Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

multiple vlan on captive portal issue

  • 1.  multiple vlan on captive portal issue

    Posted Aug 27, 2012 07:56 AM

    Hello, I'm new to the board as we just procured our first Aruba controller.  We're setting up a captive portal and I have 5 VLANs configured.  The first VLAN I am using is for the controller, and my goal is to use the other 4 VLANs for the captive portal.  I have successfully used each of the 4 VLANs on the captive portal individually, but when I attempt to use multiple VLANs on the portal by adding a 2nd, 3rd, or 4th VLAN to the portal, any device that obtains a DHCP address for one of these additional VLANs cannot access the portal authentication page.  I'm not sure what I'm missing, hoping someone here has successfully configured this and can help me out.  Thanks!



  • 2.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:19 AM

    Go to Configuration > Advanced Services > Stateful Firewall.  Enable "Allow-tri-session with DNAT" and click on apply.

    Here is the description of the feature in the user guide:

    "Allows three-way session when performing destination NAT. This option should be enabled when the controller is not the default gateway for wireless clients and the default gateway is behind the controller. This option is typically used for captive portal configuration"

     

     



  • 3.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:27 AM

    Thanks for the quick reply, cjoseph.  That didn't work for me.  Regarding the description you posted, my controller is the default gateway for all of the VLANs



  • 4.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:31 AM

    @tgillon wrote:

    Thanks for the quick reply, cjoseph.  That didn't work for me.  Regarding the description you posted, my controller is the default gateway for all of the VLANs


    All right.  You might need to pick one of the IP addresses on the user VLANs and make it the "ip cp-redirect-address" IP on the controller.

    Choose one of the VLAN IP addresses on the controller that the user will be using:

     

    config t

    ip cp-redirect-address <ip address of controller on one of those vlans>

     

     

    You also need to be careful, because the controller's internal DHCP server is only rated for 512 DHCP leases maximum.  After that you might have to use an external DHCP server to serve your addresses.

     

     



  • 5.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:37 AM

    512 DHCP maximum?  That's not going to work for me, I'll need double that.  I'll reconfigure to use my internal DHCP server.

     

    I had the cp-redirect-address set to 10.180.0.2



  • 6.  RE: multiple vlan on captive portal issue

    Posted May 28, 2013 12:26 AM
    Hi, Joseph,

    Hope you are doing well. I was going through some old posts, searching about NATing, and I came across the following:

    You also need to be careful, because the controller's internal DHCP server is only rated for 512 DHCP leases maximum. After that you might have to use an external DHCP server to serve your addresses.

    Please advise: is this still valid, or has the capacity of the internal DHCP server now been increased?

    Thanks


  • 7.  RE: multiple vlan on captive portal issue

    Posted May 28, 2013 12:31 AM

    The current release notes for ArubaOS set the limit to 512.  There is no indication that will ever change.  The internal DHCP server is only intended for small guest networks.



  • 8.  RE: multiple vlan on captive portal issue

    Posted May 29, 2013 03:34 AM

    Thanks

     

    But I remember I once configured a /16 pool and the 3600 series controller allowed me to do so.

    Maybe the reason is that the controller allows you to configure a pool of any size, but it does not provide addresses to more than 512 devices.

    Is that it?



  • 9.  RE: multiple vlan on captive portal issue

    Posted May 29, 2013 08:00 AM

    It does not restrict you from configuring it, but you will run into problems down the road if it exceeds more than 512.

     



  • 10.  RE: multiple vlan on captive portal issue

    Posted May 30, 2013 06:01 AM
    Got it . Thanks :-)


  • 11.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:29 AM

    Take cjoseph's solution, he is the expert :)



  • 12.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:26 AM

    Hi,

    How did you add the other VLANs to the captive portal? Did you use:

    vlan-name "captive-pool" pool
    vlan captive-pool 3-6    ; where 3-6 are VLAN numbers

    Then you have to add this pool (captive-pool) to the guest VAP:

    wlan virtual-ap "guest-ap"
    vlan captive-pool

    Please note that it is recommended that the MC is the DHCP server for the guest/captive portal users.

    Then you have to create 4 DHCP servers for VLANs 3, 4, 5 and 6:

    !
    !
    interface vlan 3
    interface vlan 3 ip address 192.168.200.1 255.255.255.0
    ip nat inside
    !
    interface vlan 4
    interface vlan 4 ip address 192.168.201.1 255.255.255.0
    ip nat inside
    !
    interface vlan 5
    interface vlan 5 ip address 192.168.202.1 255.255.255.0
    ip nat inside
    !
    interface vlan 6
    interface vlan 6 ip address 192.168.203.1 255.255.255.0
    ip nat inside
    !
    ip dhcp pool "guestpool3"
    default-router 192.168.200.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.200.0 255.255.255.0
    !
    ip dhcp pool "guestpool4"
    default-router 192.168.201.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.201.0 255.255.255.0
    !
    ip dhcp pool "guestpool5"
    default-router 192.168.202.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.202.0 255.255.255.0
    !
    ip dhcp pool "guestpool6"
    default-router 192.168.203.1
    dns-server 208.67.222.222 208.67.222.220
    network 192.168.203.0 255.255.255.0
    !
    service dhcp

    Have you tried something like this?



  • 13.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:35 AM

    Here's the relevant parts of my config:

     

    vlan 180
    vlan 186
    vlan 187
    vlan 188
    vlan 189

    vlan-name CCMPool pool
    vlan CCMPool 180,186-189

    interface gigabitethernet 1/3
    description "GE1/3"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport trunk native vlan 180
    switchport trunk allowed vlan 1-4094
    !
    interface vlan 180
    ip address 10.180.0.2 255.255.0.0
    !
    interface vlan 1
    !
    interface vlan 187
    ip address 10.187.0.2 255.255.0.0
    ip helper-address 10.187.0.2
    !
    interface vlan 188
    ip address 10.188.0.2 255.255.0.0
    ip helper-address 10.188.0.2
    !
    interface vlan 186
    ip address 10.186.0.2 255.255.0.0
    ip helper-address 10.186.0.2
    !
    interface vlan 189
    ip address 10.189.0.2 255.255.0.0
    ip helper-address 10.189.0.2
    !
    ip default-gateway 10.180.0.1
    uplink disable

    ip dhcp pool CCM
    default-router 10.189.0.1
    dns-server 10.25.0.120
    domain-name xxx.com
    lease 0 1 0 0
    network 10.189.0.0 255.255.0.0
    authoritative
    !
    ip dhcp pool CCM2
    default-router 10.188.0.1
    dns-server 10.125.0.20
    domain-name xxx.com
    lease 0 1 0 0
    network 10.188.0.0 255.255.0.0
    authoritative



  • 14.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:38 AM

    I have a question, but let's start with the basics:

     

    The clients that cannot retrieve the captive portal, do they get an ip address, and can they resolve DNS?  That is required to bring up the captive portal.

     



  • 15.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:40 AM

    Any client that gets a 10.189.0.xx address can get the CP auth page and logon and access the internet.  Any client that gets a 10.188.0.xx address cannot.  Those are the 2 VLANs I have setup on CP.



  • 16.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:42 AM

    189 clients can resolve DNS, 188 clients cannot.



  • 17.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:44 AM

    @tgillon wrote:

    189 clients can resolve DNS, 188 clients cannot.


    Okay.  The .188 clients, what is the default gateway, the controller?  Are those clients allowed outbound on your perimeter firewall?

    Does your internal network have a route to the controller for that subnet?



  • 18.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:49 AM

    default gateway for 188 clients is 10.188.0.2, which is one of 5 controller IP addresses (10.xxx.0.2)

    default gateway for 189 clients is 10.189.0.2

     

    yes my internal network can ping all 5 controller IP addresses

     

    As I mentioned in my original post, all of the individual VLANs work when they are the only VLAN configured, I tried all 4 and clients got the auth page and accessed the internet.



  • 19.  RE: multiple vlan on captive portal issue
    Best Answer

    Posted Aug 27, 2012 08:55 AM

    We need to figure out why your clients cannot resolve DNS, because that is crucial.

     



  • 20.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 09:02 AM

    Perhaps if I put in the correct DNS server address, it would work.  DOH!  I'm going to test adding 2 more VLANs and see if it works.  Thanks for the help, I'll let you know how I make out.



  • 21.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 09:05 AM

    We will be waiting for your next reply. If you managed to solve it, do not forget to choose the correct solution to indicate that the issue is solved, or add the solution that you used to solve the issue.



  • 22.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 10:38 AM

    That was the problem, wrong DNS address.  I now have all 4 VLANs active on the captive portal and I have offloaded the DHCP server to an internal server.  Thanks for the help!



  • 23.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 10:39 AM

    Nice!



  • 24.  RE: multiple vlan on captive portal issue

    Posted Aug 27, 2012 08:48 AM

    You have two DNS servers, one for each VLAN, don't you?

    dns-server 10.25.0.120

    and

    dns-server 10.125.0.20

    Just for testing, can you try to use the same dns-server for vlan 88 as vlan 89, which should be

    dns-server 10.25.0.120, just to verify that the problem is not from the DNS server
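
Added example, not part of any post in this thread: a small Python check for the mistake that caused the problem here (DHCP pools handing out different dns-server values) and for the 512-lease rating of the internal DHCP server mentioned earlier. The sample config is constructed from the two pools posted in the thread, and the function names are hypothetical.

```python
import ipaddress

LEASE_LIMIT = 512  # internal DHCP server rating quoted in the thread

# Constructed sample, modelled on the two pools posted in the thread.
SAMPLE_CONFIG = """\
ip dhcp pool CCM
 default-router 10.189.0.1
 dns-server 10.25.0.120
 network 10.189.0.0 255.255.0.0
!
ip dhcp pool CCM2
 default-router 10.188.0.1
 dns-server 10.125.0.20
 network 10.188.0.0 255.255.0.0
!
"""

def parse_pools(text):
    """Return {pool name: {"dns": [ip, ...], "network": IPv4Network or None}}."""
    pools, current = {}, None
    for line in text.splitlines():
        words = line.replace('"', "").split()
        if not words:
            continue  # blank lines do not end a stanza
        if words[:3] == ["ip", "dhcp", "pool"] and len(words) == 4:
            current = pools.setdefault(words[3], {"dns": [], "network": None})
        elif words[0] == "!":
            current = None  # "!" closes the current stanza
        elif current is not None and words[0] == "dns-server":
            current["dns"] = words[1:]
        elif current is not None and words[0] == "network" and len(words) == 3:
            current["network"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
    return pools

def audit(text):
    """Return (check, detail) findings for the DHCP pools in the config text."""
    pools, findings = parse_pools(text), []
    dns = {name: " ".join(p["dns"]) for name, p in pools.items()}
    if len(set(dns.values())) > 1:  # pools disagree on the resolver
        findings.append(("dns-mismatch", ", ".join(f"{n}={d}" for n, d in dns.items())))
    hosts = sum(max(p["network"].num_addresses - 2, 0) for p in pools.values() if p["network"])
    if hosts > LEASE_LIMIT:  # configurable, but beyond what the server is rated for
        findings.append(("lease-capacity", f"{hosts} addresses configured, rating is {LEASE_LIMIT}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```

A dns-mismatch finding does not say which resolver is wrong; it only points at the pools to compare, which is the same test suggested in the post above.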