
Script to rewrite the switchip parameter in the Redirect URL to Controller Hostname

by on ‎04-01-2015 09:14 PM

Summary: This article provides the PHP script to rewrite the switchip parameter in the Captive Portal initial redirect URL to a hostname, which is useful in multi-controller deployments.

 

Introduction: We might run into scenarios where multiple controllers point to the same ClearPass URL for Captive Portal, and each of them has a public CA-signed certificate with a different hostname. In that case a POST to securelogin.arubanetworks.com would not work, because a DNS query for it would not return the controller's IP address. Controllers always look for the CN of the certificate installed on them and start responding to DNS queries for that CN with their own IP address. To POST the credentials securely to the respective controller over HTTPS without any warning on the client, we need to modify the POST destination dynamically, mapping the switchip in the captive portal redirect URL to the CN in the certificate that controller holds. That is what this script does.

 

Environment: Applicable to any version of both ClearPass and Amigopod, and to any Aruba controller that includes the switchip in the redirect URL.

 

Network Topology: We need to configure two ClearPass pages for this to work. The 1st page is set as the Captive Portal URL on the controller; it has the logic to rewrite the switchip to a hostname and redirects the user to the 2nd page. The 2nd page has the setting to look at the switchip, which has now been rewritten to the hostname, and perform a POST to it.

Configuration Steps: We need to make sure that the controller includes the switchip in the redirect URL for this to work.
That setting is in the Captive Portal profile on the Aruba controller under Security >> Authentication >> L3 Authentication >> Captive Portal Authentication.
Check the box that says "Add switchip in the redirect URL".


The 1st page is configured as the Captive Portal URL on all controllers. The script below goes into the 1st page:


{* Hide the standard page content; this page only redirects. *}
{literal}
<style>
.nwaContent {
display: none;
}
</style>
{/literal}
{* Map each controller IP to the CN of its certificate. mac, essid and url are copied from the request unchanged. *}
{if $extra_fields.switchip == "192.168.1.1"}
{assign var="hostname" value="controller1.xyz.com"}
<meta http-equiv="refresh" content="0;url=/guest/webloginwithswitchipascn.php?switchip={$hostname}&mac={$mac}&essid={$essid}&url={$url}">
{elseif $extra_fields.switchip == "192.168.1.2"}
{assign var="hostname" value="controller2.xyz.com"}
<meta http-equiv="refresh" content="0;url=/guest/webloginwithswitchipascn.php?switchip={$hostname}&mac={$mac}&essid={$essid}&url={$url}">
{elseif $extra_fields.switchip == "192.168.1.3"}
{assign var="hostname" value="controller3.xyz.com"}
<meta http-equiv="refresh" content="0;url=/guest/webloginwithswitchipascn.php?switchip={$hostname}&mac={$mac}&essid={$essid}&url={$url}">
{else}
{* Any other switchip falls back to securelogin.arubanetworks.com. *}
{assign var="hostname" value="securelogin.arubanetworks.com"}
<meta http-equiv="refresh" content="0;url=/guest/webloginwithswitchipascn.php?switchip={$hostname}&mac={$mac}&essid={$essid}&url={$url}">
{/if}

 

Please note that you need to replace the switchip and hostname values with the respective controller details for your setup. The values in the script only indicate what the values normally look like. The URL in the script also needs to be changed to the 2nd page URL.

 

We are rewriting the redirect URL, which has the controller's IP address as the switchip, to use the respective hostname, and redirecting the client to the 2nd page.


In the 2nd page we need a setting to be turned on within ClearPass which makes it look for the switchip and POST the credentials to that destination.

Under Weblogin settings, check the box that says Dynamic Address.


 

Answer: Once the configuration steps are followed, we should be able to POST to the respective controller's hostname securely over HTTPS without any warnings.

 

Verification: We can verify this is working by passing a switchip parameter of 192.168.1.1 or 192.168.1.3 in the 1st page URL and noticing the URL change to the 2nd page with the switchip rewritten to the respective hostname.

Test Case 1
Original captive portal URL
https://10.17.164.137/guest/WebloginInitial.php?switchip=192.168.1.3&mac=60:67:20:5b:38:d8&url=http%3A%2F%2Fwww%2Eyahoo%2Ecom&essid=test

Captive Portal URL after switchip re-write
https://10.17.164.137/guest/webloginwithswitchipascn.php?switchip=controller3.xyz.com&mac=60:67:20:5b:38:d8&essid=test&url=http://www.yahoo.com&_browser=1

Test Case 2 
Original captive portal URL
https://10.17.164.137/guest/WebloginInitial.php?switchip=192.168.1.1&mac=60:67:20:5b:38:d8&url=http%3A%2F%2Fwww%2Eyahoo%2Ecom&essid=test

Captive Portal URL after switchip re-write
https://10.17.164.137/guest/webloginwithswitchipascn.php?switchip=controller1.xyz.com&mac=60:67:20:5b:38:d8&essid=test&url=http://www.yahoo.com&_browser=1
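
An offline model of the 1st-page rewrite and of the verification step above, added here as an example (it is not part of the original article or of ClearPass). It confirms that the switchip reaching the 2nd page, where Dynamic Address uses it as the POST destination, is always one of the configured hostnames. The function names are hypothetical, the table uses the article's indicative values, and unlike the template the model percent-encodes the pass-through values; the check compares decoded parameters, so the article's test cases still match.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Indicative values copied from the article's sample script.
CONTROLLERS = {
    "192.168.1.1": "controller1.xyz.com",
    "192.168.1.2": "controller2.xyz.com",
    "192.168.1.3": "controller3.xyz.com",
}
DEFAULT_HOST = "securelogin.arubanetworks.com"
SECOND_PAGE = "/guest/webloginwithswitchipascn.php"
PASSTHROUGH = ("mac", "essid", "url")


def query_params(url):
    """Decoded query parameters of a URL, first value of each name."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def expected_rewrite(initial_url):
    """Model the 1st page: the URL a client should be refreshed to."""
    src = query_params(initial_url)
    # Exact-match lookup; any other switchip gets the default name,
    # mirroring the {else} branch of the template.
    hostname = CONTROLLERS.get(src.get("switchip", ""), DEFAULT_HOST)
    pairs = [("switchip", hostname)]
    pairs += [(name, src.get(name, "")) for name in PASSTHROUGH]
    parts = urlsplit(initial_url)
    # urlencode() percent-encodes each value so it stays a single parameter.
    return urlunsplit((parts.scheme, parts.netloc, SECOND_PAGE, urlencode(pairs), ""))


def check_redirect(initial_url, observed_url):
    """Compare an observed 2nd-page URL with the model; return problems found."""
    want = query_params(expected_rewrite(initial_url))
    got = query_params(observed_url)
    problems = []
    allowed = set(CONTROLLERS.values()) | {DEFAULT_HOST}
    if got.get("switchip") not in allowed:
        problems.append("switchip %r is not a configured hostname" % got.get("switchip"))
    for name in PASSTHROUGH:
        if got.get(name) != want[name]:
            problems.append("%s: expected %r, observed %r" % (name, want[name], got.get(name)))
    if got.get("switchip") in allowed and got["switchip"] != want["switchip"]:
        problems.append("switchip maps to the wrong controller: %r" % got["switchip"])
    return problems
```

An empty list from check_redirect() means the observed redirect matches the model; each string in a non-empty list names one mismatch.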
  
