ArubaOS and Controllers

Occasional Contributor II
Posts: 28
Registered: ‎07-29-2009

Captive Portal Problem

Hi everyone,

I have a question about captive portal authentication: does the Aruba controller have to be the default gateway of the network (wireless side, not wired access) for clients to be redirected to the captive portal? I tried to put a Cisco router as the default gateway but it doesn't work.

The cp-redirect-address is the VLAN 1 IP address (by default) and it's routed by the Cisco router.

Thanks for your reply
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Captive Portal Problem

The captive portal is displayed when the controller sees an http or https request from an unauthenticated station, so yes, it must be the default gateway of the clients (unless they have specific routes that send traffic to the controller, but I doubt that is the case). If the controller is not the default gateway, the packets won't be seen by it (the controller) and the captive portal won't be displayed.
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Does Not

The Captive Portal does NOT need to be the default gateway of clients, but needs to be a layer-2 bump in the path:

1. The controller needs to have an IP interface in the client's subnet
2. The ip cp-redirect-address parameter needs to be set to that address so that the controller can bring up the captive portal (http://airheads.arubanetworks.com/vBulletin/showthread.php?t=543)
3. The controller needs to be in the path of the traffic by way of #1

As long as the controller is in the path, it can intercept http or https traffic and redirect an untrusted user to the captive portal ip address in #2 above. It does not need to be the default gateway. You can have a cable modem be the default gateway and this will work.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 28
Registered: ‎07-29-2009

Re: Captive Portal Problem

Thanks for your reply.

I forgot to put an interface in the user subnet. Another question: does this interface have to be set in trust or untrust mode?

Why is it necessary to have one interface in the user subnet? It's the cp-redirect interface that replies to the client request, not this one? In my case the cp-ip-redirect address is on another subnet.

Thanks in advance
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Trusted

Since this is wireless, the interface does not have to be trusted for this to work.

The IP cp-redirect address is the IP address on the controller that the client will be redirected to, to bring up the captive portal. If that IP address is in a subnet that is unreachable by the client, the captive portal will not come up. This is frequently the case in guest networks where you want to keep the guest traffic on a single network and not allow clients to reach other internal networks. It is also frequently the case when a cable modem, not an infrastructure router, is the default gateway for clients.

If clients can reach the IP interface that the ip cp-redirect address is pointing to, the page will come up and you will be fine. It is an unwritten best practice to put it in the same subnet as the clients to put the controller in the shortest path from the client.

I hope this makes sense.


Colin Joseph
Aruba Customer Engineering
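
The two placements of the redirect address discussed in the replies above, as an added ArubaOS configuration sketch that is not part of the original posts. VLAN 111, the 192.168.111.0/24 guest subnet, the 10.10.10.0/24 addresses and the client address 192.168.111.50 are constructed values.

```text
! Constructed scenario: guest clients are in 192.168.111.0/24 on VLAN 111.
! Their default gateway is another device (router or cable modem), not the controller.

! Placement A: redirect target is the controller address in a different subnet.
! The portal only comes up if guests can actually reach 10.10.10.0/24,
! which is often not the case on an isolated guest network.
interface vlan 1
    ip address 10.10.10.5 255.255.255.0
!
ip cp-redirect-address 10.10.10.5

! Placement B: the controller has an IP interface in the client subnet and the
! redirect address points at it, so the portal is reachable without routing.
interface vlan 111
    ip address 192.168.111.1 255.255.255.0
!
ip cp-redirect-address 192.168.111.1

! Checks on the controller after a test client tries to browse:
! confirm the VLAN interface is up, then look at the client's sessions
! to see whether the redirect and its reply are permitted.
show ip interface brief
show datapath session table 192.168.111.50
```

With placement B the guest role does not need any access to other internal subnets for the portal page to load.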

Occasional Contributor II
Posts: 28
Registered: ‎07-29-2009

Re: Captive Portal Problem

OK, I understand.

So I don't change the cp-redirect. By default it's on the controller-ip interface, which is on a different subnet from the user network.

The gateway for the user network is a Cisco router that routes users to the cp-redirect interface. So if I understand correctly, I don't need an interface on the user network.

But the captive portal doesn't come up. I checked the log and the response is blocked:
user -> google.fr (for example) is NATed to port 8081 to the cp-redirect interface, and the response (Google IP address -> user, which reply goes to the cp-redirect interface with an HTTP page move) is blocked.

Do you have any suggestion?

Thanks in advance
Occasional Contributor II
Posts: 28
Registered: ‎07-29-2009

Re: Captive Portal Problem

Sorry, I found it: I forgot to enable tri-session DNAT in the firewall :p

Thanks.
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal Problem

>>You can have a cable modem be the default gateway and this will work.

@cjoseph: in this case you mean some external public ISP gw address would be fine, yes? it's some static router with a /29 network and i used the gw address of this router to be the default gw for the aruba_controller.

Let's start my initial post:
ah perfect, why create a new thread if there's already a similar one.

i have a wifi guest network too (e.g. 192.168.111.0/24); in the aruba controller i set the external gateway address of the static internet subnet as the default gateway.

the guest stuff works but this little popup isn't shown properly, and i'm not sure why this is not working.

the controller itself has a static local address in the above-mentioned network (e.g. 192.168.111.1), and a DHCP server is also giving those guest users IPs.
they get the external DNS servers of the ISP because i don't have a DNS server running in this 192' network.

at the moment i would like to tweak the guest network cause i get strange issues sometimes when ppl come here, connect their notebooks and connect to their corporate lan via VPN; sometimes they report "oh the wifi lost, i got disconnected". i myself don't have this problem, but i'm not using any vpn adapter, i only use the guest wifi just for internet access.

i kept quite along the default config and checked out the config's made in the aruba democonfig of those aruba demokits out in the field. the config is nearly the same , but perhaps it has something to do with the popup of the portal not proper shown up .

any ideas?

regards
ben
Occasional Contributor II
Posts: 28
Registered: ‎07-29-2009

Re: Captive Portal Problem

For the popup, you may have forgotten to put the weblogout session acl in the user role.

I had the same problem in the past and it was the firewall that blacklisted users because of the number of TCP sessions opened by the VPN adapter. You can verify this with these commands:

> show ap blacklist-user
> show firewall (if you have attack rate configured your problem is probably here)

I hope this can help you
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal Problem


the output of firewall is:

Monitor ping attack Disabled
Monitor TCP SYN attack Disabled
Monitor IP sessions attack Disabled

blacklist-clients would be the command, but i never saw blacklisted clients there. i'll try to verify next time i get a report from a guest, but mostly problems get reported to me too late, when everything is already working again.

am i too dumb to find the weblogout acl? there's no such acl defined or set on the guest-login or the guest role.

the guest-login is default with captive portal and those default acl for dns/dhcp/ping , then some "guest" role is there for the authenticated guests.

that role i defined more precise i set the traffic in the following way