Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive Portal Split Tunnel help??

  • 1.  Captive Portal Split Tunnel help??

    Posted May 31, 2013 11:42 AM

    Hi

    Hope someone can help...

     

    We have a 3400 controller at our datacentre.

    We have several APs at branch sites which connect via MPLS back to our datacentre.

    We have internet breakout via a VLAN configured on our ISP's router, i.e. traffic on this VLAN is allowed out via the ISP's firewall and does not need to be routed via a datacentre proxy, as internet traffic on our normal VLAN is.

     

    We have APs using bridge mode successfully, and server derivation rules assigning VLANs where appropriate.  This works great.

     

    However I am trying to get Captive Portal working from a branch AP in the same way, i.e. the internet traffic uses the internet VLAN and does not need to travel back to the datacentre.  With the exception of DHCP, devices on the internet VLAN are not able to route to the production network, where the controller and captive portal page sit.

     

    With bridge mode on the VAP, I am able to get an IP, but the captive portal does not load, due to the lack of routing to the controller (intentional).  So I assume I need split tunnel.

     

    I am following the Captive Portal guide and have setup the following:

     

    A Captive Portal Profile (standard settings - user login ticked)

    A new policy with the following configured:
    - local internet VLAN network configured to permit
    - user/any action SRC-NAT (expecting any other traffic to SRC-NAT back to the controller)

    A user role, configured with:
    - Logon-Control
    - Captive Portal
    - Policy as above

    An AAA profile, with the initial role set to the role above.
    This AAA profile assigned to a VAP.
    The VAP set to split tunnel, with the internet VLAN configured.
    The internet VLAN is tagged correctly on the switch.

     

    However I cannot get an IP address, I just get "cannot join network".  No user role shows up in show user-table.

     

    Should this work?

     

    Many Thanks

    Steve




  • 2.  RE: Captive Portal Split Tunnel help??

    Posted May 31, 2013 12:39 PM

    Please run

    show rights <nameoflogonrole>


    Where do you want the client to get an IP from; local or the controller-side?



  • 3.  RE: Captive Portal Split Tunnel help??

    Posted May 31, 2013 12:46 PM

    Also, just to confirm, is the AP at the remote site configured as a RAP?  Split-tunnel only works on RAPs.



  • 4.  RE: Captive Portal Split Tunnel help??

    Posted May 31, 2013 09:28 PM

    Hi,

    :) Some info:

     

    A. Bridge mode will not make captive portal work.

    B. You should configure your APs as RAPs (IPsec/cert).

    C. Configure your working mode as SPLIT-TUNNEL and not bridge. (Choose a VLAN from the controller - make sure it has working DHCP settings, and that it can reach the internet and resolve DNS.)

    D. Build an access role with logon-control + captive portal | don't forget to choose the right captive portal profile at the bottom and press apply.

    E. Build an access role with all the needed ports/services from user to XXX with route-src-nat (because you want all the user traffic to go locally to those ports/services).

    Here is an access role example for you (but you can keep it simple :) - this is just a huge post-auth ACL list for all our remote users):

    [image: Capture2.PNG]

     

    I hope it gave you some idea.

     

    Have a lovely night.

     

    me



  • 5.  RE: Captive Portal Split Tunnel help??

    Posted May 31, 2013 09:31 PM

    BTW: in split-tunnel working mode:

     

    PERMIT in ACL = Traffic allowed back to the tunnel (Controller)

    ROUTE SRC-NAT = Traffic allowed via local AP.(Not going back to the Controller...)



  • 6.  RE: Captive Portal Split Tunnel help??

    Posted Jun 03, 2013 07:23 AM

    Hi All

     

    My test AP was not a RAP so I have now re-provisioned it.  Unfortunately no change.

     

    Here is the initial user role:

     

     

    (arw-001) #show rights SplitCP_Logon

    Derived Role = 'SplitCP_Logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 60/0
     Max Sessions = 65535
     Captive Portal profile = CP_Prof

    access-list List
    ----------------
    Position  Name            Location
    --------  ----            --------
    1         SplitCP_Policy
    2         logon-control
    3         captiveportal

    SplitCP_Policy
    --------------
    Priority  Source  Destination       Service   Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------       -------   ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any               svc-dhcp  src-nat             Yes           Low                                                           4
    2         user    any               any       src-nat                           Low                                                           4
    3         any     SunlightInternal  any       permit                            Low                                                           4

    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-icmp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-dhcp  permit                           Low                                                           4
    5         any     any          svc-natt  permit                           Low                                                           4

    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

    Expired Policies (due to time constraints) = 0

    (arw-001) #



  • 7.  RE: Captive Portal Split Tunnel help??

    Posted Jun 03, 2013 08:54 AM

    Just noticed - my test AP shows as Rc2I (inactive).

     

    When I change the VAP to bridge mode from split tunnel, it goes to Rc2 (active RAP).


    Strange??



  • 8.  RE: Captive Portal Split Tunnel help??

    EMPLOYEE
    Posted Jun 03, 2013 09:30 AM

    What is the VLAN on your Virtual AP?

     



  • 9.  RE: Captive Portal Split Tunnel help??

    Posted Jun 03, 2013 09:32 AM

    It's our internet-only VLAN (with a DHCP server).

    This is the VLAN which is "local" in this sense.

    It is not defined on the controller, as we normally use it for bridge mode only.



  • 10.  RE: Captive Portal Split Tunnel help??

    EMPLOYEE
    Posted Jun 03, 2013 09:36 AM
    It must be defined on the controller, or it will not work with split tunnel.


  • 11.  RE: Captive Portal Split Tunnel help??

    Posted Jun 03, 2013 09:37 AM

    If I define it on the controller, will the traffic exit the controller, or exit on the local switch attached to the AP?



  • 12.  RE: Captive Portal Split Tunnel help??

    EMPLOYEE
    Posted Jun 03, 2013 09:41 AM

    The idea with Split Tunnel Captive portal is to have it hit the controller for Captive Portal authentication, but your "success" or resulting role can then send the traffic out of the interface of the AP by using any any route src-nat.



  • 13.  RE: Captive Portal Split Tunnel help??

    Posted Jun 03, 2013 09:43 AM

    OK so the VAP VLAN should be the initial "authenticating" VLAN, i.e. one where a DHCP server is reachable and one where the controller is reachable?  Where should I configure the internet only VLAN? A server derivation rule?

     

    Have I setup my roles wrong - my initial role is the one which holds the source nat, should it be the post authentication role?

     

    Thanks for your help.



  • 14.  RE: Captive Portal Split Tunnel help??

    EMPLOYEE
    Posted Jun 03, 2013 10:32 AM

    @steveh_2001 wrote:

    OK so the VAP VLAN should be the initial "authenticating" VLAN, i.e. one where a DHCP server is reachable and one where the controller is reachable?  Where should I configure the internet only VLAN? A server derivation rule?

     

    Have I setup my roles wrong - my initial role is the one which holds the source nat, should it be the post authentication role?

     

    Thanks for your help.


    The internet traffic is source-NATted out of the local access point's IP address.

     

    You are correct on the role switch.
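To make the rule semantics discussed in this thread concrete, here is a small added model of how a split-tunnel role is evaluated. It is my own illustration for this page, not ArubaOS code and not something posted by anyone in the thread. The three ACLs are transcribed from the show rights output above and the post-authentication role is the "user any any route src-nat" one the replies describe. The model assumes first-match evaluation across the role's ACLs in their listed position order, and maps actions to forwarding the way the replies explain it: permit and the controller-side NAT actions (src-nat, dst-nat) keep the flow in the tunnel to the controller, route src-nat sends it out of the AP's local interface. The destination names "internet" and "broadcast" in the sample flows are placeholders I made up.

```python
"""Toy model of split-tunnel role evaluation on an Aruba RAP.

Constructed illustration for this thread, not ArubaOS code. The ACL
contents are transcribed from the `show rights SplitCP_Logon` output
posted above; the forwarding outcomes follow the replies (permit = back
through the tunnel to the controller, route src-nat = out of the AP's
local interface). First-match evaluation across the role's ACLs in
position order is an assumption of the model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str      # "user" (the client), "any", or a named alias
    dst: str      # "any", "controller", or a named alias
    service: str  # "any", "svc-dhcp", "svc-http", "udp 68", ...
    action: str   # "permit", "deny", "src-nat", "route src-nat", "dst-nat <port>"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str

def matches(rule: Rule, flow: Flow) -> bool:
    """A rule field of "any" is a wildcard; everything else must match exactly."""
    return (rule.src in ("any", flow.src)
            and rule.dst in ("any", flow.dst)
            and rule.service in ("any", flow.service))

def outcome(action: str) -> str:
    """Where split-tunnel forwarding sends traffic for a given rule action."""
    if action == "permit":
        return "tunnel"   # carried inside the IPsec tunnel to the controller
    if action == "deny":
        return "drop"
    if action == "route src-nat":
        return "local"    # bridged out of the AP uplink, NATted to the AP's IP
    if action == "src-nat" or action.startswith("dst-nat"):
        return "tunnel"   # NAT is applied on the controller, so still tunnelled
    raise ValueError("unknown action: " + action)

def evaluate(role: List[List[Rule]], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """Return (outcome, matching rule) for the first match, or an implicit drop."""
    for acl in role:
        for rule in acl:
            if matches(rule, flow):
                return outcome(rule.action), rule
    return "drop", None

# --- ACLs transcribed from the thread's show rights output ---
SPLITCP_POLICY = [
    Rule("any", "any", "svc-dhcp", "src-nat"),
    Rule("user", "any", "any", "src-nat"),
    Rule("any", "SunlightInternal", "any", "permit"),
]
LOGON_CONTROL = [
    Rule("user", "any", "udp 68", "deny"),
    Rule("any", "any", "svc-icmp", "permit"),
    Rule("any", "any", "svc-dns", "permit"),
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("any", "any", "svc-natt", "permit"),
]
CAPTIVEPORTAL = [
    Rule("user", "controller", "svc-https", "dst-nat 8081"),
    Rule("user", "any", "svc-http", "dst-nat 8080"),
    Rule("user", "any", "svc-https", "dst-nat 8081"),
    Rule("user", "any", "svc-http-proxy1", "dst-nat 8088"),
    Rule("user", "any", "svc-http-proxy2", "dst-nat 8088"),
    Rule("user", "any", "svc-http-proxy3", "dst-nat 8088"),
]

# The initial role exactly as posted: SplitCP_Policy sits at position 1.
SPLITCP_LOGON = [SPLITCP_POLICY, LOGON_CONTROL, CAPTIVEPORTAL]
# The post-authentication role the replies describe: everything out locally.
INTERNET_ROLE = [[Rule("user", "any", "any", "route src-nat")]]

# Constructed sample flows; "internet" and "broadcast" are placeholder names.
SAMPLE_FLOWS = [
    Flow("user", "broadcast", "svc-dhcp"),
    Flow("user", "internet", "svc-http"),
    Flow("user", "controller", "svc-https"),
]

def trace(role: List[List[Rule]]) -> List[Tuple[str, str, str]]:
    """(service, outcome, matching action) for each sample flow."""
    result = []
    for flow in SAMPLE_FLOWS:
        where, rule = evaluate(role, flow)
        result.append((flow.service, where, rule.action if rule else "implicit deny"))
    return result

if __name__ == "__main__":
    for name, role in (("SplitCP_Logon", SPLITCP_LOGON), ("post-auth route src-nat", INTERNET_ROLE)):
        print(name)
        for service, where, action in trace(role):
            print(f"  {service:10} -> {where:7} ({action})")
```

Under these assumptions the model shows two things worth checking before touching the controller: in the logon role as posted, the position-1 rule "user any any src-nat" matches a client's HTTP request before the captiveportal ACL's dst-nat redirects ever see it, whereas with only logon-control and captiveportal in the role the same request is redirected to port 8080 on the controller; and under the post-auth route src-nat role every sample flow leaves the AP locally, which is the behaviour the replies describe for the "success" role.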

     



  • 15.  RE: Captive Portal Split Tunnel help??

    Posted Apr 07, 2017 06:49 AM

    Is there any chance to bridge with the RAP in split tunnel mode, not to route?!

     

    I have a RAP in VLAN 1 and need VLAN 11 split: tunnel the CP traffic and bridge the data like DNS, HTTP and so on to VLAN 11.

     

    If I use "route" the RAP routes out on its VLAN 1 interface, not in the user VLAN 11. I see the VLAN 11 IP in VLAN 1 :(

     

    If I use "route src-nat" I see the RAP IP in VLAN 1 with the request from the client in VLAN 11.