Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Problem configuring captive portal with private address space

  • 1.  Problem configuring captive portal with private address space

    Posted Aug 25, 2016 11:28 AM

    Hello,

    I have two controllers (master=7210 & local=7240 running 6.4.3.4) and I'm trying to create a new guest access network with a captive portal using private address space that resides only on the local controller.  This will be natted to a public address in our dmz.  After I create this config with captive portal turned on using the wlan wizard, my test client retrieves an address from the local dhcp server but the captive portal login page never appears.  It seems like a routing issue.  My test client cannot ping the default gateway address which resides on the local controller.  I have created whitelist entries as a test for my entire network.  Do the controllers need to be on the same private subnet?  The controllers can communicate on their management addresses.  Thanks.



  • 2.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 01:29 PM

    Does your controller have an ip address on the guest vlan?  If yes, do this command on that local controller:

    config t
    ip cp-redirect-address <ip address of controller on guest vlan>



  • 3.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 01:35 PM

    Thanks for your response.  Yes, my local controller has an address within the guest vlan.  The master does not.  I've added that command on my local but my test client still does not receive the captive portal upon connecting to the ssid.  



  • 4.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 01:45 PM

    Can that client on your local controller resolve DNS?



  • 5.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 01:52 PM

    No, dns is failing for the client.  In my guest logon role, I do have a temporary "any any permit" policy and the captive portal profile has a whitelist entry for my entire internal address space.  The private address of the controller in my guest vlan is reachable from the rest of my network.



  • 6.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 02:00 PM

    DNS is essential.

    Just in case routing to your guest network is not working, as a temporary workaround, you can do:

    config t
    interface vlan <guest vlan number>
    ip nat inside

    So that any user traffic should be natted out of the controller.



  • 7.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 02:03 PM

    Thanks again.  I do have source nat enabled for the guest vlan.



  • 8.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 02:49 PM

    Then the default gateway of your guest clients needs to be the ip address of the controller on that guest subnet.



  • 9.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 02:55 PM

    I'm using the internal dhcp server on the local controller and it's configured to deliver its internal address on the same vlan as the default gateway to clients.

    Not sure if this helps, but if I manually move my client into the authenticated role with:

    aaa user add [internal address of client] role [authenticated role name]

    I still don't get Internet access.  DNS and pinging the default gateway still fail.  The authenticated role has the same "any any permit" policies and source nat is enabled on the guest vlan ip interface.



  • 10.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 03:19 PM

    Ok, I have found something.  If I remove a related nat pool entry, dns begins to work.  I haven't fully tested this.  In this particular case for this guest network I need to source nat onto our dmz.  The local controller has an interface on this network which is different than the default management address being used for source nat.  Any advice on how to source nat out a different interface?  



  • 11.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 03:23 PM

    Are you using a nat pool entry or ip nat inside?  You might have to contact TAC so that they can get all the information about what you have and what you are trying to do.  I'm just guessing based on the limited information that you can publish on the forum here...



  • 12.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 03:21 PM

    If you are using ip nat inside, your guest traffic will take the path that the controller would to the internet.  If traffic from the ip address of your controller is restricted, the natted guest traffic will also be restricted.  Try this on the controller command line:

    config t
    ip name-server 8.8.8.8
    ip domain-name test.com
    ip domain-lookup  (no need to reboot even though it says so)

    Then try to ping www.yahoo.com.  If it does not resolve, your controller itself is blocked from the internet.



  • 13.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 03:31 PM

    Thanks.  I think I'm beyond that for the moment, not sure if you saw my previous reply.  I've now turned off source nat on the guest vlan interface.

    I have a nat pool configured with an appropriate address for my dmz, my dmz firewall has been updated with appropriate rules.

    On the master controller, I've created a server auth group with server rules to assign my test client to a specific role.  That specific role has a policy that says to source nat to the dmz nat pool.  When I look at the specific role on the local controller, that particular policy has 0 rules in it.  Is that normal?  The local controller has an interface connected to the dmz and configured with an ip address in my dmz range.  The master does not.

    Is there a best practice for source natting to a different interface (other than management interface)?  And while I'm asking, this is going to be for a larger audience than guests and I'd prefer to source nat to multiple addresses.  Can I create a server rule that matches a range of addresses or subnet?  Thanks again.



  • 14.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 03:37 PM

    Maybe you didn't type "write mem" or save configuration on the master?  That would be why the local has no acls.

    In addition, nat pools are created and referenced locally on controllers.  If you created it on the master controller, you need to create a pool of the same name on the local controller to make it work.

    ***You probably need to speak to someone, possibly a VAR who can help you design a solution knowing your topology or what you are trying to do.  You can get advice from the forum, but it could take longer and be frustrating based on the interlocking pieces you have in this solution.  Anything that we advise here could also break something you already have configured...



