I can't seem to make 3rd Party AP work.


Userlevel 3
Hi,

We have 15 Aruba IAP devices which I want to use as 3rd party APs on a C5210 controller to utilize the internal captive portal.



I hooked up the esa1 port to the switch and set the VLAN tagging. Then I created a WLAN on the Aruba and set it to VLAN 60 tagged. Configured all the switches to pass VLAN 60 so it can reach the controller. I also created a DHCP pool on our DHCP server and configured it so VLAN 60 clients use the EWC interface IP (10.100.60.2) as their gateway.

So, I tried to connect to the Aruba but I can't seem to get an IP address and connect to the WLAN. So what is wrong with my setup? Any hint on this is most welcome.

Thanks,

Rahman

34 replies

Userlevel 5
Hi Rahman

I would suggest that you configure an "untagged" port (access port) in VLAN 60 first and connect a laptop to this port to see if you receive an IP address.

If you do not receive an IP address, provision your laptop with a static IP in the 10.100.60.x range and see if you can ping the IP interface on the controller.

The problem might be with your DHCP server, or with the VLAN not being tagged in your network infrastructure.

One thing to note is that the 3rd party interface acts like a router, so for your DHCP server to be able to reach this subnet you will need to add a route to the 10.100.60.x network, pointing to the wireless controller.
Userlevel 7
Try it first with no authentication to check whether you get an IP.

Does the DHCP server know the route back to the 10.100.60.x network?
Go to Controller > Network > Utilities, put in the IP of the DHCP server, check "use specific source interface" and select the esa1 interface to check whether you can ping from the controller's ESA1 to the DHCP server.
BTW, why are the APs in network 172.16.64.x and not 10.100.60.x?

-Ron
Userlevel 3
Hi Andre,

I will try your suggestions. But let me ask about routing. When I set up DHCP relay, will the EWC relay the packets via its esa1 interface or via the other interface on which the default route is set (esa0)?
Userlevel 7
With DHCP relay the controller will "collect" the DHCP broadcast packets on ESA1 and forward them to the DHCP server IP as unicast; it will look up its routing table to get to this IP.
So if there is no entry for the DHCP server network in your static routing table, the default gateway route is used.

The issue is the return packet: the DHCP server sends the packet back to 10.100.60.x using its own routing table (default gateway), but if you don't have a route to this network on, e.g., your core switch, the packet will be dropped.
Userlevel 5
What Ronald said 😉
Userlevel 3
Ronald,

The EWC's default routing interface is on esa0 (192.168.10.122). So I need to write a static route like this: 10.100.60.0/24 192.168.10.122?

> BTW, why are the APs in network 172.16.64.x and not 10.100.60.x?

Because these Aruba devices also broadcast the eduroam (802.1X) WLAN and it is on the 172.xxx.xxx.xxx subnet. The CP WLAN is tagged as VLAN 60 so it is a separate network, even though the APs' management network subnet is different.
Userlevel 7
> Ronald,
>
> The EWC's default routing interface is on esa0 (192.168.10.122). So I need to write a static route like this: 10.100.60.0/24 192.168.10.122?
>
> > BTW, why are the APs in network 172.16.64.x and not 10.100.60.x?
>
> Because these Aruba devices also broadcast the eduroam (802.1X) WLAN and it is on the 172.xxx.xxx.xxx subnet. The CP WLAN is tagged as VLAN 60 so it is a separate network, even though the APs' management network subnet is different.
Correct, you add the route to the router in the 192.168.10.x network and then you should be able to ping from the DHCP server to 10.100.60.2 and vice versa.
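To make the relay and return-route point concrete (Ron's explanation of the relayed discover and the dropped return packet, and the static route 10.100.60.0/24 via 192.168.10.122 confirmed here), this is an added Python model that is not from the thread: it walks a packet through per-hop routing tables built from the addresses in this thread. The DHCP server address 192.168.10.50, the node names and the "upstream" hop are assumptions.

```python
import ipaddress

# Addresses from the thread; esa0 = 192.168.10.122 carries the default route,
# esa1 = 10.100.60.2 is the 3rd party topology / DHCP relay (giaddr) interface.
EWC_ESA1 = "10.100.60.2"
DHCP_SERVER = "192.168.10.50"   # assumed, the thread does not give it

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None when no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def build_nodes(static_route):
    """Per-hop routing tables. 'connected' = deliver on a directly attached
    subnet; any other next hop names the node the packet is handed to."""
    core = [("192.168.10.0/24", "connected"), ("0.0.0.0/0", "upstream")]
    if static_route:
        # the route Rahman asked about: 10.100.60.0/24 via 192.168.10.122 (esa0)
        core.append(("10.100.60.0/24", "EWC"))
    return {
        "EWC": [("10.100.60.0/24", "connected"), ("192.168.10.0/24", "connected"),
                ("0.0.0.0/0", "core")],
        "dhcp": [("192.168.10.0/24", "connected"), ("0.0.0.0/0", "core")],
        "core": core,
        "upstream": [],   # assumed: nothing upstream routes back to 10.100.60.0/24
    }

def trace(nodes, start, dst, max_hops=8):
    """Return the hops a packet to dst takes from start, ending in
    'delivered' or 'dropped'."""
    path, node = [start], start
    for _ in range(max_hops):
        next_hop = lookup(nodes[node], dst)
        if next_hop is None:
            return path + ["dropped"]
        if next_hop == "connected":
            return path + ["delivered"]
        path.append(next_hop)
        node = next_hop
    return path + ["loop"]

if __name__ == "__main__":   # stand-alone demo: OFFER from DHCP server back to giaddr
    for has_route in (False, True):
        print("core has static route:", has_route, trace(build_nodes(has_route), "dhcp", EWC_ESA1))
```

The relayed DISCOVER always reaches the server because esa0 sits on its subnet; only the OFFER back to 10.100.60.2 depends on the core router knowing the route.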
Userlevel 5
Rahman,

This article should help with getting the captive portal to work with the 3rd party AP's. There needs to be a change to allow out-of-network traffic to bypass that rule.

https://gtacknowledge.extremenetworks.com/articles/Solution/IdentiFi-3rd-Party-VNS-not-working-with-...

Thanks,
Jason
Userlevel 3
So after trying lots of things I can't even ping the EWC 3rd party interface IP. I changed the topology to VLAN 60 untagged. Then I got a laptop, gave it 10.100.60.100/24 and plugged it directly into esa1. But I could not ping the esa1 IP (10.100.60.2). I plugged the laptop into the same switch as esa1, in a VLAN 60 untagged port, and can't ping 10.100.60.2 either.

If any of you have a working setup, can you share screenshots of the
Virtual Networks
WLAN Services
Roles
Topologies sections of 3rd party service?

Thanks,

Rahman
Userlevel 3
Also, do I need to create a complete set of "Virtual Networks", "Auth/Non-Auth roles" etc.? Or do I just create a 3rd party physical interface and a 3rd party WLAN service? BTW, how does the EWC use the 3rd party APs' IPs and MAC addresses? CP clients will use the EWC IP as their gateway, so our Aruba APs' IP or MAC addresses won't reach the EWC.
Userlevel 5
Hello Rahman,

You will want to create a Virtual Network Service (VNS), Role and WLAN service in addition to the physical 3rd Party Topology.
I created the Topology, then Role, then the WLAN Service and then the VNS.
Map the VNS to the WLAN Service and Role to allow traffic.

I have this working with a similar setup as your VLAN 60, with a local DHCP server.

  • In my setup I have a mgmt IP of 120.120.120.179/16 on esa0 (Port1) and the 3rd Party AP Topology is 20.20.20.1/24 on esa2 (Port3). As you and Ron discussed, I have a route set up to get back to the topology: 20.20.20.0/24 120.120.120.179
  • The Role is configured as a Contain to VLAN (for use with a Captive Portal). Make sure that the AP Filter box in the Policy Rules tab is unchecked, since we are filtering at the EWC.
  • Once that is set up, you will see any clients that get an IP in the Active Clients by VNS.
  • You shouldn't need the IP address of the AP, the mac address can be added by itself, as you will see in the screen shots that follow.



Regards,
Jason
Userlevel 3
Thank you Jason, but I can't make it work. Can you also share pre-authenticated role?

I set up everything as shown here, except I used the same role for the pre-auth role.

Here is how the topology filter page looks:





I plug my laptop into the switch with VLAN 60. I can't get an IP address. I configured static IP 10.100.60.100 on the laptop with gateway 10.100.60.2 but I can't even ping 10.100.60.2. I can ping 10.100.60.2 from different subnets so routing seems to work. Even weirder, I can see my laptop and switch port MAC addresses in the clients reports:



Also there is something really wrong here. When I make changes to the 3rd party VNS settings and save them, all the other VNS clients lose connection. When they scan for Wi-Fi, all SSIDs show up and disappear continuously and new users can't connect. There is no log about any error on the EWC. Only rebooting the EWC resolves this situation.

So I fear making any further changes as it affects all users.
Userlevel 7
Could you please post the role configuration.
Userlevel 7
... and also the client report but this time please include the "default action" column.
Userlevel 3
It is the same as what Jason posted. Here are all the screenshots:





Userlevel 3
Here are the clients with more columns:

Userlevel 5
Rahman,

I don't think you can ping the 10.100.60.2 address because your clients are not authenticated. On my client report, there is a "green lock" denoting authentication. (Similar to the Apple device on eduroam with the 172.x.xx. address) On your list, I see the clients have a grey "unlocked" icon.

Can you disable authentication temporarily to test?

For an Internal Captive Portal deployment, you will want a Non-Auth Role (similar to the screen shot below, referenced in the knowledgebase link in my original post)



Regards,
Jason
Userlevel 3
Thank you Jason for your help. This seems to be the missing bit in my config. I will try it and inform you if it works.


Btw, any idea why the EWC misbehaves and needs a reboot as I described?
Userlevel 5
Rahman,

Yes, let me know if that works for you. I have a basic set up on a 4110 with no authentication working (with a client directly connected or connected with a VLAN 20 port) .

I suspect the reason for the EWC misbehaving is some type of forwarding path issue where the reboot clears that until another config change?
Also, is it possible that your VLAN 60 has another route back to the 10.100.x.x network that is on the switch side, and not through the 192.x.x.x esa0 port?
I would recommend deleting and re-configuring from the beginning if possible. If not, then we can take a deeper dive into the configuration if need be. I have not seen that behavior in my lab scenario.

Regards,
Jason
Userlevel 3
Jason,

I created a non-auth role and set it as the pre-auth role:



I also disabled authentication on the WLAN service for testing. Now I see my laptop with a "green lock", but again no traffic passes.

I had the controller problem again and had to reboot the controller again. When the problem appears, I can access the EWC, I can ping all APs, and the APs show green on the EWC availability report. But in the EWC reports all AP statistics are lost and shown as zero. In the EWC reports all APs are shown as having zero clients. In the EWC clients report the connected clients' AP column is shown as N/A.

Here are some screenshots:











I can delete all the 3rd party VNS configs and restart from scratch if that is what you mean. But I can't factory reset the EWC and start from the beginning.
Userlevel 3
Hi,

So it was a broken patch cord. Now when I plug my laptop into a VLAN 60 port, I get an IP address from DHCP. But if I use:
Non-auth role: Aruba3rdPartyNonAuth
Auth role: Aruba3rdPartyAuth
Pre-auth: Aruba3rdPartyNonAuth
I have no internet access and no captive portal redirection. If I use:
Non-auth role: Aruba3rdPartyAuth
Auth role: Aruba3rdPartyAuth
Pre-auth: Aruba3rdPartyNonAuth
then I connect to the internet directly without any captive portal redirection.

Also, if I change roles, topologies or the VNS config of the 3rd party VNS there is no problem with the controller. Only changing and saving the WLAN service of the 3rd party VNS breaks the controller and needs a reboot.
Userlevel 5
Hi Rahman,

I am looking into this config change problem through the case you have opened with Brahim.

For the portal redirection, can you check your VNS settings and make sure that the client is "unauthenticated" (grey unlocked icon) and try closing any browsers and re-opening?

If that still does not work can you please try opening the browser and inputting the topology ip: http://10.100.60.2 and seeing if that redirects to the portal. If that is the case, then there is a problem resolving DNS on the 10.100.60.x network.

Thank you,
Jason
Userlevel 3
Hi Jason,

No, it doesn't work. Now it is in a state where the client can't even get an IP. If I set the IP address statically it can't reach its gateway 10.100.60.2 either.

I monitored all the traffic: on the DHCP server, on the switch and on the client.

1. Wireshark on the client shows that the client sends DHCP discover packets but does not receive any DHCP reply packets.

2. DHCP logs and a tcpdump capture on the DHCP server show that the EWC relays DHCP packets to it via the 10.100.60.2 relay interface. So the DHCP server gets the DHCP discover packet and replies with a DHCP offer to the EWC (10.100.60.2).

3. I mirrored port ge.2.43 of S4, which the EWC esa1 is connected to, to another port and watched with Wireshark. It shows that the EWC sends the DHCP offer packet to dst mac: client MAC address and dst ip: 255.255.255.255. So it seems the EWC's DHCP relay config is working. But the problem is on the client: Wireshark shows no DHCP offer packets received, so the client sends DHCP discover continuously.

4. If I set the IP address statically on the client and try to open http://10.100.60.2, Wireshark shows that the client sends ARP packets asking "Who has 10.100.60.2? Tell 10.100.60.100" continuously but never gets a reply. So the static IP is not working either.

If it helps, the network topology is like this: EWC esa0 (default route) connected to S4 ge.2.46 (VLAN 1 untagged). EWC esa1 (3rd party VLAN 60 untagged) connected to S4 ge.2.43 (VLAN 60 untagged). Client connected to S4 ge.2.42 (VLAN 60 untagged). DHCP server connected to S4 ge.2.45 (VLAN 1 untagged).

Any suggestion to troubleshoot further is most welcome.

I tried different browsers. No portal redirection; it connects directly to the internet. If I browse https://10.100.60.2 I get a page "Portal Central". There is a logoff session button and a get current status button, but no login page. I also tried to use the logoff button but it does not bring up the login page either.

Thanks,

Rahman
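Correlating the four captures above by vantage point is what localises a fault like this, so here is an added Python helper that is not from the thread: it takes constructed one-line summaries of what the client capture, the mirror of ge.2.43 and the DHCP server capture showed (the server address 192.168.10.50 is assumed) and reports the first DHCP stage that goes missing and between which two vantage points it disappears. For these captures the OFFER is last seen at the mirrored esa1 port and never at the client, which points at the switch-port-to-client segment rather than at the EWC relay or the routing.

```python
from collections import defaultdict

# Constructed capture summaries of the observations in the thread, one row per
# DHCP message seen: (vantage point, message type, src IP, dst IP).
CAPTURES = [
    ("client", "DISCOVER", "0.0.0.0",       "255.255.255.255"),
    ("mirror", "DISCOVER", "0.0.0.0",       "255.255.255.255"),  # arriving at esa1
    ("server", "DISCOVER", "10.100.60.2",   "192.168.10.50"),    # relayed, giaddr = esa1
    ("server", "OFFER",    "192.168.10.50", "10.100.60.2"),      # server address assumed
    ("mirror", "OFFER",    "10.100.60.2",   "255.255.255.255"),  # leaving esa1 towards client
    # nothing further: the client capture never shows the OFFER
]

STAGES = ["DISCOVER", "OFFER", "REQUEST", "ACK"]
# Vantage points each stage must pass, in path order (client <-> esa1 mirror <-> server).
UPSTREAM = ["client", "mirror", "server"]
PATH = {"DISCOVER": UPSTREAM, "REQUEST": UPSTREAM,
        "OFFER": UPSTREAM[::-1], "ACK": UPSTREAM[::-1]}
SEGMENT = {
    ("mirror", "client"): "switch port <-> client (cable, port VLAN, client NIC)",
    ("client", "mirror"): "client <-> switch towards esa1 (VLAN 60 path)",
    ("server", "mirror"): "DHCP server <-> EWC (return route or relay)",
    ("mirror", "server"): "EWC relay <-> DHCP server (forward route)",
}

def diagnose(captures):
    """Return (stage, last vantage that saw it, first that did not, segment)
    for the first incomplete DHCP stage, or None if all four completed."""
    seen = defaultdict(set)
    for vantage, msg, _src, _dst in captures:
        seen[msg].add(vantage)
    for stage in STAGES:
        missing = [v for v in PATH[stage] if v not in seen[stage]]
        if not missing:
            continue
        observed = [v for v in PATH[stage] if v in seen[stage]]
        last_ok = observed[-1] if observed else None
        where = SEGMENT.get((last_ok, missing[0]),
                            "never captured anywhere: check the sending host itself")
        return (stage, last_ok, missing[0], where)
    return None

if __name__ == "__main__":   # stand-alone demo on the constructed captures
    print(diagnose(CAPTURES))
```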
Userlevel 5
Hi Rahman,

I am looking at this a bit more in my lab today and will contact you about looking at your configuration remotely so we can get this working for you.

Regards,
Jason
Userlevel 3
> Hi Rahman,
>
> I am looking at this a bit more in my lab today and will contact you about looking at your configuration remotely so we can get this working for you.
>
> Regards,
> Jason

Hi, any update on this? I also wrote to GTAC but nobody answered. Case Number: 01138086
