS server such as ClearPass Policy Manager.

This solution template will generate the following configuration:

  • An Open System or Pre Shared Key SSID on the internal Aruba Mobility Controller(s).
  • A VLAN with IP address for the guest users.
  • L2 GRE tunnel between the internal and DMZ controller.
  • Optionally, NAT can be enabled to avoid any additional routing configuration.
  • A DHCP server scope for guest users.
  • A pre-authentication (i.e. initial / logon) role that allows DNS and DHCP* and allows traffic to the captive portal server IP so the initial redirect can complete. For all other requests, the role applies destination NAT so the clients get redirected to the captive portal page. (*The role allows DHCP requests but denies DHCP offers, to prevent any station from acting as a DHCP server.)
  • A post authentication role to assign guest users after successful authentication. The sample role allows DHCP, DNS, HTTP, and HTTPS traffic.
  • A user in the internal user database for testing if an external RADIUS server is not selected.
  • A new AP Group. You need to provision an AP into this group or assign the new Virtual AP created by this solution into your existing AP Group.
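The ArubaOS CLI sketch below is an added illustration of the items in the list above; it is hand-written for this page and is not the output of the solution template or configuration from the original post. All IP addresses, the VLAN and tunnel numbers, the GRE protocol number, the profile, role and ACL names, and the placement of the guest gateway, DHCP scope and NAT on the DMZ controller are assumptions. Lines starting with `!` are reading annotations, not commands to paste.

```text
! ==== Internal controller: guest SSID, guest VLAN, L2 GRE tunnel ====
! Guest VLAN is bridged to the DMZ; no Layer 3 address here (assumption:
! the DMZ controller is the guest gateway).
vlan 900

! L2 GRE tunnel. The "tunnel mode gre" protocol number must match on both
! ends; keepalives take the interface down if the DMZ peer stops answering.
interface tunnel 100
  description "L2 GRE guest tunnel to DMZ controller"
  tunnel mode gre 100
  tunnel source 10.1.1.10
  tunnel destination 192.0.2.10
  tunnel vlan 900
  tunnel keepalive
  trusted

! Open SSID in a new AP group; the captive portal is NOT enforced here,
! so the initial role simply passes guest traffic into the tunnel.
ip access-list session guest-passthrough
  any any any permit
user-role guest-passthrough
  access-list session guest-passthrough
aaa profile guest-internal-aaa
  initial-role guest-passthrough
wlan ssid-profile guest-ssid
  essid "Guest"
  opmode opensystem
wlan virtual-ap guest-vap
  ssid-profile guest-ssid
  aaa-profile guest-internal-aaa
  vlan 900
ap-group guest-apgroup
  virtual-ap guest-vap

! ==== DMZ controller: tunnel termination, gateway, DHCP, NAT, portal ====
vlan 900
interface vlan 900
  ip address 10.90.0.1 255.255.255.0
  ! source-NAT guest traffic so the upstream firewall needs no return route
  ip nat inside

! "no trusted": traffic arriving from the tunnel gets user entries and
! roles on this controller, which is where the portal is enforced.
interface tunnel 100
  description "L2 GRE guest tunnel from internal controller"
  tunnel mode gre 100
  tunnel source 192.0.2.10
  tunnel destination 10.1.1.10
  tunnel vlan 900
  tunnel keepalive
  no trusted

ip dhcp pool guest-pool
  default-router 10.90.0.1
  dns-server 192.0.2.53
  network 10.90.0.0 255.255.255.0
service dhcp

! Captive portal host: the controller's own VLAN IP for the internal
! portal; for ClearPass Guest use that server's address instead.
netdestination cp-server
  host 10.90.0.1

! Pre-authentication role. Clients may send DHCP requests but "udp 68 deny"
! stops a client from answering as a DHCP server; DNS and the portal host
! are allowed; all other web traffic is dst-NATed to the portal listener.
ip access-list session guest-logon-control
  user any udp 68 deny
  any any svc-dhcp permit
  any any svc-dns permit
ip access-list session guest-captiveportal
  user alias cp-server svc-http permit
  user alias cp-server svc-https permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any any deny
user-role guest-logon
  captive-portal guest-cp
  access-list session guest-logon-control
  access-list session guest-captiveportal

! Post-authentication role: DHCP, DNS, HTTP and HTTPS only.
ip access-list session guest-allowed
  user any svc-dhcp permit
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
  user any any deny
user-role guest
  access-list session guest-allowed

! Portal authenticates against the internal database (swap server-group
! for a RADIUS group pointing at ClearPass Policy Manager if preferred)
! and applies to users learned on the untrusted tunnel.
aaa authentication captive-portal guest-cp
  default-role guest
  server-group internal
aaa profile guest-dmz-aaa
  initial-role guest-logon
aaa authentication wired
  profile guest-dmz-aaa
local-userdb add username guest-test password <PLACEHOLDER> role guest
```

Two checks worth making after applying something like this: `show datapath session` on the DMZ controller should show unauthenticated guests' HTTP flows with the dst-NAT to port 8080, and a DHCP OFFER sent by a guest client should be dropped by the `udp 68 deny` line rather than reaching other guests.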

Platform Tested

Aruba Mobility Controller 3400 running AOS build 38111

Apple iPad 3 version 6.0.1

Windows XP SP2



Access Point and PEF licenses are needed by this solution template.


Lab Topology



AOS Guest Access App Note



Jan 15, 2017 09:23 AM

Another thing: where will the sessions be terminated? On the DMZ Controller or the Internal Controllers (Airport master or Locals)?



Jan 15, 2017 09:12 AM

Thanks cjoseph,


In our case we don't have captive portal. We have 802.1x EAP-SIM authentication.


As I understood from the article you sent to me, in our case the Internal Controllers are the Airport Master and Local Controllers. On the Airport master they have already configured groups, and in those groups I will just add my SSID Profile; then the Airport APs will start to broadcast our SSID as well.


Let's assume a user tries to associate with our EAP-SIM SSID; the user authentication traffic will first hit the DMZ controller via the GRE over IPSec tunnel. Now further I am confused:


1. Once they reach the DMZ, what will happen?

2. Where should I configure the RADIUS Server Group: on the DMZ Controllers, the Airport Master Controller or the Airport Local Controllers?