This can be implemented in a setup where CPPM is used for captive portal authentication of clients connecting to an AOS controller/AP.
Environment: This was tested on Aruba 7220/AP-225.
Network Topology:
1. Create a captive portal profile that uses the CPPM login page URL, with the IP in the URL set to a controller interface IP that is routable to the CPPM server.
2. Add an ACL that dst-nats the user traffic sent to that controller IP to the CPPM server, and map the ACL in the initial role.
We connected a client; it received the captive portal page and was able to authenticate, even though the client's gateway is the uplink switch, which could not reach the CPPM server.
(Aruba) #show user-table

Users
-----
IP           MAC                Name  Role   Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                       Profile        Forward mode  Type    Host Name
----------   ------------       ----  ----   ----------  ----  --------  -------            -------   ---------------                       -------        ------------  ----    ---------
10.17.34.10  88:1f:a1:67:e3:c5        Logon  00:00:00                    9c:1c:12:c0:a2:e4  Wireless  cppm-redirect/9c:1c:12:8a:2e:52/a-HT  cppm-redirect  tunnel        iPhone

User Entries: 2/2
Curr/Cum Alloc:3/16 Free:0/13 Dyn:3 AllocErr:0 FreeErr:0

(Aruba) #show rights Logon

Derived Role = 'Logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 2/0
 Max Sessions = 65535
 Check CP Profile for Accounting = TRUE
 Captive Portal profile = CPPM-REDIRECT

access-list List
----------------
Position  Name           Type     Location
--------  ----           ----     --------
1         logon-control  session
2         cppm           session
3         captiveportal  session

logon-control
-------------
Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68    deny                             Low                                                           4
2         any     any                      svc-icmp  permit                           Low                                                           4
3         any     any                      svc-dns   permit                           Low                                                           4
4         any     any                      svc-dhcp  permit                           Low                                                           4
5         any     any                      svc-natt  permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                           4

cppm
----
Priority  Source  Destination   Service  Action                        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------   -------  ------                        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    10.17.32.246  tcp 443  dst-nat ip 10.162.114.94 443                           Low                                                           4

captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

(Aruba) #show ip interface brief

Interface  IP Address / IP Netmask        Admin  Protocol
vlan 32    10.17.32.246 / 255.255.255.0   up     up
vlan 34    10.17.34.247 / 255.255.255.0   up     up
loopback   unassigned / unassigned        up     up

(Aruba) #show ip cp-redirect-address

Captive Portal IPv4 redirect Address ... 10.17.32.246
Captive Portal IPv6 redirect Address ... ::1

(Aruba) #show user

Users
-----
IP           MAC                Name  Role   Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                       Profile        Forward mode  Type    Host Name
----------   ------------       ----  ----   ----------  ----  --------  -------            -------   ---------------                       -------        ------------  ----    ---------
10.17.34.10  88:1f:a1:67:e3:c5  a@a   guest  00:00:01    Web             9c:1c:12:c0:a2:e4  Wireless  cppm-redirect/9c:1c:12:8a:2e:52/a-HT  cppm-redirect  tunnel        iPhone
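The position of the cppm ACL in the "show rights Logon" output matters, because session ACLs in a role are walked in position order and the first matching rule wins. The following Python model is an added example, not part of the original article or of any Aruba code. It transcribes only the rules that can match TCP traffic, and it assumes the "controller" alias covers the controller's interface IPs; the client destinations in the test calls are constructed.

```python
import ipaddress

# Assumption: the "controller" alias is modelled as the interface IPs listed
# by "show ip interface brief" on the page.
CONTROLLER = {"10.17.32.246", "10.17.34.247"}

# (destination, protocol, port, action), transcribed from "show rights Logon"
# and limited to rules that can match TCP traffic. None means "any".
ACLS = {
    "logon-control": [
        ("169.254.0.0/16", None, None, "deny"),
        ("240.0.0.0/4", None, None, "deny"),
    ],
    "cppm": [("10.17.32.246", "tcp", 443, "dst-nat ip 10.162.114.94 443")],
    "captiveportal": [
        ("controller", "tcp", 443, "dst-nat 8081"),
        ("any", "tcp", 80, "dst-nat 8080"),
        ("any", "tcp", 443, "dst-nat 8081"),
    ],
}

def dst_matches(spec, dst):
    """Match a destination against 'any', the controller alias, or a host/network."""
    if spec == "any":
        return True
    if spec == "controller":
        return dst in CONTROLLER
    return ipaddress.ip_address(dst) in ipaddress.ip_network(spec)

def evaluate(role_acls, dst, proto, port):
    """Return (acl, action) of the first matching rule, walking ACLs in position order."""
    for name in role_acls:
        for spec, r_proto, r_port, action in ACLS[name]:
            if r_proto not in (None, proto) or r_port not in (None, port):
                continue
            if dst_matches(spec, dst):
                return name, action
    return None, "deny"  # nothing matched: the role ends in an implicit deny

PAGE_ORDER = ["logon-control", "cppm", "captiveportal"]  # positions 1, 2, 3 on the page
SWAPPED = ["logon-control", "captiveportal", "cppm"]     # hypothetical misordering

if __name__ == "__main__":
    for order in (PAGE_ORDER, SWAPPED):
        print(order, evaluate(order, "10.17.32.246", "tcp", 443))
```

With the page's ordering, HTTPS to 10.17.32.246 is translated to the CPPM server; under the stated assumption, placing cppm after captiveportal would send the same traffic to port 8081 on the controller instead.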