  • 15.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 03:41 PM

    Thanks.  I appreciate the warning.  It seems that the nat pool is applied on the master using "ip access-list session [policy name]" but on the local when I try to create or modify it, the local controller gives me an error on the word "session".  



  • 16.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 03:48 PM

    @abowen500 wrote:

    Thanks.  I appreciate the warning.  It seems that the nat pool is applied on the master using "ip access-list session [policy name]" but on the local when I try to create or modify it, the local controller gives me an error on the word "session".  


    On the local controller, you cannot modify an ACL.  You can only modify the pool after you have already named it.  It seems like you are jumping through hoops just to have traffic go in the right direction.  Do you already have a separate circuit for the guest network (like a cable modem) or are you trying to put it out of your existing corporate network?



  • 17.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 03:39 PM

    @abowen500 wrote:

    Thanks.  I think I'm beyond that for the moment, not sure if you saw my previous reply.  I've now turned off source nat on the guest vlan interface.

    I have a nat pool configured with an appropriate address for my dmz, my dmz firewall has been updated with appropriate rules.

    On the master controller, I've created a server auth group with server rules to assign my test client to a specific role.  That specific role has a policy that says to source nat to the dmz nat pool.  When I look at the specific role on the local controller, that particular policy has 0 rules in it.  Is that normal?  The local controller has an interface connected to the dmz and configured with an ip address in my dmz range.  The master does not.

    Is there a best practice for source natting to a different interface (other than management interface)?  And while I'm asking, this is going to be for a larger audience than guests and I'd prefer to source nat to multiple addresses.  Can I create a server rule that matches a range of addresses or subnet?  Thanks again.


    Why would you need a server rule for a guest network?  What are you attempting to match?  The priority is first get traffic to pass so that you can even get DNS to resolve, which is essential for the Captive Portal to come up.  No Captive Portal = No guest network.  Getting the portal to come up is the priority.

    With regards to the DMZ, you might want to have that DMZ controller's default gateway be the next hop to the internet, and have static routes to anything else internal.



  • 18.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 03:45 PM

    I agree, we need to use the captive portal and I'm going to circle back to verify it's working as intended.  I was steered in the direction of server rules to do many to many source nat.  We're anticipating multiple simultaneous events bringing hundreds if not thousands of attendees and would like to nat using multiple source addresses, roughly 200 to 1.



  • 19.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 03:49 PM

    @abowen500 wrote:

    I agree, we need to use the captive portal and I'm going to circle back to verify it's working as intended.  I was steered in the direction of server rules to do many to many source nat.  We're anticipating multiple simultaneous events bringing hundreds if not thousands of attendees and would like to nat using multiple source addresses, roughly 200 to 1.


    Do you have a guest network working right now, or you are building it from scratch?  If it is currently working, can you just expand it to provide capacity?  It would keep you from having to reinvent the wheel...



  • 20.  RE: Problem configuring captive portal with private address space

    Posted Aug 25, 2016 03:56 PM

    Yes, we have a new dmz connection for the controllers where we want to dump guest traffic.  This is a new build.  I see my internal addresses on my dmz network in firewall logs.  My traffic is getting there but it seems that my source nat to the dmz address is not quite working yet.  Should my source nat policy be the first (well, third) firewall policy in my user role?



  • 21.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 04:30 PM

    Honestly, source-natting via ACL out of the controller just complicates whatever issue you have.  The best way to deploy guest traffic is to make it a fully routable subnet where an external device does the source natting and is the default gateway of your guest traffic, like a firewall.  Source natting using the controller can be inflexible, especially when you need to do it on multiple controllers.  I would choose a device downstream that is already doing the natting and put the guest traffic on a VLAN where that device is the default gateway.  That will keep routing and source natting from interfering with management traffic and other authentication you would have to do.



  • 22.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 25, 2016 04:32 PM

    @abowen500 wrote:

    Yes, we have a new dmz connection for the controllers where we want to dump guest traffic.  This is a new build.  I see my internal addresses on my dmz network in firewall logs.  My traffic is getting there but it seems that my source nat to the dmz address is not quite working yet.  Should my source nat policy be the first (well, third) firewall policy in my user role?


    If your internal traffic is getting to the firewall, is the firewall returning the traffic?  Maybe the firewall does not know how to return the traffic to the controller based on source ip?



  • 23.  RE: Problem configuring captive portal with private address space

    Posted Aug 26, 2016 03:35 PM

    So I am pretty close to getting this to work the way I need it.  Thanks for your help.  One last thing that I'm struggling with is source nat.  I have a nat pool defined with:

    ip nat pool pool1 x.x.60.205 x.x.60.210 x.x.60.254

    This is on tagged vlan 60 and x.x.60.254 is the router interface/default gateway for this vlan on a different box.  I found tons of conflicting info from the forums on how this nat pool should be configured so I may still have it wrong.  My controller has address x.x.60.201 on this vlan.

