Controllerless Networks

Frequent Contributor II

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Hi,

As far as I know, the VC IP should always be local.

If you src-NAT the traffic from the controller, then you only need to allow the inner IP as a RADIUS client. If you happen to use a per-AP tunnel from the IAP cluster, then you have to allow each one of them.

You may also add a route on the controller to the local subnet using the inner IP as the next hop, and use the VC IP and Dynamic RADIUS Proxy on the IAP side. This way your RADIUS server will see the RADIUS packets proxied from the VC IP.


Zsolt

Contributor II

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

 

 

Since each IAP in the cluster is aware of the VPN routes, I don't see why this would be a problem. The master will still be sending the traffic back to the RADIUS server via the tunnel to the controller. If you look at the output of the following commands on your IAPs that are not the master, you will be able to see the routes that are injected into the routing table, and they will pass RADIUS requests to the master as the next hop. From there the master should route the traffic over the tunnel, and your traffic from ClearPass will display the VPN tunnel (inside) address.

- show vpn config
- show datapath route
- show iap table


Justin Kwasnik | ACMX# 598 | ACCX# 638
All-Decade MVP 2020

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Hi all,
I'm trying to set up this type of infrastructure.
It seems to be working fine, but when I try to use a captive portal (exposed by a ClearPass server located in the datacenter) for authentication, it seems the HTTP request cannot be handled by the IAP, and the captive portal page isn't shown.

I think the issue may be due to the DNS configuration on the IAP.

I have tunneled all DNS traffic using the *.* wildcard, because I need to inspect all traffic in the datacenter, where there is an IPS.

Anyway, I need the captive portal authentication; any idea how to solve this issue?

Best regards
Andrea

Andrea
Contributor II

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Andrea,

The issue is not DNS needing to be tunneled back to HQ, as the captive portal only needs to do DNS interception in order to provide a proper redirect. As long as you're allowing some sort of DNS resolution to either the internet or HQ with proper NAT and FW policies, you won't have any issues resolving DNS.

To properly determine the issue you may be having with why you can't forward traffic to ClearPass, I would perform the following items when you have the captive portal role selected as the default profile.

1) Validate DNS lookups work (nslookup google.com)
2) Validate a route exists and is tunneled for ClearPass via the IAP; you should see the subnet that states tunneled to HQ, and the CPPM IP must also be listed in this subnet / these subnets (show datapath route)
3) Validate connectivity to ClearPass via 443 (telnet x.x.x.x 443)

If you are not permitted to access CPPM via the web portal, then you won't be able to forward traffic to CPPM correctly for the web portal / self-provisioning portal.

Another thing to also keep in mind is where DHCP is being performed and what type of connectivity you have to your network from the IAP. In the case I had configured, I have provided an example below for you.

 

IAP DHCP Mode: Local
IAP DHCP Subnet: 10.51.152.0/24
IAP IPSec Route: 10.51.0.0/16 next-hop controller-IP
Controller L2TP Pool: 172.51.51.0/24

 

The ClearPass server *must* have a route on the network to get back to "172.51.51.0/24", which resides on the controller. If you also look at the static routes via the controller, you should see the L2TP IP address assigned to that IAP when using VPN mode.

 

C    172.51.51.2/32 is an ipsec map 74.x.x.x-172.51.51.2

 

A default role via IAP has the following policies:
- Captive Portal "Enforce"
- Allow access via 443 to CPPM
- Allow access via ICMP to CPPM
- Allow access to all destinations

When you look at the datapath session via the IAP, you should not see traffic that is denied going to CPPM. I have provided an example, and you can see that a source NAT is being applied when looking at the flags via the IAP. If you see a "D" flag when looking at the datapath session, this means that traffic is denied, and you need to permit it via the FW policy on the IAP.

 

Client IP: 10.51.151.126
CPPM: 10.51.20.80
IAP L2TP: 172.51.51.2

Flags:
F - fast age
S - src NAT
N - dest NAT
D - deny
Y - no syn
C - client

00:0b:86:xx:xx:xx# show datapath session | include 10.51.20.80
10.51.151.126 10.51.20.80 6 50337 443 0 0 0 1 dev16 d7 FSC
10.51.20.80 172.51.51.2 6 443 50337 0 0 0 1 dev16 d7 FN

 

We can also go one step further and review the session table on the controller, and we will see a proper traffic flow existing there as well. In my example a source NAT took place on the IAP, so we will not see the client's IP actually residing on our network. Your example could be different in case you're using different L2/L3 profiles for DHCP.

 

(Aruba3200) #show datapath session | include 10.51.20.80

172.51.51.2 10.51.20.80 6 50337 443 0/0 0 0 1 tunnel 9 27 0 0 FC
10.51.20.80 172.51.51.2 6 443 50337 0/0 0 0 1 tunnel 9 27 0 0 F

Since we have validated that the traffic flows exist, your web redirect will have taken place as expected. If you are still having issues, it could also be due to the way the External Captive Portal config is set on the IAP. I have provided an example below that worked.

 

External CP Profile:
Type: Radius
IP: 10.51.20.80
URL: /guest/iap-vpn-web-portal.php
Port: 443
HTTPs: Enabled
Captive Portal Failure: n/a
Auto URL Whitelist: n/a

 

Hopefully this info helps you out with getting your captive portal working via the IAP VPN tunnel to the controller.

 

Justin 

Justin Kwasnik | ACMX# 598 | ACCX# 638
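The checklist in the post above (tunneled route covering CPPM, no D-flagged flows to CPPM in the IAP datapath session, source NAT on the IAP, the L2TP address as the source seen by the controller, and a return route on the ClearPass side), as an added Python example that is not part of the post and is not Aruba code. It parses the `show datapath session` rows quoted in the post, assuming the column order src, dst, proto, sport, dport, ..., flags; the extra denied row (port 8443, flags "FD"), the two ClearPass routing tables and the next hop 10.51.10.1 are constructed for the example.

```python
"""Offline checks for the IAP-VPN captive-portal checklist in the post above.
Added example, not code from the post or from Aruba; the column order of
`show datapath session` (src dst proto sport dport ... flags) is assumed from
the rows quoted in the post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the post's example.
CLIENT = "10.51.151.126"
CPPM = "10.51.20.80"
IAP_L2TP = "172.51.51.2"
TUNNELED_ROUTES = ["10.51.0.0/16"]  # IAP IPsec route, next hop controller
L2TP_POOL = "172.51.51.0/24"        # controller L2TP pool

# IAP output quoted in the post, plus one constructed row (port 8443, flags "FD")
# showing how a denied flow is picked out.
IAP_SESSIONS = """\
00:0b:86:xx:xx:xx# show datapath session | include 10.51.20.80
10.51.151.126 10.51.20.80 6 50337 443 0 0 0 1 dev16 d7 FSC
10.51.20.80 172.51.51.2 6 443 50337 0 0 0 1 dev16 d7 FN
10.51.151.126 10.51.20.80 6 50338 8443 0 0 0 1 dev16 d7 FD
"""
# Controller output quoted in the post.
CONTROLLER_SESSIONS = """\
(Aruba3200) #show datapath session | include 10.51.20.80
172.51.51.2 10.51.20.80 6 50337 443 0/0 0 0 1 tunnel 9 27 0 0 FC
10.51.20.80 172.51.51.2 6 443 50337 0/0 0 0 1 tunnel 9 27 0 0 F
"""
# Constructed ClearPass routing tables (prefix -> next hop), without and with the
# static route back to the L2TP pool; 10.51.10.1 is a made-up controller-facing hop.
CPPM_ROUTES_MISSING = {"10.51.20.0/24": "connected", "0.0.0.0/0": "10.51.20.1"}
CPPM_ROUTES_FIXED = {**CPPM_ROUTES_MISSING, L2TP_POOL: "10.51.10.1"}


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str  # e.g. "FSC"; "" when the row ends without flag letters


def parse_datapath_sessions(text: str) -> list[Session]:
    """Keep rows that start with two IPv4 addresses; skip prompt, legend and blanks."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        try:
            src, dst = map(ipaddress.IPv4Address, parts[:2])
        except ValueError:  # prompt, legend, blank or otherwise non-session line
            continue
        if len(parts) < 5:
            continue
        last = parts[-1]
        flags = last if last.isalpha() and last.isupper() else ""
        rows.append(Session(str(src), str(dst), int(parts[2]),
                            int(parts[3]), int(parts[4]), flags))
    return rows


def denied_flows_to(sessions: list[Session], host: str) -> list[Session]:
    """Flows to or from `host` with the D flag: dropped by the IAP firewall policy."""
    return [s for s in sessions if host in (s.src, s.dst) and "D" in s.flags]


def client_is_src_natted(sessions: list[Session], client: str, host: str) -> bool:
    """S flag on the client->host flow: the IAP rewrote the source address."""
    return any(s.src == client and s.dst == host and "S" in s.flags for s in sessions)


def covered_by_tunnel(host: str, prefixes: list[str]) -> list[str]:
    """Tunneled prefixes containing `host` (the 'show datapath route' check)."""
    ip = ipaddress.ip_address(host)
    return [p for p in prefixes if ip in ipaddress.ip_network(p)]


def specific_return_route(target: str, table: dict) -> Optional[str]:
    """Next hop of the longest non-default prefix covering `target`, else None.
    The default route is ignored on purpose: a gateway that does not know the
    L2TP pool would black-hole the reply to the IAP."""
    ip = ipaddress.ip_address(target)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen and ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def run_checks(iap_output: str, controller_output: str, cppm_routes: dict) -> dict:
    """Apply the post's checklist to captured output and a ClearPass routing table."""
    iap = parse_datapath_sessions(iap_output)
    ctrl = parse_datapath_sessions(controller_output)
    return {
        "cppm_in_tunneled_route": bool(covered_by_tunnel(CPPM, TUNNELED_ROUTES)),
        "iap_denied_flows": len(denied_flows_to(iap, CPPM)),
        "client_src_natted_on_iap": client_is_src_natted(iap, CLIENT, CPPM),
        "controller_sees_l2tp_src": any(s.src == IAP_L2TP and s.dst == CPPM for s in ctrl),
        "cppm_return_next_hop": specific_return_route(IAP_L2TP, cppm_routes),
    }
```

Running `run_checks(IAP_SESSIONS, CONTROLLER_SESSIONS, CPPM_ROUTES_MISSING)` reports the constructed denied flow and a missing return route (`None`); with `CPPM_ROUTES_FIXED` the return route resolves. The default route is deliberately not accepted as a return path, because the post's requirement is a route that actually reaches the controller's L2TP pool.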
All-Decade MVP 2020

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Hi,

Thanks, I found that ClearPass didn't have a route to the inner IP of the access point; now it works!

I have two other questions now.

1) I have connected a second AP to the same LAN; from the master controller I can see that the second AP is associated to the first, but it seems the clients connected to the second AP don't have Wi-Fi connectivity.
So I would like to understand how it works.
- Do I have to specify something?
- Will the configuration be replicated automatically?

2) I have configured an AirWave management server because I'll have to manage different remote locations where I'll place IAPs. If I understand correctly, I'll have a master AP for each location, correct?

Anyway, I need to choose which SSID will be propagated from which AP. Where can I do that?

Thanks in advance
Best regards
Andrea

Andrea
Contributor II

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Andrea,

Glad you were able to correct the config to get everything working. Was there a reason why you were trying to use a standalone IAP vs. converting the IAPs to RAPs and pointing them to the controller? I would recommend using a RAP, as it's much easier for management and provisioning. As far as the IAP clusters go, yes, a master IAP would be at every location, which creates more work to manage this. You can set up centralized provisioning in AirWave and push out templates.

Typically, if the IAPs are on the same L2 VLAN they will obtain the config automatically and join the IAP cluster, as long as you're allowing IAPs to be auto-joined. Also, they must be on the same firmware, or else they will "appear" to join the IAP cluster but not be in sync correctly. Typically the IAP with the longest uptime will be chosen as the master, unless you have a USB modem or different hardware classes. You can also set a specific IAP to be the preferred master; this way, if that IAP exists on the network, it will always be the preferred master.

If you're using a local DHCP server, the L2 VLAN you chose for the DHCP scope will need to be tagged on every interface on the data switch where you have an IAP connected; otherwise DHCP requests will not be passed to the master IAP, which is controlling the DHCP server.

In regards to your last question about specific SSIDs on specific IAPs, I wanted to make sure I had the correct understanding of what you're trying to accomplish. It sounds like you only want a guest SSID to be advertised in specific conference rooms vs. all APs in that L2 VLAN? If this is the case, the newer code on the IAPs supports zones. If you don't use zones, then any SSID you have created via the IAP cluster will broadcast on every IAP that resides on that L2 VLAN.

Justin

Justin Kwasnik | ACMX# 598 | ACCX# 638
All-Decade MVP 2020

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Hi,
the only reason to use IAPs and not RAPs is the license price.

I have connected the IAP to a switch port configured as a trunk, so the traffic can be tagged with different VLAN IDs.

And yes, I want the GUEST SSID to be visible only in the conference room; I'll try to understand zone utilization.

Thanks =)

Andrea

Andrea
Contributor II

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

Andrea,

Happy I could help, and agreed on licensing. Just PM me if you have any additional questions.

 

Justin

Justin Kwasnik | ACMX# 598 | ACCX# 638
All-Decade MVP 2020

Re: [Tutorial] RAPNG (IAP-VPN) deployment with AirWave central monitoring and management #mhc

After adding the tag for the traffic that has to be tunneled on the local switch, all works fine!

Thanks!!

Andrea