We currently have a Guest wireless setup at my company. Instead of using an anchor controller we have dual controllers, each with one interface connecting out into our DMZ and then going out. It's a pure L2 connection and exits to the Internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's already set up on our DMZ switch and ASA, with the same IP addresses. When we connect the outside interfaces from the controller to an L2 switch that's connected to the Palo Alto firewall we can't get DHCP requests through and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use Web-Auth for authentication with this network, and I know once you get an IP address it will only allow DNS to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before, just with a different firewall, so I'm stuck. Also, if I plug directly into the switch via an Ethernet cable I can get an IP address and get out to the Internet. Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work? I've attached a diagram of the basic topology we have set up.
Is the FW giving out the DHCP to the guest network? If so, you need to disable DHCP proxy on the WLC. This will change the behavior of the WLC so that it bridges the DHCP request to the VLAN, instead of sending it on behalf of the client.
config dhcp proxy disable - CLI
Controller > Advanced > DHCP - GUI
***When you do this, make sure you have the ip helper-address configured under the L3 for your other interfaces/VLAN, so that DHCP will continue to work for your other SSID.***
Yes, I'm serving DHCP from the firewall, and DHCP proxy is already disabled. Would there be anything else blocking these requests from the firewall? Also, what if I serve DHCP from the controller instead?
There shouldn't be anything else blocking, unless there were an ACL in the way, but I would think the wired client wouldn't get an address either.
You could serve DHCP from the WLC, enable proxy, and point the guest interface at the management interface as the DHCP server.
But you shouldn't need to. Are there any logs or debugs you can run on the PA-200 to see if it's getting the request?
That's a tough one. You did a direct replacement from the ASA to the PA and it just breaks. Sounds like it's time for a packet capture between the WLC and the FW.
We should see a request coming out of the WLC, hitting the gateway and then going to the DHCP server, and then a response coming back.
I contributed to a DHCP blog post on CWNP that might help as a refresher while you look at the captures.
After thinking about the issue, I started to question whether the controller knows about the new device (PAN firewall). Do you think it could be as simple as clearing the ARP cache on the controller after I make the swap? I did some packet analysis using the ASA to get a baseline for what the debugs and packet captures show, so if one side is not responding I should see it once I start to test again.
Update: After troubleshooting for a few hours and working with Palo Alto Support, we determined that the controller tagging the frames was causing traffic not to flow properly or not at all. It was the way the Palo Alto L2 interfaces were set up and receiving the traffic from the controller. Once we changed the L2 interface to an L3 interface and untagged the traffic I was able to get a DHCP IP address, authenticate through web-auth, and get out to the Internet.
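The capture suggested earlier in the thread is where the tagging problem in this update becomes visible. The following is an added example, not code from any poster: a small Python decoder that takes raw Ethernet frames captured on the WLC-to-firewall link, reports whether each frame carries an 802.1Q tag and which VLAN, identifies the DHCP message type, and summarises whether client requests and server replies are on the same tag. The frames in the demo are constructed samples; the MAC addresses, VLAN 50 and the 10.50.0.0/24 addressing are assumptions, not the original poster's values.

```python
"""Decode WLC<->firewall frames: 802.1Q tag, VLAN id and DHCP message type."""
import socket
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def decode_frame(frame):
    """Return src/dst MAC, VLAN id (None if untagged) and DHCP type (None if not DHCP)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "vlan": None, "dhcp": None}
    offset = 14
    if ethertype == ETH_P_8021Q:                 # tagged: TCI, then the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
        offset = 18
    if ethertype != ETH_P_IP:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                              # protocol field: 17 = UDP
        return info
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} != {67, 68}:               # BOOTP/DHCP server and client ports
        return info
    payload = udp[8:]
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return info
    opts, i = payload[240:], 0                   # walk DHCP options for option 53
    while i < len(opts):
        code = opts[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = opts[i + 1]
        if code == 53 and length == 1:
            info["dhcp"] = DHCP_MSG_TYPES.get(opts[i + 2], "TYPE%d" % opts[i + 2])
        i += 2 + length
    return info


def build_dhcp_frame(src_mac, dst_mac, msg_type, vlan=None,
                     src_ip="0.0.0.0", dst_ip="255.255.255.255"):
    """Constructed sample frame for testing; IP/UDP checksums are left at 0."""
    client_side = msg_type in (1, 3)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1 if client_side else 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        _mac(src_mac), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    sport, dport = (68, 67) if client_side else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = _mac(dst_mac) + _mac(src_mac)
    if vlan is not None:
        eth += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_IP)
    else:
        eth += struct.pack("!H", ETH_P_IP)
    return eth + ip


def _label(vlan):
    return "untagged" if vlan is None else "VLAN %d" % vlan


def diagnose(frames):
    """Summarise a capture: (verdict code, explanation) based on tags seen on requests vs replies."""
    msgs = [d for d in map(decode_frame, frames) if d["dhcp"]]
    if not msgs:
        return "no-dhcp", "no DHCP on this link: WLC is not forwarding requests (check dhcp proxy)"
    req = {d["vlan"] for d in msgs if d["dhcp"] in CLIENT_MSGS}
    rep = {d["vlan"] for d in msgs if d["dhcp"] in SERVER_MSGS}
    req_s = ", ".join(sorted(_label(v) for v in req)) or "none"
    rep_s = ", ".join(sorted(_label(v) for v in rep)) or "none"
    if not rep:
        return "no-reply", "requests seen (%s) but no OFFER/ACK: firewall is not answering on that tag" % req_s
    if req != rep:
        return "vlan-mismatch", "requests on %s, replies on %s: WLC tag vs firewall interface mismatch" % (req_s, rep_s)
    return "ok", "DHCP exchange completed on %s" % req_s


if __name__ == "__main__":
    client, fw = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"    # assumed MACs
    tagged_discover = build_dhcp_frame(client, "ff:ff:ff:ff:ff:ff", 1, vlan=50)
    offer = build_dhcp_frame(fw, client, 2, src_ip="10.50.0.1", dst_ip="10.50.0.20")
    print(diagnose([tagged_discover]))             # what the broken setup looks like
    print(diagnose([tagged_discover, offer]))      # tagged request, untagged reply
```

Run it against a real capture by reading the frames out of a pcap (the decoder only needs the raw frame bytes) and feeding the list to diagnose(); a "no-reply" or "vlan-mismatch" verdict points at the interface tag, not at a security policy.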
I'm also running into similar problems with WLC and PA 2050.
Would you be so kind as to expand on what you did to get the solution working.
Rod, you do need to set up Layer 3 in order for a WLC and a Palo Alto firewall to work.
I have an SSID set up on my WLC 5508 which is output from a port on the WLC and patched directly into a port on a Palo Alto 5050. I have the interface on the WLC set up with a VLAN identifier number and the WLC internal DHCP server for the subnet.
That interface on the WLC is patched directly to port 9 on the PA. Set up your PA port as Layer 3 and nothing else. Then create a sub-interface 1.9/## (## is your VLAN number). Set the tag to your VLAN number, apply your security zone to the sub-interface and set a static IP on the sub-interface. The IP I used was the default gateway of my wireless subnet.
If you need more info, reply and I'll post some screenshots.
Hi, Thanks for the response.
I've set up the PA port 10 as L3 and assigned it to my virtual router and wifi zone. I've set up port 10.50 as the L3 sub interface and assigned it to the same virtual router and zone as the port 10.
On my WLC I have SSID (guest) routing out via port 1 which is connected to port 10 on the PA. I have configured my DHCP server on the WLC to get addresses from my AD server on a different subnet (photo attached)
I've set up an ACL on the PA to allow the WIFI zone access any/any and the Internal zone access to the WIFI zone.
I still can't get to the web login page when I try to connect my iPad to the guest SSID. DHCP doesn't seem right to me, as I have it on a different subnet and don't see how the PA can pass the packets as there is no helper function. Shouldn't I configure DHCP on the PA and assign it to port 10?
All screen dumps would be useful - and thanks for your help.
Your WLC interface and PA interface config look correct. I assume you have policy rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone, as the default route for the subnet is on the PA and any traffic to that IP is filtered by the policies.
I have my WLC doing DHCP for my guest subnet; as your guest SSID/VLAN is probably centrally switched on the WLC, it's the easiest way to do this. The PA has no DHCP helper function as far as I am aware, and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? If it's not, try changing the IP to your controller management IP if you're not getting DHCP.
I'm not sure how your guest system works, but I have an SSID which has a web-auth policy forwarding the guest auth to an authentication server with a web console, which then passes a RADIUS auth session back to the WLC.
Do you have any other SSIDs configured to use that physical port on the WLC? Even if they're H-REAP and not using the interface.
Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?
I'm getting somewhere now. I can get the iPad to get an IP address from the DHCP server (I configured the WLC for DHCP, which works); however, the iPad fails to load the web authentication screen. I'm using the WLC for authentication.
I have rules on my PA to allow WIFI guest SSID to any zone (this should cover WIFI to WIFI) and I have my internal zone allowed to the WIFI guest SSID zone.
The iPad gets an IP address, fails to load the web authentication screen and then authenticates to another AP.
I have only the guest SSID using this port. The other SSIDs I have are for LAN access and directly connected to the LAN ports on my switch.
OK, that's good, we have made some progress. When testing, I suggest going into the iPad Wi-Fi settings and turning auto-connect off for each SSID except your guest one. It makes testing easier.
I noticed on your second screenshot of the SSID Security Layer 3 tab that you don't have the "override global config" box selected. Have a look at the screenshot from my post above of my setup and you will see you need to select this and enter the URL for the web-auth to redirect to.
You also need to create a pre-auth ACL for the web policy. This can be done under Security -> ACLs -> ACLs.