M and MSM Series

MSM 760 Active Directory and DNS Problem

dprotonentis
Occasional Visitor

MSM 760 Active Directory and DNS Problem

I have run into a problem with my MSM760 and Active Directory.

A little background.  Our environment has two wireless SSIDs: one for guest access, internet only, and one for internal access for employees.  Each had previously been using a key to access the network.  As this became more and more difficult to maintain for our guest network, we decided to use Active Directory integration and allow anyone with an AD account to log in through HTML on the controller.  We use an internal DNS server that routes internal subnets to local resources like AD, Exchange, and websites we host.  Guest wireless access should use the DNS information provided by our ISP.

Now for the problem.  In the controller under Controller > Network > DNS, if I use the dynamically assigned DNS servers (which are the ISP's), then when I attempt to join the controller to AD it fails.  If I set the DNS to override and use internal DNS, it joins just fine.

If, after it is joined to AD, I attempt to access the guest network, I am prompted for username and password and everything connects properly.  I can surf internet sites without incident.  However, if I attempt to connect to any internal resource with an external IP address it fails.  For example, if I attempt to connect to the corporate website from the guest wireless, it attempts to route it to the internal IP address, which fails.  This holds true for resources like Exchange as well.

If, once joined to AD, I switch the DNS to our ISP DNS setting, any attempts to authenticate fail.  If I leave the DNS at the internal setting and switch DNS interception off, DHCP provides the proper DNS settings, but the HTML login redirect never opens and webpages time out.  However, in the previous case, if a user is already authenticated they can navigate to both internet resources and our corporate sites (through their internet-facing IP addresses).

I need to be able to authenticate against AD and access all possible resources.  Is there a way to set this up to work correctly?


Thanks in advance.

Dirk Protonentis
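The catch-22 in the post is a split-horizon DNS problem: the resolver view that lets the controller find the domain (internal DNS) is the same view that, through DNS interception, hands guest clients RFC 1918 addresses for corporate hosts they cannot reach from the guest VLAN. The following script is an added example, not part of this thread or of HP's MSM software; it models the two resolver views as static answer tables and audits each one for the two roles the setup needs (AD locator SRV record present for the controller, no private addresses for guest-facing names). The domain `corp.example`, the hostnames and all addresses are constructed sample values.

```python
"""Split-horizon DNS audit for a captive-portal guest VLAN (added example).

Each resolver "view" (internal DNS, ISP DNS) is a dict mapping a DNS name
to the list of answers it returns.  For every view we check:
  1. whether the AD domain-controller locator SRV record is answered
     (a domain member needs it to join and to authenticate against AD);
  2. whether guest-facing hostnames resolve to RFC 1918 addresses, which
     a guest VLAN with internet-only routing cannot reach.
All names, addresses and record data below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space only; the stdlib's is_private also flags documentation
# ranges such as 203.0.113.0/24, which we use here as "public" samples.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    view: str      # resolver view the answer came from
    name: str      # DNS name that was looked up
    problem: str   # why this answer breaks one of the two roles


def is_rfc1918(addr: str) -> bool:
    """True for private IPv4 space that is routed only on the internal side."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def ad_locator_name(ad_domain: str) -> str:
    """SRV name a domain member queries to locate LDAP domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{ad_domain}"


def audit_view(view, answers, ad_domain, guest_hosts):
    """Return the findings for one resolver view."""
    findings = []
    srv = ad_locator_name(ad_domain)
    if not answers.get(srv):
        findings.append(Finding(view, srv,
                        "no DC locator SRV answer: AD join and AD authentication fail"))
    for host in guest_hosts:
        addrs = answers.get(host, [])
        if not addrs:
            findings.append(Finding(view, host, "no answer"))
            continue
        private = [a for a in addrs if is_rfc1918(a)]
        if private:
            findings.append(Finding(view, host,
                            f"resolves to {private}: not reachable from the guest VLAN"))
    return findings


def audit_all(views, ad_domain, guest_hosts):
    """Audit every view; result maps view name -> list of Finding."""
    return {name: audit_view(name, answers, ad_domain, guest_hosts)
            for name, answers in views.items()}


def views_fit_for(views, ad_domain, guest_hosts):
    """Which views can serve the controller's AD lookups, and which the guests."""
    report = audit_all(views, ad_domain, guest_hosts)
    srv = ad_locator_name(ad_domain)
    ad_ok = [v for v, f in report.items() if not any(x.name == srv for x in f)]
    guest_ok = [v for v, f in report.items()
                if not any(x.name in guest_hosts for x in f)]
    return {"ad": ad_ok, "guest": guest_ok}


# Constructed sample views: internal DNS knows the domain and answers with
# private addresses; the ISP view answers public addresses and has no SRV.
GUEST_HOSTS = ["www.corp.example", "mail.corp.example"]
SAMPLE_VIEWS = {
    "internal": {
        "_ldap._tcp.dc._msdcs.corp.example": ["0 100 389 dc1.corp.example."],
        "www.corp.example": ["10.0.5.20"],
        "mail.corp.example": ["10.0.5.30"],
    },
    "isp": {
        "www.corp.example": ["203.0.113.20"],
        "mail.corp.example": ["203.0.113.30"],
    },
}

if __name__ == "__main__":
    for view, findings in audit_all(SAMPLE_VIEWS, "corp.example", GUEST_HOSTS).items():
        print(f"[{view}]")
        for f in findings:
            print(f"  {f.name}: {f.problem}")
    print(views_fit_for(SAMPLE_VIEWS, "corp.example", GUEST_HOSTS))
```

Run against the sample data, the report shows that no single view satisfies both roles: the internal view is the only one that can answer the AD locator query, and the ISP view is the only one that gives guests reachable addresses. Replacing the static tables with real answers (for example from `nslookup` against each server) turns this into a quick check of whether a given DNS configuration on the controller can serve the guest VSC and AD authentication at the same time.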

5 REPLIES
Glen Willms
Frequent Advisor

Re: MSM 760 Active Directory and DNS Problem

You should be able to resolve this problem by using a DHCP relay specified in the VSC rather than allowing the MSM controller to hand out addresses.


The trick here is that you need to ensure that the DHCP server has a route to the guest subnet range. Also ensure that your DHCP server is specifying external DNS servers. 

dprotonentis
Occasional Visitor

Re: MSM 760 Active Directory and DNS Problem

@Glen Willms

This is already the case; we do use our internal DHCP server as a relay.  The problem arises because, in order to get to the HTML login page, you have to set the MSM760 DNS interception.  Without that it never redirects to the Colubris login page.  Because DNS interception is set, it uses the DNS servers assigned to the MSM760, which are our internal DNS servers.  If you allow it to use the ISP's DNS servers and keep DNS interception turned on, the system will not authenticate the user because the MSM760 can't find a path to the AD server, due to its DNS not resolving to a local server.

If you make changes to any one of those three things it breaks in a different way.  Change DNS interception = no login page.  Change DNS settings = no Active Directory authentication.  Leave both = no way to access corporate resources (website, Exchange).  It is really an odd catch-22; each piece is dependent on another.  I'd really like to make this work without having to introduce something like RADIUS for authentication.


Thanks for your help.

oweng
Advisor

Re: MSM 760 Active Directory and DNS Problem

Are the guest and employee networks separated by VLAN?

Re: MSM 760 Active Directory and DNS Problem

dprotonentis wrote: This is already the case; we do use our internal DHCP server as a relay. The problem arises because, in order to get to the HTML login page, you have to set the MSM760 DNS interception. Without that it never redirects to the Colubris login page. Because DNS interception is set, it uses the DNS servers assigned to the MSM760, which are our internal DNS servers. If you allow it to use the ISP's DNS servers and keep DNS interception turned on, the system will not authenticate the user because the MSM760 can't find a path to the AD server, due to its DNS not resolving to a local server.

This is exactly the problem I faced with some versions above 5.7.2.0-12736. I updated to several 5.x and 6.x versions, but I had to downgrade each time to get back a functional MSM. Does anybody have a solution yet? I tried to explain this problem to HP, but they have not responded so far.

Per Hamrin
Occasional Visitor

Re: MSM 760 Active Directory and DNS Problem

We had the same problem until today. We use DHCP relay and could not understand why internal addresses were resolved by an external DNS server.

The solution was to fill in the external DNS servers in the "override dynamically assigned DNS" fields. We had our internal DNS servers there before.


DNS Interception is of course enabled to be able to load the login page.

We struggled for so many hours with this before this thread gave us the hint where the problem was, because we could not understand the behavior at first.