Aruba Employee

Re: How to setup a guest SSID to distribute DHCP from the local controller

Hi,

 

For network IP address type, do not use dynamic, stick with static.  

 

So, but here is what I would do. I would use the firewall in the DMZ as the router for the clients and also as the DHCP server or relay. I would also use two different VLANs for guests and BYOD users. If this is not possible, you can use different roles for each of them and deny access to each other. Doing so, they are separated as well and you do not have to use multiple IP addresses in one VLAN.

 

If you still need to use the controller for all of that, use one VLAN, with one DHCP scope and separate users with roles. 

visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
Contributor II

Re: How to setup a guest SSID to distribute DHCP from the local controller

Hello

4.  Then I will need to create static routes on the Aruba Controller for each Guest Access IP subnet.

       a.  According to previous comments and according to: https://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-to-assign-DHCP-Pool-to-VLAN/td-p/8117

       b.  The controller will be able to route traffic to the wireless clients trying to access the DHCP Pools.

       c.  Route IP address for GUEST (IP DHCP Scheme) to DMZ Gateway (not the IP assigned to the DMZ VLan).

       d.  Same routing rule for BYOD (Look at IP route pic).

 

5.  The rest of the Corporate VLans can use the normal controller's Gateway, to route the traffic to the respective VLAN.

 

Can someone comment or verify if my plan above is correct? 

 

Also can anyone mention what the 'Hosts' field is representing and why there is a minimum of 4 required?  I am not sure if anyone answered that before. 

 

In a related but separate question: Can anyone explain to me how we can have 1 group of MAC Addresses to Authenticate to a Specific WLAN; but, not to be accepted to another SSID that also uses MAC authentication as well?  Or is there no way to associate a MAC address user account to 1 specific VLAN (Perhaps by delimiter)?

Aruba Employee

Re: How to setup a guest SSID to distribute DHCP from the local controller

Hi Pkafkas,

 

To be sure about the VLAN not having an interface, can you please share a screenshot of the VSC mapping for the Guest SSID? I was deep into the MSM solution years ago and I'm sure that the MSM controller needs an IP interface to bring up a captive portal.

 

BR

Florian

visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
Contributor II

Re: How to setup a guest SSID to distribute DHCP from the local controller

I hope the attached screen shot will give you the information that you are looking for.  The 'guest' SSID uses 192.168.103.0.

 

If not, let me know and I will try to accommodate.

 

The BYOD provides 192.168.102.0

 

When I login to the HP M760 and navigate to the 'Guest' - Overview - VSC mapping section I just see information regarding the: VSC Name, AP Name, SN, SSID, Radio, BSSID, Clients, Security.  I am not sure if that is what you are looking for.

Aruba Employee

Re: How to setup a guest SSID to distribute DHCP from the local controller

I think it was in the AP Group section. There is the VSC binding. With that VSC binding, you define which VSC profile is available for that group and into which VLAN this VSC profile should bridge traffic.

If we know the VLAN the clients are bridged to, we need to check how this VLAN is then handled on the controller. There are multiple options, but the recommended option was that the traffic was simply bridged through the internet port (normally as a VLAN) to the wired infrastructure, mostly a firewall. The firewall then has to deal with the clients, e.g. serve IP addresses and be the default gateway.

 

This is what we need:

1. What is the VLAN for the clients?

2. Who is the default gateway in that VLAN?

3. Who is the DHCP Server for that VLAN? 

visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
Contributor II

Re: How to setup a guest SSID to distribute DHCP from the local controller

Are the attached screen shots what you are looking for?

 

VAST is the guest SSID but there is a reference to a Bridge.

 

Perhaps VLan-252 is the Bridge?   

 

I have also attached a screen shot of:

- Network profiles

- VSC Profile of 'Bridge'

- Radius server profiles

 

All Radius server profiles use the same primary and secondary servers (IP addresses are the same).

 

The Bridge VSC Profile uses a Radius server for Authentication.  The BYOD SSID prompts the user with a web page login screen where they must enter their employee username and password.

 

See screen shots.

Aruba Employee

Re: How to setup a guest SSID to distribute DHCP from the local controller

Hi Pkafkas,

 

Sorry for the late response. Just needed to bring my old MSM Controller back to life. 

 

In your VSC config for VAST, you define a DHCP Server. This one is giving IPs to the clients in this SSID. The Controller is the default gateway for those clients and will route the traffic using its routing table. So most of the traffic will go to the default gateway of the controller.

 

You can simply recreate this setup on the Aruba Controller. Just create a VLAN, which is not used anywhere else and apply an IP to that VLAN. Create a DHCP Pool on the controller, matching the IP in the created VLAN. 

The last step is to assign this VLAN to the new Guest SSID. Make sure, that the role of the guest denies access to the internal network. 

visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
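
One way to check the separation advised in the replies above (guest role denies the internal network, guest and BYOD roles deny each other), written as an added example that is not part of the original posts or any Aruba tooling. The /24 masks, the internal ranges and the rule lists are constructed assumptions, and a role's rules are modelled as ordered first-match with an implicit deny at the end.

```python
import ipaddress as ip

# Subnets named in the thread; the /24 mask is an assumption (no mask is posted).
GUEST = ip.ip_network("192.168.103.0/24")
BYOD = ip.ip_network("192.168.102.0/24")
# Hypothetical internal ranges, constructed for this example.
INTERNAL = [ip.ip_network("10.0.0.0/8"), ip.ip_network("172.16.0.0/12")]
ANY = ip.ip_network("0.0.0.0/0")


def audit_role(rules, forbidden):
    """Return the forbidden networks a client in this role can still reach.

    rules: ordered (destination_network, action) pairs, evaluated first-match.
    A forbidden network is safe only if the first rule overlapping it is a
    deny that covers it completely; a permit, or a deny of only part of the
    network, is reported as a leak.
    """
    leaks = []
    for net in forbidden:
        for dest, action in rules:
            if not dest.overlaps(net):
                continue
            if not (action == "deny" and net.subnet_of(dest)):
                leaks.append(net)
            break  # first overlapping rule decides
        # No overlapping rule at all: the implicit deny applies, nothing leaks.
    return leaks


# Constructed rule sets. GUEST_BAD has permit-any ahead of its denies, and
# GUEST_PARTIAL denies only half of the BYOD subnet.
GUEST_GOOD = [(BYOD, "deny"), (INTERNAL[0], "deny"), (INTERNAL[1], "deny"),
              (ANY, "permit")]
GUEST_BAD = [(ANY, "permit"), (BYOD, "deny"), (INTERNAL[0], "deny")]
GUEST_PARTIAL = [(ip.ip_network("192.168.102.0/25"), "deny"), (ANY, "permit")]
BYOD_ROLE = [(GUEST, "deny"), (ANY, "permit")]

if __name__ == "__main__":
    for name, rules in [("good", GUEST_GOOD), ("bad", GUEST_BAD)]:
        print(name, [str(n) for n in audit_role(rules, [BYOD] + INTERNAL)])
```
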
Contributor II

Re: How to setup a guest SSID to distribute DHCP from the local controller

It sounds like we are on the same page with the VLan that using the VLans with an assigned IP address for each VLan is better design.

 

When you mentioned creating a "VLAN Pool" , I found instructions for creating a VLan Pool from: https://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Content/ArubaFrameStyles/Network_Parameters/Configuring_VLANs.htm

 

I would imagine that I will still need to create a DHCP Pool matching the IP address as well?  Just as I mentioned in my comments above, correct?   Just like how Renee Joissen suggested earlier in this question:

 

We do have multiple ports available on the controllers. Perhaps the best thing to do is plug in a connection from the DMZ VLan to an available port on the Aruba Controller and assign an IP address / Subnet Mask from the DMZ link and create a VLAN.  Then use that DMZ port for all Guest internet traffic while leaving the company internet traffic alone.  It was mentioned in https://community.arubanetworks.com/t5/Wireless-Access/Need-help-routing-internet-traffic-from-our-guest-and-corporate/td-p/16759   that one may just try to add static route for internal with a lower cost, then a static route for everything else (eg. 0.0.0.0) at a higher cost.  

 

 

 

Aruba Employee

Re: How to setup a guest SSID to distribute DHCP from the local controller

Hi Pkafkas,

 

VLAN pool was a mistake, I meant DHCP pool. A VLAN pool is not needed in this scenario.

 

You can either use a dedicated port for the DMZ connection, or just a VLAN on the normal uplink. 

 

But still you should figure out who is the gateway for the clients. My recommendation is to use the firewall in the DMZ as the router and simply bridge the clients on a L2 VLAN to the DMZ and the firewall there has to handle the rest. 

If the Controller is the gateway, you need a connection from the controller to the DMZ firewall and you would use Policy based routing to redirect traffic from the guest VLAN to this firewall.

 

BR

Florian

visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
Contributor II

Re: How to setup a guest SSID to distribute DHCP from the local controller

I found a reference to PBR in the ArubaOS 8.3.0.x User Guide.pdf

 

It is over 11,000 pages.  For our purposes it is just as simple as:

 

1.  Setup DHCP Pools for each guest SSID.

      a.  Setup 2 SSID (WLans).

 

2.  Setup 2 Vlans, 1 for each guest/byod SSID.

     a.  Assign the default 192.168... address from the DHCP Pool to the VLan's IP address.

 

3.  Setup a L2 connection on an available port on the Aruba Controller to connect to the DMZ.

      a.  Create a VLAN on the Aruba Controller for the DMZ

      b.  Assign an available DMZ IP address to that new DMZ VLAN on the Aruba Controller.

 

4.  Creating a PBR policy for the 2 x IP schemes used for guest and BYOD access to route access level to the DMZ Destination?

      a.  As indicated in the Microsoft Word Document attached?

      b.  Indicate the source and destination networks.

      c.  Indicate the user role on the Aruba Controller.

 
