Thanks for all the input on and off-list.
One knowledgeable person wrote me:
The controller cannot do NAT w/o PEF. It can do Captive Portal w/o PEF
but after authentication all it can do is drop them on a VLAN. The
Aruba can perform DHCP relay (IP helper) w/o PEF so the IPs can come
from his existing DHCP server. But you will have to determine another
way to handle user separation and NAT (either purchase PEF or use an
external Firewall or router).
He later corrected himself to state that the "ip nat inside" command does
work w/o PEF, but if you have more than one internal VLAN then things fall
apart because there's no policy engine to force the traffic one direction or
another.
I ended up using the wizard to build the captive portal and our PIX to do
the NATing by overloading the WAN side with an additional public IP address
for all VLAN130 IP addresses. Since my internal DHCP server is on VLAN100
and I don't want traffic to be mixed between the two, even to handle DHCP, I
just used Aruba's built-in DHCP server.
Here's a high-level diagram:
Aruba 2400
  - VLAN100
    - using external DHCP server
    - mgmt IP address for Aruba 2400 just a spare IP in that range
    - system's default gateway assigned to regular gateway
    - loopback address configured with a spare IP in that range
  - VLAN130
    - using Aruba's internal DHCP server, setting gateway to regular gateway
      for VLAN 130 and DNS to external DNS server IPs
    - mgmt IP address for Aruba an IP address outside the DHCP range
    - ip cp-redirect-address changed from the VLAN100 mgmt IP to VLAN130 mgmt IP
    - policy-based routing (PBR) on router prevents VLAN130 traffic mixing in
      with any other network
                ____________
               |            |---corporate network, VLAN100
               | Aruba 2400 |
               |____________|---guest access network, VLAN130
                     |
                 VLAN1 DMZ
                     |
            Cisco 7206 with PBR
                     |
                    PIX
                     |
                ------------
               |            |
          Public DNS     Internet
So I now have a working wireless network for internal and guest access with
captive portal, but separated.
Frank
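An added example of what the "PBR on router prevents VLAN130 traffic mixing" bullet describes, written here as an IOS fragment for the 7206; it is not Frank's configuration. All addresses, the subinterface name and the PIX next-hop address are placeholders, and the guest ACL goes a step beyond the thread by dropping guest traffic to every RFC1918 range rather than only VLAN100.

```cisco
! Constructed example (not from the thread). Placeholder addressing:
!   VLAN130 guest      10.130.0.0/24, gateway 10.130.0.1 on the 7206
!   VLAN100 corporate  10.100.0.0/24
!   PIX inside address 192.0.2.1 (next hop; PIX does the NAT overload)
!
! 1. Interface ACL: drop guest traffic aimed at any private range before a
!    routing decision is made, and log the attempts for review. Only the
!    guest subnet is ever the source on this interface.
ip access-list extended GUEST-IN
 deny   ip 10.130.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.130.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.130.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip 10.130.0.0 0.0.0.255 any
!
! 2. PBR match: everything guest-sourced that survived the ACL.
ip access-list extended GUEST-PBR-MATCH
 permit ip 10.130.0.0 0.0.0.255 any
!
! 3. Route-map: hand guest traffic straight to the PIX instead of letting
!    the routing table decide, so it cannot be forwarded toward VLAN100 or
!    the DMZ even if a more specific route shows up there later.
route-map GUEST-PBR permit 10
 match ip address GUEST-PBR-MATCH
 set ip next-hop 192.0.2.1
!
! 4. Apply both on the guest-facing VLAN130 subinterface (name assumed).
interface FastEthernet0/0.130
 description Guest VLAN130 from Aruba 2400
 encapsulation dot1Q 130
 ip address 10.130.0.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-PBR
```

The `log` keyword on the deny entries is what turns the separation into something you can watch: a guest host probing corporate space shows up as an ACL log message on the 7206 rather than silently disappearing.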
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Frank Bulk
Sent: Thursday, January 22, 2009 10:14 AM
To: [email protected]
Subject: [WIRELESS-LAN] Aruba question
I know that this isn't an Aruba Wireless listserv, but I know there are
enough users and there is likely someone who has this specific configuration
in place that will save me some hours of configuration.
I have an existing configuration that serves our own employees, but I would
like to provide guest access. This guest access should use a web portal
using private IPs, with the Aruba 2400 doing the NATing. I would prefer to
have our own DHCP server on "private IP space 1" give out IPs, but it's OK
if the Aruba 2400 does that for me. "Private IP space 2" should not have
routable access to "private IP space 1". I can use the DNS servers
available on "private IP space 1" or external public DNS ones.
Here's a diagram:
                ____________
               |            |---corporate network, private IP space 1
               | Aruba 2400 |
               |____________|---guest access network, private IP space 2
                     |
                    DMZ
                     |
                ------------
               |            |
          Public DNS     Internet
Anyone have some working configuration? The user guide has the NAT pieces,
but doesn't appear to include the web portal piece.
I should also add that I have the basic Aruba model, without Policy
Enforcement Firewall.
Regards,
Frank
**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
**********