Re: [Tutorial] Guest only solution using IAP-GRE tunnel with Controller #mhc

I came up with this mainly for guest-only. It is possible to have corp as well and you could break out the corp traffic locally, but crucially the internet traffic must go into the tunnel.

 

It is sort of easier to understand if everything goes into the tunnel.

 

Feel free to give it some kudos. ;)


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294

Re: [Tutorial] Guest only solution using IAP-GRE tunnel with Controller #mhc

Hello
I was wondering if this scenario is possible:
having one controller in a central site
having many Instant clusters in different sites
using the internet of each remote site after authenticating?

I can easily achieve this in a normal controller-based environment with split tunnel. But is it possible to do this somehow with this?
I mean that the internet being used at the remote site is the one at the remote site, and not the one at the central site.

cheers
Carlos
----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: [Tutorial] Guest only solution using IAP-GRE tunnel with Controller #mhc


@NightShade1 wrote:
Hello
I was wondering if this scenario is possible:
having one controller in a central site
having many Instant clusters in different sites
using the internet of each remote site after authenticating?

I can easily achieve this in a normal controller-based environment with split tunnel. But is it possible to do this somehow with this?
I mean that the internet being used at the remote site is the one at the remote site, and not the one at the central site.

cheers
Carlos

Hi Carlos,

 

Unfortunately this is not possible due to the way that captive portal works. Even if you have the DNS traffic tunneled through the central controller, it still won't work. What happens with captive portal is this:

 

  1. Client opens browser and does a DNS lookup for whatever site.
  2. Response received from DNS.
  3. Then client opens HTTP to site.  --> This will go out the internet route.
  4. Controller hijacks the HTTP and sends an http-redirect back to the client which says "site has moved to securelogin.arubanetworks.com".
  5. Client does a DNS lookup for securelogin.arubanetworks.com.
  6. Controller spoofs the response and gives its own address.
  7. Client opens HTTP to controller and captive portal is presented.

So basically, because of step 3, this traffic must go through the controller in order to send the http-redirect, and hence get the captive portal.

 

I did try exactly what you suggested, but it doesn't work.  All internet traffic must be tunnelled through the controller.

 

Hope that helps.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
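The seven steps in the reply above can be modelled to show why tunnelling only DNS does not help. This is an added illustration, not part of the original thread; the policy names and the forwarding model are assumptions, and only the portal hostname comes from the post.

```python
# Added illustration (not from the thread): which captive-portal steps need
# the controller on the packet path. Policy names and the model are assumptions.
TUNNEL, LOCAL = "gre-tunnel", "local-breakout"

# (step, what the client sends, traffic class, controller action that depends on it)
STEPS = [
    (1, "DNS lookup for the requested site", "dns", None),
    (3, "HTTP request to the site", "http", "step 4: hijack and send http-redirect"),
    (5, "DNS lookup for securelogin.arubanetworks.com", "dns",
     "step 6: spoof the response with its own address"),
    (7, "HTTP request to the controller", "portal", "step 7: present captive portal"),
]

# Constructed forwarding policies: traffic class -> path out of the IAP.
POLICIES = {
    "everything tunnelled": {"dns": TUNNEL, "http": TUNNEL, "portal": TUNNEL},
    "local internet breakout": {"dns": LOCAL, "http": LOCAL, "portal": TUNNEL},
    "DNS tunnelled, HTTP local": {"dns": TUNNEL, "http": LOCAL, "portal": TUNNEL},
}

def walk_flow(policy):
    """Return (portal_shown, failed_step, trace) for an unauthenticated client."""
    trace = []
    for step, desc, tclass, controller_action in STEPS:
        path = policy[tclass]
        trace.append(f"step {step}: {desc} -> {path}")
        # The controller can only act on packets that reach it through the tunnel.
        if controller_action and path != TUNNEL:
            trace.append(f"  controller never sees this, so no {controller_action}")
            return False, step, trace
    return True, None, trace

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        shown, failed, trace = walk_flow(policy)
        print(f"{name}: portal shown={shown}, fails at step {failed}")
        print("\n".join(trace))
```

Both split-tunnel variants stop at step 3, matching the reply: the redirect in step 4 can only be sent if the client's first HTTP request reaches the controller.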

Re: [Tutorial] Guest only solution using IAP-GRE tunnel with Controller #mhc

Dear,

 

This is working fine when we use the per-AP tunnel. But if we want to configure the GRE tunnel from the VC address, this isn't working anymore: all clients connected to the master IAP (which has the VC address at the moment) can work without any problem, but if there is a client on an IAP other than the master, the connection through the tunnel fails. Traffic is not redirected to the tunnel between VC-IP and controller-IP.

What I understand is that all traffic should be redirected to the master IAP, which will send the traffic through the tunnel. Is this correct?

 

Am I missing something? Is there a special configuration needed for this to work?

 

 

EDIT: Discard my question, the customer didn't tag the Guest VLAN on the uplink ports...

 

Kind regards,

Thomas
ACMX#370 ACCX#1000 ACDX#1071 AMFX#74
