Requirement:
Configuration and verification of a manual GRE tunnel between an IAP and a controller, and presenting the captive portal (CP) page hosted on the controller to users connected to the IAP by making use of an L2 centralized scope.
Solution:
The solution involves the following:
IAP:
1. Configure manual GRE by navigating to More-->VPN in the Web GUI.
2. Configure the L2 centralized scope by navigating to More-->DHCP Servers in the Web GUI.
3. Configure an SSID to use the L2 centralized VLAN.
Controller:
1. Configure the L2 GRE tunnel between the controller and the IAP.
2. The L2 centralized VLAN configured on the IAP is tunneled through the GRE tunnel. The tunnel will be untrusted.
3. Create a captive portal profile that holds the page which should be presented to the clients.
4. Configure an AAA profile whose initial role is mapped to the captive portal page hosted on the controller. This AAA profile will be mapped to the L2 centralized VLAN.
Configuration:
IAP:
1. Configure the manual GRE tunnel.
Web GUI-->More-->VPN
2. Configure the L2 centralized VLAN.
Web GUI-->More-->DHCP Servers
3. Configure the SSID to use the L2 centralized VLAN.
Controller:
1. Configure the L2 GRE tunnel.
interface tunnel 107
description "Tunnel Interface"
tunnel mode gre 1
tunnel source 10.17.169.163
tunnel destination 10.17.171.190
no inter-tunnel-flooding
tunnel vlan 107
!
2. Create the required captive portal profile.
I am using the default parameters.
aaa authentication captive-portal "Guest_CP"
3. Map the profile to a user-role.
!
user-role Guest_Pre_Auth
captive-portal "Guest_CP"
access-list session global-sacl
access-list session apprf-Guest_Pre_Auth-sacl
access-list session logon-control
access-list session captiveportal
!
4. Create an AAA profile and map the role created above to the profile.
!
aaa profile "Guest_AAA"
initial-role "Guest_Pre_Auth"
!
5. Map the AAA profile to the client VLAN.
Aruba# vlan 107 wired aaa-profile "Guest_AAA"
Verification:
IAP:
1. Run the following command to verify the status of the GRE tunnel.
IAP# show datapath bridge
ac:a3:1e:c5:9a:6e# show datapath bridge
Datapath Bridge Devices
-----------------------------
Flags: F - source-filter, T - trusted, Q - tagged, I - IP
S - split-tunnel, B - bridge, M - mesh, P - PPPoE
C - content-filter, O - corp-access, h - to HAP, f - to FAP
h - dhcp-redirect b - blocked by STP
Dev Name VLANs PVID ACLs FramesRx FramesTx Flags
--- ------------------------ ----- ---- ---------- - -------- -------- --------
2 bond0 3 1 0/0 106 11494 5731 FTQB
7 gre0 2 0 0/0 0 0 0 FTQB ----------> The FramesRx/FramesTx counters of gre0 should increase once a client is connected and its traffic is passed inside the GRE tunnel
IAP# show datapath bridge
ac:a3:1e:c5:9a:6e# show datapath bridge
Datapath Bridge Devices
-----------------------------
Flags: F - source-filter, T - trusted, Q - tagged, I - IP
S - split-tunnel, B - bridge, M - mesh, P - PPPoE
C - content-filter, O - corp-access, h - to HAP, f - to FAP
h - dhcp-redirect b - blocked by STP
Dev Name VLANs PVID ACLs FramesRx FramesTx Flags
--- ------------------------ ----- ---- ---------- - -------- -------- --------
2 bond0 3 1 0/0 106 11494 5731 FTQB
7 gre0 2 0 0/0 0 12 148 FTQB
2. User-table:
ac:a3:1e:c5:9a:6e# show clients
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------ ------------
android-ef2d2321cdaa31b 192.168.1.3 f8:a9:d0:54:34:6e Android L2-Cen ac:a3:1e:c5:9a:6e 6 GN L2-Cen 95(good)
Controller:
1. GRE tunnel
(Aruba) #show interface tunnel 107
Tunnel 107 is up line protocol is up
Description: Tunnel Interface
Source 10.17.169.163
Destination 10.17.171.190
Tunnel mtu is set to 1100
Tunnel is a Layer2 GRE TUNNEL
Tunnel is Untrusted
Inter Tunnel Flooding is disabled
Tunnel keepalive is disabled
Keepalive type is Default
tunnel vlan 107
2. GRE tunnel status
(Aruba) #show datapath tunnel table
Datapath Tunnel Table Entries
-----------------------------
Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK
W - WEP, K - TKIP, A - AESCCM, G - AESGCM, M - no mcast src filtering
S - Single encrypt, U - Untagged, X - Tunneled node, 1(cert-id) - 802.1X Term-PEAP
2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Unknown Mcast,
D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only
C - Prohibit new calls, P - Permanent, m - Convert multicast
n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
V - enforce user vlan(open clients only)
H - Standby (HA-Lite)
# Source Destination Prt Type MTU VLAN Acls BSSID Decaps Encaps Heartbeats Flags EncapKBytes DecapKBytes
------ -------------- -------------- --- ---- ---- ---- ------------------- ----------------- ---------- ---------- ---------- ----- ------------- -----------
10 SPI0689A400out 10.17.169.164 50 IPSE 1500 0 routeDest 006B 0 0 0 0
11 SPIF3D8C400 in 10.17.169.163 50 IPSE 1500 0 routeDest 0000 269 0 0 0
9 10.17.169.163 10.17.171.190 47 1 1100 0 0 0 0 0 00:00:00:00:00:00 588 107 0 LEFPR -----------------------> The Decaps/Encaps values should increase if traffic is traversing the GRE tunnel
3. User-table
The "tunnel 9" in the output below corresponds to the tunnel ID listed in the datapath tunnel table. Moreover, the MAC address f8:a9:d0:54:34:6e in the user-table belongs to the same client that is listed in the client list of the IAP.
(Aruba) #show user-table
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
192.168.1.3 f8:a9:d0:54:34:6e Guest_Pre_Auth 00:00:01 tunnel 9 Wired Guest_AAA tunnel Android ----------------------------> The user is in the pre-auth role taken from the AAA profile
(Aruba) #show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
192.168.1.3 f8:a9:d0:54:34:6e Admin guest 00:00:07 Web tunnel 9 Wired Guest_AAA tunnel Android -------------------------------> The user moved to the post-auth role as expected after authenticating on the CP page
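The three checks above (gre0 frame counters on the IAP, Decaps/Encaps on the controller's GRE tunnel, and the client's move from the pre-auth role to the post-auth role on the same tunnel ID) can be automated against the text of the show commands. The following script is an added example, not part of this article or of ArubaOS; the sample outputs are copied from the verification section, and the column handling (counters being the last two numbers before the Flags column, Decaps/Encaps following the BSSID field, the role being the field just before the Age value) is an assumption derived from those samples rather than a documented output format.

```python
"""Check the manual GRE / L2 centralized captive-portal setup from CLI text.

Added example: parses the 'show' outputs used in the Verification section.
Column positions are assumed from the sample outputs, not from a documented
format, so re-check them against your own release before relying on this.
"""
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
AGE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")          # Age(d:h:m) column

# Samples copied from the article (IAP before/after client traffic).
IAP_BRIDGE_BEFORE = """\
Dev Name VLANs PVID ACLs FramesRx FramesTx Flags
--- ------------------------ ----- ---- ---------- - -------- -------- --------
2 bond0 3 1 0/0 106 11494 5731 FTQB
7 gre0 2 0 0/0 0 0 0 FTQB
"""
IAP_BRIDGE_AFTER = IAP_BRIDGE_BEFORE.replace("0/0 0 0 0 FTQB", "0/0 0 12 148 FTQB")

CONTROLLER_TUNNEL_TABLE = """\
10 SPI0689A400out 10.17.169.164 50 IPSE 1500 0 routeDest 006B 0 0 0 0
11 SPIF3D8C400 in 10.17.169.163 50 IPSE 1500 0 routeDest 0000 269 0 0 0
9 10.17.169.163 10.17.171.190 47 1 1100 0 0 0 0 0 00:00:00:00:00:00 588 107 0 LEFPR
"""
USER_TABLE_PRE_AUTH = """\
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
192.168.1.3 f8:a9:d0:54:34:6e Guest_Pre_Auth 00:00:01 tunnel 9 Wired Guest_AAA tunnel Android
"""
USER_TABLE_POST_AUTH = """\
192.168.1.3 f8:a9:d0:54:34:6e Admin guest 00:00:07 Web tunnel 9 Wired Guest_AAA tunnel Android
"""


def parse_bridge_frames(output, dev_name="gre0"):
    """(FramesRx, FramesTx) of one device in 'show datapath bridge' output."""
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[0].isdigit() and tokens[1] == dev_name:
            return int(tokens[-3]), int(tokens[-2])   # counters precede Flags
    raise ValueError(f"device {dev_name} not found in bridge table")


def parse_gre_tunnel_counters(output):
    """tunnel ID -> (Decaps, Encaps) for GRE rows (Prt == 47) of the tunnel table."""
    tunnels = {}
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not tokens[0].isdigit() or tokens[3] != "47":
            continue   # IPsec SAs and header lines are not GRE tunnels
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        if mac_idx is None or mac_idx + 2 >= len(tokens):
            continue
        tunnels[int(tokens[0])] = (int(tokens[mac_idx + 1]), int(tokens[mac_idx + 2]))
    return tunnels


def parse_user_rows(output):
    """[(ip, mac, role, tunnel_id)] from 'show user-table'; Name may be blank."""
    users = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not MAC_RE.match(tokens[1]):
            continue
        age_idx = next((i for i, t in enumerate(tokens) if AGE_RE.match(t)), None)
        if age_idx is None or age_idx < 2:
            continue
        link = re.search(r"\btunnel (\d+)\b", line)       # "VPN link" column
        users.append((tokens[0], tokens[1].lower(), tokens[age_idx - 1],
                      int(link.group(1)) if link else None))
    return users


def counters_increased(before, after):
    """True when at least one counter of the (rx, tx) pair grew between samples."""
    return after[0] > before[0] or after[1] > before[1]


def verify(iap_before, iap_after, tunnel_table, users_pre, users_post):
    """Apply the article's checks and return the findings per client MAC."""
    gre = parse_gre_tunnel_counters(tunnel_table)
    post_by_mac = {u[1]: u for u in parse_user_rows(users_post)}
    clients = {}
    for _ip, mac, role, tid in parse_user_rows(users_pre):
        after = post_by_mac.get(mac)
        clients[mac] = {
            "pre_role": role,
            "post_role": after[2] if after else None,
            "tunnel": tid,
            "tunnel_in_datapath": tid in gre,
            "decaps_nonzero": tid in gre and gre[tid][0] > 0,
        }
    rx_tx_after = parse_bridge_frames(iap_after)
    return {
        "iap_gre0_traffic": counters_increased(parse_bridge_frames(iap_before), rx_tx_after),
        "iap_gre0_frames": rx_tx_after,
        "clients": clients,
    }


if __name__ == "__main__":
    print(verify(IAP_BRIDGE_BEFORE, IAP_BRIDGE_AFTER, CONTROLLER_TUNNEL_TABLE,
                 USER_TABLE_PRE_AUTH, USER_TABLE_POST_AUTH))
```

Run it with two captures of `show datapath bridge` taken before and after the client sends traffic, one capture of `show datapath tunnel table`, and the user-table output from before and after the captive-portal login; a client whose `post_role` is still the pre-auth role, or whose `tunnel` ID is absent from the datapath tunnel table, points at the AAA/role mapping or the tunnel VLAN mapping respectively.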