Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Instant and double WAN connection

  • 1.  Aruba Instant and double WAN connection

    Posted Sep 03, 2015 06:26 AM

    Hello all,

    In our scenario, we have a branch office with an internet connection and an MPLS connection to the HQ where ClearPass is installed. Knowing that the internet connection is on VLAN 2 and MPLS connection is on VLAN1, we would like to deploy a guest SSID where when you connect, you're able to reach the CPPM server and make the authentication (even with Facebook) with a pre-auth role, and then the client will be hopped to the VLAN2 in order to be able to surf on internet.

    Knowing that for certain clients VLAN hopping is not working great, how would you manage this situation?

    We thought about clients natting on the AP or publishing the CPPM on internet.


    Thank you.

    Gabriel 



  • 2.  RE: Aruba Instant and double WAN connection



  • 3.  RE: Aruba Instant and double WAN connection
    Best Answer

    Posted Sep 03, 2015 11:49 AM

    @victorfabian wrote:
    This is why that setup is not working properly:
    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Can-I-return-a-different-user-Vlan-after-L3-Captive-portal-based/ta-p/245813

    Hi Victor, thank you for the info.

    Actually, we thought of using the NAT way, so create another VLAN and source NAT all the client AP address to the CPPM HQ portal and data port.

    Has anyone already implemented this scenario?


    Gabriel



  • 4.  RE: Aruba Instant and double WAN connection

    Posted Sep 03, 2015 11:59 AM
    The issue is that when you change the VLANX to VLANY and you are expecting the client to change IP address, the wireless client still thinks that it has the same IP address, but once it registers it is now on another VLAN.

    To fully change the IP address the device will need to be rebooted.

    If you can keep the client from changing IP address then you should be fine.


  • 5.  RE: Aruba Instant and double WAN connection
    Best Answer

    Posted Sep 11, 2015 03:41 AM

    We tested the NAT scenario and it's working great. So a client is able to reach the corporate HQ network via MPLS (on a certain VLAN) for the authentication stuff and then able to surf on internet via the WAN connection (on another VLAN).

    This obviously requires an IP routing between the virtual controller IP address and the subnet/hosts that you want to reach.


    Cheers,

    Gabriel