
HTML Authentication on Guest VSC/VLAN

 
PhilCawley
Occasional Contributor

HTML Authentication on Guest VSC/VLAN

I'm trying to use HTML authentication for our Guest wireless on an MSM765zl controller in an E5406zl switch.

 

I have a currently existing Guest Internet VLAN that is basically run by our firewall - the firewall appliance dishes out DHCP and acts as the default gateway.  The DNS addresses dished out by the DHCP are generic Internet DNS servers.

 

I can get clients connected to the Guest wireless and they can surf the web just fine, but the HTML splash/authentication page never shows up.

 

Does the MSM765zl need to be acting as the Guest default gateway in order for the HTML authentication to work?  Does the MSM765zl Internet port need to be untagged on the Guest Internet VLAN?

 

Thanks!

7 REPLIES
Manfri
Frequent Advisor

Re: HTML Authentication on Guest VSC/VLAN

Does the MSM765zl need to be acting as the Guest default gateway in order for the HTML authentication to work? 

 

afaik yes..

HakanD
Occasional Visitor

Re: HTML Authentication on Guest VSC/VLAN

Just came here to reply. I have been looking at the same issue for some time and also would like a definitive answer or how to.
All the tests I've covered showed that the guest network (the web portal) only worked when the controller dished out DHCP for its guest network.
This by default also gives its own IP address within that network as a DNS server.
When using DHCP relay or no DHCP on the controller, the controller has no IP address within that VLAN (so you can't assign it with your DHCP server).
This solution means that the guest connectivity goes as follows:
Client > Access Point > Controller > Internet.

We have remote sites where we would rather use their local internet connection instead of the leased line.
Because this is not pleasant for the customer:
Client > Access Points > Leased Line > Controller > Internet

I will forward this forum ticket to our HP contact in the hope that we all might get a solution.
Will keep you up to date.

Regards,
Hakan
Manfri
Frequent Advisor

Re: HTML Authentication on Guest VSC/VLAN

I think you're right when you say

 

"This solution means that the guest connectivity goes as follows:
Client > Access Point > Controller > Internet."

 

but I'm thinking that you can connect the AP directly to the internet and connect the MSM with the AP through the internet, so the traffic goes as follows:

 

Client > AP > Internet Customer > Internet Central Site > MSM > Internet...

 

It will double the internet bandwidth at the central site, but it may be acceptable (WAN is usually much more expensive).

 

By the way the traffic AP - MSM can be encrypted...

 

To use a DHCP relay (in fact, if you have MSMs in a team you MUST USE IT) you must:

Create a scope for a different network for the addresses that you assign to guests. (ALL the guests will use these IPs, so use a BIG scope with a short DHCP lease time.)

Assign the VSC to the scope (they call it subnet selection), setting here

 

 

subnet selection 

 

an IP address and netmask of the same subnet as the range (but not in the range) assigned to wifi clients.

This IP must be used as default gateway and DNS server for wifi guest clients.

 

Obviously you must configure in the MSM a DNS server that will be used as forwarder of DNS requests.

In this scenario I configure broadcast filtering in the VSC, which I think reduces the traffic a lot.

 

 

 

 

Manfri
Frequent Advisor

Re: HTML Authentication on Guest VSC/VLAN

PS: the IP address (in the example 192.168.47.1) must be reachable via routing from the DHCP server.

I usually route add 192.168.47.1 mask 255.255.255.255 <lan ip address of MSM>; this way the lan is more or less isolated by wifi client...
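
The DHCP relay checklist from the two posts above, written as an offline consistency check (an added example, not part of the thread and not HP tooling). The dictionary keys, the DHCP range and the 10.0.0.5 MSM LAN address are constructed for illustration; 192.168.47.1 is the address quoted in the post.

```python
import ipaddress

def check_guest_scope(scope, dhcp_server_routes, msm_lan_ip):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(scope["network"])
    first = ipaddress.ip_address(scope["range_start"])
    last = ipaddress.ip_address(scope["range_end"])
    sel = ipaddress.ip_address(scope["subnet_selection_ip"])
    msm = ipaddress.ip_address(msm_lan_ip)

    # Same subnet as the guest range, but not handed out to clients.
    if sel not in net:
        problems.append("subnet selection IP is outside the guest subnet")
    if first <= sel <= last:
        problems.append("subnet selection IP is inside the DHCP range")

    # Guests must use the controller address as gateway and DNS, otherwise
    # their traffic never passes the controller and no login page appears.
    if ipaddress.ip_address(scope["option_router"]) != sel:
        problems.append("DHCP router option is not the subnet selection IP")
    if any(ipaddress.ip_address(d) != sel for d in scope["option_dns"]):
        problems.append("DHCP DNS option is not the subnet selection IP")

    # The DHCP server must reach the subnet selection IP through the MSM.
    if not any(sel in ipaddress.ip_network(dest) and
               ipaddress.ip_address(hop) == msm
               for dest, hop in dhcp_server_routes):
        problems.append("DHCP server has no route to the subnet selection IP via the MSM")
    return problems

# Constructed sample data.
MSM_LAN_IP = "10.0.0.5"
GOOD = {
    "network": "192.168.47.0/24",
    "range_start": "192.168.47.10",
    "range_end": "192.168.47.250",
    "subnet_selection_ip": "192.168.47.1",
    "option_router": "192.168.47.1",
    "option_dns": ["192.168.47.1"],
}
GOOD_ROUTES = [("192.168.47.1/32", MSM_LAN_IP)]  # host route, as in the PS

# The setup from the opening question: firewall as gateway, public DNS.
BAD = dict(GOOD, option_router="192.168.47.254", option_dns=["198.51.100.53"])

if __name__ == "__main__":
    print(check_guest_scope(GOOD, GOOD_ROUTES, MSM_LAN_IP))
    print(check_guest_scope(BAD, [], MSM_LAN_IP))
```
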
HakanD
Occasional Visitor

Re: HTML Authentication on Guest VSC/VLAN

Manfri,

 

You are right. The solution you proposed will also work. But as you mention it will double the wan link on the main site. For this reason this solution was discarded by the client.

I was looking for a way to solve this without causing 'extra' usage.

 

I'm still waiting for an answer from HP on this case as well.

 

Regards,

Hakan

sambit_h
Occasional Visitor

Re: HTML Authentication on Guest VSC/VLAN

What happens if we do the same with teaming enabled? Do I put here the Team IP? If so, what if I have teaming enabled on internet port and have my DNS server to Lan port?

 

Also, do I really need to create a VLAN, assign it to the internet ports for both controllers in the team, assign a different IP for each controller under that VLAN and make sure the DHCP server is assigning both IPs as GW and DNS for the clients? If both IPs are working, then why can I only ping the 1st IP, which is assigned to Controller 1 and is also the same IP under the “subnet selection” option under the VSC?

 

If you have a latest MSM mobility implementation guide for the latest firmware, please share.

Manfri
Frequent Advisor

Re: HTML Authentication on Guest VSC/VLAN

>>What happens if we do the same with teaming enabled? Do I put here the Team IP? If so, what if I have teaming enabled on internet port and have my DNS server to Lan port?

>>Also, do I really need to create a VLAN, assign it to the internet ports for both controllers in the team, assign a different IP for each controller under that VLAN and make sure the DHCP server is assigning both IPs as GW and DNS for the clients? If both IPs are working, then why can I only ping the 1st IP, which is assigned to Controller 1 and is also the same IP under the “subnet selection” option under the VSC?

 

>>If you have a latest MSM mobility implementation guide for the latest firmware, please share.

 

In my example I use the teaming on the LAN side, so it's different.

The address 192.168.47.1 is a virtual IP in the IP range assigned to guests, and this is used as default gateway and DNS server for the guests.

The MSM has the DNS server set up and acts as a DNS proxy.

To do this you must also configure the DNS on the MSM to intercept the DNS queries (and so act as proxy).

This address, also being used as range selection for DHCP relay, must be reachable by the DHCP server (which must be external in a teaming config), and I use the virtual IP of the team as the router used to reach the MSM.

I'm not really sure that it works in all failover conditions (I think I have a problem after the MSM team manager comes back after a failure and the other MSM controls the APs); you can try to point to all MSMs using routes with different priorities.