Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Use external DHCP server for VIA clients

  • 1.  Use external DHCP server for VIA clients

    Posted Nov 02, 2018 04:42 PM
    Hi all,

    I have 7210 controllers with latest IOS; they currently use L2TP pools when users utilise the VIA client on our VPN.

    The pools work fine, but I would like to assign the addresses they get via an external server on our network. It's external in the sense that it's not a DHCP pool on the controller; it will be a Windows server with the DHCP service enabled.

    So ideally the flow would be:

    Users connect through VIA
    Hit ClearPass and are given a role
    Role in the controller is set to use DHCP (not the current L2TP pool)
    The Windows DHCP server assigns the address

    Is there a way to configure the above? :-)


  • 2.  RE: Use external DHCP server for VIA clients

    EMPLOYEE
    Posted Nov 02, 2018 04:46 PM

    No.  VIA clients can only acquire an IP address from a pool.  That pool can include IP addresses in a subnet on an IP interface of the controller and work just fine.  You could exclude some IP addresses from the DHCP pool and only supply those addresses via the L2TP address pool.



  • 3.  RE: Use external DHCP server for VIA clients

    Posted Nov 02, 2018 05:09 PM
    Thanks for your response

    My real issue is that we assign a DHCP reservation for some of our users to keep the same IP address every time they log in.

    This then allows a firewall rule giving that IP address unique access to part of our network.

    This is only needed for a couple of our users ... but is still needed.

    A DHCP reservation from a Windows server is all I can think of so far ... but if it can't be done, maybe something more elegant using ClearPass? Maybe that user has a custom security group in AD and then ClearPass directs them to a static address, etc.?

    Thanks


  • 4.  RE: Use external DHCP server for VIA clients

    EMPLOYEE
    Posted Nov 02, 2018 05:17 PM

    This might be a pain, but you can try it:


    Create 1 pool with only the IP address you need for the first user

    Create another pool with only the IP address you need for the second user

    Create a role for the first user and attach the first VPN pool to that role

    Create another role and attach the second VPN pool to that role

    [Screenshot attached to the original post: Screenshot 2018-11-02 at 16.13.48.png]

    When the first user authenticates with VIA, the RADIUS server should return the aruba-user-role attribute with the first role and assign the first pool

    When the second user authenticates with VIA, the RADIUS server should return the aruba-user-role attribute with the second role and assign the second pool.

    For everyone else you do not return a role, and they should get the default pool

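The procedure in reply 4 written out as configuration, as an added example that is not part of the thread and not HPE Aruba Networking's own documentation. It shows one single-address pool per user, a per-user role that carries that pool, a default role with the shared pool, and the ClearPass enforcement side that returns the role. Pool names, role names, usernames and the 10.20.30.0/24 addresses are assumptions; the CLI syntax (ip local pool, user-role with pool l2tp, session-acl) is written from memory of ArubaOS and should be checked against the release running on the 7210s before use.

```text
! Added example (assumed ArubaOS syntax), not from the original thread.
! Goal: user "alice" always gets 10.20.30.11, "bob" always gets 10.20.30.12,
! everyone else draws from the shared pool.

! Single-address pools: start and end address are the same, so the pool can
! only ever hand out that one address.
ip local pool "via-pool-alice"   10.20.30.11 10.20.30.11
ip local pool "via-pool-bob"     10.20.30.12 10.20.30.12

! Shared pool for all other VIA users. Its range deliberately excludes
! .11 and .12 so the fixed addresses can never be handed to someone else.
ip local pool "via-pool-default" 10.20.30.50 10.20.30.250

! One role per fixed-address user. The role is what the RADIUS reply
! (Aruba-User-Role) selects, and the pool hangs off the role.
user-role "via-alice"
   pool l2tp "via-pool-alice"
   session-acl allowall
!
user-role "via-bob"
   pool l2tp "via-pool-bob"
   session-acl allowall
!
! Default role for VIA users who get no Aruba-User-Role back.
user-role "via-default"
   pool l2tp "via-pool-default"
   session-acl allowall
!

! --- ClearPass side (described, not CLI) -------------------------------
! Enforcement profiles (RADIUS type), one per fixed-address user:
!   "VIA-Role-alice": Radius:Aruba  Aruba-User-Role = via-alice
!   "VIA-Role-bob":   Radius:Aruba  Aruba-User-Role = via-bob
!   (Aruba vendor ID 14823, Aruba-User-Role is VSA number 1)
!
! Rules added to the EXISTING enforcement policy, evaluated before the
! catch-all. <only-VIA> stands for the extra condition reply 8 asks for,
! i.e. something that is true for the VIA RADIUS request but not for the
! same user's 802.1X request; the thread leaves its choice to the admin.
!   1. (Authentication:Username EQUALS alice) AND <only-VIA>  -> VIA-Role-alice
!   2. (Authentication:Username EQUALS bob)   AND <only-VIA>  -> VIA-Role-bob
!   default: existing profile, no Aruba-User-Role, controller applies
!            its configured VIA default role (via-default above)
```

Two things to check after applying it: on the controller, the entry for the user in show user-table should list the per-user role and the fixed address; and the firewall rule that keys on 10.20.30.11 only holds as long as that address is reachable without source NAT on the controller, which is the point raised later in this thread for pools that are not on a controller VLAN.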



  • 5.  RE: Use external DHCP server for VIA clients

    Posted Nov 02, 2018 06:11 PM
    We're using ClearPass ... would this need a custom attribute in Active Directory so that ClearPass can recognise the individual users that require this special pool?


  • 6.  RE: Use external DHCP server for VIA clients

    EMPLOYEE
    Posted Nov 02, 2018 06:27 PM

    You would not.


    In ClearPass you could add an enforcement policy rule that says "authentication username equals <that username>" and then execute the enforcement policy that would send back the aruba-user-role attribute.

    I would contact TAC to get you squared away with that so that you do not affect the user's regular 802.1x authentication.  Again, this is complex.  I would try to get the VIA certificate authentication working on the default port first, which is equally complicated.



  • 7.  RE: Use external DHCP server for VIA clients

    Posted Nov 02, 2018 06:41 PM
    Ah ok - that sounds good.

    Would this simply be an enforcement policy additional to the current profile that matches a username, then sends a custom role depending on whether the user matches the username ... and if it does not match, the user simply gets the normal role?

    Thanks


  • 8.  RE: Use external DHCP server for VIA clients
    Best Answer

    EMPLOYEE
    Posted Nov 02, 2018 07:02 PM

    It would be a LINE in the current enforcement policy, and it would send back an enforcement profile that returns the role.  Again, those users also authenticate via 802.1x so you would have to have an additional condition to differentiate between 802.1x authentication and VIA authentication.



  • 9.  RE: Use external DHCP server for VIA clients

    Posted Nov 03, 2018 03:35 AM
    Thanks :-)


  • 10.  RE: Use external DHCP server for VIA clients

    Posted Jul 03, 2019 03:21 AM

    Hello Everyone!

    I was searching for this issue, and I can see that it apparently cannot be done (use an external DHCP server for VIA). But here is the kicker for me: how does the VIA client get its default gateway?

    After VIA establishes the IPsec point-to-point tunnel to the controller, how can I handle traffic and send it to a firewall for traffic filtering and routing? If I were able to use external DHCP for the VIA client, then I could push down the default gateway, but in this scenario I apparently cannot do that.

    Basically the scenario I want to achieve is kind of like when you have wireless access and a controller in L2 mode. The associated wireless client (in our case the VIA client) traffic is sent to the controller through the AP GRE tunnel (in our case the IPsec tunnel) and then gets sent to the default gateway for routing.


    Can this be done?


    Br.

    Daniel



  • 11.  RE: Use external DHCP server for VIA clients

    EMPLOYEE
    Posted Jul 03, 2019 07:22 AM

    Since the IP address is supplied via an IPsec pool, there is no default gateway, per se.  If the IPsec pool is in the IP address range of a VLAN on the controller, it will use the default gateway on that VLAN.  If the IPsec pool is not on a VLAN on the controller, you need to source-NAT the client traffic via an ACL.
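The two cases in reply 11 side by side, as an added example that is not the responder's configuration and not HPE Aruba Networking documentation. The VLAN, pool and ACL names and the address ranges are assumptions, and the CLI syntax (interface vlan, ip local pool, ip access-list session with the src-nat action, user-role) is written from memory of ArubaOS and should be verified on the target release.

```text
! Added example (assumed ArubaOS syntax), not from the original thread.

! Case A: pool lives inside a controller VLAN subnet.
! The controller already has 10.20.30.1/24 on VLAN 30, so a VIA client
! that receives 10.20.30.x is on-net from the controller's point of view
! and its traffic leaves through VLAN 30's gateway. No NAT; upstream
! firewalls see the client's real pool address.
interface vlan 30
   ip address 10.20.30.1 255.255.255.0
!
ip local pool "via-pool-onnet" 10.20.30.50 10.20.30.250
!
user-role "via-onnet"
   pool l2tp "via-pool-onnet"
   session-acl allowall
!

! Case B: pool is NOT on any controller VLAN.
! Nothing upstream knows how to route 172.31.200.0/24 back to the
! controller, so client traffic is source-NATed to the egress VLAN
! address as it leaves. The firewall then sees the controller's
! interface address, not the client's pool address.
ip local pool "via-pool-offnet" 172.31.200.1 172.31.200.254
!
ip access-list session via-srcnat
   any any any src-nat
!
user-role "via-offnet"
   pool l2tp "via-pool-offnet"
   session-acl via-srcnat
!
```

For the original poster's goal (a firewall rule keyed on one user's fixed address) only case A works as intended: under case B the src-nat action hides the per-user pool address behind the controller's egress interface, so the per-user pool from reply 4 has to be carved out of a subnet that is configured on a controller VLAN, as reply 2 already suggests.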