ArubaOS and Controllers

Reply

Deploying proxy PAC via Aruba Controller

Hi All,

I work for an Aruba partner and we have a number of schools as customers. They all require 2 networks, 1 for internal users and 1 for guests.

As they are schools and kids tend to try to get to site they're not allowed to go to, an upstream proxy is required to gain access to the internet. This proxy address is not allowed to be given out to guest. This is fine for internal users as the proxy is applied to PCs via group policy. However this is an issue for guest users.

The guest network is configured to use the captive portal & internal database for authentication.

What I need the controller to do is, once the guest users has authenticated via the captive portal, push out a proxy PAC file to the guests PC enabling them to browse the internet.

I know this is possible but cannot find any doccumentaion to support this. :confused:

Can someone please help?
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite

Proxy.pac


Hi All,

I work for an Aruba partner and we have a number of schools as customers. They all require 2 networks, 1 for internal users and 1 for guests.

As they are schools and kids tend to try to get to site they're not allowed to go to, an upstream proxy is required to gain access to the internet. This proxy address is not allowed to be given out to guest. This is fine for internal users as the proxy is applied to PCs via group policy. However this is an issue for guest users.

The guest network is configured to use the captive portal & internal database for authentication.

What I need the controller to do is, once the guest users has authenticated via the captive portal, push out a proxy PAC file to the guests PC enabling them to browse the internet.

I know this is possible but cannot find any doccumentaion to support this. :confused:

Can someone please help?




James,

There are two things that you need to do:

- Upload the Proxy.pac file to the Aruba Controller
- Add a DHCP option 252 pointing to the proxy.pac

Upload the proxy.pac file using configuration> Management> Captive Portal> Upload (ArubaOS 3.4 and above. Upload proxy.pac file using Maintenence> Upload custom login pages (any other ArubaOS 3.x except 3.4). Upload the proxy.pac file as content on that page to your captive portal profile.

When you create you DHCP option, remember that the URL that you need to point to is a function of the captive portal profile that you uploaded it to. If the Captive Portal profile is default, you would add the DHCP option on the Aruba Controller like this (with 172.16.8.4 being the Aruba Controller):

config t
ip dhcp pool guest
option 252 text "http://172.16.8.4/upload/default/proxy.pac\n


When the clients get a DHCP address from the Aruba Controller, or whatever DHCP server it should point them to the proxy.pac file.

A big shout out to the Engineer in EMEA who I got this from!


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Thanks!

Many thanks! I'll give it a go and post back how I get on.
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: Deploying proxy PAC via Aruba Controller

I can't get this to work.

I've used the method you suggested but I cannot see option 252 being assigned to the workstations.

I can see that the option is set on the controller by looking at the dhcp database:

#show ip dhcp database

DHCP enabled
# vlan_13
subnet 192.168.1.0 netmask 255.255.255.0 {
option domain-name "guest1.com";
option vendor-class-identifier "ArubaAP";
option vendor-encapsulated-options "10.1.10.100";
option domain-name-servers 10.254.1.21;
option routers 192.168.1.1;
option user-option-252 code 252 = text;
option user-option-252 "http://192.168.1.1/upload/custom/james-cp_prof/proxy.pac\n ";
range 192.168.1.2 192.168.1.254;
authoritative;
}

I've also tried it without the carriage return but that also doesn't work.

In wireshark I can see that option 252 is not being offered.

The controller I'm testing this on is on ArubaOS 3.4.0.5.

(I'm actually on an Aruba training course and the trainer didn't think it was possible for the controller to do this.. I'd love to prove him wrong.)
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite

3.4.0.6


I can't get this to work.

I've used the method you suggested but I cannot see option 252 being assigned to the workstations.

I can see that the option is set on the controller by looking at the dhcp database:

#show ip dhcp database

DHCP enabled
# vlan_13
subnet 192.168.1.0 netmask 255.255.255.0 {
option domain-name "guest1.com";
option vendor-class-identifier "ArubaAP";
option vendor-encapsulated-options "10.1.10.100";
option domain-name-servers 10.254.1.21;
option routers 192.168.1.1;
option user-option-252 code 252 = text;
option user-option-252 "http://192.168.1.1/upload/custom/james-cp_prof/proxy.pac\n ";
range 192.168.1.2 192.168.1.254;
authoritative;
}

I've also tried it without the carriage return but that also doesn't work.

In wireshark I can see that option 252 is not being offered.

The controller I'm testing this on is on ArubaOS 3.4.0.5.

(I'm actually on an Aruba training course and the trainer didn't think it was possible for the controller to do this.. I'd love to prove him wrong.)




I would try upgrading to ArubaOS 3.4.0.6. There was a bug fixed where the internal DHCP server accidentally puts a space in the proxy server text field. Alternatively, you can use a different DHCP server to test that is the case. This is listed in the 3.4.0.6 release notes.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Deploying proxy PAC via Aruba Controller

cjoseph,

Can Aruba rn OS (remote OS) support this solution?
Guru Elite

RN


cjoseph,

Can Aruba rn OS (remote OS) support this solution?




It was not tested or fixed in that version. Please know that the issue is ONLY in the internal Aruba DHCP server that does not send the option back correctly. if you use an external DHCP server, you can work around this.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Deploying proxy PAC via Aruba Controller

Thanks for the info cjoseph it's much appreciated!

I'll upgrade and test again.
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Occasional Contributor II

Re: Deploying proxy PAC via Aruba Controller


James,

There are two things that you need to do:

- Upload the Proxy.pac file to the Aruba Controller
- Add a DHCP option 252 pointing to the proxy.pac

Upload the proxy.pac file using configuration> Management> Captive Portal> Upload (ArubaOS 3.4 and above. Upload proxy.pac file using Maintenence> Upload custom login pages (any other ArubaOS 3.x except 3.4). Upload the proxy.pac file as content on that page to your captive portal profile.

When you create you DHCP option, remember that the URL that you need to point to is a function of the captive portal profile that you uploaded it to. If the Captive Portal profile is default, you would add the DHCP option on the Aruba Controller like this (with 172.16.8.4 being the Aruba Controller):


config t
ip dhcp pool guest
option 252 text "http://172.16.8.4/upload/default/proxy.pac\n




When the clients get a DHCP address from the Aruba Controller, or whatever DHCP server it should point them to the proxy.pac file.

A big shout out to the Engineer in EMEA who I got this from!




Thanks for this - when specifying the IP address in the option 252 text command, what IP do you use if you're using a redundant controller setup with VRRP?

Thanks
Kris
Occasional Contributor II

Re: Deploying proxy PAC via Aruba Controller

So ive followed the above and now Guest users dont even get an IP adress :/
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: