L2 GRE to DMZ controller with Captive Portal SSID
This solution creates a captive portal SSID where the guest traffic is tunneled from an internal controller(s) to a headend controller which in most cases is installed in the DMZ. The tunnel is made using an L2 GRE tunnel. This solution generates configuration for both the internal controller(s) and the DMZ controller(s). The SSID configuration will be created for the internal controller(s) and the captive portal configuration will be created for the DMZ controller(s).
This solution allows you to specify either an internal captive portal hosted on the controller or an external captive portal such as ClearPass Guest. Additionally, the solution allows the guests to be authenticated using the controller's internal database or by using a specified RADIUS server such as ClearPass Policy Manager.
This solution template will generate the following configuration:
- An Open System or Pre Shared Key SSID on the internal Aruba Mobility Controller(s).
- A VLAN with IP address for the guest users.
- L2 GRE tunnel between the internal and DMZ controller.
- Optionally, NAT can be enabled to avoid any additional routing configuration.
- A DHCP server scope for guest users.
- A pre-authentication (i.e. initial / logon) role that allows DNS + DHCP* and allows the captive portal server IP to allow the initial redirect. For all other requests, the role will destination NAT so the clients get redirected to the captive portal page. *The role allows DHCP requests but denies DHCP offers) to prevent any station to become a DHCP server.
- A post authentication role to assign guest users after successful authentication. The sample role allows DHCP, DNS, HTTP, and HTTPS traffic.
- A user in the internal user database for testing if an external RADIUS server is not selected.
- A new AP Group. You need to provision an AP into this group or assign the new Virtual AP created by this solution into your existing AP Group.
Aruba Mobility Controller 3400 running AOS 126.96.36.199 build 38111
Apple iPad 3 version 6.0.1
Windows XP SP2
Access Point and PEF Licenses needed by this solution template.