Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP Split-Tunneling and external Captive Portal

  • 1.  RAP Split-Tunneling and external Captive Portal

    Posted Sep 20, 2021 09:28 AM
    Hi

    I'm trying to get guest access working in our remote AP branch offices.
    General split-tunnel for corporate devices is working. Corporate iPhones are route src-NATed to the local internet access the RAP is connected to.

    So I wanted to get the guest SSID working. So I followed the guide here:

    Airheads Community

    I created a dedicated VLAN on the controller for providing DHCP to the clients.

    So I have a question for DNS:
    Is it possible to use external DNS servers in the internet?
    I do not want to have any traffic from guest users within my corporate network.

    Because my ClearPass login page is reachable over the internet, in my opinion there is no need to use corporate DNS servers.

    So to keep things simple I wrote a new logon role where I permit DHCP and route src-nat HTTPS traffic to CP.
    Result: Splash page is not appearing and not reachable by manual connect.

    So will external DNS and external CP work?

    ------------------------------
    Florian Kueck
    ------------------------------


  • 2.  RE: RAP Split-Tunneling and external Captive Portal

    MVP EXPERT
    Posted Sep 20, 2021 04:41 PM
    The client traffic for Captive-Portals needs to go through the controller firewall that handles the DNS re-direction. Because your guest traffic is locally bridged from the AP it doesn't reach the controller firewall, so there can't be a DNS re-direction.

    Captive-Portals in a controller-based solution are not supported when the traffic is locally bridged. It's only supported in the tunneled forwarding mode.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: RAP Split-Tunneling and external Captive Portal

    Posted Sep 21, 2021 01:37 AM
    Hi,
    thanks for the answer, but I think there is a misunderstanding.
    My VAP is configured in split-tunnel mode.

    (MD1) [MDC] #show rights rap_guest-logon

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'rap_guest-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 116/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-rap_guest-logon-sacl session
    3 LVR_Internet_cppm_prof_lis_operation_split-tun session
    4 logon-control-bridge session
    5 captiveportal session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    apprf-rap_guest-logon-sacl
    --------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    LVR_Internet_cppm_prof_lis_operation_split-tun
    ----------------------------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user internet_sr_cppm_prof svc-https route src-nat Low 4
    2 user internet_sr_cppm_prof svc-http route src-nat Low 4
    logon-control-bridge
    --------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    3 any any svc-icmp src-nat Low 4
    4 any any svc-dns src-nat Low 4
    5 any 169.254.0.0 255.255.0.0 any deny Low 4
    6 any 240.0.0.0 240.0.0.0 any deny Low 4
    captiveportal
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4

    ------------------------------
    Florian Kueck
    ------------------------------



  • 4.  RE: RAP Split-Tunneling and external Captive Portal

    MVP EXPERT
    Posted Sep 21, 2021 05:10 PM
    Hi Florian,

    Yes, I understand you better now.

    Some questions:
    • What is the initial role the client gets when trying to authenticate?
      • show user mac ##:##:##:##:##:##
    • Can the client ping the received DNS server?
    • Can the client resolve the ClearPass DNS name via this server?
    • Does the guest client VLAN have an IP interface on the controller?

    Did you see this topic? https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=23801


    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: RAP Split-Tunneling and external Captive Portal

    Posted Sep 23, 2021 06:07 AM
    Hi,

    the logon role is the correct one.

    I can resolve the public ClearPass address.

    And yes, the controller has an IP address in the same VLAN as the clients.

    For my understanding:
    in the logon role the client has to resolve DNS, otherwise it cannot reach the captive portal.

    I am wondering about a rule which is added to my logon role automatically, something like my_guest_ssid_list_of_operations.
    I cannot delete it. I get the following message: "can't be removed from user-defined role"

    I have to route src-nat for reaching the CP in the internet, but this list-of-operations rule will only permit and not src-nat.
    In my following screenshot the aliases lvr_internet_cppm_prof and cppm_guestportal point to the same host. The lvr_internet rules are coming from this list-of-operations rule which I cannot delete. Maybe this is the cause why the CP redirect is not possible, because it is not route src-NATed.





    ------------------------------
    Florian Kueck
    ------------------------------



  • 6.  RE: RAP Split-Tunneling and external Captive Portal

    Posted Sep 23, 2021 06:21 AM
    I tried to reorder the rules so src-nat will be hit first.
    No luck.

    On the controller the show rights output shows the list of operations will be hit first:

    [MDC] #show rights guest-branch-logon

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest-branch-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 2
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 164/0
    Openflow: Enabled
    Max Sessions = 128

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = LVR_Internet_branch

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 LVR_Internet_branch_list_operations session
    2 global-sacl session
    3 clearpass_guest_branch session
    4 apprf-guest-branch-logon-sacl session
    5 clearpass-guest session
    6 captiveportal session
    7 guest-branch-logon-access session

    LVR_Internet_branch_list_operations
    -----------------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user lvr_internet_cppm_prof svc-http permit Low 4
    2 user lvr_internet_cppm_prof svc-https permit Low 4
    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    clearpass_guest_branch
    ----------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any cppm_guestportal svc-https route src-nat Low 4
    2 any cppm_guestportal svc-http route src-nat Low 4
    apprf-guest-branch-logon-sacl
    -----------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    clearpass-guest
    ---------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user cppm_guestportal svc-http permit Low 4
    2 user cppm_guestportal svc-https permit Low 4
    captiveportal
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4
    guest-branch-logon-access
    -------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    3 user public_dns_server any route src-nat Low 4
    4 any public_dns_server any route src-nat Low 4

    ------------------------------
    Florian Kueck
    ------------------------------
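    The ordering question raised in the last two posts, worked through as an added illustration (not ArubaOS code and not from this thread's authors): a simplified first-match model of a user role's session ACLs, consulted in "Position" order, loaded with the rules transcribed from the show rights guest-branch-logon output above. The alias table, the CPPM_HOST and PUBLIC_DNS placeholders and the first-match semantics are modelling assumptions; the thread states that lvr_internet_cppm_prof and cppm_guestportal point to the same host.

```python
# Constructed illustration (not ArubaOS code): a first-match model of how a
# user role's session ACLs are consulted in "Position" order for a new flow.
# Alias table is hand-built: the thread says lvr_internet_cppm_prof and
# cppm_guestportal point to the same host, so both resolve to one placeholder.
ALIASES = {
    "lvr_internet_cppm_prof": {"CPPM_HOST"},
    "cppm_guestportal": {"CPPM_HOST"},
    "public_dns_server": {"PUBLIC_DNS"},
}

def _matches(field, value):
    """'any' and 'user' (the client itself) are wildcards here; otherwise the
    field must be the literal value or an alias that contains it."""
    if field in ("any", "user"):
        return True
    return value in ALIASES.get(field, {field})

def first_match(role, flow):
    """Return (acl_name, priority, action) of the first rule in the role's
    ordered ACL list that matches flow=(src, dst, service), or None."""
    src, dst, svc = flow
    for acl_name, rules in role:
        for prio, (rsrc, rdst, rsvc, action) in enumerate(rules, start=1):
            if _matches(rsrc, src) and _matches(rdst, dst) and _matches(rsvc, svc):
                return acl_name, prio, action
    return None

# Transcribed from the 'show rights guest-branch-logon' output in this thread
# (empty ACLs omitted; only source, destination, service and action kept).
GUEST_BRANCH_LOGON = [
    ("LVR_Internet_branch_list_operations", [
        ("user", "lvr_internet_cppm_prof", "svc-http", "permit"),
        ("user", "lvr_internet_cppm_prof", "svc-https", "permit")]),
    ("clearpass_guest_branch", [
        ("any", "cppm_guestportal", "svc-https", "route src-nat"),
        ("any", "cppm_guestportal", "svc-http", "route src-nat")]),
    ("clearpass-guest", [
        ("user", "cppm_guestportal", "svc-http", "permit"),
        ("user", "cppm_guestportal", "svc-https", "permit")]),
    ("captiveportal", [
        ("user", "any", "svc-http", "dst-nat 8080"),
        ("user", "any", "svc-https", "dst-nat 8081")]),
    ("guest-branch-logon-access", [
        ("any", "any", "svc-dhcp", "permit"),
        ("user", "public_dns_server", "any", "route src-nat")]),
]
```

    Evaluating the portal HTTPS flow ("client", "CPPM_HOST", "svc-https") against the role returns the plain permit in LVR_Internet_branch_list_operations; only when that ACL is dropped from the front of the list (GUEST_BRANCH_LOGON[1:]) does the route src-nat rule in clearpass_guest_branch become the first match, which is the behaviour the poster suspects.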