Contributor I

External Captive Portal - no IP address on user VLAN

Hey everyone,

 

Is it possible to have an external captive portal if the controller does not have an IP on the user VLAN?

 

I was recently testing on a system and the redirection did not work until I added an IP to the user VLAN, even though I had allow-tri-session nat enabled. Before this I was only using an IP address for the management VLAN (not 1) and the cluster VRRP address (currently version 8.5).

 

I had the external captive portal working on Instant, and Instant does not have multiple IP addresses.

 

Thanks in advance,

RK

MVP Guru

Re: External Captive Portal - no IP address on user VLAN

Captive portal redirection is a layer 3 function and requires an IP address on the interface.


Cheers
James

Contributor I

Re: External Captive Portal - no IP address on user VLAN

Thanks James!

Aruba Employee

Re: External Captive Portal - no IP address on user VLAN

RKinsp, Captive Portal authentication is an L3 authentication and the controller needs to communicate with the client over IP, e.g. to redirect the client to the external captive portal. But the IP does not need to be in the same VLAN as the client. It is recommended to have an IP in the client VLAN, because it makes everything easier. If you do not have an IP in the user VLAN, you need to make sure that the client can reach the controller IP from the client VLAN, e.g. using the main router or firewall. You also need to make sure that you enable Allow tri-session with DNAT in the firewall settings:

 

[Screenshot: IAP-VPN-Guest-Allow-Tri-Session]

 

Hope this helps. 

