Controller-less WLANs

Requirement:

Configuration/Verification  of Manual GRE between IAP & controller & to present CP page hosted on the controller to the users connected to IAP by making use of L2 centralized scope.

Solution:

The solution involves the following :

IAP:

1. Configure manual GRE by navigating to More-->VPN from Web GUI

2. Configure L2 centralized scope by navigating to More-->DHCP servers from Web GUI

3. Configure a SSID to use the L2 centralized vlan.

 

Controller:

1. Configure L2 GRE tunnel between controller & IAP.

2. The L2 centralized vlan configured on the IAP will be tunneled through the GRE tunnel. The tunnel will be untrusted.

3. Create a captive portal profile that has the page which should be presented to the clients.

3. Configure a AAA profile that has its initial role mapped to the Captive portal page hosted on the controller. This AAA profile will be mapped to the L2 cetralized vlan.

 

Configuration:

IAP :

1. Configure the manual GRE tunnel.

Web GUI-->More-->VPN

 

 

 

2. Configure the L2 centralized vlan.

 

Web GUI--->More--->DHCP Servers

 

 

3.  Configure the SSID to use the L2 centralized vlan.

 

 

 

Controller:

 

1. Configure the L2 GRE tunnel.

 

interface tunnel 107
        description "Tunnel Interface"
        tunnel mode gre 1
        tunnel source 10.17.169.163
        tunnel destination 10.17.171.190
        no inter-tunnel-flooding
        tunnel vlan 107
!
 

2.  Create the required captive portal profile.

 

I am using the default parameters.

aaa authentication captive-portal "Guest_CP"

 

3. Map the profile to a user-role .

!

user-role Guest_Pre_Auth
 captive-portal "Guest_CP"
 access-list session global-sacl
 access-list session apprf-Guest_Pre_Auth-sacl
 access-list session logon-control
 access-list session captiveportal
!
 

4. Create a AAA profile & map the role created above to the profile

!

aaa profile "Guest_AAA"
   initial-role "Guest_Pre_Auth"
!
 

4. Map the AAA profile to the client vlan.

 

Aruba# vlan 107 wired aaa-profile "Guest_AAA"

 

 

 

 

 

 

Verification

IAP:

 

1. We need to run the following command to verify the status of GRE tunnel.

 

IAP# show datapath bridge

ac:a3:1e:c5:9a:6e# show datapath bridge
Datapath Bridge Devices
-----------------------------
Flags: F - source-filter, T - trusted, Q - tagged, I - IP
       S - split-tunnel, B - bridge, M - mesh, P - PPPoE
       C - content-filter, O - corp-access, h - to HAP, f - to FAP
       h - dhcp-redirect b - blocked by STP

Dev  Name                      VLANs  PVID    ACLs            FramesRx  FramesTx        Flags
---  ------------------------  -----  ----  ---------- -  --------  --------  --------
2    bond0                              3      1          0/0   106      11494          5731               FTQB
7    gre0                                 2       0         0/0     0             0                  0                   FTQB  ---------->We should see the increment in Frames Rx/TX clients once the client is connected & traffic is passed inside GRE tunnel
 

IAP# show datapath bridge

ac:a3:1e:c5:9a:6e# show datapath bridge
Datapath Bridge Devices
-----------------------------
Flags: F - source-filter, T - trusted, Q - tagged, I - IP
       S - split-tunnel, B - bridge, M - mesh, P - PPPoE
       C - content-filter, O - corp-access, h - to HAP, f - to FAP
       h - dhcp-redirect b - blocked by STP

Dev  Name                      VLANs  PVID    ACLs            FramesRx  FramesTx        Flags
---  ------------------------  -----  ----  ---------- -  --------  --------  --------
2    bond0                              3      1          0/0   106      11494          5731               FTQB
7    gre0                                 2       0         0/0     0             12             148                FTQB

 

