Wireless Access

 View Only
last person joined: 4 days ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

src-nat on user role

This thread has been viewed 15 times
  • 1.  src-nat on user role

    Posted Sep 20, 2023 06:08 AM

    Hello,

    First time trying to do this so looking for a little guidance (or link to helpful docs).

    We want to src-nat a particular user role on our Guest (captive portal) SSID. These particular guest users would authenticate via Azure (this is working) and ClearPass sends back a special role, this role exists on the AOS 8.10 cluster. That much seems to work. I have added a pool and a line to an ACL in the role:

    ip nat pool mypool x.x.x.x x.x.x.x

    user-role specialpeople

      user any any src-nat pool mypool log

    I can connect and I get the right role but then no internet. Am I missing a step? The other question I have is about the pool - do those addresses need to exist as interfaces on the controller, or just be routable from the cluster, what are the rules for choosing the pool addresses? 

    Guy



  • 2.  RE: src-nat on user role
    Best Answer

    Posted Sep 25, 2023 10:46 AM

    The controller will change the client source IP to one address from the nat pool (mypool). You probably will need a different pool for each of your controllers and route that pool back to the controller from your router/firewall such that return traffic will get to the right controller. Also make sure that the DNS/DHCP are reachable for the NAT-ted traffic. You may need an IP address on the controller in the VLAN on which you want to perform the NAT in order to get the traffic back.

    I don't have recent experience with NAT on a gateway, so if it doesn't work and packet captures (does the traffic actually NAT, does it go out on the right interface/VLAN, is there return traffic, does that get NATted back) does not help, working with Aruba TAC may be helpful.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: src-nat on user role

    Posted Sep 25, 2023 12:07 PM

    Thanks Herman,

    Ok I'll get a public IP pool onto each controller (1 address per controller is probably enough for our needs) and we can route that on the FW. Sounds doable if a little fiddly.