Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest with centralized switching

  • 1.  Guest with centralized switching

    Posted Apr 07, 2016 09:52 PM

    Hi

    I am looking at setting up the guest network for the following scenario:

    I have the Airwave server that looks after a few sites that have the IAPs.

    I have a ClearPass server.

    I would like to set up the guest network to use the centralised subnet back in the datacenter. Then I can lock down internal access and direct traffic to our proxy for filtering.

    Q1: Just to confirm, does the Airwave need to be in the datacenter where I want the subnet for guests to be?

    Q2: Does the Airwave need to be on the same subnet?

    Q3: For the VLAN setup of the SSID, do I use "Virtual Controller assigned" with the default client VLAN assignment? Then under DHCP, use a centralised DHCP scope, Centralised, L2?

     

    thanks


    David



  • 2.  RE: Guest with centralized switching

    Posted Apr 08, 2016 06:39 AM

    Airwave just needs to be able to communicate with the IAP for monitoring/management functionality.

    If your clients are presented on a tunneled subnet within the data centre, they will need access from this subnet to Clearpass to access the captive portal page (presuming this is what you are using for your Guest pages). So Clearpass needs to be accessible from the user subnet. Airwave does not.

     

    Your DHCP options sounds correct.



  • 3.  RE: Guest with centralized switching

    Posted Apr 11, 2016 02:28 AM

    Hi David

     

    Thanks for the reply. I'm presented with two options for the DHCP server, distributed or centralised scopes. I take it it's Distributed, L2 (snippet from the documentation: "Distributed, L2: On selecting Distributed, L2, the Virtual Controller acts as the DHCP server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.")

    The one thing I'm confused about is how the traffic builds its tunnel back to the subnet you specify.

     

    As an example, the Airwave is on VLAN 1, 192.168.1.1; I want the clients at a site on 192.168.200.1 to use another VLAN that's in the same site as the Airwave, VLAN 2, 192.168.2.1. I've done this before with Cisco controllers, which use a CAPWAP tunnel and clients drop back onto a VLAN.

     

    Hope this makes sense; I just don't find any case examples or processes. I will be testing it tomorrow anyhow.



  • 4.  RE: Guest with centralized switching

    EMPLOYEE
    Posted Apr 11, 2016 03:19 AM

    DavidWatson,

     

    Do you have ClearPass or an external captive portal server (Airwave cannot serve as an external captive portal server)?  The DHCP options you mention are only available when the IAP makes a VPN connection back to a controller.  If you do not have a controller, your guest option is your clients need to be able to route to an external guest server like ClearPass or a Web Server with your guest HTML page.



  • 5.  RE: Guest with centralized switching

    Posted Apr 11, 2016 03:35 AM
    Hi
    Airwave is managing the IAPs and we have ClearPass internally that will have a portal with an access code.
    I would like all guests for all sites to use this one subnet as I can direct it to a web filter.


  • 6.  RE: Guest with centralized switching

    EMPLOYEE
    Posted Apr 11, 2016 03:47 AM

    Your guests need to be able to route to the ClearPass Captive Portal so that they can retrieve the page. You can either (1) create an SSID that bridges the users to a subnet that provides them an IP address that is fully routable, or (2) create an SSID on the IAP that uses a Virtual Controller-assigned VLAN.

    In scenario 1, the DHCP address for the client must be provided by an external DHCP server, and you typically would trunk the user to a VLAN where they would get an IP address.

    In scenario 2, you would configure a Captive Portal SSID that is Virtual Controller assigned; the Virtual Controller would provide DHCP for your guest clients and NAT the traffic out of the Virtual Controller. The IP address of the Virtual Controller would need to be routable to the IP address of the ClearPass server for the users that are NATed to be able to bring up the web page.

    Please see the post here:  http://community.arubanetworks.com/t5/Aruba-Solution-Exchange/IAP-ClearPass-Guest-Captive-Portal/ta-p/202675
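    The reply above sets the one hard requirement for either scenario: guests must be able to route to the ClearPass captive portal, while the original poster wants everything else internal locked down and web traffic sent to a proxy. Before such a rule set is pushed to the firewall at the central guest subnet, it is worth checking the rule ordering against a few representative flows. The block below is an added example, not code from this thread or from HPE Aruba: a small first-match policy evaluator in JavaScript. The guest VLAN, ClearPass, DNS and proxy addresses, the proxy port 3128, and the rule layout are all constructed assumptions.

```javascript
// Added example, not from the thread or from HPE Aruba. Models the "guests land in
// one central subnet, lock it down at one point" design as an ordered, first-match
// rule list and evaluates candidate flows against it. All addresses are constructed.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// True when dotted-quad `ip` falls inside `cidr` ("a.b.c.d/n" or a bare host address).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Constructed placeholder addresses for the datacenter.
const GUEST_SUBNET = '192.168.2.0/24'; // central guest VLAN the sites' guests land in
const CLEARPASS    = '192.168.1.50';   // captive portal / AAA
const DNS_SERVER   = '192.168.1.10';
const GUEST_PROXY  = '192.168.1.60';   // filtering proxy that needs no authentication
const RFC1918      = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
const ANY          = '0.0.0.0/0';

// Build the guest rule set. With forceProxy the only way to the Internet is the
// proxy, so the web filter cannot be bypassed; without it, direct web is allowed.
function buildGuestRules({ forceProxy = true } = {}) {
  const rules = [
    { dst: CLEARPASS,   proto: 'tcp', ports: [80, 443], action: 'allow', why: 'captive portal' },
    { dst: DNS_SERVER,  proto: 'udp', ports: [53],      action: 'allow', why: 'dns' },
    { dst: GUEST_PROXY, proto: 'tcp', ports: [3128],    action: 'allow', why: 'web proxy' },
    { dst: RFC1918,     proto: 'any', ports: 'any',     action: 'deny',  why: 'no internal access' },
  ];
  if (!forceProxy) {
    rules.push({ dst: ANY, proto: 'tcp', ports: [80, 443], action: 'allow', why: 'direct internet web' });
  }
  rules.push({ dst: ANY, proto: 'any', ports: 'any', action: 'deny', why: 'default deny' });
  return rules;
}

function dstMatches(dst, ruleDst) {
  const targets = Array.isArray(ruleDst) ? ruleDst : [ruleDst];
  return targets.some((cidr) => inCidr(dst, cidr));
}

// Evaluate one flow { src, dst, proto, port } from the guest subnet; first match wins.
function evaluate(rules, flow) {
  if (!inCidr(flow.src, GUEST_SUBNET)) return { action: 'deny', why: 'source is not a guest' };
  for (const r of rules) {
    if (!dstMatches(flow.dst, r.dst)) continue;
    if (r.proto !== 'any' && r.proto !== flow.proto) continue;
    if (r.ports !== 'any' && !r.ports.includes(flow.port)) continue;
    return { action: r.action, why: r.why };
  }
  return { action: 'deny', why: 'implicit deny' };
}

// Walk a handful of representative flows so a misordered rule shows up before deployment.
function reviewGuestPolicy(rules) {
  const probes = [
    { src: '192.168.2.20', dst: CLEARPASS,     proto: 'tcp', port: 443 }, // portal must work
    { src: '192.168.2.20', dst: CLEARPASS,     proto: 'tcp', port: 22 },  // but not SSH to it
    { src: '192.168.2.20', dst: '10.1.1.1',    proto: 'tcp', port: 445 }, // internal file share
    { src: '192.168.2.20', dst: GUEST_PROXY,   proto: 'tcp', port: 3128 },
    { src: '192.168.2.20', dst: '203.0.113.9', proto: 'tcp', port: 443 }, // direct Internet
  ];
  return probes.map((p) => ({ ...p, ...evaluate(rules, p) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of reviewGuestPolicy(buildGuestRules())) {
    console.log(`${r.dst}:${r.port}/${r.proto} -> ${r.action} (${r.why})`);
  }
}
```

    The point of the ordering is that the specific allows (portal, DNS, proxy) sit above the RFC1918 deny, so guests reach ClearPass on 80/443 but nothing else on the internal ranges, and with the proxy forced the only route to the Internet is through the filter.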



  • 7.  RE: Guest with centralized switching

    Posted Apr 13, 2016 02:14 AM

    Thanks, I have actually followed the video, which has helped with the guest portal configuration. In the video he mentions the other Guest services access templates under the Services menu. I only have the one guest one, so I don't know if that will cause an issue (for example, "guest access - web login pre-auth" is missing).

     

    Each site has the one IAP master set up as a Virtual Controller, where all IAPs and controllers are managed by Airwave. Is this where I'm getting confused? Should I only have the VC set up in the datacenter and have all IAPs connecting back to this?

    thanks



  • 8.  RE: Guest with centralized switching

    Posted Apr 14, 2016 02:08 AM

    After further reading, I see the VC is just the dummy IP for the AP master that I can use at the site. The Airwave system is just a central controller for monitoring and pushing config (like a Cisco WLC).

     

    Can the Airwave act like a controller, where you set up the VPN option back to the controller and all the VCs terminate all the guests back into one subnet in the datacenter?

    Basically, for the guests, I want to direct all their web filtering to a proxy automatically, as everyone on the network uses a WPAD with authentication, but I don't want this for guests.

     

    thanks
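    The proxy requirement in the post above (staff already use an authenticating proxy via WPAD; guests should be steered to a filter without authentication) is usually solved with a separate PAC file handed only to the guest subnet. The block below is an added example, not a configuration from this thread or from HPE Aruba: a guest PAC file in JavaScript, with stand-ins for the helper functions a browser normally injects so the file can be exercised under Node. The proxy and ClearPass addresses, the port 3128 and the hostname clearpass.example.com are constructed, and how the PAC URL reaches guest clients (a DHCP option on the guest scope, or a guest-scoped wpad host) is an assumption outside the thread.

```javascript
// Added example, not from the thread or from HPE Aruba. A PAC file for the guest
// subnet only: every web request goes to a filtering proxy that needs no
// authentication, except the ClearPass captive portal, which must stay DIRECT
// because the portal matches the client session on its own source address (a
// proxied request would arrive from the proxy's IP instead). Addresses are constructed.

const GUEST_PROXY    = 'PROXY 192.168.1.60:3128';  // constructed: unauthenticated filtering proxy
const CLEARPASS_FQDN = 'clearpass.example.com';    // constructed
const CLEARPASS_IP   = '192.168.1.50';             // constructed

// Browsers inject isInNet() (and friends) into a PAC file. A minimal stand-in is
// defined here so the file also runs and can be tested under Node; it only handles
// dotted quads, whereas a browser's version can also resolve hostnames.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // stand-in: no DNS lookups
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Captive portal by name or by address: direct, so redirect and session
  // matching on ClearPass keep working.
  if (h === CLEARPASS_FQDN || isInNet(h, CLEARPASS_IP, '255.255.255.255')) {
    return 'DIRECT';
  }
  // Everything else goes to the guest proxy. Deliberately no "; DIRECT" fallback:
  // a proxy outage then fails closed instead of silently becoming unfiltered access.
  return GUEST_PROXY;
}
```

    Note that the PAC only steers browsers; internal destinations such as 10.x addresses still resolve to the proxy here, and it is the firewall rules on the guest subnet (and the proxy's own destination policy) that actually stop guests reaching internal hosts, not the PAC file.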



  • 9.  RE: Guest with centralized switching

    Posted Apr 18, 2016 11:26 PM

    I take it that you need a mobility controller in the datacenter if you want to tunnel all the traffic back to a central location (centralised switching)?

    Airwave and ClearPass are in the DC and all VC IAPs are at the sites.

    I don't want to have to set up new VLANs at each site and lock them down (this is after the guest authenticates). I just want them basically to pop out in a DMZ that we can limit at one point.

    thanks

    David



  • 10.  RE: Guest with centralized switching

    Posted Apr 22, 2016 10:49 AM

    You need a central controller to tunnel the traffic from the IAPs to the datacentre. The only other way to do this would be with a VPN of some sort from switch/routers.



  • 11.  RE: Guest with centralized switching

    Posted May 03, 2016 12:10 AM

    OK, cool, thanks. So I could possibly look at an IPsec tunnel to the inside interface of the Cisco ASA firewall?

     

    David