Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP VPN, L3 DHCP-scope and central captive portal problem.

  • 1.  IAP VPN, L3 DHCP-scope and central captive portal problem.

    Posted Feb 16, 2015 11:23 AM

    Hi,
    We are having issues with the LOCAL L3 DHCP scope, using IAP-VPN to a central controller and reaching guest registration on a central ClearPass.

    Our guest SSID is using the LOCAL L3 DHCP scope. Our VPN routing table routes the ClearPass IP address over the VPN. The problem is the enforce captive portal, which doesn't source-NAT the IP when using DNS like guest.customer.se; when using the IP address it is getting sourced. See below the ACLs from the enforce captive portal role.

    So when we see the traffic in the controller with DNS, the source IP is the local L3 scope.

    When using the IP, the traffic is source-NATed with the inner IP of the IAP-VPN.

    I should also mention that this problem only occurs when using enforce captive portal. All other traffic is source-NATed with the inner IP of the IAP-VPN as it should be.

    Using IP:

    ACL Name {A-GUEST:LAB-PRELOGON} Number {109}
    1: any any 17 0-65535 8209-8211 P4
    2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
    3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4
    4: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 80-80 PS4
    5: any 10.10.10.26 255.255.255.255 6 0-65535 80-80 P4
    6: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 443-443 PS4 hits 3
    7: any 10.10.10.26 255.255.255.255 6 0-65535 443-443 P4

    Using DNS:

    ACL Name {A-GUEST:LAB-PRELOGON} Number {109}
    1: any any 17 0-65535 8209-8211 P4
    2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
    3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4
    4: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 80-80 Pd4
    5: any guest.aranya.se 6 0-65535 80-80 Pd4
    6: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 443-443 Pd4 hits 6
    7: any guest.aranya.se 6 0-65535 443-443 Pd4
    8: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 443-443 PS4
    9: any 10.10.10.26 255.255.255.255 6 0-65535 443-443 P4
    10: 192.168.10.0 255.255.255.0 8.8.8.8 255.255.255.255 17 0-65535 53-53 P4 hits 15



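As an added illustration (not part of the thread or of any Aruba tool): a small Python checker that parses datapath ACL listings like the two above and reports which rules sourced from the local L3 scope lack the source-NAT flag, which is the discrepancy the post describes between the IP and DNS forms. It assumes, as the post's wording implies, that an "S" in the flag column marks a rule that source-NATs, and it embeds a shortened, constructed copy of the "Using DNS" listing as sample input.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a shortened copy of the "Using DNS" listing from the first post.
ACL_DNS = """ACL Name {A-GUEST:LAB-PRELOGON} Number {109}
2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
4: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 80-80 Pd4
6: 192.168.10.0 255.255.255.0 guest.aranya.se 6 0-65535 443-443 Pd4 hits 6
8: 192.168.10.0 255.255.255.0 10.10.10.26 255.255.255.255 6 0-65535 443-443 PS4
"""

RULE_RE = re.compile(r"^(\d+):\s+(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
@dataclass
class Rule:
    number: int
    src: str    # "any" or CIDR
    dst: str    # "any", CIDR, or an FQDN for DNS-based rules
    dport: str
    flags: str  # e.g. "PS4"; assumption: "S" marks a rule that source-NATs
    hits: int = 0

def _take_addr(toks):
    # Consume "any", "ip mask" or a bare hostname from the front of toks.
    tok = toks.pop(0)
    if tok == "any":
        return "any"
    if IPV4_RE.match(tok):
        return str(ipaddress.ip_network(f"{tok}/{toks.pop(0)}", strict=False))
    return tok

def parse_acl(text):
    # Parse a datapath ACL listing into Rule objects; header lines are skipped.
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group(2).split()
        src, dst = _take_addr(toks), _take_addr(toks)
        dport, flags = toks[2], toks[3]
        hits = int(toks[5]) if toks[4:5] == ["hits"] else 0
        rules.append(Rule(int(m.group(1)), src, dst, dport, flags, hits))
    return rules

def unsourced_scope_rules(rules, scope):
    # Rule numbers whose source is the local L3 scope but whose flags lack "S".
    net = str(ipaddress.ip_network(scope))
    return [r.number for r in rules if r.src == net and "S" not in r.flags]
```

Run against the full "Using DNS" listing, the same check also flags rule 10 (the UDP 53 rule to 8.8.8.8), since it carries no "S" either.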
  • 2.  RE: IAP VPN, L3 DHCP-scope and central captive portal problem.

    EMPLOYEE
    Posted Feb 17, 2015 10:14 AM

    Do you have anything configured in the System --> Enterprise Domains screen?



  • 3.  RE: IAP VPN, L3 DHCP-scope and central captive portal problem.

    Posted Feb 18, 2015 10:01 AM

    Hi,

    When I added the domain to the enterprise list it works if I am using internal DNS.

    Normally you don't want your guests to hit the internal DNS. So then I can't resolve that record externally?

    Any more ideas?

    The problem is the non-source-NATting rule in the ACL for Enforce captive portal.



  • 4.  RE: IAP VPN, L3 DHCP-scope and central captive portal problem.

    Posted Feb 19, 2015 08:41 AM

    So we nearly have this exactly as we want now, by adding * to the enterprise domains. The Dist L3 can resolve internal domains. We switched to the local DHCP scope for guest and it's working if the ClearPass is on a private address. We have a customer which is the owner of a /16 public network and runs it internally.

    Enforce captive portal refuses to push this traffic over the tunnel when we are using DNS. We can ping the ClearPass IP and we can use enforce captive portal using the IP address but not the DNS.