04-18-2017 10:50 AM
Hey everyone, I tried searching around but couldn't find something close to the issue I was having.
Essentially, I have an Aruba Mobility Controller (10.0.0.3), as well as a CPPM server (10.0.20.200). What I am trying to accomplish is that if an endpoint isn't known in CPPM, it gets put into a "Registration vlan" (10.0.70.0/24) and redirected to a portal hosted on CPPM so that they can log in with their AD account, and the endpoint gets updated to known, and the appropriate policies performed.
My only issue is I can't seem to get the redirect to work from the controller. I have the gateway configured (10.0.70.1), as well as what I believe to be the correct ACL (see attachments). I have read over multiple guides on Airheads, but can't seem to get this working. I figured it must be something simple I just forgot. Any input is greatly appreciated.
04-18-2017 06:56 PM
I was trying to look at it again, and it appears the controller is redirecting me, but it is trying to redirect me to the controller's captive portal, instead of CPPM.
I believe this is because I am being assigned the user role "logon" instead of my special role with the redirects in there. Is there a way to make sure I get the initial role that I specified when coming from the vlan?
I already tried associating the aaa profile with the vlan on the port channel, but that didn't do the trick either.
04-19-2017 02:13 AM
The captive portal is bound to the role that is assigned to the user (as you found out that the logon role was assigned in your case).
In order to get your external captive portal selected, you need to create a role for that (I would try to avoid changing default/built-in roles or configuration), and make sure that is assigned.
The role is assigned in the aaa profile, which in turn is selected in the virtual-AP profile (WLAN) or the VLAN (wired). For wired, the port must be untrusted, as for a trusted port all authentication is disabled.
With show user-table mac <mac> or show user-table ip <ip> or show user-table verbose, you can find what profiles are assigned and, if it is incorrect, move backward in your configuration from there to find out why these are assigned. From there, you probably can see the error and correct it.
One more thing with captive portal, but that seems already correct as you see a redirect (but the wrong redirect), is that you need to have either an IP address assigned to the VLAN where the clients come in or you need to have tri-state-nat enabled in order for the controller to perform the actual redirection. This only applies if you don't see the redirect happen.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
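One way to script the user-table check from the answer above, as an added example that is not from the thread or from Aruba: it parses a constructed, simplified show user-table listing and flags clients in the 10.0.70.0/24 registration VLAN whose role is not the custom redirect role. The role name cppm-registration, the aaa profile names and the reduced column set are assumptions.

```python
"""Check that registration-VLAN clients got the redirect role (added example,
not from the thread or Aruba). SAMPLE_USER_TABLE is a CONSTRUCTED, simplified
`show user-table`; real output has more columns, so column names are assumed."""
import ipaddress
import re

REGISTRATION_NET = ipaddress.ip_network("10.0.70.0/24")  # from the thread
EXPECTED_ROLE = "cppm-registration"  # hypothetical name for the custom role

SAMPLE_USER_TABLE = """\
IP             MAC               Name   Role              Age(d:h:m) Auth   Profile
-------------- ----------------- ------ ----------------- ---------- ------ -------
10.0.70.15     00:11:22:33:44:55        logon             00:00:02          default
10.0.70.16     00:11:22:33:44:66        cppm-registration 00:00:05          wired-reg-aaa
10.0.20.50     00:11:22:33:44:77 alice  authenticated     00:01:10   802.1x corp-aaa
"""


def parse_user_table(text):
    """Split a dash-ruled table into dicts keyed by header name.
    Column edges come from the ruler line, so an empty Name or Auth cell
    cannot shift the Role or Profile values as whitespace splitting would.
    """
    header, ruler, *rows = [ln for ln in text.splitlines() if ln.strip()]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    parsed = []
    for row in rows:
        cells = {}
        for i, ((s, e), name) in enumerate(zip(spans, names)):
            # the last column may run past its ruler width
            cells[name] = (row[s:] if i == len(spans) - 1 else row[s:e]).strip()
        parsed.append(cells)
    return parsed


def misassigned_registration_clients(table_text, expected_role=EXPECTED_ROLE):
    """Return (ip, mac, role, profile) for registration-VLAN clients that did
    not land in the custom role. A client left in the built-in 'logon' role is
    sent to the controller's own portal instead of CPPM, the thread's symptom."""
    hits = []
    for row in parse_user_table(table_text):
        try:
            ip = ipaddress.ip_address(row["IP"])
        except ValueError:
            continue  # skip non-client lines such as a trailing count
        if ip in REGISTRATION_NET and row["Role"] != expected_role:
            hits.append((row["IP"], row["MAC"], row["Role"], row["Profile"]))
    return hits
```

Any hit points at the aaa profile (and therefore the VLAN or port) that handed out the wrong initial role, which is where the answer says to start walking the configuration backwards.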