Contributor II

Why should I set up vlan interface IP ?

Hi Guys,

I set up a Captive portal profile today, but the portal couldn't pop up.

After I've checked everything, I found I didn't set up a vlan interface for the user's VLAN.

But I have a MAS as my default route, why should I need a vlan interface IP?

Please someone tell me why.

Thanks.

Guru Elite

Re: Why should I set up vlan interface IP ?

An IP is required for dst-nat which is used to redirect the user.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Why should I set up vlan interface IP ?

Thanks,

And why can't the user use the controller IP to do the dst-nat?

Guru Elite

Re: Why should I set up vlan interface IP ?

Because the controller IP is not in their datapath.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Why should I set up vlan interface IP ?

Thanks,

Could you tell a little bit more about it?

From the Policy, we can see this:

358: user any  6  0-65535  80-80   d1f90,0000 f80021:permit dnat

Anyone from the user table who tries to reach any IP on TCP port 80 hits this policy.

From the WebUI, it shows dst-nat 8081.

Does this dst-nat 8081 mean the vlan interface IP only?


Guru Elite

Re: Why should I set up vlan interface IP ?

I'm not sure what you're asking. Traffic destined for ports 80 and 443 is dnat'ed to the controller's IP on the user's subnet and ports 8081 or 8082.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: Why should I set up vlan interface IP ?

This kinda helps me understand why a controller-hosted captive portal config needs an IP on the client VLAN; however, would the same be true if we were redirecting to an external ClearPass appliance?

Couldn't I simply have an ACL rule that allows http & https traffic to the ClearPass IP?

Thanks,

--Raf
Guru Elite

Re: Why should I set up vlan interface IP ?

Yes, you need an IP address when doing any kind of redirect.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
