Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Source NAT pool combined with routing

  • 1.  Source NAT pool combined with routing

    Posted May 24, 2017 10:05 AM

    Situation:

    • Client connects on wireless Guest network on remote office (local controller)
    • Client gets redirected to Clearpass (10.10.10.1)
    • Connection is routed through ipsec tunnel

    Problem:

    • It is not possible to create a route back to the client range (overlapping ranges)
    • It is not possible to create a route back to the local controller (overlapping ranges)

    To bypass the overlapping ranges-issue, a dummy ip and vlan were created on the local controller.

    This is used for radius packets:

    2017-05-24_15h52_11.png

    For Radius this is working fine.

     

    We also want to use this for showing the guest portal to the client.

    Tried to change the Policy

    • adding a 'route' rule:
      2017-05-24_15h55_22.png
      This results in a connection to the clearpass, but with the 'controller ip' instead of the 'dummy ip' (so the routing back doesn't work)
    • adding a 'source nat' rule:
      2017-05-24_15h57_44.png
      This doesn't even result in a connection to the clearpass, or doesn't show a connection on the controller (using show datapath session table <clientip>)

    Any idea on how to combine both? (using routing with a source nat, defined by the source nat pool)

     

    An overview drawing can be found below: 2017-05-24_15h41_31.png



  • 2.  RE: Source NAT pool combined with routing

    Posted May 24, 2017 03:41 PM

    Can you share the following please:

     

    show ip nat pool

    show ip interface brief

     

     



  • 3.  RE: Source NAT pool combined with routing

    Posted Jun 20, 2017 06:57 AM

    Hi Clembo,

    Please find the output below.

     

    (Local) #show ip nat pool

    NAT Pools
    ---------
    Name            Start IP        End IP          DNAT IP  Flags
    ----            --------        ------          -------  -----
    nat_dummy_ip    192.168.238.10  192.168.238.10  0.0.0.0
    dynamic-srcnat  0.0.0.0         0.0.0.0         0.0.0.0


    (Local) #show ip interface brief

    Interface  IP Address / IP Netmask         Admin  Protocol
    vlan 2     192.168.10.254 / 255.255.255.0  up     up
    vlan 1     10.10.0.10 / 255.255.255.0      up     up
    vlan 1000  192.168.238.10 / 255.255.255.0  up     up
    loopback   unassigned / unassigned         up     up
    mgmt       unassigned / unassigned         up     down