Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Design and setup with separate ISP for Guest

  • 1.  Design and setup with separate ISP for Guest

    Posted May 31, 2013 05:19 AM

    Hi

     

    This could be posted under guest, but it's more of a general design issue than providing and authenticating guest access. I could use your input on how to accomplish this. The essence is that we go from an internal captive portal to Clearpass and at the same time introduce a new ISP/internet connection that only the guests should use. Tried to separate the Guest network as much as possible.

     

    I've read through the VRDs, but can't say that this is covered there.

     

    The scenario is as follows.

     

    Current setup

    • Master-standby 3600
    • MGMT and default gw - VLAN 23
    • Layer 3 for Employee - VLAN 13
    • Layer 2 for Guests - VLAN 18
    • The Controller terminates both CAPs and RAPs.
    • Controller is Captive Portal and DHCP for Guests

     

    Both guests and employees surf via the same internet connection. RAPs establish their tunnels through the same connection.

     

    Needed setup

    • Master-standby 3600
    • Layer 3 for Employee - VLAN 13
    • MGMT and default gw - VLAN 23
    • Layer 2 for Guests - VLAN 64
    • The Controller terminates both CAPs and RAPs.
    • New ISP connection for Guests - VLAN 38
    • Clearpass Guest is Captive Portal and guest authentication server. Resides in VLAN 64

    Guests should surf through a new ISP connection established on VLAN 38.

    Employee should continue to surf through the connection established on their gateway in VLAN 13.

     

     

    What's the best way to implement this?

    Is it viable, or should we go about this differently?

    In what VLAN should the controller's default gateway be?

    Where should I place the Clearpass, and should we use both MGMT and LAN interfaces?

    What kind of static routes should I use?

     

    The things we've done haven't really worked out.

    We changed the default gateway for the controller to VLAN 38, but then all our RAPs stopped working. They came in through VLAN 23, but the controller sent the traffic out on VLAN 38, so that was no good.




  • 2.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 06:11 AM
    Where's VLAN 38 defined?

    What device is doing the NATing?



  • 3.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 06:15 AM
    VLAN 38 is defined on the Controller and the switch it is connected to. The Controller is the NAT device.


  • 4.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 06:23 AM


  • 5.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 06:25 AM

    If you don't have a firewall or router to do the NATing, what you could do is create an SVI with VLAN 38 assigned an IP address in the same range as your ISP, and then create an IP NAT pool pointed to that IP address.

    The only issue with this setup is that your controller will now have a public address (exposed).


  • 6.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 06:50 AM
    Thanks for your attention vfabian.

    Can you elaborate on that proposed solution? We did try that both in our solution and a customer solution without success, so a concrete example that you know works is greatly appreciated. I don't have a problem with the Controller being exposed.

    Ignore the Clearpass placement part - it's not really relevant to the problem, just a part of the overall design.


  • 7.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 09:20 AM

    So - to sum this up...

     

    I'm trying to src-nat traffic from one VLAN (64 - the inside Guest) using the IP address on another VLAN (38 - the outside) instead of the Controller IP.

     

    I'm unable to get this to work.

     

    I've done:

     

    ip access-list session guest-srcnat
      any any any src-nat pool pool-guest-srcnat

     

    Added "guest-srcnat" as the default role on my AAA profile (for now, until I get this working).

     

    No src-nat on either VLAN 64 or 38. Thinking that should be handled by the src-nat rule on the role.

     



  • 8.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 10:00 AM

     

    See if this helps

     

    interface vlan 38
    ip address 169.45.34.50 255.255.255.0
    
    ip NAT pool NAT-GUEST-POOL 169.45.34.50 169.45.34.50
    
    ip dhcp pool GUEST-DHCP-POOL
     default-router 10.10.30.1
     dns-server 169.45.67.1
     network 10.10.30.0 255.255.255.0
     authoritative
    
    interface vlan 64
    ip address 10.10.30.1 255.255.255.0
    
    
    ip access-list session GUEST-LOGON-CONTROL-ACL
      user any udp 68  deny 
      any any svc-icmp  permit 
      any any svc-dhcp  permit 
      alias GUEST-IP any svc-dns  src-nat pool NAT-GUEST-POOL 
      alias GUEST-IP   alias CLEARPASS-SERVER svc-https  src-nat pool NAT-GUEST-POOL 
      alias GUEST-IP   alias CLEARPASS-SERVER svc-http  src-nat pool NAT-GUEST-POOL
      any   alias CLEARPASS-SERVER svc-https  permit 
      any   alias CLEARPASS-SERVER svc-http  permit 
    
    ip access-list session GUEST-SRC-NAT-ACL
      any any svc-ssh  src-nat pool NAT-GUEST-POOL
      user   alias DNS-SERVERS svc-dns  src-nat pool NAT-GUEST-POOL 
      any any svc-icmp  src-nat pool NAT-GUEST-POOL
      any any svc-https  src-nat pool NAT-GUEST-POOL 
      any any svc-http  src-nat pool NAT-GUEST-POOL
      user any any  src-nat pool NAT-GUEST-POOL

    ip access-list session CAPTIVE-PORTAL-ACL
      user alias CLEARPASS-SERVER svc-https src-nat pool NAT-GUEST-POOL 
      user alias CLEARPASS-SERVER svc-http src-nat pool NAT-GUEST-POOL 
      user alias CLEARPASS-SERVER any src-nat pool NAT-GUEST-POOL
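    The two guest session ACLs in the post above, traced with a small first-match evaluator. This is an added example, not Aruba code or the poster's configuration; the alias contents and the sample flows are constructed, and ArubaOS rule matching is reduced to source, destination and service (the "user" keyword is modelled as the guest subnet).

```python
import ipaddress
# Constructed alias contents: the thread names these aliases but gives no addresses.
ALIASES = {
    "GUEST-IP": ipaddress.ip_network("10.10.30.0/24"),
    "CLEARPASS-SERVER": ipaddress.ip_network("10.10.30.200/32"),
    "DNS-SERVERS": ipaddress.ip_network("169.45.67.1/32"),
}
# Service names as (protocol, destination port); None means any port.
SERVICES = {"svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67), "svc-http": ("tcp", 80),
            "svc-https": ("tcp", 443), "svc-ssh": ("tcp", 22), "svc-icmp": ("icmp", None)}

def match_addr(spec, addr, user_net):
    """'any' matches all, 'user' the client's subnet, 'alias X' a named network."""
    if spec == "any":
        return True
    net = user_net if spec == "user" else ALIASES[spec.split(" ", 1)[1]]
    return ipaddress.ip_address(addr) in net

def match_svc(spec, proto, dport):
    """Service is 'any', a named service, or '<proto> <port>' such as 'udp 68'."""
    if spec == "any":
        return True
    p, port = SERVICES[spec] if spec in SERVICES else (spec.split()[0], int(spec.split()[1]))
    return proto == p and (port is None or dport == port)

def evaluate(acl, flow, user_net=ALIASES["GUEST-IP"]):
    """First match wins: return (action, rule index), or ('deny', None) for the implicit deny."""
    for i, (src, dst, svc, action) in enumerate(acl):
        if (match_addr(src, flow["src"], user_net) and match_addr(dst, flow["dst"], user_net)
                and match_svc(svc, flow["proto"], flow["dport"])):
            return action, i
    return "deny", None

NAT = "src-nat pool NAT-GUEST-POOL"
GUEST_LOGON_CONTROL_ACL = [  # pre-authentication role: only DNS and ClearPass are reachable
    ("user", "any", "udp 68", "deny"),            # a client must never answer DHCP (rogue server)
    ("any", "any", "svc-icmp", "permit"),
    ("any", "any", "svc-dhcp", "permit"),
    ("alias GUEST-IP", "any", "svc-dns", NAT),
    ("alias GUEST-IP", "alias CLEARPASS-SERVER", "svc-https", NAT),
    ("alias GUEST-IP", "alias CLEARPASS-SERVER", "svc-http", NAT),
    ("any", "alias CLEARPASS-SERVER", "svc-https", "permit"),
    ("any", "alias CLEARPASS-SERVER", "svc-http", "permit"),
]
GUEST_SRC_NAT_ACL = [  # post-authentication role: everything the client starts leaves via the pool
    ("any", "any", "svc-ssh", NAT), ("user", "alias DNS-SERVERS", "svc-dns", NAT),
    ("any", "any", "svc-icmp", NAT), ("any", "any", "svc-https", NAT),
    ("any", "any", "svc-http", NAT), ("user", "any", "any", NAT),
]
```

    Tracing a pre-auth guest's HTTP request to an arbitrary Internet host through GUEST_LOGON_CONTROL_ACL falls through to the implicit deny, while the same flow in GUEST_SRC_NAT_ACL hits the http rule and is translated to the VLAN 38 pool address; the trailing "user any any" rule only matches flows the client originates, so nothing arriving from outside is translated inward.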

     



  • 9.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 10:50 AM

    You have this working, vfabian?

     

    I have tried more or less the exact same config with no luck. Now I'm off for a week - going to Airheads in Alicante - so I'll look at this more closely when I get back.

     

    I have read several old posts now that are about the same topic, but haven't really seen any of them solved.

     

     

    Thanks for the help so far!



  • 10.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 12:15 PM
    Have fun.

    I don't have the same exact scenario, but very similar.

    I will share the whole config; I missed a couple of steps.

    Are you able to reach the Clearpass splash guest page?

    What exactly is failing for you?



  • 11.  RE: Design and setup with separate ISP for Guest

    Posted Jun 01, 2013 05:03 AM
    I've taken the Clearpass out of the equation for now to focus on just getting the guest traffic routed to the new ISP connection. With a permit rule I can access the internet just fine, but then with the same ISP as the employees (default gw). Add in the route src-nat and I'm not getting anywhere. There are perhaps some more things to configure that I'm missing - like inter-VLAN routing, NAT inside and such.


  • 12.  RE: Design and setup with separate ISP for Guest
    Best Answer

    EMPLOYEE
    Posted Jun 01, 2013 06:22 AM
    • Have an external router that has a leg in VLAN 38 (public connection) and VLAN 64 (guest default gateway)
    • Give the controller a leg and an ip address in VLAN64
    • Set an ip cp-redirect address on the controller that points to the controller's ip address in VLAN64

     

    Do NOT change the routing at all for your controller, and put guests on VLAN64 layer 2. Captive portal on the controller stops clients on the way out on VLAN64.



  • 13.  RE: Design and setup with separate ISP for Guest

    Posted Jun 26, 2013 03:00 AM

     

    We went by your solution, Cjoseph, and of course it worked like a charm.

     

    Thanks!



  • 14.  RE: Design and setup with separate ISP for Guest

    Posted May 31, 2013 06:26 AM
    By the way, what do you mean about where to place Clearpass?