ArubaOS and Controllers

Occasional Contributor II
Posts: 35
Registered: ‎08-03-2009

Captive Portal authentication issue

Clients connect to the AP to get to VLAN 5 via the captive portal authentication method.
The AP is in VLAN 1, and the AC has VLANs 1 and 5.
If my AC doesn't assign an address to VLAN 5, there is no portal where I can enter the account and password.
But after I assign an address to VLAN 5, there is a welcome portal.
So, what's the theory of this authentication method?
Any help or suggestion will be appreciated.
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Captive Portal authentication issue

The clients must be able to:

- resolve DNS
- route to the ip address of the controller to open the page.

It is possible that the clients cannot route to the management IP address of the controller when on VLAN1. You can also change the ip address that the clients will hit the controller page on by using the "ip cp-redirect address" command. If I wanted the clients to access the controller captive portal on a different ip address on the controller, I would do this:

config t
ip cp-redirect address 192.168.5.20

This is assuming that the controller has an interface with the ip address 192.168.5.20 and clients can route to it from their assigned VLAN.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎09-26-2011

Re: Captive Portal authentication issue

Hi,

I am also having captive portal issues. I know clients can resolve DNS as I have seen the datapath logs of guest-logon client DNS traffic through the controller, however, routing to the controller is my concern.

Currently the users gain an IP address in the guest-logon VLAN when connecting, however, they are never presented with a login page.

My suspicion is that the following is occurring:

User logs on and is immediately placed in the guest-logon role and given a DHCP address (10.1.1.21) and gateway 10.1.1.1 (not located on the controller) from the VLAN associated with the guest-logon role.

The user's browser is redirected to the controller mgmt IP address (10.0.0.1) via an HTTP redirect (code 302?) (I am unsure of the exact mechanism). As this is a subnet external to 10.1.1.0/24, it routes this traffic to its default gateway 10.1.1.1. From here the traffic must be routable back via the default gateway to the controller 10.0.0.1:8081 and 8082. Am I correct here in my understanding of this operation? (I am unsure of this operation as I thought the controller might snoop/intercept the traffic before it hits the default gateway, as all the wireless traffic is tunnelled back to the controller before it hits the default gateway/VLAN.) If snooping/interception does NOT occur and routing via the default gateway is performed, I suspect there might be some rules blocking traffic to the controller on the default gateway (10.1.1.1) or somewhere else on the network between the default gw and the controller.

I have used the ip cp-redirect address 10.0.0.1, however, clients still get a timeout when waiting for the captive portal.

Also, I see from the User guides, that they put the captive portal VLAN under the VAP configuration and not the role. What is the logic behind this? I have not followed this convention in the configuration shown below, as when I remove the VLAN from the guest-logon role, the client automatically is assigned an IP from the controller management DHCP range.

Please find the relevant current configurations below which are not currently working for captive portal users:

ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit

ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088

ip access-list session v6-logon-control
  ipv6 user any udp 68 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-v6-dhcp permit
  ipv6 any any svc-dns permit

ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
!

user-role guest-logon
  vlan GUESTS
  captive-portal "Guest-cp_prof"
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6

user-role guest
  bw-contract GUEST_BWCONTRACT upstream
  bw-contract GUEST_BWCONTRACT downstream
  vlan GUESTS
  access-list session "GUEST TO INTERNET"

aaa profile "Guest-aaa_prof"
  initial-role "guest-logon"

aaa authentication captive-portal "Guest-cp_prof"
  server-group "Guest"
  logon-wait minimum-delay 1
  max-authentication-failures 10
  show-acceptable-use-policy

wlan virtual-ap "Guest-vap_prof"
  aaa-profile "Guest-aaa_prof"
  ssid-profile "Guest-ssid_prof"
  broadcast-filter all
  broadcast-filter arp
  band-steering
  wmm-traffic-management-profile "Guest_WMM"
!
wlan ssid-profile "Guest-ssid_prof"
  essid "Guest"
  hide-ssid
  local-probe-req-thresh 20
  ht-ssid-profile "Guest-htssid_prof"


For reference, from the Aruba user guide 6.1:

Configuring Captive Portal via the CLI
To configure captive portal in the base operating system via the command-line interface, access the CLI in config mode and issue the following commands:

aaa authentication captive-portal c-portal
  server-group cp-srv

aaa profile aaa_c-portal
  initial-role c-portal

wlan ssid-profile ssid_c-portal
  essid c-portal-ap

wlan virtual-ap vp_c-portal
  aaa-profile aaa_c-portal
  ssid-profile ssid_c-portal
  vlan 20
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Captive Portal authentication issue

The controller then requires a vlan ip address in the 10.1.1.x subnet and you need to point the ip cp-redirect address to that ip address.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎09-26-2011

Re: Captive Portal authentication issue

OK but just to clarify, if no IP is on the Guest VLAN on the controller, traffic will not be intercepted and sent directly to the default gateway?

Even if there was nothing blocking the traffic from the default gateway to the controller would this still not work without a controller IP on the guest VLAN?
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Captive Portal authentication issue


OK but just to clarify, if no IP is on the Guest VLAN on the controller, traffic will not be intercepted and sent directly to the default gateway?

Even if there was nothing blocking the traffic from the default gateway to the controller would this still not work without a controller IP on the guest VLAN?
Just to clarify, the guest traffic must be sent to an interface on the controller so that the captive portal page can be retrieved. The interface must be routable to the subnet that guests reside on. This is typically done by putting an IP address on the VLAN of the controller that matches the guest subnet and doing an ip cp-redirect to it, so that the controller forces the client traffic to bring up the page on that address. You are fully correct. Please try multiple clients and/or browsers to ensure that you are not encountering the Firefox OCSP issue.


Colin Joseph
Aruba Customer Engineering


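Added example, not code from the thread or from Aruba: a small Python check that applies the rule given in the answers above (the cp-redirect target must be a controller interface that guests can route to, ideally an address on the guest VLAN itself). The two config snippets, the 10.1.1.2 address and the function names are constructed for the example; the first snippet mirrors the poster's failing setup and the second applies the suggested fix.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread). FAILING mirrors the poster's setup:
# guests on 10.1.1.0/24, gateway 10.1.1.1 off the controller, redirect aimed at the mgmt IP.
FAILING_CONFIG = """\
interface vlan 1
  ip address 10.0.0.1 255.255.255.0
ip cp-redirect address 10.0.0.1
"""
# FIXED applies the advice in the answers: an address on the guest VLAN, cp-redirect pointed at it.
FIXED_CONFIG = """\
interface vlan 1
  ip address 10.0.0.1 255.255.255.0
interface vlan 5
  ip address 10.1.1.2 255.255.255.0
ip cp-redirect address 10.1.1.2
"""
GUEST_SUBNET = "10.1.1.0/24"

def parse_controller_config(text):
    """Collect controller interface addresses and the cp-redirect address."""
    interfaces, redirect = [], None
    for line in text.splitlines():
        m = re.match(r"\s*ip address (\S+) (\S+)\s*$", line)
        if m:
            interfaces.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = re.match(r"\s*ip cp-redirect address (\S+)\s*$", line)
        if m:
            redirect = ipaddress.ip_address(m.group(1))
    return interfaces, redirect

def check_cp_redirect(interfaces, redirect, guest_subnet):
    """Where guest HTTP(S) lands after the captiveportal dst-nat:
    'not-on-controller' - target is not a controller interface at all;
    'on-guest-subnet'   - target is on the guest VLAN, no dependency on the guest gateway;
    'via-gateway'       - target is off-subnet, so the guest gateway must route to it and
                          nothing may filter TCP 8080/8081 on the way (the poster's case).
    """
    guest = ipaddress.ip_network(guest_subnet)
    if redirect is None or redirect not in {i.ip for i in interfaces}:
        return "not-on-controller"
    return "on-guest-subnet" if redirect in guest else "via-gateway"

def suggest_redirect(interfaces, guest_subnet):
    """First controller interface address inside the guest subnet, or None if there is none."""
    guest = ipaddress.ip_network(guest_subnet)
    return next((str(i.ip) for i in interfaces if i.ip in guest), None)
```

Run `check_cp_redirect(*parse_controller_config(FAILING_CONFIG), GUEST_SUBNET)` to see the poster's setup classified as `via-gateway`; `suggest_redirect` on the fixed config returns the address to put in `ip cp-redirect address`.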