Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AOS 8.3 + Remote AP in Split Tunnel mode + Internal Captive Portal

  • 1.  AOS 8.3 + Remote AP in Split Tunnel mode + Internal Captive Portal

    Posted Jan 19, 2019 10:14 PM

    Hi community. I am facing the configuration from the subject. I cannot figure out how to make it work. I already tested RAP in Tunnel mode with CP and it works fine. Bridge mode with PSK works fine. I followed and read many posts and guides. The pre-authenticated role has the logon-control and captiveportal profiles (the ones that are already configured in the controller). Then the post-authenticated role (configured in the Captive Portal L3 profile) has 4 policies:

    1   any     any                svc-dhcp     permit
    2   user    corp-dns-servers   svc-dns      permit
    3   user    controller         svc-https    dst-nat 8081
    4   user    any                any          route src-nat

    When the user connects, the pre-authenticated role is assigned. The user gets its IP address and DNS works OK. But nothing happens; I never reach the CP page. I can ping the controller IP address.

    I hope someone can guide me on how to figure this out.

    Regards!



  • 2.  RE: AOS 8.3 + Remote AP in Split Tunnel mode + Internal Captive Portal

    EMPLOYEE
    Posted Jan 20, 2019 07:17 AM

    If you can ping the controller, something is wrong with your design, because the only thing that would allow ping is line 4 in your ACL, which should not be possible:

    1   any     any                svc-dhcp     permit
    2   user    corp-dns-servers   svc-dns      permit
    3   user    controller         svc-https    dst-nat 8081
    4   user    any                any          route src-nat

    Is this



  • 3.  RE: AOS 8.3 + Remote AP in Split Tunnel mode + Internal Captive Portal

    Posted Jan 20, 2019 09:22 AM

    Hi! I can ping during pre-auth. I never reach the post-auth role because I cannot reach the CP for authentication. During pre-auth, logon-control has an ICMP policy, so it seems correct.

    I double-checked the design. I checked the datapath sessions and found out the following:

    1) There are sessions from the controller to the user, but not from the user (172.32.0.1) to the controller (172.16.0.254). Is that OK? Somehow the user reaches 8081 using the policy; there is no other way.

    172.16.0.254    172.32.0.1      6    8081  19838 0        0    0   0   dev16      
    172.16.0.254    172.32.0.1      6    8081  19837 0        0    0   0   dev16  

    2) There are DNS sessions. This seems OK.

    172.32.0.1      8.8.8.8         17   56763 53

    3) Another strange thing: there are sessions from the user to a public IP on ports 80 and 443. This, I believe, is not OK.

    172.32.0.1      216.58.222.42   6    19850 443   0        0    0   1   dev16      
    172.32.0.1      216.58.222.42   6    19849 443   0        0    0   1   dev16

    I attached the pre-auth role that is assigned to the user.

    On the user side the following is happening:

    1) I connect to the SSID and get an IP. I can ping public addresses and resolve names too. The browser does not open. Windows shows that there is Internet, but when you try to browse you can't.

    2) I put http://public_fqdn in a browser and it redirects in the following way: http://<public IP of the FQDN>/?cmd=loging&mac= .... (the normal redirect)

    However, after some seconds the following redirect appears:

    http://<public IP of the FQDN>/?cmd=redirect&arubaIp=12345

    The browser alternates between these two URLs. I cannot recognise the second one and cannot explain it.

    Any advice? I will do a deep analysis. I already captured traffic with Wireshark. I will check it again.

    Attachment: pre-auth-role.txt
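A way to check the reasoning in replies 2 and 3 is to evaluate the posted role ACL against the posted datapath session rows. The following Python script is an added example, not code from the thread or from HPE Aruba: it models the four post-auth policies from reply 1 with simplified Aruba role semantics (top-down, first match wins, implicit deny), parses the session rows quoted in reply 3, and reports which rule each client flow hits. The value behind the corp-dns-servers alias is an assumption (the thread never gives it), the ICMP row is constructed to stand in for the ping the poster mentions, and a return-direction row (destination is the client) is reversed and un-NATed via the rule's dst-nat port before matching.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Session rows quoted in reply 3 (src, dst, proto, sport, dport, ...);
# the final ICMP row is constructed to model the poster's ping to the controller.
SAMPLE_SESSIONS = """\
172.16.0.254    172.32.0.1      6    8081  19838 0        0    0   0   dev16
172.16.0.254    172.32.0.1      6    8081  19837 0        0    0   0   dev16
172.32.0.1      8.8.8.8         17   56763 53
172.32.0.1      216.58.222.42   6    19850 443   0        0    0   1   dev16
172.32.0.1      172.16.0.254    1    0     0     0        0    0   1   dev16
"""

USER_IP = ipaddress.ip_address("172.32.0.1")          # RAP client, from the thread
CONTROLLER_IP = ipaddress.ip_address("172.16.0.254")  # controller, from the thread

# Address aliases. "user" is resolved to the client's own address at match time.
# corp-dns-servers is an ASSUMED value; the thread does not state it.
ALIASES: Dict[str, List[ipaddress.IPv4Network]] = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "controller": [ipaddress.ip_network("172.16.0.254/32")],
    "corp-dns-servers": [ipaddress.ip_network("10.1.1.53/32")],  # assumption
}

# Service aliases as (IP protocol, destination port); None is a wildcard.
SERVICES = {
    "any": (None, None),
    "svc-dhcp": (17, 67),
    "svc-dns": (17, 53),
    "svc-https": (6, 443),
}


@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    svc: str
    action: str


# The four post-auth policies exactly as posted in reply 1.
POST_AUTH_ACL = [
    Rule(1, "any", "any", "svc-dhcp", "permit"),
    Rule(2, "user", "corp-dns-servers", "svc-dns", "permit"),
    Rule(3, "user", "controller", "svc-https", "dst-nat 8081"),
    Rule(4, "user", "any", "any", "route src-nat"),
]


@dataclass(frozen=True)
class Session:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int


def parse_datapath_sessions(text: str) -> List[Session]:
    """Parse the first five columns of datapath session rows; skip non-session lines."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        try:
            sessions.append(Session(ipaddress.ip_address(cols[0]), ipaddress.ip_address(cols[1]),
                                    int(cols[2]), int(cols[3]), int(cols[4])))
        except ValueError:
            continue  # header or otherwise non-session text
    return sessions


def _addr_matches(alias: str, addr, user_ip) -> bool:
    if alias == "user":
        return addr == user_ip
    return any(addr in net for net in ALIASES[alias])


def first_match(s: Session, acl: List[Rule], user_ip) -> Optional[Rule]:
    """Top-down, first match wins; None models the implicit deny at the end."""
    for r in acl:
        proto, port = SERVICES[r.svc]
        if (_addr_matches(r.src, s.src, user_ip) and _addr_matches(r.dst, s.dst, user_ip)
                and (proto is None or proto == s.proto)
                and (port is None or port == s.dport)):
            return r
    return None


def nat_reverse_map(acl: List[Rule]) -> Dict[int, int]:
    """From every 'dst-nat N' rule, map the rewritten port back to the service port."""
    return {int(r.action.split()[1]): SERVICES[r.svc][1]
            for r in acl if r.action.startswith("dst-nat ")}


def evaluate(s: Session, acl: List[Rule], user_ip) -> Optional[Rule]:
    """Rows are per direction: a row whose destination is the client is the return
    half of a client-initiated flow, so reverse it (and un-NAT the port) first."""
    if s.src == user_ip:
        fwd = s
    elif s.dst == user_ip:
        orig_port = nat_reverse_map(acl).get(s.sport, s.sport)
        fwd = Session(s.dst, s.src, s.proto, s.dport, orig_port)
    else:
        return None  # not a client flow; out of scope for the user role
    return first_match(fwd, acl, user_ip)


def audit(text: str, acl: List[Rule], user_ip) -> List[str]:
    """One verdict line per session row: the rule hit, or the implicit deny."""
    out = []
    for s in parse_datapath_sessions(text):
        r = evaluate(s, acl, user_ip)
        verdict = f"rule {r.num} ({r.action})" if r else "implicit deny"
        out.append(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} proto {s.proto}: {verdict}")
    return out


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SESSIONS, POST_AUTH_ACL, USER_IP)))
```

Run as-is, the audit shows the controller:8081 rows resolving back to rule 3 (the dst-nat of the client's HTTPS to the controller), while DNS to 8.8.8.8, HTTPS to the public address and the ICMP flow all fall through to rule 4, which is the point made in reply 2: with a catch-all "user any any route src-nat" as the last line, nothing in this ACL would block the ping.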


  • 4.  RE: AOS 8.3 + Remote AP in Split Tunnel mode + Internal Captive Portal

    EMPLOYEE
    Posted Jan 20, 2019 10:03 AM

    What is your topology?




  • 5.  RE: AOS 8.3 + Remote AP in Split Tunnel mode + Internal Captive Portal
    Best Answer

    Posted Jan 20, 2019 08:41 PM

    Hi! Thanks for your advice. I focused on the topology and found some inconsistencies. Because I am using just the controller for testing (where I configured a VLAN and IP interface for RAP users, a VLAN and IP interface for the RAP, and a VLAN and IP interface with NAT outside for Internet), I realised that I had asymmetric routes. I disabled interface routing on the RAP user interface, and it started working.

    I could reach the CP and authenticate, but now I do not have Internet. However, I will not lose any more time with my lab. Tomorrow at the office we will configure a more realistic scenario and test this correctly.

    Thanks a lot for your time and advice, cjoseph. Regards