Wireless Access


Captive Portal/Routing Issue

  • 1.  Captive Portal/Routing Issue

    Posted Mar 14, 2018 11:04 AM

    Hello,

    I am trying to set up a wireless service for external visitors. The plan is for them to access a standalone ADSL network (VLAN 10 - 192.168.214.0/24) via ClearPass captive portal. Our ClearPass devices sit on our main internal network (VLAN 1 - 10.1.48.0/22) on which our Aruba controller has an L3 interface. Our Aruba controller also has an L3 connection to the ADSL network.

    The issue I am seeing is that traffic coming from VLAN 10 to the ClearPass servers is being dropped. I have added a route on our ClearPass appliances and can ping the ADSL interface of the controllers from them. If I try and ping from the controllers to the ClearPass appliances with a source of VLAN 10, the packets appear to be dropped. Packet capture on the ClearPass appliances shows the ICMP packets coming in and being responded to, but the ping shows no replies.

    Am I missing anything obvious on the controllers/ClearPass appliances to allow inter-VLAN routing?

    Thanks.



  • 2.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 11:28 AM
    Is your ClearPass virtual or hardware?


  • 3.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 11:31 AM

    Virtual.

    Thanks.



  • 4.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 11:39 AM
    You have two options:
    - Make the ClearPass guest portal public (reachable via public DNS)
    - Use a NAT ACL to send HTTPS/HTTP traffic to ClearPass via the controller internal IP (the only issue with this solution is that you will only be able to reach the ClearPass guest portal via IP)


  • 5.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 11:45 AM

    Thanks Victor,

    The second option is what we are trying to do but if the ClearPass servers cannot be pinged by the controller on the ADSL source then surely an ACL will not work either?



  • 6.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 12:12 PM
    If you do a ping source vlan you will be able to ping it.

    You will need to define the ip nat pool (so the traffic will go through the controller internal IP):

    ip nat pool GUEST-NAT-IP
    !
    netdestination CLEARPASS-SERVER-DEST
      host
    !
    ip access-list session CLEARPASS-NAT-ACL
      user alias CLEARPASS-SERVER-DEST svc-http src-nat pool GUEST-NAT-IP
      user alias CLEARPASS-SERVER-DEST svc-https src-nat pool GUEST-NAT-IP
    !
    user-role guest-logon
      access-list session CLEARPASS-NAT-ACL position 3
      access-list session captiveportal position 4
      access-list session captiveportal position 5
    !


  • 7.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 12:17 PM

    Victor, thanks for this, but as I said in my original post, if I do a ping source vlan, I cannot ping it.

    I will try the config you have sent though and see how I get on.



  • 8.  RE: Captive Portal/Routing Issue

    Posted Mar 14, 2018 12:21 PM
    Can you share your routing config on the controller?