Expect severe issues with captive portal and non-public trusted certificates. Users will need to click through warnings, and some devices like modern Apple devices will refuse to automatically redirect. If it works, you are lucky.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 27, 2022 07:59 PM
From: owais iqbal
Subject: RAP with Guest - Split tunnel or tunnel
Please ignore my previous post about redirect. It's solved; actually the logout window popup was appearing before the main window, so I got the impression redirection wasn't working. I disabled it under L3 Auth -> Captive portal.
Original Message:
Sent: 7/27/2022 4:22:00 PM
From: cjoseph
Subject: RE: RAP with Guest - Split tunnel or tunnel
While the client is doing an nslookup, you can type "show datapath session table <ip address of client>". It will show any sessions to/from that client and the tcp ports used. You will want to make sure that the "bytes" column has traffic on both the outbounds and inbounds sessions.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
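The check described in the reply above (both the outbound and the inbound session for the client must show a non-zero "bytes" column) can be automated over saved CLI output. The following Python is an added example, not code from the thread or from Aruba; the session-table text it parses is a constructed sample that only approximates the ArubaOS column layout (Source, Destination, Prot, SPort, DPort, ..., Packets, Bytes, Flags), and the client address 10.10.20.15 and the "D - deny" flag interpretation are assumptions for the example.

```python
"""Verify from 'show datapath session table <client-ip>' output whether a
client's traffic to a service really flows in both directions."""
import re

# Constructed sample approximating "show datapath session table 10.10.20.15"
# on an ArubaOS controller. The column layout is an assumption for this
# example, not a capture from a real device. 10.10.20.15 is the hypothetical
# guest client; 10.10.20.1 the controller's VLAN interface / DHCP server.
SAMPLE_OUTPUT = """\
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT, D - deny, I - inbound, C - client

Source IP or MAC  Destination IP  Prot SPort DPort  Cntr     Prio ToS Age Destination TAge Packets Bytes Flags
----------------  --------------  ---- ----- -----  -------  ---- --- --- ----------- ---- ------- ----- -----
10.10.20.15       10.10.20.1      17   68    67     0/0      0    0   2   local       2    2       684   FC
10.10.20.1        10.10.20.15     17   67    68     0/0      0    0   2   local       2    2       648   FI
10.10.20.15       8.8.8.8         17   52311 53     0/0      0    0   1   tunnel 10   1    3       210   FSC
8.8.8.8           10.10.20.15     17   53    52311  0/0      0    0   1   local       1    3       375   FI
10.10.20.15       8.8.8.8         1    2048  0      0/0      0    0   1   local       1    4       240   FCD
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A session row starts with two IPv4 addresses followed by the protocol number;
# header, legend and separator lines do not match.
ROW_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+\d+\s+")


def parse_sessions(text):
    """Return one dict per session row; non-session lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue
        parts = line.split()
        if len(parts) < 13:
            continue
        # Fixed columns at the start and at the end; the Destination column in
        # between may itself contain a space (e.g. "tunnel 10"), so it is
        # whatever is left over.
        src, dst, prot, sport, dport = parts[:5]
        _tage, packets, byte_count, flags = parts[-4:]
        sessions.append({
            "src": src, "dst": dst, "prot": int(prot),
            "sport": int(sport), "dport": int(dport),
            "dest": " ".join(parts[9:-4]),
            "packets": int(packets), "bytes": int(byte_count), "flags": flags,
        })
    return sessions


def service_summary(sessions, client_ip, proto, port=None):
    """Sum bytes on outbound (client -> service) and inbound (service -> client)
    sessions for one protocol/port. 'denied' is set if any outbound session
    carries the D (deny) flag, i.e. the user role's ACL dropped it rather than
    forwarding it. 'bidirectional' is the condition from the reply above."""
    out_bytes = in_bytes = 0
    denied = False
    for s in sessions:
        if s["prot"] != proto:
            continue
        if s["src"] == client_ip and (port is None or s["dport"] == port):
            out_bytes += s["bytes"]
            denied = denied or "D" in s["flags"]
        elif s["dst"] == client_ip and (port is None or s["sport"] == port):
            in_bytes += s["bytes"]
    return {
        "outbound_bytes": out_bytes,
        "inbound_bytes": in_bytes,
        "denied": denied,
        "bidirectional": out_bytes > 0 and in_bytes > 0,
    }


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_OUTPUT)
    # Run the checks that matter for a captive-portal pre-auth role:
    # DHCP and DNS must pass in both directions; ICMP to 8.8.8.8 is expected
    # to be denied until the client authenticates.
    for name, proto, port in (("DHCP", 17, 67), ("DNS", 17, 53), ("ICMP", 1, None)):
        print(name, service_summary(sess, "10.10.20.15", proto, port))
```

Paste the real output of `show datapath session table <client-ip>` in place of the constructed sample while the client runs `nslookup`; a DNS summary with outbound bytes but zero inbound bytes means the query left the controller and no answer came back, while a denied outbound session means the pre-authentication role itself is dropping it.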
Original Message:
Sent: Jul 27, 2022 03:25 PM
From: owais iqbal
Subject: RAP with Guest - Split tunnel or tunnel
Dear Colin,
I completed testing in my lab and it seems split tunnel is working fine. Can you advise which command or method we can use to check, without any ambiguity, that the permitted traffic has been passed by the controller? For example, if we want to check or prove that DNS traffic from the client is forwarded or passed by the controller onto the wire, which command or method should we use to confirm this?
Original Message:
Sent: 7/27/2022 11:15:00 AM
From: cjoseph
Subject: RE: RAP with Guest - Split tunnel or tunnel
Captive Portal requires DNS to function. If you cannot get it to work in tunnel mode when you are just permitting dns (not route-src-nat), captive portal will not be able to work on that VLAN.
Original Message:
Sent: Jul 27, 2022 10:29 AM
From: owais iqbal
Subject: RAP with Guest - Split tunnel or tunnel
Dear Colin,
No, with tunnel mode, they are not able to access/ping/resolve DNS nor the local LAN IPs. With split tunnel they are able to ping the local LAN IPs but 8.8.8.8 is not pingable
Original Message:
Sent: 7/27/2022 9:55:00 AM
From: cjoseph
Subject: RE: RAP with Guest - Split tunnel or tunnel
Does it work when you use full tunnel? Start with that.
There are further instructions on how to make split tunnel work here: https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/split-tunnel-captive-portal-pdf.pdf
Original Message:
Sent: Jul 27, 2022 09:41 AM
From: owais iqbal
Subject: RAP with Guest - Split tunnel or tunnel
Dear Experts,
I need your advice on the scenario below.
- RAP is installed in the branch behind the router. WAN/Internet is not terminated on the RAP but the router. RAP is given IP on the branch LAN.
- RAP IP is routable and can ping Controller placed in HO.
- Full internet is provided on Controller uplink.
- Guest Vlan is created on Controller and Controller is acting as DHCP server for Guest.
- SSID is created with guest option and forwarding mode is split-tunnel. Default role of Test_guest_logon is created automatically.
- I have not changed anything in above role
- I have created another role, rguest, which simply permits DHCP, with a second rule that route-source-NATs all other traffic (2 entries total)
- Now when the user connects to SSID, he gets the ip address. But DNS (8.8.8.8) resolution or ping to DNS IP (8.8.8.8) doesn't work.
- The client has to open the browser and manually enter the controller IP address to get the login page, then enters the username/password (configured in the internal DB) and authenticates.
- Now the client is able to ping and resolve DNS (8.8.8.8)
Can someone advise me what the problem could be? In addition, please advise on the below:
- For Guest RAP, do we need to keep the SSID forwarding mode as tunnel or split-tunnel?
- Any idea why the initial role is not able to ping or resolve DNS even though both services are allowed?