2. User-table:

 

ac:a3:1e:c5:9a:6e# show clients

Client List
-----------
Name                     IP Address   MAC Address        OS       ESSID   Access Point       Channel  Type  Role    Signal    Speed (mbps)
----                     ----------   -----------        --       -----   ------------       -------  ----  ----    ------    ------------
android-ef2d2321cdaa31b  192.168.1.3  f8:a9:d0:54:34:6e  Android  L2-Cen  ac:a3:1e:c5:9a:6e  6        GN    L2-Cen  95(good)

 

 

Controller:

 

1. GRE tunnel

 

(Aruba) #show interface  tunnel  107

Tunnel 107 is up line protocol is up
Description: Tunnel Interface
Source  10.17.169.163
Destination 10.17.171.190
Tunnel mtu is set to 1100
Tunnel is a Layer2 GRE TUNNEL
Tunnel is Untrusted
Inter Tunnel Flooding is disabled
Tunnel keepalive is disabled
Keepalive type is Default
tunnel vlan 107
 

 

2. GRE tunnel status

(Aruba) #show datapath tunnel table

Datapath Tunnel Table Entries
-----------------------------

Flags: E - Ether encap,  I - Wi-Fi encap,  R - Wired tunnel,  F - IP fragment OK
       W - WEP,  K - TKIP,  A - AESCCM,  G - AESGCM,  M - no mcast src filtering
       S - Single encrypt,  U - Untagged,  X - Tunneled node,  1(cert-id) - 802.1X Term-PEAP
       2(cert-id) - 802.1X Term-TLS,  T - Trusted,  L - No looping, d - Drop Bcast/Unknown Mcast,
       D - Decrypt tunnel,  a - Reduce ARP packets in the air, e - EAPOL only
       C - Prohibit new calls, P - Permanent, m - Convert multicast
       n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
       V - enforce user vlan(open clients only)
       H - Standby (HA-Lite)

 #          Source       Destination    Prt  Type  MTU   VLAN       Acls                BSSID          Decaps     Encaps   Heartbeats Flags  EncapKBytes  DecapKBytes
------  --------------  --------------  ---  ----  ----  ---- -------------------  ----------------- ---------- ---------- ---------- ----- ------------- -----------
10      SPI0689A400out  10.17.169.164   50   IPSE  1500  0    routeDest 006B                                  0          0                              0           0
11      SPIF3D8C400 in  10.17.169.163   50   IPSE  1500  0    routeDest 0000                                269          0                              0           0
9       10.17.169.163   10.17.171.190   47   1     1100  0    0    0    0    0     00:00:00:00:00:00        588        107          0 LEFPR----------------------->We should see increment in Decaps/Encaps value parameter if traffic is travesing the GRE tunnel

 

3. User-table

 

The tunnel 9 in the below output corresponds to tunnel ID listed in the datapath tunnel table. Moreover, the mac-address  f8:a9:d0:54:34:6 in the user-table is for the same client which is listed in the user-table of IAP.

(Aruba) #show user-table

Users
-----
    IP                          MAC            Name              Role                  Age(d:h:m)  Auth  VPN link  AP name   Roaming  Essid/Bssid/Phy  Profile    Forward mode  Type     Host Name
----------               ------------       ------                        ----                ----------  ----  --------  -------   -------  ---------------  -------    ------------  ----     ---------
192.168.1.3      f8:a9:d0:54:34:6e            Guest_Pre_Auth  00:00:01                    tunnel 9  Wired                     Guest_AAA  tunnel        Android   ---------------------------->User is showing in Pre-auth role contained in the AAA profle

 

(Aruba) #show user

Users
-----
    IP            MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name   Roaming  Essid/Bssid/Phy  Profile    Forward mode  Type     Host Name
----------   ------------       ------    ----      ----------  ----  --------  -------   -------  ---------------  -------    ------------  ----     ---------
192.168.1.3  f8:a9:d0:54:34:6e  Admin     guest     00:00:07    Web             tunnel 9  Wired                     Guest_AAA  tunnel                    Android ------------------------------->User moved to Post-Auth role as expected after authenticating on the CP page