Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multiple ESSIDs and VLANs over two-controller tunnel

  • 1.  Multiple ESSIDs and VLANs over two-controller tunnel

    Posted Mar 29, 2015 10:08 PM

    Hello all,

    I've got a two-controller setup currently, with one in the office, and one at our data centre. The office controller has two SSIDs: one for corporate, which puts the traffic on the local network, and one for guest Internet access, which tunnels the traffic down to the data centre controller and goes out to the Internet from there. It uses Captive Portal with internal accounts for guest access.

    I'd like to add another SSID for corporate users' phones, which would also tunnel to the data centre and allow them to access the Internet from there, also through Captive Portal, but with RADIUS auth instead of internal. There will also be different firewall policies applied, so it definitely needs to be a different VLAN and SSID.

    I've set up the new corporate SSID in the office, and I can see the traffic tunneling down to the data centre, but the user is getting the guest access user role, rather than the corporate user role. I can't seem to find where I tell it that when access is coming from the guest VLAN or SSID, to use the guest role, and when it's coming from the corporate VLAN or SSID, to use the corporate role.

    Can anyone advise?

    Cheers,
    John Moe



  • 2.  RE: Multiple ESSIDs and VLANs over two-controller tunnel

    EMPLOYEE
    Posted Mar 29, 2015 10:13 PM

    Do you have a GRE tunnel to transport traffic between controllers for that SSID?  Is one side of the tunnel untrusted?

     



  • 3.  RE: Multiple ESSIDs and VLANs over two-controller tunnel

    Posted Mar 29, 2015 10:17 PM

    Yes, there is an existing GRE tunnel between the two controllers, which is (and has been for a while) working fine for guest access. It is configured for both VLANs, and the data centre tunnel is configured as untrusted, office side is trusted.



  • 4.  RE: Multiple ESSIDs and VLANs over two-controller tunnel

    EMPLOYEE
    Posted Mar 29, 2015 10:24 PM

    Making one side of a tunnel untrusted means that the controller will put the traffic leaving the tunnel into the role under Configuration > Advanced Services > Wired Access.  If that role is a captive portal role, and that far side of the tunnel is untrusted, that means that both sets of traffic in the same tunnel are being placed into the same captive portal role.  You would have to create a separate tunnel that is trusted and place the new VLAN's traffic into that tunnel.



  • 5.  RE: Multiple ESSIDs and VLANs over two-controller tunnel

    Posted Mar 29, 2015 11:06 PM

    Oh, well I thought I had found it; in the VLAN, I can specify a wired AAA profile, and gave it my corp profile. Now my phone gets the correct user role and profile. But while I'm getting an IP address, and can use Fing to see My Phone, the Aruba controller, and the PAN firewall on that VLAN, when I try to browse, it's not giving me the Captive Portal logon page. Can I use the "Wired AAA Profile" selection in the VLAN? Or do I need to change it to two tunnels?



  • 6.  RE: Multiple ESSIDs and VLANs over two-controller tunnel

    Posted Apr 06, 2015 04:43 PM

    I was able to use the Wired AAA Profile of the VLAN to make this work. It turned out to be a problem with the firewall rules after all; the security group re-checked and found some problems, and once they were fixed, everything started to work.