Konrad_
Occasional Contributor

MAG and Auth Server using vlan.

I have Mag6610 chassis + MAG-SM160.

I have internal port with address 192.168.1.5/24 (and gateway 192.168.1.1) + vlan port with address 192.168.10.5/24 (and gateway 192.168.10.1).

My Active Directory authentication server has address 192.168.10.50/24.

When I test connection in Troubleshooting > Tools > Ping:

- from internal port I can ping to gateway in internal port (vlan untagged works);

- from internal port I can ping interface vlan 192.168.10.5 (the same device);

- from internal port I can't ping any object from VLAN (Active Directory for example);

- from vlan port I can ping my Active Directory server (vlan tagged works OK);

- from vlan port I can ping internal port address 192.168.1.5 (the same device);

- from vlan port I can't ping any object in LAN 192.168.1.0/24;

I try to add auth server 192.168.10.50 - unfortunately: Primary Domain Controller 192.168.10.50 is not reachable.

Ok, I found information - You must add static route!
I added static route to internal port table:

192.168.10.0 255.255.255.0 192.168.10.1 VLAN - unfortunately: Primary Domain Controller 192.168.10.50 is not reachable.

I found information - You must enable vlan on User Roles - unfortunately: Primary Domain Controller 192.168.10.50 is not reachable.

I debugged this traffic and I found that the source address for this traffic sent to the auth server comes from 192.168.1.5 (internal port).

Then I found this topic https://forums.pulsesecure.net/topic/pulse-connect-secure/50689-vlans-and-auth-servers/highlight/tru... with information - you must buy IVS license!

OK! I try to find IVS license for this MAG - and found information that there is no IVS for MAG!!!!

I'm totally depressed - why can't I connect with the auth server, what do I need to buy or enable to achieve connection with the authentication server using vlan?

7 REPLIES
ruc_
Regular Contributor

Re: MAG and Auth Server using vlan.

So you want to send traffic to '192.168.1.5' over the VLAN port/interface?

The VLAN options on MAG are currently limited to sending user traffic to backend servers and not meant for authentication or system traffic. (User traffic can be sent via a VLAN by using the Role level -> Source IP option). The only crude workaround for your requirement is to add a static route like you did on the MAG internal interface route table and then add a static route (return route) on the 192.168.1.5 device directing it to send traffic from internal interface IP to the VLAN interface. 

Konrad_
Occasional Contributor

Re: MAG and Auth Server using vlan.

Thanks ruc for your reply!

Maybe I was imprecise, I have interface:
internal   192.168.1.5/24   gateway   192.168.1.1
and vlan port on this internal interface:
VLAN    120    192.168.10.5    255.255.255.0    192.168.10.1

At the other end of this cable inserted to the internal port I have EX switch with port ge-0/0/44:

ge-0/0/44 {
    description MAG-InternalPort;
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ VLAN ];
            }
            native-vlan-id VmyLAN;
        }
    }
}

On this EX switch I have a direct connection to the AD controller with ip 192.168.10.50/24.

What I want to do is configure this AD controller as authentication server for one realm.
Unfortunately, even if I add routing to the internal port routing table to send traffic with destination address from 192.168.10.0/24 to the vlan interface, MAG does not do this - it sends all traffic (not paying attention to ANY static routing) to the gateway (192.168.1.1) set on the internal port (not to vlan)!

Is that possible - force MAG to send authentication traffic to vlan interface - or not?

ruc_
Regular Contributor

Re: MAG and Auth Server using vlan.

Yes, a static route on the internal interface routing table will force traffic destined to 192.168.10.0 through the VLAN port (i.e. traffic will be tagged and sent). However the source-ip of these packets will be 192.168.1.5 (hence the need for a return route on the AD backend server).

To verify if packets are going out via the VLAN interface please capture packets either on the switch or on the backend AD server. The tcpdump on MAG records packets before the VLAN tagging happens so you won't see the VLAN tags on captures taken directly on SA.

I have tested this in my lab (a few months ago) and this has worked.

Konrad_
Occasional Contributor

Re: MAG and Auth Server using vlan.

Thaaaaaank you very much :)

Now works great!

ruc_
Regular Contributor

Re: MAG and Auth Server using vlan.

Glad it is working in your network now. Was it the return route?
Aks16_
Not applicable

Re: MAG and Auth Server using vlan.

Hi Ruc,

Could you please specify as to what route are we supposed to add on AD for the above said case?

The route will be pointing to which next hop?

If you could elaborate with an example, it will be very helpful.

Thanks.

ruc_
Regular Contributor

Re: MAG and Auth Server using vlan.

Sure. Assuming your SA/MAG physical internal interface has ip 192.168.10.100 (/24) and your VLAN interface on SA/MAG has IP 172.27.10.5 (/24) and the AD server is at 172.27.10.6 then:

1. On SA/MAG add a route to internal interface route table:

Destination = 172.27.10.6

mask: 32 bit

Gateway: 172.27.10.1

Interface: Select the VLAN interface

2. On your AD server and all intermediate hops add routes that send traffic for 192.168.10.100 back to the 172.27.10.1 gateway, and an entry on that gateway to send this traffic to the SA VLAN interface 172.27.10.5.

#2 above is because SA/MAG will still source traffic from the internal port IP address; the only thing #1 does is change the outgoing interface on SA/MAG for 172.27.10.6 traffic.
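To make the two steps above concrete, here is an added example (not from the thread or from the vendor) that models the forwarding decisions with a small longest-prefix-match simulator, using the addresses from the reply above. The gateway's 192.168.10.1 leg, the AD server's default route and the interface names are constructed assumptions.

```python
"""Added example (not from the thread): longest-prefix-match forwarding model of
ruc's scenario. Step 1 changes only the MAG's egress interface; the source stays
the internal IP, so step 2 (return routes) is needed. Gateway leg 192.168.10.1,
AD default route and interface names are constructed assumptions."""
import ipaddress

class Node:
    def __init__(self, name, ifaces, routes):
        self.name, self.ifaces, self.routes = name, ifaces, routes  # routes: (prefix, next_hop|None, iface)

    def lookup(self, dst):
        """Longest-prefix match; next_hop is None for a directly connected network."""
        ip = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p).prefixlen, nh, i)
                for p, nh, i in self.routes if ip in ipaddress.ip_network(p)]
        return max(hits, key=lambda h: h[0])[1:]

def find(nodes, ip):
    """Return (node, iface) owning address ip."""
    for node in nodes.values():
        for iface, cidr in node.ifaces.items():
            if cidr.split("/")[0] == ip:
                return node, iface
    raise KeyError(ip)

def trace(nodes, src, dst):
    """Forward hop by hop: [(node, egress iface), ..., (dst node, ingress iface)]."""
    node, hops = nodes[src], []
    while len(hops) < 8:
        nh, iface = node.lookup(dst)
        hops.append((node.name, iface))
        node, ingress = find(nodes, nh or dst)  # next hop, or deliver directly
        if find(nodes, dst)[0] is node:
            return hops + [(node.name, ingress)]
    raise RuntimeError("routing loop")

def scenario(static_route, return_routes):
    """Return (request path MAG->AD, reply path AD->MAG) with the chosen fixes applied."""
    # MAG system-traffic table has no connected VLAN entry, as observed in the thread
    mag = [("192.168.10.0/24", None, "internal"), ("0.0.0.0/0", "192.168.10.1", "internal")]
    gw = [("172.27.10.0/24", None, "vlan"), ("192.168.10.0/24", None, "lan")]
    ad = [("172.27.10.0/24", None, "eth0"), ("0.0.0.0/0", "172.27.10.1", "eth0")]
    if static_route:   # step 1: host route via 172.27.10.1 out of the VLAN interface
        mag.append(("172.27.10.6/32", "172.27.10.1", "vlan"))
    if return_routes:  # step 2: AD and gateway send 192.168.10.100 back via the VLAN
        ad.append(("192.168.10.100/32", "172.27.10.1", "eth0"))
        gw.append(("192.168.10.100/32", "172.27.10.5", "vlan"))
    nodes = {n.name: n for n in (
        Node("mag", {"internal": "192.168.10.100/24", "vlan": "172.27.10.5/24"}, mag),
        Node("gw", {"vlan": "172.27.10.1/24", "lan": "192.168.10.1/24"}, gw),
        Node("ad", {"eth0": "172.27.10.6/24"}, ad))}
    # the MAG still sources from the internal IP, so AD replies to 192.168.10.100
    return trace(nodes, "mag", "172.27.10.6"), trace(nodes, "ad", "192.168.10.100")
```

Without the return routes the reply comes back untagged on the internal port even though the request left tagged on the VLAN, which is the asymmetric path the second step removes.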