Occasional Contributor II
Posts: 10
Registered: ‎01-28-2015

iAP Captive Portal only working on Virtual-Master-AP

Hi guys,

I've got some issues with my iAP Setup...

It provides two wireless networks, an internal one for employees (which works great) and guest access, which is behaving strangely...

It uses a "Virtual Controller Assigned" network and has an "Internal - Authenticated" captive portal, which also works great but only on the actual Virtual-Master AP...

If I connect to this WiFi using any other access point I get a correct IP address assigned (which I configured in System -> DHCP) but the captive portal redirect won't work :(

 

And some Background Information (I suppose this is where something's wrong)

We have multiple VLANs, for example we use VLAN30 to manage the iAPs. That's why the Virtual-Master and all the other APs have 192.168.30.xx IP addresses. Employees on the internal network use 192.168.70.xx (VLAN70) and guests use 192.168.80.xx (VLAN80). Every AP gets these VLANs tagged and our core switch seems to route everything properly...

 

Any ideas?

 

Here's the config

Spoiler
version 6.3.1.0-4.0.0
syslocation XXX
virtual-controller-country XX
virtual-controller-key XXXXX
name "Instant AP"
virtual-controller-ip 192.168.30.50
virtual-controller-vlan 30 255.255.255.0 192.168.30.1
terminal-access
ntp-server 192.168.50.3
clock timezone XXXX
clock summer-time CEST recurring last sunday march 00:00 last sunday october 03:00
rf-band all

allow-new-aps
allowed-ap XX
allowed-ap XX
allowed-ap XX
allowed-ap XX
allowed-ap XX
allowed-ap XX
allowed-ap XX
allowed-ap XX


snmp-server community XXXX
snmp-server host XX version 2c public inform

arm
 wide-bands 5ghz
 min-tx-power 18
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode fair-access
 client-aware
 scanning

ip dhcp pool
 subnet 192.168.80.0
 subnet-mask 255.255.255.0
 dns-server 192.168.50.3
 domain-name internal.local
 lease-time 720


syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless






user gast XXXX portal
user testgast XXXX portal

user XX XXXX radius
user XX XXXX radius
user XX XXXX radius
user XX XXXX radius

mgmt-user XX XXXX

wlan access-rule default_wired_port_profile
 index 0
 rule any any match any any any permit

wlan access-rule InternalUser
 index 1
 rule any any match any any any permit

wlan access-rule guestUser
 index 2
 rule 192.168.50.3 255.255.255.255 match udp 53 53 permit
 rule 192.168.80.0 255.255.255.0 match any any any permit
 rule 192.168.30.1 255.255.255.255 match any any any permit
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 172.16.0.0 255.240.0.0 match any any any deny
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit

wlan access-rule wired-instant
 index 3
 rule 192.168.30.51 255.255.255.255 match tcp 80 80 permit
 rule 192.168.30.51 255.255.255.255 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan ssid-profile InternalUser
 enable
 index 0
 type employee
 essid InternalUser
 wpa-passphrase XXXX
 opmode wpa-psk-tkip,wpa2-psk-aes
 max-authentication-failures 0
 vlan 70
 auth-server InternalServer
 rf-band all
 captive-portal disable
 mac-authentication
 hide-ssid
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ssid-profile guestUser
 enable
 index 1
 type guest
 essid guestUser
 opmode opensystem
 max-authentication-failures 0
 vlan guest
 auth-server InternalServer
 rf-band all
 captive-portal internal
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

auth-survivability cache-time-out 24



wlan captive-portal
 background-color 16750848
 banner-color 3368703
 decoded-texts terms
 redirect-url "http://www.company.tld"
 banner-text "COMPANY"
 terms-of-use "57;69;6c;6c;6b;6f;6d;6d;65;6e;20;7a;75;6d;20;56;65;72;6c;61;2d;50;68;61;72;6d;20;47;e4;73;74;65;20;57;4c;41;4e;2e;"
 use-policy "XXXX"
 authenticated

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"


wlan walled-garden
 white-list "^https?://([A-Za-z0-9.-]*\.)?COMPANY\.TLD/?"

blacklist-time 3600
auth-failure-blacklist-time 3600

ids classification

ids
 wireless-containment none

ip dhcp InternalUser
 server-type Local,L3
 server-vlan 70
 subnet 192.168.70.0
 subnet-mask 255.255.255.0
 exclude-address 192.168.70.1
 lease-time 28800
 dns-server 192.168.50.3
 domain-name internal.local

alg
 sccp-disable
 sip-disable
 ua-disable
 vocera-disable

wired-port-profile default_wired_port_profile
 switchport-mode access
 allowed-vlan all
 native-vlan 30
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 auth-server InternalServer
 captive-portal disable
 no dot1x

wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x


enet0-port-profile default_wired_port_profile

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180


airgroup
 disable

airgroupservice airplay
 disable
 description AirPlay

airgroupservice airprint
 disable
 description AirPrint

Thanks in advance!
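
Added example (not part of the original post, and not Aruba code): a small first-match evaluator for the `guestUser` access rule in the config above, useful for checking which internal destinations the guest role can reach. It assumes the rule fields are destination, mask, protocol, start port, end port and action, that rules are evaluated top-down, and that unmatched traffic is denied; the probe hosts 192.168.70.10 and 203.0.113.10 are constructed.

```python
import ipaddress

# guestUser rules copied from the config posted above.
# Assumed field order: rule <dest> <mask> match <proto> <start-port> <end-port> <action>
GUEST_RULES = """\
rule 192.168.50.3 255.255.255.255 match udp 53 53 permit
rule 192.168.80.0 255.255.255.0 match any any any permit
rule 192.168.30.1 255.255.255.255 match any any any permit
rule 192.168.0.0 255.255.0.0 match any any any deny
rule 172.16.0.0 255.240.0.0 match any any any deny
rule 10.0.0.0 255.0.0.0 match any any any deny
rule any any match any any any permit
"""

def parse_rules(text):
    """Turn 'rule ...' lines into (network, proto, ports, action) tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "rule" or f[3] != "match":
            continue  # not a plain permit/deny rule line
        net = None if f[1] == "any" else ipaddress.ip_network(f"{f[1]}/{f[2]}")
        ports = None if f[5] == "any" else (int(f[5]), int(f[6]))
        rules.append((net, f[4], ports, f[7]))
    return rules

def evaluate(rules, dst_ip, proto, port):
    """First matching rule wins (assumed); returns (action, rule_number)."""
    addr = ipaddress.ip_address(dst_ip)
    for number, (net, rproto, ports, action) in enumerate(rules, 1):
        if net is not None and addr not in net:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if ports is not None and not ports[0] <= port <= ports[1]:
            continue
        return action, number
    return "deny", None  # assumed implicit deny when nothing matches

RULES = parse_rules(GUEST_RULES)

# Constructed probes: addresses from the config plus two made-up hosts.
PROBES = [("192.168.50.3", "udp", 53), ("192.168.50.3", "tcp", 445),
          ("192.168.30.1", "tcp", 443), ("192.168.30.50", "tcp", 80),
          ("192.168.70.10", "tcp", 445), ("203.0.113.10", "tcp", 443)]

if __name__ == "__main__":
    for dst, proto, port in PROBES:
        action, number = evaluate(RULES, dst, proto, port)
        print(f"{dst:15} {proto}/{port:<5} -> {action} (rule {number})")
```

Under these assumptions the guest role reaches the management-VLAN gateway 192.168.30.1 on every port, while the virtual-controller IP 192.168.30.50 and the employee subnet fall under the 192.168.0.0/16 deny.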

Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: iAP Captive Portal only working on Virtual-Master-AP

Can you please upload the configuration?

I am not able to find the configuration.

Occasional Contributor II
Posts: 10
Registered: ‎01-28-2015

Re: iAP Captive Portal only working on Virtual-Master-AP

Yeah sure,

I put it inside a spoiler in my first post but attached it additionally on this post as xxcfg.txt

Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: iAP Captive Portal only working on Virtual-Master-AP

First, I would like to advise you to upgrade the IAP to the latest firmware.

 

FYI.....

http://www.arubanetworks.com/support/alerts/aruba-psa-2015-001.txt

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-vulnerability-advisories/td-p/176738

 

If the problem is still not solved, let us know...

Occasional Contributor II
Posts: 10
Registered: ‎01-28-2015

Re: iAP Captive Portal only working on Virtual-Master-AP

SumaN,

thanks for the quick reply, but it actually runs 6.3.1.8-4.0.0.8_46401 which appears to be the latest iAP firmware according to the download section in the Aruba support portal

(see screenshot)

iap.PNG

Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: iAP Captive Portal only working on Virtual-Master-AP

What is your model no?

 

NOTE: This is a downtime activity; if it is your production network, be careful.


gschwendti wrote:

SumaN,

thanks for the quick reply, but it actually runs 6.3.1.8-4.0.0.8_46401 which appears to be the latest iAP firmware according to the download section in the Aruba support portal

(see screenshot)

iap.PNG


 

Occasional Contributor II
Posts: 10
Registered: ‎01-28-2015

Re: iAP Captive Portal only working on Virtual-Master-AP

There are seven iAP-105 and one iAP-93.

Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: iAP Captive Portal only working on Virtual-Master-AP

firmware.jpg

 

 

NOTE: Remember to take a backup.

Please read the release note carefully.

Occasional Contributor II
Posts: 10
Registered: ‎01-28-2015

Re: iAP Captive Portal only working on Virtual-Master-AP

Ok, I wasn't sure about this because it says "early availability" which sounds like a classy word for beta :)

I'll do that next morning before the heavy users are arriving and provide feedback!

Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: iAP Captive Portal only working on Virtual-Master-AP

You can also go for this version.

firmware.jpg
