AAA, NAC, Guest Access & BYOD

Contributor I
rgarlin
Posts: 59
Registered: ‎02-22-2011
Accepted Solution

Guest access without Captive Portal

I would like to configure guest access, using the ArubaOS, with some tcp/udp ports and bandwidth restrictions; however, I do not want to use a captive portal. So when a guest user connects to the guest SSID, and when they launch their web browser, I want them to go to their home page and not be redirected to a captive portal web page. I thought I had it configured correctly, but when I launch my browser, I'm being redirected to securelogin.arubanetworks.com and I get the error "web authentication is disabled".

 

Bob 

Moderator
cjoseph
Posts: 12,357
Registered: ‎03-29-2007

Re: Guest access without Captive Portal

Go to Configuration > Security > Authentication > AAA profile. Find the AAA profile for that WLAN and change the initial role to "authenticated".

Colin Joseph
Aruba Customer Engineering
Contributor I
rgarlin
Posts: 59
Registered: ‎02-22-2011

Re: Guest access without Captive Portal

Thanks for the quick reply. That worked better, because now I'm not getting redirected to the captive portal web page. However, my http and https traffic is not working. DNS works fine, because I can resolve DNS names, but the http and https traffic is not making it past the controller. Would that be a configuration in my guest access policy? I only have 3 rules, but that should be enough to get http and https traffic to work:

user -> any -> svc-dns -> permit

user -> any -> svc-https -> permit

user -> any -> svc-http -> permit

 

Or is there somewhere else that could be blocking it? I also tried changing the source from user to any and it still didn't work.

 

Bob 

 

Moderator
cjoseph
Posts: 12,357
Registered: ‎03-29-2007

Re: Guest access without Captive Portal

Are you sure that is the role that your client is getting?  Type "show user" and see what role your client is in, and then type "show rights" to see what ACLs are being applied.  If you made a change to the initial role, you need to remove or disconnect the client from the user table for it to get the "authenticated" role.

Colin Joseph
Aruba Customer Engineering
Aruba Employee
awl
Posts: 455
Registered: ‎04-02-2007

Re: Guest access without Captive Portal

Are those the only three rules? And is DNS actually working (nslookup)? I'm just wondering if you're blocking ICMP, etc. The machine needs to ARP to find the default router, and the firewall has an implicit deny at the end. Also, are you sure you're getting an IP via DHCP and not using a static or 169 address? Seems like you'd also be blocking DHCP. From the CLI on that role it might help to do a 'show rights <role>' so we can have a look at the role. 

 

-awl

Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
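
The implicit-deny point in the reply above, modelled as an added Python sketch (not ArubaOS code and not written by any poster in this thread): it evaluates the three posted rules first-match and shows which client flows fall through to the final deny. The port definitions for each service name and the sample flows are assumptions constructed for the illustration.

```python
# Added illustration: first-match session ACL ending in an implicit deny.
# Service-to-port mappings are assumptions based on the well-known ports.
SERVICES = {
    "svc-dns":   [("udp", 53, 53), ("tcp", 53, 53)],
    "svc-http":  [("tcp", 80, 80)],
    "svc-https": [("tcp", 443, 443)],
    "svc-dhcp":  [("udp", 67, 68)],
}

# The three rules from the thread, each "user -> any -> <service> -> permit".
GUEST_POLICY = [("svc-dns", "permit"), ("svc-https", "permit"), ("svc-http", "permit")]

def service_matches(service, proto, port):
    """True if (proto, port) falls inside any range defined for the service."""
    return any(
        s_proto == proto and port is not None and low <= port <= high
        for s_proto, low, high in SERVICES[service]
    )

def evaluate(policy, proto, port=None):
    """Return (action, matched_rule); first match wins, otherwise implicit deny."""
    for service, action in policy:
        if service_matches(service, proto, port):
            return action, service
    return "deny", "implicit-deny"

def audit(policy, flows):
    """Map each named flow to the action the policy takes on it."""
    return {name: evaluate(policy, proto, port)[0]
            for name, (proto, port) in flows.items()}

# Constructed flows a guest client generates while joining and browsing.
CLIENT_FLOWS = {
    "dhcp-discover": ("udp", 67),
    "dns-query":     ("udp", 53),
    "http":          ("tcp", 80),
    "https":         ("tcp", 443),
    "ping-gateway":  ("icmp", None),
}

if __name__ == "__main__":
    for name, action in audit(GUEST_POLICY, CLIENT_FLOWS).items():
        print(f"{name:14} {action}")
    # Adding a DHCP permit ahead of the posted rules lets address assignment through.
    fixed = [("svc-dhcp", "permit")] + GUEST_POLICY
    print("with svc-dhcp:", audit(fixed, CLIENT_FLOWS)["dhcp-discover"])
```
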
Contributor I
rgarlin
Posts: 59
Registered: ‎02-22-2011

Re: Guest access without Captive Portal

DNS is working fine, along with everything else, so I'm not sure why I had the problems yesterday and not today. Maybe after I changed the initial role, I didn't save the configuration, or forgot to disconnect and reconnect. However, changing the initial role to either authentication or my AuthGuest-Role fixed the problem.

 

Bob 

 

 

 

Aruba Employee
awl
Posts: 455
Registered: ‎04-02-2007

Re: Guest access without Captive Portal

If it's master local, not saving the config could have been the issue. The configuration won't be pushed down to the local until it's saved on the master. Glad it's working for you.

 

-awl

 

 

Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
olino
Posts: 661
Registered: ‎04-15-2009

Re: Guest access without Captive Portal

A disconnect/reconnect may not be all that is needed. If you change an ACL that is used by a role, you have to flush the users from the controller's user table before the change will be noticed by the users. I typically use the "aaa user delete x.x.x.x" command (where x.x.x.x is the user's IP address) from the CLI. When you disconnect and reconnect, the user record on the controller most likely doesn't get flushed. It takes a few minutes to notice that the client disconnected. If the reconnect happened before the user record got flushed, it would still use the same ACLs. That's probably why it didn't work yesterday and does today (the user records would have most likely timed out overnight).