Aruba Solution Exchange


L2 GRE to DMZ controller with Captive Portal SSID 

Sep 17, 2014 05:09 PM


Summary

This solution creates a captive portal SSID where the guest traffic is tunneled from the internal controller(s) to a headend controller, which in most cases is installed in the DMZ. The tunnel is an L2 GRE tunnel. This solution generates configuration for both the internal controller(s) and the DMZ controller(s). The SSID configuration will be created for the internal controller(s) and the captive portal configuration will be created for the DMZ controller(s).

This solution allows you to specify either an internal captive portal hosted on the controller or an external captive portal such as ClearPass Guest. Additionally, the solution allows the guests to be authenticated using the controller's internal database or by using a specified RADIUS server such as ClearPass Policy Manager.

This solution template will generate the following configuration:

  • An Open System or Pre-Shared Key SSID on the internal Aruba Mobility Controller(s).
  • A VLAN with IP address for the guest users.
  • L2 GRE tunnel between the internal and DMZ controller.
  • Optionally, NAT can be enabled to avoid any additional routing configuration.
  • A DHCP server scope for guest users.
  • A pre-authentication (i.e. initial / logon) role that allows DNS and DHCP* and permits traffic to the captive portal server IP for the initial redirect. For all other requests, the role applies destination NAT so that clients are redirected to the captive portal page. *The role allows DHCP requests but denies DHCP offers, to prevent any station from becoming a DHCP server.
  • A post-authentication role assigned to guest users after successful authentication. The sample role allows DHCP, DNS, HTTP, and HTTPS traffic.
  • A user in the internal user database for testing if an external RADIUS server is not selected.
  • A new AP Group. You need to provision an AP into this group or assign the new Virtual AP created by this solution into your existing AP Group.
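
The pre-authentication role in the list above depends on rule order: the DHCP offer deny has to be evaluated before the DHCP permit. The following Python model is an added example, not configuration generated by this solution template. The rule names, addresses, first-match evaluation, UDP 67-68 DHCP service, web-only redirect and implicit deny are assumptions of the model.

```python
from ipaddress import ip_address

PORTAL_IP = ip_address("192.0.2.10")  # constructed captive portal server address

def pkt(proto, dst, dport):
    """Build a constructed client-originated packet."""
    return {"proto": proto, "dst": ip_address(dst), "dport": dport}

def is_udp(p, *ports):
    return p["proto"] == "udp" and p["dport"] in ports

def is_web(p):
    return p["proto"] == "tcp" and p["dport"] in (80, 443)

# Ordered (name, match, action) rules; the first match wins.
# Assumptions of this model: the DHCP service covers UDP 67-68, a DHCP offer
# is recognised as client traffic to UDP 68, and only web requests are NATed.
PREAUTH_ROLE = [
    ("deny-dhcp-offer", lambda p: is_udp(p, 68), "deny"),
    ("allow-dhcp", lambda p: is_udp(p, 67, 68), "permit"),
    ("allow-dns", lambda p: is_udp(p, 53), "permit"),
    ("allow-portal", lambda p: p["dst"] == PORTAL_IP, "permit"),
    ("redirect-web", is_web, "dst-nat"),
]

# Same rules with the DHCP pair swapped: a misordering the audit should flag.
MISORDERED_ROLE = [PREAUTH_ROLE[1], PREAUTH_ROLE[0]] + PREAUTH_ROLE[2:]

def evaluate(packet, role):
    """Return (rule name, action) of the first matching rule."""
    for name, match, action in role:
        if match(packet):
            return name, action
    return "implicit-deny", "deny"  # assumed default when nothing matches

# Constructed test traffic from an unauthenticated guest.
SAMPLES = {
    "dhcp-request": pkt("udp", "255.255.255.255", 67),
    "rogue-dhcp-offer": pkt("udp", "255.255.255.255", 68),
    "dns-query": pkt("udp", "198.51.100.53", 53),
    "portal-page": pkt("tcp", "192.0.2.10", 443),
    "web-request": pkt("tcp", "203.0.113.80", 80),
    "ssh": pkt("tcp", "203.0.113.22", 22),
}

def audit(role):
    """Map each sample name to the action the role applies to it."""
    return {name: evaluate(p, role)[1] for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, role in (("as described", PREAUTH_ROLE), ("misordered", MISORDERED_ROLE)):
        print(label, audit(role))
```

With the DHCP rules swapped, the constructed rogue offer is permitted, which is the condition to look for when reviewing a pre-authentication role.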

Platform Tested

Aruba Mobility Controller 3400 running AOS 6.2.1.1 build 38111

Apple iPad 3 version 6.0.1

Windows XP SP2

 

Licensing

This solution template requires Access Point and PEF licenses.

 


References

AOS Guest Access App Note

