Controller Based WLANs

How do I configure Captive Portal with a browser that uses a proxy server?

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

 

If the wireless client's web browser is configured to use a proxy server running on port <X>, change the captive portal policy as follows:

ip access-list session captiveportal
  user alias mswitch svc-https permit
  user any tcp <X> dst-nat 8088
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081

  

Explanation

 

user any tcp <X> dst-nat 8088

Captures traffic sent to the proxy. The value of <X> is the TCP port that the web proxy listens on.

user any svc-http dst-nat 8080

Captures non-proxy HTTP traffic.

user any svc-https dst-nat 8081

Captures non-proxy HTTPS traffic.

 

 

Note: When 'capturing' https traffic, most browsers display a security warning saying that the certificate does not match the hostname that the user is trying to connect to. For example, if a user attempts to connect to https://www.secureportal.com/, the browser complains that the subject name of the certificate is, for example, securelogin.arubanetworks.com (if the default cert is used). This is unavoidable. There won't be a problem if the user connects to a site without SSL (http).

 

If the web client proxy configuration is being distributed via a proxy script (a .pac file), make sure that the 'captiveportal' firewall rule allows the client to download that file or else the client behavior will be unpredictable.

In this scenario, add the following line in the 'captiveportal' rule before the two dst-nat rules:

ip access-list session captiveportal

user host <IP address of proxy> svc-http permit

Note: Captive portal logout with proxy server configured is not supported. This is a known limitation. After authentication, all user traffic is directed to the external proxy server, even for the captive portal logout URL. The controller will receive a request from the IP address of the proxy server instead of the real client. The real IP address of the client is not known.

 

The only way to work around this is to set up 'no-proxy' rules in the browser that exclude the IP address of the Aruba controller from being proxied. The most convenient way to do this is to use an automatic proxy script (.pac file or DHCP option 252).
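An added example, not part of the original article: a minimal proxy auto-config (.pac) script that implements the 'no-proxy' workaround above. The controller address 192.0.2.1 and the proxy proxy.example.net:3128 are constructed placeholders, and treating securelogin.arubanetworks.com as a direct host is an assumption.

```javascript
// PAC file (added example). Browsers call FindProxyForURL(url, host) per request.
// All values below are constructed placeholders; replace them with your own.
var CONTROLLER_IP = "192.0.2.1";             // assumption: Aruba controller address
var PROXY = "PROXY proxy.example.net:3128";  // assumption: proxy host and port <X>

// Hosts that must be reached directly so the controller sees the
// client's real IP address instead of the proxy server's address.
var DIRECT_HOSTS = [
  CONTROLLER_IP,
  // Assumption: default captive portal certificate name mentioned in the
  // note above; remove it if your portal uses a different name.
  "securelogin.arubanetworks.com"
];

function normalizeHost(host) {
  // Lower-case, drop a trailing dot (FQDN form) and any IPv6 brackets.
  var h = String(host).toLowerCase().replace(/\.$/, "");
  return h.replace(/^\[|\]$/g, "");
}

function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (h === DIRECT_HOSTS[i]) {
      return "DIRECT";  // bypass the proxy for the controller
    }
  }
  return PROXY;         // everything else goes through the proxy
}
```

The script uses exact host matching only, so it does not depend on PAC helper functions and can be checked outside a browser.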

Version history: Revision 1 of 1. Last update: 07-01-2014 04:48 PM