VLANs and Auth. Servers

ogobetse_
New Contributor

VLANs and Auth. Servers

I'm working with an SA-2500 with an internal port address 192.168.52.5/24. The customer is interested in sharing the device between multiple environments so I was looking at the VLAN options.


The VLAN interfaces work as expected; after the VLAN and VLAN interface have been added to the device I can ping and https:// from that particular environment with no problem.


The issue comes in when I try to add an auth server in one of those VLANs. I found the following forum thread describing a similar issue (https://forums.pulsesecure.net/topic/pulse-connect-secure/21090-sa-vlan-configuration/highlight/true...), but after looking at pcaps from both the IVE and the DC I see that the packets are received at the auth server (172.16.5.100/24), but instead of having the source IP of the VLAN interface they have that 192.168.52.5 address.

I opened a JTAC case, but they are telling me that without an 'IVS' license this is expected behavior and I have to be able to route to the internal interface of the IVE in order to use an authentication server in another VLAN.

The tech actually shared his desktop to show me the demo unit with the license applied. It looks like this is what is needed, but is it actually correct? It also seems like the license is only an option on the larger chassis.

Thanks!
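The check described in this post (reading a capture taken on the auth server and looking at which source address the AAA packets carry) can be scripted so it is repeatable per VLAN. The following is an added example, not code from the original thread or from Pulse Secure: a pure-stdlib reader for a classic libpcap file that counts the source IPs of traffic bound for the auth server on AAA ports and flags any source other than the one you expect. The capture it runs on is constructed inline; the auth server (172.16.5.100) and the IVE internal port (192.168.52.5) are from the post, while the VLAN interface address (172.16.5.5) and the set of AAA ports are assumptions.

```python
"""Which source address reaches the auth server? (added example, stdlib only)

Reads a classic libpcap (.pcap, Ethernet link type) capture as taken on the
auth server and reports the source IPs of auth-port traffic.  A constructed
sample capture is built inline so the script runs offline.
"""
import socket
import struct
from collections import Counter

# AAA ports an IVE/PCS commonly talks to: LDAP, LDAPS, RADIUS auth/acct,
# Kerberos.  Assumption: adjust to the auth servers actually deployed.
AUTH_PORTS = {389, 636, 1812, 1813, 88}

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/(UDP|TCP) frame; checksums left at zero
    because the parser below never validates them (test data only)."""
    if proto == 17:  # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:            # TCP: 20-byte header, data offset 5, SYN flag
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                         65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, ethertype IPv4
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap global/record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(pcap):
    """Yield raw frames from a classic pcap, honouring either byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype = struct.unpack(end + "HHiIII", pcap[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17):
        return None
    l4 = frame[14 + ihl:]
    if len(l4) < 4:
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    return src, dst, proto, struct.unpack("!H", l4[2:4])[0]


def auth_sources(pcap, auth_server, expected_src):
    """Count source IPs of auth-port packets to auth_server.
    Returns (Counter of src -> packets, sorted list of sources != expected)."""
    counts = Counter()
    for frame in iter_packets(pcap):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, _proto, dport = parsed
        if dst == auth_server and dport in AUTH_PORTS:
            counts[src] += 1
    return counts, sorted(s for s in counts if s != expected_src)


def sample_capture():
    """Constructed capture as seen on the auth server (not from the thread)."""
    ive_internal = "192.168.52.5"  # IVE internal port (from the post)
    vlan_if = "172.16.5.5"         # assumed VLAN interface in the auth subnet
    auth = "172.16.5.100"          # auth server (from the post)
    frames = [
        build_frame(ive_internal, auth, 6, 40001, 389),   # LDAP
        build_frame(ive_internal, auth, 17, 40002, 1812), # RADIUS
        build_frame(vlan_if, auth, 6, 40003, 443),        # non-AAA, ignored
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,        # ARP, skipped
    ]
    return build_pcap(frames), auth, vlan_if


if __name__ == "__main__":
    pcap, auth, vlan_if = sample_capture()
    counts, unexpected = auth_sources(pcap, auth, vlan_if)
    for src, n in counts.items():
        print(f"{src} -> {auth} AAA packets: {n}")
    print("sources other than the VLAN interface:", unexpected)
```

Point `auth_sources()` at `open("capture.pcap", "rb").read()` from the auth server and the expected VLAN interface address; a non-empty second return value is the symptom the post describes (AAA traffic leaving the internal port rather than the VLAN interface), which is also the condition any ACL or firewall between the two networks must allow.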

4 REPLIES
zanyterp_
Respected Contributor

Re: VLANs and Auth. Servers

That is correct, on both counts. The IVS license is available only on the larger platforms and auth traffic is sourced only from the internal port.
stine_
Super Contributor

Re: VLANs and Auth. Servers

It would not be elegant, but a NAT box between the internal interface and the Auth servers should be able to solve your problem.

ogobetse_
New Contributor

Re: VLANs and Auth. Servers

zanyterp; that's what I figured. I'm guessing that the post referenced didn't have ACLs or something between the two networks, so the routing solution worked. Can't change the packet with this chassis, so that definitely explains it.

stine; I was thinking along those lines. I'll probably just propose a plan with a utility-type subnet that doesn't contain anything other than the IVE internal interface and would be routable to the different Auth. Servers. They have a pretty substantial (simple AND underutilized) layer 3 setup.

Thanks for the input guys!

zanyterp_
Respected Contributor

Re: VLANs and Auth. Servers

You are welcome; glad to help :) ...though, I am sorry I didn't have better answers for you.