    It does not seem that my traffic is actually egressing the controller on vlan 60.  Is there any way I can verify this from the controller?



  • 24.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 26, 2016 06:25 PM

    First things first:   Do you have a diagram or a design that you can publish here?  Otherwise the advice you receive here is just going to be a hodgepodge of suggestions for things that really don't apply to what you want to do.

    The reason you are seeing conflicting advice is that there is no way to understand if it applies to your design.



  • 25.  RE: Problem configuring captive portal with private address space

    Posted Aug 29, 2016 11:55 AM

    Sure thing and thanks again.  I've included a logical & physical diagram.  Sorry for the poor quality in advance but I think it shows enough detail to describe what I'm trying to do.

    Guest clients are getting a dhcp assigned address in the 172.30.112.0/24 range.  These clients are NATted to the x.x.60.205 through x.x.60.210 range and should egress the controller via its vlan 60 x.x.60.201 interface (labeled B).  The NAT seems to work but guest traffic leaves the controller via its default gateway/management interface (labeled A).

    The physical diagram shows that we are using a port channel and tagging all the vlans to the same physical ports, just in case that's relevant.  The only layer 3 router interface for the DMZ 

    Attachment: 0046_001.pdf (55 KB)


  • 26.  RE: Problem configuring captive portal with private address space

    Posted Aug 29, 2016 11:58 AM

    My last sentence got truncated.  It should say:

    "The only layer 3 router interfaces for the DMZ network vlan 60 are on the DMZ router itself and the controller.  Vlan 60 is being passed through at layer 2."



  • 27.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 29, 2016 01:59 PM

    I see your diagram.

    My first question is: is any of this already existing or production right now, or is this a new design?



  • 28.  RE: Problem configuring captive portal with private address space

    Posted Aug 29, 2016 02:02 PM

    The guest network is new.  Everything else is in production.



  • 29.  RE: Problem configuring captive portal with private address space
    Best Answer

    Posted Aug 29, 2016 03:46 PM

    Hmm, it seems to be working now.  I removed and re-added a next hop list with a policy based route acl and now my traffic is leaving the controller on the dmz vlan 60 interface.  Not sure what I did differently.  I'd still appreciate any insight into the configuration for this, in case I missed something.  I've configured this for exactly one ip address and need to scale it up to the entire subnet, too.

    I may also have to make the guest pool larger and would prefer to scale say 200 users or one /24 to one dmz address.  I was thinking of using server rules to map different source address subnets to 1 of 8 user roles that are configured with different source nat addresses.  I read that the nat pool does not evenly distribute traffic across the entire pool.  Is this still true?  What I read said that all ip traffic is natted to the first address in the pool.  Any other addresses in the pool are used for non-ip traffic.



  • 30.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 29, 2016 11:02 PM

    @abowen500 wrote:

    Hmm, it seems to be working now.  I removed and re-added a next hop list with a policy based route acl and now my traffic is leaving the controller on the dmz vlan 60 interface.  Not sure what I did differently.  I'd still appreciate any insight into the configuration for this, in case I missed something.  I've configured this for exactly one ip address and need to scale it up to the entire subnet, too.

    I may also have to make the guest pool larger and would prefer to scale say 200 users or one /24 to one dmz address.  I was thinking of using server rules to map different source address subnets to 1 of 8 user roles that are configured with different source nat addresses.  I read that the nat pool does not evenly distribute traffic across the entire pool.  Is this still true?  What I read said that all ip traffic is natted to the first address in the pool.  Any other addresses in the pool are used for non-ip traffic.


    If natting to a pool, 65,000 sessions need to be consumed before it will move onto the next ip address in the pool.  To avoid this, perhaps you should have the firewall do the natting and the controller just bridge to a larger subnet that would be routed to a firewall that does the natting.  In an extended application, you would leave the 7240 controller "inside" and then tunnel guest traffic using a GRE tunnel to an Aruba controller in the DMZ, where it would be natted by a firewall.  That way you would segment portions of the operation that could be serviced separately.  It would also allow you to design the network, but still allow others to service their part of the network once it is up and running.

    There is an example of GRE tunneling to a DMZ controller here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-redirect-guest-access-across-a-GRE-tunnel-to-a-DMZ/ta-p/183468 and here:  http://community.arubanetworks.com/t5/Aruba-Solution-Exchange/L2-GRE-to-DMZ-controller-with-Captive-Portal-SSID/ta-p/202649



  • 31.  RE: Problem configuring captive portal with private address space

    Posted Aug 30, 2016 08:17 AM

    Thanks again.  I don't have another controller to locate in my DMZ.  Dumb question:  would I be able to create a GRE tunnel between my local controller and a non-Aruba controller device such as a router?



  • 32.  RE: Problem configuring captive portal with private address space

    EMPLOYEE
    Posted Aug 30, 2016 08:47 AM