First time trying to do this so looking for a little guidance (or link to helpful docs).
We want to src-nat a particular user role on our Guest (captive portal) SSID. These particular guest users would authenticate via Azure (this is working) and ClearPass sends back a special role; this role exists on the AOS 8.10 cluster. That much seems to work. I have added a pool and a line to an ACL in the role:
ip nat pool mypool x.x.x.x x.x.x.x
user any any src-nat pool mypool log
I can connect and I get the right role, but then no internet. Am I missing a step? The other question I have is about the pool: do those addresses need to exist as interfaces on the controller, or just be routable from the cluster? What are the rules for choosing the pool addresses?
The controller will change the client source IP to one address from the nat pool (mypool). You probably will need a different pool for each of your controllers and route that pool back to the controller from your router/firewall such that return traffic will get to the right controller. Also make sure that the DNS/DHCP are reachable for the NAT-ted traffic. You may need an IP address on the controller in the VLAN on which you want to perform the NAT in order to get the traffic back.
I don't have recent experience with NAT on a gateway, so if it doesn't work and packet captures (does the traffic actually NAT, does it go out on the right interface/VLAN, is there return traffic, does that get NATted back) do not help, working with Aruba TAC may be helpful.
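To make the reply above concrete, here is an added example configuration; it is not from the original thread and was not tested on the poster's cluster. It shows the shape the reply describes: one NAT pool per managed device (so return traffic can be steered to the right controller), the session ACL that src-NATs the role's traffic to that device's own pool, and the matching /32 return routes on the upstream firewall. The names guest-nat-md1/guest-nat-md2, guest-srcnat and guest-natted, the 203.0.113.x addresses and the uplink next-hops are hypothetical placeholders.

```text
! --- Managed device 1 (configure at the device level, not the cluster level,
! --- so each controller owns a different pool address; hypothetical values)
ip nat pool guest-nat-md1 203.0.113.11 203.0.113.11

! Session ACL: rules are evaluated top-down, so any traffic that must NOT be
! NATted (e.g. to internal DHCP/DNS) needs a permit rule above the src-nat rule.
ip access-list session guest-srcnat
  user any any src-nat pool guest-nat-md1 log

! Role returned by ClearPass for the Azure-authenticated guests
user-role guest-natted
  access-list session guest-srcnat

! --- Managed device 2: same ACL and role, but its own pool address
ip nat pool guest-nat-md2 203.0.113.12 203.0.113.12

ip access-list session guest-srcnat
  user any any src-nat pool guest-nat-md2 log

user-role guest-natted
  access-list session guest-srcnat

! --- Upstream firewall/router (vendor syntax varies; shown as pseudo-config).
! Return traffic for each pool address must come back to the controller that
! performed the NAT, otherwise the reply hits a device with no session state.
ip route 203.0.113.11/32 via <md1-uplink-ip>   ! hypothetical next-hop
ip route 203.0.113.12/32 via <md2-uplink-ip>   ! hypothetical next-hop
```

When checking whether this works, follow the reply's capture list in order: confirm on the controller's uplink that the client's packets leave with the pool address as source, then confirm on the firewall that the reply for that pool address is forwarded back toward the same controller rather than another cluster member. A session that is NATted outbound but whose return traffic lands on the wrong controller looks exactly like the "right role, no internet" symptom in the question.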
Ok I'll get a public IP pool onto each controller (1 address per controller is probably enough for our needs) and we can route that on the FW. Sounds doable if a little fiddly.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.