Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Bridge Mode CAP And Captive Portal

  • 1.  Bridge Mode CAP And Captive Portal

    Posted Jul 07, 2021 10:34 AM
    We have a requirement where we have a Mobility Controller Cluster, managed by a Mobility Master pair in a head office site. The client has a number of branch sites with a number of APs each. They would like to implement CAPs in the sites, whereby the CAPs communicate to the controllers in the main site. They would also like the wireless clients to have a local GW and a local DHCP, residing on the site firewall.

    To our understanding, Captive Portal is now supported in Bridge Mode. What is your take on this please? Is it stable? Does it work? We have ClearPass to manage wireless authentication at the head office site.

    Thank you

    Sara Zarb

  • 2.  RE: Bridge Mode CAP And Captive Portal

    Posted Jul 07, 2021 11:23 AM
    Please work with your Aruba partner, as this doesn't sound like an optimal design. If you want to have a local break-out in a branch, in a controller solution, it is recommended to put a controller on the site. If the site is too small, or there is no need to deploy a controller, Aruba Instant will do your local breakout instead.

    Bridge mode on CAP is deprecated.

    From a design perspective, I would not do this. If there are reasons (like political) to nevertheless deploy it, be aware of the limitations of bridge mode on CAP, and carefully test what you do. I don't expect many customers to have deployed like this.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: Bridge Mode CAP And Captive Portal

    Posted Jul 08, 2021 10:03 AM

    This is pure nonsense. An Ethernet packet has two MAC addresses - source and destination. Routers don't forward MAC addresses, only IP addresses. And a router doing NAT will replace the outgoing IP with its own. Nobody can know how many hops, if any, are behind the device they are talking to. So there is no way for a captive portal to know if it is talking to a router doing NAT vs a single wireless client.

    Cole Mett

  • 4.  RE: Bridge Mode CAP And Captive Portal

    Posted Jul 08, 2021 11:41 AM
    In an AOS8 controller-based environment captive-portal is not supported in bridge mode. This is because the captive-portal DNS redirection is handled by the mobility controller's internal firewall. In bridge-mode the traffic breaks out locally and doesn't reach the internal firewall of the controller, and the controller can't enforce the portal redirection.

    With Aruba Instant (controller-less) it is possible because the firewall is in the access points, but this is a different design concept (distributed vs centralized design). Both concepts have their own pros and cons.

    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own