Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

RAP Split-Tunneling and external Captive Portal

This thread has been viewed 27 times
  • 1.  RAP Split-Tunneling and external Captive Portal

    Posted 30 days ago
    Hi

    i trying to get guest access working in our remote AP branche offices.
    For general split-tunnel for corporate devices is working. Corporate iphones are route src natted to local internet acces where rap is connected to.

    So i wanted to get guest ssid working. So I followed the guide here:

    Airheads Community

    I created a dedicated vlan on controller for providing dhcp to the clients.

    So  I have a question for DNS:
    Is it possible to use external DNS Servers in the Internet?
    I don't not want to have any traffic from guest users within my corporate network. 

    Because of the fact my clearpass login-page is reachable over internet for my opinion there is no need to use corporate DNS servers.

    So I try to keep things simple I wrote new logon role where i permit dhcp and route src-nat https traffic to cp.
    Result: Spalsh page is not appearing and not reachable by manual connect.

    So will external dns and external cp work?

    ------------------------------
    Florian Kueck
    ------------------------------


  • 2.  RE: RAP Split-Tunneling and external Captive Portal

    Posted 29 days ago
    The client traffic for Captive-Portals need to go through the controller firewall that handles the dns re-direction. Because your guest traffic is locally bridges from the AP it doesn't reach the controller firewall, so there can't be a dns re-direction.

    Captive-Portals in a controller-based solution are not supported when the traffic is locally bridged. Its only supported in the tunneled forwarding mode.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 3.  RE: RAP Split-Tunneling and external Captive Portal

    Posted 29 days ago
    Hi,
    thanks for the answere, but I think there is a missunderstanding.
    My VAP is configured in split-tunnel mode.

    (MD1) [MDC] #show rights rap_guest-logon

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'rap_guest-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 116/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-rap_guest-logon-sacl session
    3 LVR_Internet_cppm_prof_lis_operation_split-tun session
    4 logon-control-bridge session
    5 captiveportal session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    apprf-rap_guest-logon-sacl
    --------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    LVR_Internet_cppm_prof_lis_operation_split-tun
    ----------------------------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user internet_sr_cppm_prof svc-https route src-nat Low 4
    2 user internet_sr_cppm_prof svc-http route src-nat Low 4
    logon-control-bridge
    --------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    3 any any svc-icmp src-nat Low 4
    4 any any svc-dns src-nat Low 4
    5 any 169.254.0.0 255.255.0.0 any deny Low 4
    6 any 240.0.0.0 240.0.0.0 any deny Low 4
    captiveportal
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4

    ------------------------------
    Florian Kueck
    ------------------------------



  • 4.  RE: RAP Split-Tunneling and external Captive Portal

    Posted 28 days ago
    Hi Florian,

    Yes i understand you better now.

    Some questions:
    • What is the initial role the client get when try to authenticate.
      • show user mac ##:##:##:##:##:##
    • Can the client ping the received DNS server
    • Can the client resolve the ClearPass DNS name by this server
    • Have the guest client vlan an IP interface on the controller?

    Did you see this topic? https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=23801


    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 5.  RE: RAP Split-Tunneling and external Captive Portal

    Posted 27 days ago
    Hi,

    the logon role is the correct one.

    I can resolve public Clearpass adress.

    And yes the controller has an ip adress in same vlan as the clients.

    For my understanding:
    in logon role client has to resolve dns, otherwise it cannot reach captive portal.

    I am wondering there is a rule which is added to my logon role automatically something my_guest_ssid_list_of_operations.
    I cannot delete it. I got following message "can't be removed from user-defined role"

    I have to route src nat for the reaching cp in the internet but this list of operations rule will only permitand not src nat.
    In my following screenshot the aliases lvr_internet_cppm_prof and cppm_guestportal points to the same host. The lvr_internet rules are comming from this list of operations rule which i cannot delete. Maybe this is the cause why cp redirect is not possible because it is not route src natted.





    ------------------------------
    Florian Kueck
    ------------------------------



  • 6.  RE: RAP Split-Tunneling and external Captive Portal

    Posted 27 days ago
    I tried to reorder the rules so src nat will be hitted at first.
    No Luck.

    On controller show rights output shows the list of operations will be hitted first:

    [MDC] #show rights guest-branch-logon

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest-branch-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 2
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 164/0
    Openflow: Enabled
    Max Sessions = 128

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = LVR_Internet_branch

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 LVR_Internet_branch_list_operations session
    2 global-sacl session
    3 clearpass_guest_branch session
    4 apprf-guest-branch-logon-sacl session
    5 clearpass-guest session
    6 captiveportal session
    7 guest-branch-logon-access session

    LVR_Internet_branch_list_operations
    -----------------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user lvr_internet_cppm_prof svc-http permit Low 4
    2 user lvr_internet_cppm_prof svc-https permit Low 4
    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    clearpass_guest_branch
    ----------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any cppm_guestportal svc-https route src-nat Low 4
    2 any cppm_guestportal svc-http route src-nat Low 4
    apprf-guest-branch-logon-sacl
    -----------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    clearpass-guest
    ---------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user cppm_guestportal svc-http permit Low 4
    2 user cppm_guestportal svc-https permit Low 4
    captiveportal
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4
    guest-branch-logon-access
    -------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    3 user public_dns_server any route src-nat Low 4
    4 any public_dns_server any route src-nat Low 4

    ------------------------------
    Florian Kueck
    ------------------------------