ArubaOS and Controllers

Contributor II

Captive Portal Help!

Hey all,

I'm trying to set up Captive Portal with LDAP authentication, but for some reason I'm stuck at the first stage and can't even get the Welcome page to open up on the client side, let alone even try the LDAP authentication part :(

Anyone have any ideas? I've tried following the user guide and have done the steps. I'm able to join the open SSID no problem, but opening up a browser and making a port 80 request doesn't bring up the Portal welcome page.

It's probably something easy I missed but I'm out of ideas. Are there any commands I can use to check things out? If I manually input the Portal page URL into the browser I do hit the welcome page...but obviously I can't leave it like that.

Using an Aruba 200 controller with OS 5.0.0.1 (tried on 3.4.2.1 as well with no luck).

Thanks.
Aruba Employee

Re: Captive Portal Help!

Mike,

A couple things to check. First, check the Initial role for the AAA profile by clicking on Configuration > AP Configuration > Edit (by your AP group name). Then, open Wireless LAN, Virtual AP, and then your Virtual AP name. You will see your AAA profile there. Click on it. Note the setting for Initial role.

Now, click on Access Control, then click Edit beside the name of your Initial role above.

Make sure you have a Firewall Policy called "captiveportal" in the list. Also, make sure you have a Captive Portal Profile assigned (you may have to scroll down to see that option). The "captiveportal" policy is a default, so you can add it if it is not already there.

Do you have the Policy Enforcement Firewall (PEF-NG) license?
Aruba Employee

Re: Captive Portal Help!

Also, you can test your LDAP authentication by clicking Diagnostics > AAA test server. Just drop the Server Name box down and choose your LDAP server, then enter your credentials.
Contributor II

Re: Captive Portal Help!

Thanks for the tips.

I've gone through what you mentioned and it looks like those are set up correctly. I made sure I also have the PEF license enabled, and under my Initial Role name in the Access Control section I already had the logon-control and captiveportal firewall policies selected. Does it matter what order these policies are in? Should I only have captiveportal selected?
Occasional Contributor II

Re: Captive Portal Help!

Most likely a DNS problem. Try 1.1.1.1 in your browser and see if that redirects you.
Contributor II

Re: Captive Portal Help!

No redirection when I try 1.1.1.1

Confirmed I have the DNS record for the controller name set up, and I even hardcoded the controller name in the host file and still nothing.

Is 1.1.1.1 supposed to bring up the Portal page?
Contributor II

Re: Captive Portal Help!

Ignore my last question about the 1.1.1.1, I'm guessing you were just trying to see if a valid http request would redirect me to the portal ;)

Anyway at this point it looks like it's not DNS, I was actually hoping it was that easy :(
Guru Elite

DNS, Rights, Datapath

Ok,

When the user associates, what role does the user get? And when he gets that role, find out what firewall policies he is subject to by doing this on the commandline:

"show rights "

Please post the output of that command.

In addition, post the output of the command "show ip cp-redirect-address"


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: Captive Portal Help!

When the user associates they get placed into a role called "portal", and I just copied the firewall policies from "guest-logon".

Derived Role = 'portal'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Assigned VLAN = 3007
Periodic reauthentication: Disabled
ACL Number = 47/0
Max Sessions = 65535


access-list List
----------------
Position  Name           Location
--------  ----           --------
1         logon-control
2         captiveportal

logon-control
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    any          udp 68           deny                                   Low
2         any     any          svc-icmp         permit                                 Low
3         any     any          svc-dns          permit                                 Low
4         any     any          svc-dhcp         permit                                 Low
5         any     any          svc-natt         permit                                 Low

captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    controller   svc-https        dst-nat 8081                           Low
2         user    any          svc-http         dst-nat 8080                           Low
3         user    any          svc-https        dst-nat 8081                           Low
4         user    any          svc-http-proxy1  dst-nat 8088                           Low
5         user    any          svc-http-proxy2  dst-nat 8088                           Low
6         user    any          svc-http-proxy3  dst-nat 8088                           Low


Expired Policies (due to time constraints) = 0

Here is the output of the CP redirect command,

(Aruba-Test) #show ip cp-redirect-address

Captive Portal redirect Address ... 10.49.0.2
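
An added example, not part of the thread and not Aruba code: a small Python parser for the "show rights" output pasted above that walks the role's policies in position order and reports which rule first matches a service, so you can confirm that DNS is permitted and that svc-http lands on a dst-nat rule. It assumes first-match evaluation in position order and matches on service name only (source and destination are ignored); `parse_rights` and `first_match` are hypothetical helper names.

```python
import re

ACTIONS = {"permit", "deny", "dst-nat", "src-nat"}
# Abbreviated copy of the "show rights" output posted above (column headers omitted).
SAMPLE = """\
access-list List
----------------
1 logon-control
2 captiveportal

logon-control
-------------
1 user any udp 68 deny Low
2 any any svc-icmp permit Low
3 any any svc-dns permit Low
captiveportal
-------------
1 user controller svc-https dst-nat 8081 Low
2 user any svc-http dst-nat 8080 Low
"""

def parse_rights(text):
    """Return (policy names in position order, {policy: [rule dicts]})."""
    lines = text.splitlines()
    order, rules, section = [], {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        tok = line.split()
        if tok and re.fullmatch(r"-+", nxt):      # title underlined with dashes
            section = line.strip()
        elif tok and tok[0].isdigit() and section == "access-list List":
            order.append(tok[1])
        elif tok and tok[0].isdigit() and section:
            a = next((j for j in range(3, len(tok)) if tok[j] in ACTIONS), None)
            if a is not None:                     # service may span two tokens ("udp 68")
                act = " ".join(tok[a:a + 2]) if tok[a].endswith("-nat") else tok[a]
                rules.setdefault(section, []).append(
                    {"src": tok[1], "service": " ".join(tok[3:a]), "action": act})
    return order, rules

def first_match(text, service):
    """Walk policies in position order; return (policy, action) of the first rule
    whose service matches. Simplification: matches on service name only."""
    order, rules = parse_rights(text)
    for policy in order:
        for r in rules.get(policy, []):
            if r["service"] in (service, "any"):
                return policy, r["action"]
    return None
```

For the output posted above, `first_match(SAMPLE, "svc-dns")` lands on the logon-control permit rule and `first_match(SAMPLE, "svc-http")` on the captiveportal dst-nat 8080 rule; a broad permit in a policy placed earlier in the list would be returned instead.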
Guru Elite

Question

Okay.

Can the client even reach 10.49.0.2? That is the IP address that it is redirected to to open the captive portal. You said DNS works right (nslookup)?


Colin Joseph
Aruba Customer Engineering
