Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to direct guest traffic to DMZ controllers and DMZ ClearPass?

  • 1.  How to direct guest traffic to DMZ controllers and DMZ ClearPass?

    Posted Oct 21, 2014 05:32 PM

    Hi all,

     

    I have two locals that are set up with a GRE tunnel to 2 DMZ controllers. Guests connect to the guest SSID and the local controllers tunnel their traffic over to the DMZ controller using the GRE tunnel. This is working great.

    I have a ClearPass that sits on the DMZ. How do I direct the guest traffic to the DMZ CPPM after they are tunneled?

    From the afp.arubanetworks.com it says to set the DMZ end of the tunnel to untrusted, but it doesn't mention what else is required. I know that I need some sort of wired-aaa-profile that needs to be triggered for traffic coming from that tunnel. Please advise and let me know if I can provide any info that might help you to help me ;)

     

    Thanks,

     



  • 2.  RE: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

    EMPLOYEE
    Posted Oct 21, 2014 05:35 PM


  • 3.  RE: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

    Posted Feb 13, 2020 11:45 AM

    How do you configure a tunnel for guest traffic from local to DMZ controller when the DMZ controller has a VRRP address? Is there anything else different or needed besides making the tunnel destination the VRRP address of the DMZ controllers? If I use the physical IP of the DMZ controller, the tunnel comes up, but if I use the VRRP address, the tunnel goes down. I want to be able to use the VRRP address to prevent loops.



  • 4.  RE: How to direct guest traffic to DMZ controllers and DMZ ClearPass?



  • 5.  RE: How to direct guest traffic to DMZ controllers and DMZ ClearPass?
    Best Answer

    Posted Oct 21, 2014 07:25 PM

    The VLAN that the guests will be assigned to on the DMZ controller needs to have a wired-AAA profile associated with it. This AAA profile will have an initial role assigned that contains a captive portal role/profile assigned. The DMZ end of the tunnel should be "untrusted" to trigger the AAA profile assigned to the VLAN. An example configuration (VLAN 666 is the guest VLAN on the DMZ controller)... customize per your needs. The changes are made on the DMZ controller.

    interface tunnel 5
      description guest-tunnel-5
      tunnel source 1.1.1.1
      tunnel mode gre 48
      tunnel destination 2.2.2.2
      tunnel vlan 666

    aaa authentication captive-portal dmz-guest-cp
      default-role guest-role
      server-group cppm-servers
      redirect-pause 1
      no logout-popup-window
      login-page https://clearpass.domain.com/guest/guest.php

    user-role dmz-guest-logon
      captive-portal dmz-guest-cp
      access-list session logon-control
      access-list session captiveportal

    aaa profile guest-dmz
      initial-role dmz-guest-logon

    vlan 666 wired aaa-profile guest-dmz
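
The configuration in the answer above depends on a chain of names: the tunnel VLAN's wired AAA profile, that profile's initial role, and the role's captive-portal profile. The Python check below is an added example, not part of the original post or of any Aruba tooling; it parses only the statement forms shown in this thread, and `SAMPLE`, `parse` and `check` are names chosen here.

```python
import re
import textwrap

# Constructed sample, modelled on the DMZ-controller configuration in this thread.
SAMPLE = """\
interface tunnel 5
  tunnel vlan 666
aaa authentication captive-portal dmz-guest-cp
user-role dmz-guest-logon
  captive-portal dmz-guest-cp
aaa profile guest-dmz
  initial-role dmz-guest-logon
vlan 666 wired aaa-profile guest-dmz
"""
TOP = {"profile": r"aaa profile (\S+)", "role": r"user-role (\S+)",
       "portal": r"aaa authentication captive-portal (\S+)"}  # block headers
SUB = {"profile": r"initial-role (\S+)", "role": r"captive-portal (\S+)"}  # next link

def parse(config):
    defs = {kind: {} for kind in TOP}  # kind -> {defined name: name it references}
    vlan_profile, tunnel_vlans, current = {}, set(), None
    for raw in textwrap.dedent(config).splitlines():
        line = raw.strip()
        if line and raw[0].isspace():  # child line of the current block
            if m := re.fullmatch(r"tunnel vlan (\d+)", line):
                tunnel_vlans.add(m[1])
            elif current and (m := re.fullmatch(SUB.get(current[0], "(?!)"), line)):
                defs[current[0]][current[1]] = m[1]
        elif line:  # top-level statement: closes any open block
            current = None
            if m := re.fullmatch(r"vlan (\d+) wired aaa-profile (\S+)", line):
                vlan_profile[m[1]] = m[2]
            for kind, pattern in TOP.items():
                if m := re.fullmatch(pattern, line):
                    current = (kind, m[1])
                    defs[kind].setdefault(m[1], None)
    return defs, vlan_profile, tunnel_vlans

def check(config):
    """Follow tunnel VLAN -> AAA profile -> initial role -> captive portal."""
    defs, vlan_profile, tunnel_vlans = parse(config)
    problems = []
    for vlan in sorted(tunnel_vlans):
        where, name = f"vlan {vlan}", vlan_profile.get(vlan)
        for kind in TOP:  # dict order is the order of the chain
            if name not in defs[kind]:
                problems.append(f"{where}: {kind} {name!r} is not defined")
                break
            where, name = f"{kind} {name!r}", defs[kind][name]
    return problems
```

`check(SAMPLE)` returns an empty list; pointing the VLAN at a name that is a user-role rather than an AAA profile is reported as an undefined profile.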



  • 6.  RE: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

    Posted Oct 22, 2014 02:55 PM

    Perfect, thank you very much all.

    Clembo, I set it up like you mentioned and it worked perfectly.

    I have one more question:

    The DMZ controllers are Master local. Guests now get their DHCP from the DMZ master; if that one fails, how do I configure the DHCP pool between the two DMZ controllers? Is it the same exact scope or do I split the scope in between the two controllers?

     

    Thank you for your help.

     

     



  • 7.  RE: How to direct guest traffic to DMZ controllers and DMZ ClearPass?

    EMPLOYEE
    Posted Oct 22, 2014 03:45 PM

    You need to split the scopes because both controllers will respond.