Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive Portal in split-tunnel mode

  • 1.  Captive Portal in split-tunnel mode

    Posted Dec 14, 2011 06:23 AM

    Hello All,

    Has anyone gotten a Captive Portal working on a RAP in split-tunnel mode? If yes, could you tell me in which AOS version? I have tried AOS 6.1.2.3 and 5.0.4.3 but with no success.

    Thanks in advance,

    Ed



  • 2.  RE: Captive Portal in split-tunnel mode

    EMPLOYEE
    Posted Dec 14, 2011 06:38 AM

    Ed,

     

    It should work on both, and users on both platforms have it configured and it works.  There is a document here:  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=2888 that describes how to configure it.  Please search the document for "split tunnel captive portal" and you will get detailed instructions.

     

    At what point are you getting stuck?

     

     



  • 3.  RE: Captive Portal in split-tunnel mode

    Posted Dec 14, 2011 07:07 AM

    Thanks Cjoseph,

    I will double-check and report back whether that configuration worked. I followed http://support.arubanetworks.com/Default.aspx?tabid=111, answer ID 825.

     

     



  • 4.  RE: Captive Portal in split-tunnel mode

    EMPLOYEE
    Posted Dec 14, 2011 07:12 AM

    It is pretty much the same thing.  Are your guest users getting an ip address?  Are they bringing up the Captive Portal page?

     



  • 5.  RE: Captive Portal in split-tunnel mode
    Best Answer

    Posted Dec 19, 2011 01:51 PM

    Thanks Colin,

    The procedure worked. The problem was that I tested a RAP on the local network; split-tunnel does not work in the same network as the controller.



  • 6.  RE: Captive Portal in split-tunnel mode

    Posted May 03, 2012 09:20 AM

    Am I right that, if following the mentioned pages exactly, they only define some "splitcp-logon" role (like the normal guest-logon role) and set the VAP to split-tunnel instead of tunnel, and nothing more?

    I have in mind that if you want to access local printers in your remote subnet, then there was a need to change the ACLs ...

    A customer asked for such a solution and I'm happy that I found your thread here ;-)

    regards

    ben



  • 7.  RE: Captive Portal in split-tunnel mode

    Posted May 16, 2012 04:32 AM

    Hello,

    Does RAP2 with split-tunneling work for accessing the internet via the remote site's ISP? Before I waste time checking out the remote networking guide and ending up with something non-functioning, I would like to describe my pretty simple environment:

    Headquarters: Controller with AOS 5.x or 6.x

    Branch: RAP2 with PSK SSID + guest Captive Portal; the vouchers are created from the remote site via a separate connection to the HQ controller.

    My goal is: the internet traffic from remote users with a guest voucher should go straight out the local remote router to the ISP, and not pass through the RAP2 tunnel to the controller, and vice versa.

    Is this possible?

    regards

    ben



  • 8.  RE: Captive Portal in split-tunnel mode

    EMPLOYEE
    Posted May 16, 2012 07:09 AM

    @bg wrote:

    Hello,

    Does RAP2 with split-tunneling work for accessing the internet via the remote site's ISP? Before I waste time checking out the remote networking guide and ending up with something non-functioning, I would like to describe my pretty simple environment:

    Headquarters: Controller with AOS 5.x or 6.x

    Branch: RAP2 with PSK SSID + guest Captive Portal; the vouchers are created from the remote site via a separate connection to the HQ controller.

    My goal is: the internet traffic from remote users with a guest voucher should go straight out the local remote router to the ISP, and not pass through the RAP2 tunnel to the controller, and vice versa.

    Is this possible?

    regards

    ben


    If you are asking about split-tunnel captive portal, yes, it does work.

     



  • 9.  RE: Captive Portal in split-tunnel mode

    Posted May 16, 2012 07:33 AM

    Hi cjoseph,

    As always, thanks for your godspeed replies ;-) I'm still confused about how the DHCP stuff is done:

    On the branch, the DSL router does DHCP and is used as DNS forwarder, or local clients use external DNS; never mind.

    The RAP2 gets one DHCP address, connects to the HQ controller, receives a virtual IP from the RAP range and enables the Wi-Fi.

    I have in mind that two SSIDs (one with tunnel, one with split-tunnel) isn't working. Is this correct? E.g. if you want to use the other SSID to control the voucher accounts; otherwise the customer should use wired access to reach the controller via some separate corporate VLAN.

    Regardless of two SSIDs, for the moment I would like to solve it with one VAP in split-tunnel mode. Regarding DHCP, my Wi-Fi clients need a DHCP address too, and if they want to access internet resources via the local router then those clients need addresses from the same local subnet as the router. I don't think it's possible to use only the local router's DHCP for the Wi-Fi clients themselves.

    The VBN guest network has to be identified on the controller too, e.g. some separate VLAN as mentioned in the KB article mentioned a few postings before.

    Am I right? Sorry, I'm just asking confusing questions ;-)

    regards



  • 10.  RE: Captive Portal in split-tunnel mode

    EMPLOYEE
    Posted May 16, 2012 08:13 AM

    @bg wrote:

    Hi cjoseph,

    As always, thanks for your godspeed replies ;-) I'm still confused about how the DHCP stuff is done:

    On the branch, the DSL router does DHCP and is used as DNS forwarder, or local clients use external DNS; never mind.

    The RAP2 gets one DHCP address, connects to the HQ controller, receives a virtual IP from the RAP range and enables the Wi-Fi.

    I have in mind that two SSIDs (one with tunnel, one with split-tunnel) isn't working. Is this correct? E.g. if you want to use the other SSID to control the voucher accounts; otherwise the customer should use wired access to reach the controller via some separate corporate VLAN.

    Regardless of two SSIDs, for the moment I would like to solve it with one VAP in split-tunnel mode. Regarding DHCP, my Wi-Fi clients need a DHCP address too, and if they want to access internet resources via the local router then those clients need addresses from the same local subnet as the router. I don't think it's possible to use only the local router's DHCP for the Wi-Fi clients themselves.

    The VBN guest network has to be identified on the controller too, e.g. some separate VLAN as mentioned in the KB article mentioned a few postings before.

    Am I right? Sorry, I'm just asking confusing questions ;-)

    regards


    Each VAP is individual. Let's talk about split-tunnel captive portal specifically:

    - Your VAP needs to be set to split-tunnel.

    - Your VAP needs to be set to a VLAN that is at corporate so that your guest clients can get IP addresses. The corporate DHCP server will give out the IP address, subnet mask, default gateway and DNS IP.

    - That VLAN, at corporate, will give an IP address to your guests.

    - The initial role of the AAA profile attached to that VAP has the "Captive Portal" ACL so that clients can be initially redirected to the Captive Portal on the controller for authentication, or whatever.

    - In the Captive Portal Authentication profile for this WLAN, the default guest role will have something like this:

    any any dhcp permit

    any any any route src-nat

    That means, once the guest authenticates, all of his traffic will be source-NATed out of the IP address of the AP that the guest is on. DNS, HTTP, HTTPS, etc. will all be source-NATed out of that AP.

    What I just described is independent of the other VAPs on that AP. You could have a fully tunneled VAP on the same AP.
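    The five steps in the reply above, written out as one ArubaOS 6.x CLI configuration. This is an added example, not configuration from the original thread or from the HPE Aruba documents it links to. The profile, role and ACL names (splitcp-*), the ESSID "Branch-Guest" and VLAN 123 are illustrative assumptions; the VLAN is assumed to exist on the controller with a corporate DHCP scope behind it. The two rules in the post-login role are the ones the reply gives, in the ip access-list session form (svc-dhcp is the service alias for DHCP); logon-control and captiveportal are the controller's built-in ACLs used by the default guest-logon role. Lines starting with ! are section separators.

```text
! Post-login guest role: DHCP still goes through the tunnel to corporate,
! everything else is routed locally by the RAP and source-NATed to its IP
ip access-list session splitcp-guest-acl
  any any svc-dhcp permit
  any any any route src-nat
!
user-role splitcp-guest
  access-list session splitcp-guest-acl
!
! Captive portal profile: authenticated guests land in splitcp-guest
aaa authentication captive-portal splitcp-cp
  default-role splitcp-guest
!
! Initial (pre-auth) role: only the built-in logon-control and
! captiveportal ACLs, so HTTP is redirected to the controller's portal
user-role splitcp-logon
  captive-portal splitcp-cp
  access-list session logon-control
  access-list session captiveportal
!
aaa profile splitcp-aaa
  initial-role splitcp-logon
!
wlan ssid-profile splitcp-ssid
  essid "Branch-Guest"
  opmode opensystem
!
! VAP in split-tunnel mode, mapped to a corporate VLAN that has DHCP
wlan virtual-ap splitcp-vap
  ssid-profile splitcp-ssid
  aaa-profile splitcp-aaa
  vlan 123
  forward-mode split-tunnel
!
ap-group branch-raps
  virtual-ap splitcp-vap
```

    To check the result: show rights splitcp-guest should list the two rules above, and after a guest logs in, show user-table verbose should show the client in role splitcp-guest on VLAN 123. Two caveats from later in this thread: test with a RAP that is not on the controller's own network (post 5), and expect the branch firewall to log only the RAP's address for guest traffic, since the route src-nat rule hides the client IP (post 12).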

     



  • 11.  RE: Captive Portal in split-tunnel mode

    Posted Jun 05, 2012 06:12 AM

    >> The corporate DHCP server will give out the IP address, subnet mask, default gateway, DNS IP.

    In my case I would choose the same subnet that is used locally on the branch as the trusted internet subnet. Should that work? Or is it better to use a separate network, e.g. if using a corporate DHCP guest network:

    Normally, in tunneled VAP mode, I have a separate guest network, e.g.:

    192.168.123.0/24

    192.168.123.1 (gateway; in the normal case it's the controller)

    external DNS servers (ISP DNS and so on)

    The redirect to the CP is working fine.

    Sorry for the silly question; I just never configured this and am trying to better understand it here.

    Now, if using split tunnel and having my own ACL as the authenticated role for the split-tunnel guest users, I think it would be better to have separate networks.

    E.g. I'm using DHCP locally on the branch to get the RAP2 connected to headquarters, and using corporate DHCP in the guest Wi-Fi as well wouldn't be that good.

    Well, I'll give it a try. It's an interesting configuration, and since this is supported, you can reach a lot of customers with little branches and the need for guest vouchers controlled centrally, with only a RAP2 rolled out in the field on silly DSL lines, and that's it ;-)

    regards

    ben



  • 12.  RE: Captive Portal in split-tunnel mode

    Posted Jun 08, 2012 10:26 AM

    Short feedback:

    It's working as expected; I'm happy ;-) As written before, I took different DHCP ranges: one range for the corporate guest users and the local range for the RAP itself, which connects via the branch network to the HQ controller interface.

    The only "problem", or better said aspect, is that you don't see the user's IP because of the src-nat, so in your local firewall logs you only see the src-nat IP of the RAP and the destination address. Well, I don't think it's that important for that customer to see where guests are "surfing" to.

    If anyone has an idea for a trick to see the guest users' logs, please give feedback.

    For the moment I have just verified that it's working, and that's more than enough.

    Regards and thanks for your help!

    ben



  • 13.  RE: Captive Portal in split-tunnel mode

    Posted Oct 31, 2012 03:41 PM

    Does this only work with the VAP in split tunnel mode?  Will it work with RAPs that have a bridge mode VAP?



  • 14.  RE: Captive Portal in split-tunnel mode

    EMPLOYEE
    Posted Oct 31, 2012 07:04 PM

    Captive Portal does not work in bridged mode, unfortunately.