Wireless Access

last person joined: 15 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Guest access via captive portal to Local internet on RAP

This thread has been viewed 7 times
  • 1.  Guest access via captive portal to Local internet on RAP

    Posted Oct 04, 2017 10:15 PM

    I've got centeral controller deployemnt and there are some branch offices with local internet connection. I'm plannig to use RAP for branches which are controlled by central contrellr at HQ office.

    How can I route internet request via local internet in branch.

     

     



  • 2.  RE: Guest access via captive portal to Local internet on RAP

    Posted Oct 05, 2017 08:27 AM


  • 3.  RE: Guest access via captive portal to Local internet on RAP

    Posted Oct 05, 2017 05:00 PM

    Thanks Victor,
    I know about using split tunnel but what it’s not fully clear to me is, what should be my default gateway and DHCP server.
    I’ve gone through different documents and the discussions were confusing or different.





  • 4.  RE: Guest access via captive portal to Local internet on RAP

    EMPLOYEE
    Posted Oct 06, 2017 11:31 AM

    You control this with the firewall rules attached to a role (access-list session). In the example:

    ip access-list session <policy>
       any any svc-dhcp permit
       any alias <name> any permit
       user any any route src-nat
    

    The first line will allow DHCP, this DHCP is from the VLAN where the client is placed and will live centrally on the controller. The second line, but basically everything with action permit, will be sent through the tunnel to the controller. The last line, with action route nat will break out on the RAP locally and that traffic source IP will be NATted to the IP address of your RAP. So IP and default gateway will be on or behind the controller, but due to NAT the client traffic can be routed directly to the internet.

     

     

    So: permit = tunnel to controller, route nat = break out locally.



  • 5.  RE: Guest access via captive portal to Local internet on RAP

    Posted Oct 25, 2017 12:40 AM

    The problem is my DHCP server is the controller in data centre and the default gateway for guest users is the firewall in branch office,



  • 6.  RE: Guest access via captive portal to Local internet on RAP

    Posted Oct 25, 2017 04:49 AM

    the default gateway given to the client by the centralised DHCP is not actually used for "internet" traffic. Note the "user any any route src-nat" at the bottom of the ACL which Herman wrote, in this case, all the traffic that doesn't go up the tunnel (e.g. everything other than DHCP) will be source-natted to the branch LAN IP of the AP and thus it will follow the default gateway that the AP itself uses. The client thinks it's sending to the default gateway but the AP intercepts it.

     

    Hence, the only requirement here is that default gateway being given to the APs by whatever DHCP server exists in the branch LAN is also the one that the clients will use to reach the internet, so it must be the firewall.