Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal in different VLAN/Network for Aruba Instant

  • 1.  Captive portal in different VLAN/Network for Aruba Instant

    Posted Sep 04, 2014 04:14 AM

    Hi,

    I have a setup of 6 IAP-105 managed by a virtual controller. This role is assumed by one of the IAPs through the master election procedure. My management traffic is going through VLAN 1. My IAP has an IP address in 192.168.50.0/24 and its gateway is 192.168.50.1.

     

    Beyond the IAP, I have a pair of routers in HSRP where only one is acting as DHCP server. They serve 2 pools: 192.168.50.0/24 (VLAN 1) and 172.16.0.0/24 (VLAN 2).

     

    I have setup 2 SSID:

     

    - SSID 1 for employees, mapped to VLAN 1 with WPA2 authentication. Clients get an IP assigned correctly and have working navigation.
    - SSID 2 for guests, mapped to VLAN 2 with Captive Portal. Here is my problem.

     

    If I activate WPA2 (or no auth) on SSID 2, I get an IP address and working navigation.
    If I activate Captive Portal (without WPA2) on SSID 2, I get an IP from DHCP but I never see the captive portal and of course I have no traffic from client to router (just DNS queries).

    In summary, my problem is that the IAP never shows the captive portal when the SSID is mapped to another VLAN. I have read about assigning an IP to the IAP in VLAN 2 but unfortunately I don't find this command in the Aruba Instant CLI.


    So, is there some workaround to activate Captive Portal in a VLAN/Network where the IAP has no address?

    Thanks!

     



  • 2.  RE: Captive portal in different VLAN/Network for Aruba Instant

    EMPLOYEE
    Posted Sep 04, 2014 07:41 AM

    Can users in VLAN 2 access the IAP's address (in VLAN1) using http/https? 



  • 3.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Sep 08, 2014 04:13 AM

    I haven't tested all scenarios but I'm sure users in VLAN 2 can't:

    - Access http on the IAP's real address.

    - Ping the VLAN 2 gateway.

    - Ping the VLAN 1 gateway.

     

    If I turn on wireshark, I only see DNS packets.

     

    Any suggestions?



  • 4.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Sep 18, 2014 05:19 AM

    I have been doing some lab testing. I think the problem is related to the DNS query. In my understanding, this is what happens:

     

    - The IAP allows the initial DNS query for a web page, for example google.com.

    - It intercepts the initial HTTP request and makes a redirect to securelogin.arubanetworks.com.

    - The IAP intercepts the second DNS query, for securelogin.arubanetworks.com, and responds with 172.31.98.1.

    - The IAP answers the HTTP request to 172.31.98.1 by showing the captive portal.

    Could someone confirm this sequence?

    Regards

     

     

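    The four-step hand-off described in the post above, turned into an offline triage helper. This is an added example, not code from the thread or from HPE Aruba; the event format and the constructed traces are assumptions, while the portal hostname and 172.31.98.1 come from the post.

```python
# Added example, not from the thread: offline triage of the four-step captive
# portal hand-off described above, run over constructed client-side events.
from dataclasses import dataclass
from typing import List, Tuple

CP_HOST = "securelogin.arubanetworks.com"   # portal hostname named in the thread
CP_IP = "172.31.98.1"                        # IAP portal address named in the thread


@dataclass
class Event:
    kind: str        # dns_query | dns_answer | http_get | http_redirect | http_ok
    name: str = ""   # queried hostname, or HTTP Host header
    value: str = ""  # resolved IP, or redirect Location


def diagnose(events: List[Event]) -> Tuple[int, str]:
    """Return (failed_stage, reason); stage 0 means the full sequence was seen."""
    def of(kind: str) -> List[Event]:
        return [e for e in events if e.kind == kind]
    # Stage 1: the IAP lets the client's first ordinary DNS lookup through pre-auth.
    if not [e for e in of("dns_answer") if e.name != CP_HOST]:
        return 1, "initial DNS lookup unanswered: resolver unreachable from this VLAN"
    # Stage 2: the first HTTP request is intercepted and redirected to CP_HOST.
    if not [e for e in of("http_redirect") if CP_HOST in e.value]:
        if not of("http_get"):
            return 2, "only DNS seen, no HTTP left the client: check gateway/VLAN path"
        return 2, "HTTP sent but not redirected: IAP is not intercepting this VLAN"
    # Stage 3: the IAP answers the lookup for CP_HOST with its own address.
    cp = [e for e in of("dns_answer") if e.name == CP_HOST]
    if not cp:
        return 3, f"{CP_HOST} never resolved: portal DNS interception missing"
    if cp[-1].value != CP_IP:
        return 3, f"{CP_HOST} resolved to {cp[-1].value}, expected {CP_IP}"
    # Stage 4: the portal page itself is served from CP_IP.
    if not any(e.name == CP_HOST for e in of("http_ok")):
        return 4, f"portal resolved but no page served from {CP_IP}"
    return 0, "full captive-portal sequence observed"


# Constructed traces: the original poster's symptom (DNS only) and a healthy client.
DNS_ONLY = [Event("dns_query", "google.com"), Event("dns_answer", "google.com", "192.0.2.10")]
HEALTHY = DNS_ONLY + [
    Event("http_get", "google.com"),
    Event("http_redirect", "google.com", f"http://{CP_HOST}/"),
    Event("dns_query", CP_HOST), Event("dns_answer", CP_HOST, CP_IP),
    Event("http_get", CP_HOST), Event("http_ok", CP_HOST, "200"),
]

if __name__ == "__main__":
    for label, trace in (("dns-only", DNS_ONLY), ("healthy", HEALTHY)):
        print(label, *diagnose(trace))
```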


  • 5.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Sep 27, 2014 08:52 AM

    Yes, that seems right, korxo.

     

    Do you still have this issue?



  • 6.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Aug 26, 2016 07:14 AM

    see next post



  • 7.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Aug 26, 2016 07:22 AM

    Hi,

    I'm having the same issue, trying to build up just 2 plain SSIDs on an IAP 115 where one SSID is the "standard" network assigned to an untagged VLAN, where my client properly gets a DHCP IP and can also access the internet. That untagged VLAN is just the AP management network.

    So far so good. I tried to add another SSID where I set "static" VLAN assignment, and on the physical port of the IAP there's a tagged VLAN serving DHCP and internet access as well.

    My wifi client gets a DHCP IP in the tagged VLAN and only produces DNS queries, but has no internet access.

    The firewall which serves this untagged/tagged VLAN on an interface is directly connected to the IAP. I wonder what else to configure on that plain factory-default IAP. I'm just testing this setup for a customer; I'm more the controller-campus-AP guy and wonder why this kind of setup is not working for me.

     

    wlan access-rule gast-100
     index 0
     rule any any match any any any permit
    
    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit
    
    wlan access-rule wired-instant
     index 2
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    
    wlan access-rule mgmt-10
     index 3
     rule any any match any any any permit
    
    wlan ssid-profile gast-100
     enable
     index 0
     type employee
     essid gast-100
     wpa-passphrase c5433dbc94f00815c693c0b32d3fc6b55ef69c813bd0df73
     opmode wpa2-psk-aes
     max-authentication-failures 0
     vlan 100
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
    
    wlan ssid-profile mgmt-10
     enable
     index 1
     type employee
     essid mgmt-10
     wpa-passphrase 505d05e04c46f9c69e332fddb07cb5506055226abf614873
     opmode wpa2-psk-aes
     max-authentication-failures 0
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    In my opinion I would say that my wired-port profile has to be set up properly, which I haven't changed so far. Could that be the culprit at all?

     

    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    
    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x
    
    
    enet0-port-profile default_wired_port_profile

    As I'm more the controller campus AP guy, I normally set up switch access ports or trunk ports on an Aruba campus controller, so I expect I have to set up something on the IAP ethernet port as well.

    I wonder, as my client accessing the gast SSID is properly getting a DHCP IP from the tagged VLAN and is able to send DNS queries, why the other traffic is not working. The firewall policy for the outbound traffic from the tagged VLAN 100 is set to any-allowed to external.

    Thanks for any hints,
    Ben



  • 8.  RE: Captive portal in different VLAN/Network for Aruba Instant

    EMPLOYEE
    Posted Aug 26, 2016 07:29 AM

    What is the default gateway of VLAN 100?



  • 9.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Aug 26, 2016 07:52 AM

    Hi C,

     

    The default gateway for the client is the trusted interface IP address of the firewall's VLAN 100 interface, set to trusted.

     

    As DNS requests are properly sent out from the client-assigned IP address, I wonder why no other traffic is passing outbound.

     

    Is there something to edit in the wired-AP profile settings on the IAP, as everything is set to default values? The IAP is factory default; I only set up the 2 SSIDs with the untagged VLAN 10 and tagged VLAN 100.

     

    Some interesting info I saw in my outbound firewall log:

     

    I'm able to send and receive WhatsApp messages from that client, which has real outgoing TCP/UDP any traffic to the external WWW.

     

    It's really strange what happens here, as there are no limiting ACLs on that VLAN 100 trusted network.

     

    2016-08-26 13:37:13 Allow 10.0.100.100 174.37.199.199 xmpp-client/tcp 61403 5222 100-guest-cp-VLAN100-tagged 0-External-TCOM-193er Allowed 64 63 (Outgoing-00)  proc_id="firewall" rc="100" 

    So overall, I'm able to access outbound WhatsApp port 5222 and DNS 53 is working too, wow ;-)

     

     

     



  • 10.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Aug 26, 2016 08:08 AM

    Making steps forward: using another DNS server for that VLAN 100 solved it. Clients are now properly accessing the internet from that tagged VLAN 100; it seems the usual Telekom DNS:

     

    T-Online, 194.25.2.129,

     

    isn't properly working in this setup. Changing to 8.8.8.8 on the client side works properly.

     

    Really strange, as both IPs are legit DNS servers.

     

     



  • 11.  RE: Captive portal in different VLAN/Network for Aruba Instant

    Posted Aug 26, 2016 08:36 AM

    Overall, to say:

     

    Changing from a publicly available DNS server from Telekom/T-Online 194.25.129.2 to Google DNS 8.8.8.8 inside the VLAN 100 tagged network solved the issue.

     

    Not sure what caused this and why this combination is not working.

     

    I assigned a CP to the Gast-100 afterwards and that works smoothly too; the redirect works.

     

    In my case I have set the access rule to "unrestricted".

     

    One last question:

     

    In the access rules there's network-based or role-based. If changing to role-based there's an option for a "pre-auth" role. As the unrestricted access rule points to the CP too, I wonder if I have to change to a pre-auth role when changing to a role-based access rule, e.g. if someone would like to restrict the guest access directly on the IAP already.

     

    From a controller perspective: sure, the usual pre-logon role is assigned before auth, and then the guest role after auth. Is it the same on the IAP?

     

    EDIT: it seems that without a pre-auth role in the role-based setup a redirect to the CP also works. So I expect that if no pre-auth role is assigned, it's just already the default gast-100 role with access to any destination, just dst-NAT'ed to the controller until authenticated. But when there's a need to pre-auth too with lesser ACLs like DNS/DHCP/ping only (like on campus controllers), then an additional pre-auth role is just put on top of the guest SSID.

     

    So far so good, I'm happy that it's working now.

     

    Thanks

    ben