Hi Colin,
Well, this is a migration from Instants, running IAP-VPN, so the datacenter controllers and GRE Tunnels were already in place. Default gateway for WiFi clients is always a datacenter firewall, whether we're talking about corporate or guest clients.
Due to some features the customer wants to use we are trying out local controllers in the satellite locations, but the base architecture remains - from the client's perspective the whole Aruba infrastructure provides simple layer-2 connectivity to the default gateway in the datacenter.
What baffles me is that the Instants provide a much easier way to do this, without weird looking ACLs with destination NAT to custom ports.
Regarding the "ip cp-redirect-address", I have no such configuration. After creating a L3 interface in the guest vlan a client gets redirected automatically (granted, I tested only with a windows machine, but still, it works). You said I need to configure the "ip cp-redirect-address" to the IP of the controller in the guest vlan, is that it? Shouldn't be an issue in my current scenario, but what if I had multiple guest vlans?
--EDIT--
Ah, I see what it does, it's the address the controller responds with when intercepting DNS responses for securelogin.arubanetworks.com (or some other name you have in the Captive portal certificate). Ok, it makes some sense now.
But the question about multiple guest networks is still valid. It's not an issue for me, but might happen to someone else.
------------------------------
Miguel Goncalves
------------------------------
Original Message:
Sent: Jul 21, 2021 07:07 AM
From: Colin Joseph
Subject: Captive Portal redirect
The ip address in a guest network is needed because the client needs to request the captive portal page from somewhere, and many do not want guests to have access to the actual management ip address of the controller.
You mention that you are GRE tunneling back to a single controller. I am not sure if that is just aspirational or if you have it already configured. If that is the case, you would only need an ip address on the guest VLAN on that single controller. If you are enforcing captive portal on the WLAN controllers, you would instead need an ip address on the guest VLAN on those controllers. You will also need to configure the "ip cp-redirect-address" parameter for each controller to point to the ip address on each controller: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=42139
The ACLs pointing to ports 8080 and 8081 redirect client traffic to the captive portal instance on the controller and are required.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Jul 21, 2021 06:47 AM
From: Miguel Goncalves
Subject: Captive Portal redirect
Hi,
It's been a while since I have configured a controller, being more focused on Instant for some time.
I'm in the process of migrating an Instant cluster to a properly controlled AP group and I'm facing some difficulties with Captive Portal redirection: it works perfectly on Instant, but it does not work at all on the 'real' controller.
This old post here gave me a clue:
Airheads Community
Having a L3 interface in the guest network for each controller is a major nuisance. In this project I'm going to have several locations with controllers, and the guest network is centralized via GRE tunnels to a datacenter controller. I'm going to use a bunch of addresses, when in reality all I should need is layer-2 connectivity.
Can someone explain the necessity of this L3 interface? If Instants don't need it, why would the controller? I guess this has something to do with this part of the access list:
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
And maybe an internal process in the controller ends up forming the HTTP 302 response to the client. But honestly, why such complication?
Sorry for the rant...
------------------------------
Miguel Goncalves
------------------------------
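The thread above describes three pieces of the ArubaOS captive-portal mechanism: the guest-role ACL lines that dst-nat a client's HTTP/HTTPS flows to ports 8080/8081 on the controller, the controller answering DNS for the captive-portal name (securelogin.arubanetworks.com) with its "ip cp-redirect-address", and the requirement for an L3 interface on the guest VLAN that the original poster asked about. The following is an added toy model of that behaviour, written for this page; it is not Aruba code and does not reproduce the controller's real implementation. All IP addresses, the VLAN id, the example destination host and the "/login" path in the 302 are constructed placeholders.

```python
"""Toy model of the captive-portal redirect discussed in this thread (added
example, not ArubaOS code).  It shows why the ACL lines

    user any svc-http  dst-nat 8080
    user any svc-https dst-nat 8081

only produce a working redirect when the controller holds an L3 address in
the guest VLAN: the rewritten flow must terminate on an address the client
can reach at layer 2, and the 302 must come back from that same address.
Addresses, VLAN id and URL path are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress

SERVICES = {"svc-http": 80, "svc-https": 443, "svc-dns": 53}
CP_NAME = "securelogin.arubanetworks.com"   # name on the captive portal certificate


@dataclass(frozen=True)
class Flow:
    src: str      # client address
    dst: str      # destination address
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    src: str                       # 'user' = traffic from the client in this role
    dst: str                       # 'any'
    service: str                   # svc-http, svc-https, ...
    action: str                    # permit, deny, dst-nat
    nat_port: Optional[int] = None  # only for dst-nat


def parse_acl(text: str):
    """Parse ACL lines in the form quoted on the page into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        src, dst, service, action = parts[:4]
        nat_port = int(parts[4]) if action == "dst-nat" else None
        rules.append(Rule(src, dst, service, action, nat_port))
    return rules


@dataclass(frozen=True)
class Controller:
    interfaces: Dict[int, str]           # VLAN id -> controller L3 address on that VLAN
    cp_redirect_address: Optional[str] = None

    def address_on_link_with(self, client_ip: str, vlans: Dict[int, str]) -> Optional[str]:
        """Controller address in the client's subnet, or None if the controller
        has no L3 interface there ('vlans' maps VLAN id -> subnet)."""
        ip = ipaddress.ip_address(client_ip)
        for vlan, subnet in vlans.items():
            if ip in ipaddress.ip_network(subnet) and vlan in self.interfaces:
                return self.interfaces[vlan]
        return None


def apply_acl(flow: Flow, rules, controller: Controller, vlans) -> Tuple[Optional[Flow], Optional[Rule]]:
    """First-match evaluation.  dst-nat rewrites the destination to the
    controller's address on the client's VLAN; (None, rule) means the rule
    matched but there is no on-link address to redirect to; (None, None) is
    the implicit deny at the end of the ACL."""
    for r in rules:
        if r.src != "user" or SERVICES.get(r.service) != flow.dport:
            continue
        if r.action == "dst-nat":
            target = controller.address_on_link_with(flow.src, vlans)
            if target is None:
                return None, r
            return Flow(flow.src, target, r.nat_port), r
        return (flow if r.action == "permit" else None), r
    return None, None


def resolve(name: str, controller: Controller) -> Optional[str]:
    """Model of the DNS interception noted in the edit: the controller answers
    queries for the captive-portal name with its cp-redirect-address; any
    other name (None here) is left to the real resolver."""
    if name == CP_NAME and controller.cp_redirect_address:
        return controller.cp_redirect_address
    return None


def redirect_response(original_url: str) -> str:
    """The HTTP 302 the captive-portal listener hands back (path is a placeholder)."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: https://{CP_NAME}/login?url={original_url}\r\n\r\n")


# Constructed sample environment: one guest VLAN, a controller with and without an L3 interface on it.
GUEST_ACL = """
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
"""
VLANS = {200: "10.200.0.0/24"}
WITH_L3 = Controller({200: "10.200.0.2"}, cp_redirect_address="10.200.0.2")
WITHOUT_L3 = Controller({}, None)

if __name__ == "__main__":
    rules = parse_acl(GUEST_ACL)
    client = Flow("10.200.0.50", "198.51.100.10", 80)
    print(apply_acl(client, rules, WITH_L3, VLANS))      # rewritten to 10.200.0.2:8080
    print(apply_acl(client, rules, WITHOUT_L3, VLANS))   # (None, rule): no address to redirect to
```

Running the model with the two controller definitions makes the original question concrete: with an interface on VLAN 200 the guest's port-80 flow is rewritten to 10.200.0.2:8080 and the controller can answer; without one the ACL matches but there is nothing on the client's segment to receive the flow, which is the symptom of "does not work at all" described in the first post.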