ArubaOS and Controllers

New Contributor
Posts: 4
Registered: ‎04-30-2009

CP on GRE interface

I'm terminating a GRE-Tunnel from a small Cisco router on my controller and want to terminate users routed through it by Captive Portal. So, what I did was to trust the physical interface (and the used vlan on it) and instead untrusted the tunnel interface.

This causes some problems, since the user gets terminated correctly, but instead of the welcome page, he gets the page cp_disabled.html saying "Web authentication is disabled".

If I shut down the tunnel and route the exact same traffic on a physical interface (which I untrust for that test), the same configuration works perfectly and I get to the CP-welcome page...

I'm using 3.4.1.0... Any ideas?
Guru Elite
Posts: 19,990
Registered: ‎03-29-2007

Untrusted






Beat,

Any user on an "untrusted" port or tunnel ends up in the initial role of the AAA profile that is configured at Configuration > Wired Access > AAA Profile. The default initial role is "logon". You will see the "Web authentication is disabled" message if there is no Captive Portal profile configured in the "logon" role. Edit the logon role and add a Captive Portal profile to it under Configuration > Security > Access Control: edit the logon role and select a Captive Portal Profile.

I'm saying to edit the logon role as a quick solution to your problem, but the best practice is to clone the logon role, clone the default AAA profile and use and edit those.
Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 4
Registered: ‎04-30-2009

Re: CP on GRE interface

Hola,

The good news: It worked with adding my captive portal to the logon user role...

But I checked the config and the controller is not supposed to use this role and the role is not mentioned to be referenced anywhere in my config...
I also changed the existing AAA profiles to go to the initial role I defined to find out which one is actually in use... But even when I changed all of them, the logon role got used...

This is the config I was using (And which works on physical interfaces):

aaa authentication wired
   profile "Guest_AAA"
!
aaa profile "Guest_AAA"
   initial-role "Guest-logon_UR"
   no wired-to-wireless-roam
!
user-role Guest-logon_UR
   captive-portal "Guest_CP"
   session-acl Guest-logon_ACL

Any idea where the root of this could lie? Just a software-bug?

Thx & Greetz
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: CP on GRE interface

When the user has associated to the system and you issue a 'show user' on the CLI before they authenticate, it's saying they are in logon and not the guest logon role you created? You do have a CP profile configured for the guest role, so they should see the CP:

user-role Guest-logon_UR
   captive-portal "Guest_CP" <<<
   session-acl Guest-logon_ACL

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
New Contributor
Posts: 4
Registered: ‎04-30-2009

Re: CP on GRE interface

Yep, the user shows up in the logon-Role:

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.231.248.2 00:0b:86:0d:64:00 logon 00:00:00 N/A

Thx & Greetz
Beat
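
An added example, not part of any post in this thread and not Aruba code: a Python check of the diagnosis discussed above. It parses the stanzas posted in the thread and compares the role reported by 'show user' with the AAA profile's initial role. The function names are hypothetical, and a role that is missing from the excerpt is assumed to have no Captive Portal profile.

```python
import re

# Stanzas as posted in the thread ("!" ends a block).
POSTED_CONFIG = '''
aaa authentication wired
   profile "Guest_AAA"
!
aaa profile "Guest_AAA"
   initial-role "Guest-logon_UR"
   no wired-to-wireless-roam
!
user-role Guest-logon_UR
   captive-portal "Guest_CP"
   session-acl Guest-logon_ACL
'''

def parse(config):
    """Return ({aaa profile: initial role}, {user role: captive portal profile})."""
    initial_roles, portals, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', raw)]
        if not words or words == ["!"]:
            kind = name = None
        elif words[:2] == ["aaa", "profile"] and len(words) == 3:
            kind, name = "aaa", words[2]
        elif words[0] == "user-role" and len(words) == 2:
            kind, name = "role", words[1]
            portals.setdefault(name, None)
        elif words[0] == "aaa":  # some other aaa stanza: not tracked
            kind = name = None
        elif kind == "aaa" and words[:1] == ["initial-role"] and len(words) == 2:
            initial_roles[name] = words[1]
        elif kind == "role" and words[:1] == ["captive-portal"] and len(words) == 2:
            portals[name] = words[1]
    return initial_roles, portals

def diagnose(config, aaa_profile, observed_role):
    """Compare the role seen in 'show user' with what the config intends."""
    initial_roles, portals = parse(config)
    findings = []
    intended = initial_roles.get(aaa_profile)
    if observed_role != intended:
        findings.append(f"user is in '{observed_role}', but AAA profile "
                        f"'{aaa_profile}' has initial role '{intended}'")
    # Assumption: a role absent from the excerpt has no Captive Portal profile.
    if portals.get(observed_role) is None:
        findings.append(f"role '{observed_role}' has no captive-portal profile: "
                        "expect 'Web authentication is disabled'")
    return findings
```

Calling `diagnose(POSTED_CONFIG, "Guest_AAA", "logon")` returns both findings; once a `user-role logon` stanza with a `captive-portal` line is appended, only the role mismatch remains.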