ArubaOS and Controllers

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

Hi there,

I'm confused and don't know where I have to change something.

Factory-default controller, latest AOS 5.0.2.1.

Trying to set up a plain guest-wifi with those wizards to see how far a customer gets.

Captive portal is coming up, authentication seems OK for the guest-logon, but then "web authentication is disabled" instead of getting authenticated.

Any ideas where to troubleshoot? I didn't have such a message in 3.4.2.5 OS.

Controller IP and gateway to Internet are on the same subnet, the guest-logon user is getting the gateway IP and external DNS servers, ping to some website works, but no access, therefore CP is coming up. Test user is in "guest" role, initial role is "guest-logon" (named the one via the wizard).

I'm confused, some hints/ideas?

regards
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

EDIT: Well, the user gets authenticated; the controller shows the "guest-logon" role first, then after authentication it gets into the "guest" role.
But the log doesn't give me any hints "why" something is "disabled".

I'm confused.
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

Some config excerpts, just default:

    ip access-list session captiveportal
      user alias controller svc-https dst-nat 8081
      user any svc-http dst-nat 8080
      user any svc-https dst-nat 8081
      user any svc-http-proxy1 dst-nat 8088
      user any svc-http-proxy2 dst-nat 8088
      user any svc-http-proxy3 dst-nat 8088

    user-role guest
      session-acl captiveportal
      session-acl http-acl
      session-acl https-acl
      session-acl dhcp-acl
      session-acl icmp-acl
      ipv6 session-acl v6-http-acl
      session-acl dns-acl
      ipv6 session-acl v6-https-acl
      ipv6 session-acl v6-dhcp-acl
      ipv6 session-acl v6-icmp-acl
      ipv6 session-acl v6-dns-acl

********

    user-role gast-guest-logon
      captive-portal "guest-cp_prof"
      session-acl logon-control
      session-acl captiveportal
The VAP is in tunnel mode, using the same default VLAN 1.
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Captive Portal Authentication Disabled

You get that message because:

- You have the session-acl "Captive Portal" in the guest role
- The guest role does not have a Captive Portal authentication profile assigned to it (as it should NOT).

Please remove the "Captive Portal" session ACL from the guest role to remedy this.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest


You get that message because:

- You have the session-acl "Captive Portal" in the guest role
- The guest role does not have a Captive Portal authentication profile assigned to it (as it should NOT).

Please remove the "Captive Portal" session ACL from the guest role to remedy this.




Removed the cp-acl from the guest role; now I don't get the CP anymore when falling into guest-logon.

I checked the user roles of guest-logon and guest. I don't need any "role VLAN ID" assignment, right? Both, as you said, don't have any CP profile assigned. Or did I misunderstand you, as you are saying "message is coming if guest role "does" not have cp auth profile (as it should NOT)." <- so yes or no?
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

I never understood why there's some double assignment of profiles in those "role" edits under: security - user roles - edit "role".

While I normally assign those roles in the AAA area, it's quite complicated for me to explain to the customers.

I hope I get some clarification for myself soon.
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

OK, I think I'm getting clarification here. As I have now attached the "captiveportal" ACL to the guest role again just to go back, I think I misconfigured something in the guest-logon and the guest role. For sure I have to assign some CP profile to at least the guest-logon, or both?

I keep comparing with our internal 3.4.2.5 controller to sort this out.
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

Sorry, I'm a fool. I think I found it: I removed the captiveportal ACL in the wrong role...

Let me verify, updating this shortly ;-)
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Captive Portal / Web Authentication Disabled / after WLAN Wizard using for Guest

OK, now it works. No VLAN role assignment was needed; only the CP profile had to be assigned properly to the guest-logon role, and as you said I removed the captiveportal ACL from the guest role itself. There's also no assignment of any CP profile.

Now it works. Phew, I was just confused, let's take a break with a Kit-Kat ;-)
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Captive Portal Flow

Bg,

Here is how it works:

- There are two roles when doing Captive Portal: there is a "logon" role of some sort before users authenticate, and the "guest" role, which represents AFTER the user authenticates.
- The wizard normally creates a role with a "logon" in its name to denote a role that has the Captive Portal ACL, which forces all http and https traffic to the controller on ports 8080 and 8081 respectively.
- When traffic hits the controller on those two ports, the controller looks for a Captive Portal authentication profile in that role to see: what kind of page to put up, what server group the user is authenticating to, how soon to redirect users, what is their welcome page, etc.
- After the user authenticates, they get placed into the Default Guest role in the Captive Portal authentication profile specified in that "logon" role. The user is then subject to the "guest" role permissions after that.


It goes like this:
User associates to SSID, which has a "logon" role as its initial role in the aaa profile attached to that Virtual AP. A user who associates is placed into that initial role. That logon role allows DHCP, so the user gets an IP address. When the user opens up a browser, the user does a DNS lookup for his homepage. The logon role permits DNS, so the homepage URL is resolved. When the user requests that page via HTTP, that traffic is redirected by the Captive Portal ACL in the logon role to the controller on port 8081. The controller, seeing the traffic on port 8081, looks to see what role the user is in currently and applies the rules via the Captive Portal Authentication profile that is a property of that logon role. After the user authenticates, he is placed in a "guest" role, depending on the rules in the Captive Portal authentication profile that is attached to the logon role.

Glad to hear you got it working. I am attaching a PowerPoint that someone created that shows graphically how to create a WPA, WEP, and Captive Portal WLAN on Aruba manually, both on the command line and the GUI.

It might give you a better sense of the parts that are involved. The website does not allow us to upload .ppt files, so change the extension of the attachment from .doc to .ppt to open it.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
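
A lint for the misconfiguration diagnosed in this thread, as an added example that is not part of the original posts or of Aruba's tooling: it flags any user role that carries a redirecting session ACL but has no Captive Portal profile. The parser handles only the stanza forms shown in the thread's excerpt, and the sample config is abridged from that excerpt.

```python
import re

# Constructed sample: role stanzas abridged from the config posted in this
# thread, before the fix was applied.
SAMPLE_CONFIG = """\
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
!
user-role guest
  session-acl captiveportal
  session-acl http-acl
!
user-role gast-guest-logon
  captive-portal "guest-cp_prof"
  session-acl logon-control
  session-acl captiveportal
!
"""

CP_PORTS = {"8080", "8081", "8088"}  # controller ports named in the thread's ACL

def parse(config):
    """Return (redirect_acls, roles); roles maps name -> {'acls', 'cp_profile'}."""
    redirect_acls, roles, section = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list session (\S+)", line):
            section = ("acl", m.group(1))
        elif m := re.match(r"user-role (\S+)", line):
            section = ("role", m.group(1))
            roles[m.group(1)] = {"acls": [], "cp_profile": None}
        elif section and section[0] == "acl":
            if (m := re.search(r"dst-nat (\d+)$", line)) and m.group(1) in CP_PORTS:
                redirect_acls.add(section[1])  # this ACL sends users to the portal
        elif section and section[0] == "role":
            if m := re.match(r"session-acl (\S+)", line):
                roles[section[1]]["acls"].append(m.group(1))
            elif m := re.match(r'captive-portal "?([^"]+)"?', line):
                roles[section[1]]["cp_profile"] = m.group(1)
    return redirect_acls, roles

def lint(config):
    """Flag roles that redirect to the portal but have no profile to serve it."""
    redirect_acls, roles = parse(config)
    return sorted(name for name, r in roles.items()
                  if r["cp_profile"] is None and redirect_acls & set(r["acls"]))

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG))
```
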
