Controllerless Networks

Hi Everyone,

I am looking for some help. We recently tried to setup an external captive portal on an AP-93 instant the captive portal uses https and if you try to go to http it will redirect you to https.

Having setup the AP it seems to always try to push the user to http rather than https. Is it possible to stop the AP from doing this?

The reason its important is that the AP then captures the https redirect and attempts to push to http again causing an infinat loop of the webserver and the AP trying to battle it out until we get too many redirects error.

We need more detail, please.

When you say "always tries to push the user to http", what does the user enter and what is the user redirected to?  What is the configuration on the IAP?  What is the version of Instant?

Hi and thanks for coming back.

When you say "always tries to push the user to http", what does the user enter and what is the user redirected to?  What is the configuration on the IAP?  What is the version of Instant?

The user is simply connecting to the network, the capitive portal pop up then takes over it attempts to redirect them to our external captive portal : http://www.myportalexample.com/mycp our servers receive that request and attempt to push the user on too ssl http://www.myportalexample.com/mycp the AP seems to then think oh thats not the captive portal and redirects it too http://www.myportalexample.com/mycp.

version 6.4.2.0-4.1.1
virtual-controller-country GB
name instant-C4:XX:XX
terminal-access
clock timezone none 00 00
rf-band all

allow-new-aps
allowed-ap xxxxx



arm
wide-bands 5ghz
80mhz-support
min-tx-power 18
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode fair-access
client-aware
scanning


syslog-level warn ap-debug 
syslog-level warn network 
syslog-level warn security 
syslog-level warn system 
syslog-level warn user 
syslog-level warn user-debug 
syslog-level warn wireless 


extended-ssid




user Guest 1234567portal


mgmt-user admin 11111

wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit

wlan access-rule wired-instant
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit

wlan access-rule splashssid
index 3
rule any any match any any any permit

wlan access-rule test
index 4
rule any any match any any any permit

wlan ssid-profile splashssid
enable
index 1
type guest
essid splashss
opmode opensystem
max-authentication-failures 0
vlan guest
auth-server InternalServer
rf-band all
captive-portal external profile SPLASH
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64

wlan ssid-profile test
enable
index 2
type employee
essid test
wpa-passphrase 123
opmode wpa2-psk-aes
max-authentication-failures 0
auth-server InternalServer
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64

auth-survivability cache-time-out 24



wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https

wlan external-captive-portal SPLASH
server https://myportalexample.com
port 443
url "/mycp"
auth-text "xxxxx"
server-fail-through


wlan walled-garden
white-list "*.myportalexample.com"
white-list "myportalexample.com/*"

blacklist-time 3600
auth-failure-blacklist-time 3600

ids
wireless-containment none


wired-port-profile wired-instant
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-instant
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
inactivity-timeout 1000

wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
inactivity-timeout 1000


enet0-port-profile default_wired_port_profile

uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180


airgroup
disable

airgroupservice airplay
disable
description AirPlay

airgroupservice airprint
disable
description AirPrint

The config above is how it currently sits we have added whitelist entries for the captive portal domain just in case it was needed.

What version of instant is this?  (type show version on the commandline).

show version
Aruba Operating System Software.
ArubaOS (MODEL: 93), Version 6.4.2.6-4.1.1.8
Website: http://www.arubanetworks.com
Copyright (c) 2002-2015, Aruba Networks, Inc.
Compiled on 2015-07-25 at 05:11:32 PDT (build 50989) by p4build

AP uptime is 20 hours 35 minutes 4 seconds
Reboot Time and Cause: unknown
end of show version

The user is simply connecting to the network, the capitive portal pop up then takes over it attempts to redirect them to our external captive portal : http://www.myportalexample.com/mycp our servers receive that request and attempt to push the user on too ssl http://www.myportalexample.com/mycp the AP seems to then think oh thats not the captive portal and redirects it too http://www.myportalexample.com/mycp.

To be clear, is the server pushing users to https://www.myportalexample.com/mcp? or http://www.myportalexample.com/mcp?