Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

BYOD Setup SSID Webpage redirection

  • 1.  BYOD Setup SSID Webpage redirection

    Posted Sep 26, 2013 04:15 PM

    I am trying to create an SSID that forces all users to land on an external webpage that gives users information regarding BYOD and how to set up their devices.  So far I have created the open SSID, and have created a rule with dst-nat to my external web server, but it doesn't work well.  Shortcuts on browsers are causing weird errors from my webserver because the URL doesn't exist, and SSL doesn't seem to work well either.  Any ideas?  I thought this would be simple (and maybe it is) but I am hitting some bumps here.  Thanks for any help.



  • 2.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 26, 2013 04:23 PM

    Could you not just set a rule to give access to the external web server?

    Then configure the 'Captive Portal' for your default User Profile for your SSID. Your 'Captive Portal' would point to the URL of your external web server.

     


     

    I think this should work anyway; I could be missing something more obvious!



  • 3.  RE: BYOD Setup SSID Webpage redirection

    EMPLOYEE
    Posted Sep 26, 2013 04:25 PM
    What types of browser errors are you seeing?


  • 4.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 26, 2013 04:57 PM

    The way I have it configured right now, it seems the dst-nat rule is doing most of the work, but that is not overwriting the URL, it just changes the destination IP, so for someone going to www.google.com/something/whatever.php, it changes it to http://IPADDRESS-OF-MY-SERVER/something/whatever.php.  I guess some sort of rewrite rule on Apache would work.  Still https issues, my guess is because of certificates showing the wrong domain vs the certificate.  Also doesn't help that I don't yet have a certificate on the webserver.  If I can get http working correctly, I figure https will follow.



  • 5.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 26, 2013 04:45 PM

    I've tried just that.  I have an access rule that allows access to my web server.  I have the captive portal login page set as the web address of my server, but that does not force a redirect.  So when someone's browser comes up, it just stalls on whatever page it is trying to load.



  • 6.  RE: BYOD Setup SSID Webpage redirection

    EMPLOYEE
    Posted Sep 26, 2013 04:48 PM
    Does the controller have a layer 3 interface in the VLAN that the users
    are in? This is required for redirection.


  • 7.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 26, 2013 05:00 PM

    It does... in fact the VLAN that users are being placed into is a natted network.



  • 8.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 26, 2013 11:43 PM

    Make sure DNS and http/https are allowed. You should run the following command to make sure nothing is getting blocked: show datapath session table <client ip address>

     

    Confirm that you have configured the Captive Portal profile under the user role you have set up for your initial role.

     


     

     



  • 9.  RE: BYOD Setup SSID Webpage redirection
    Best Answer

    Posted Sep 27, 2013 02:58 PM

    I did finally get it to work.  The main problem seemed to be the order of policies in the user role I had defined.  I had to put the http and https allow for my external web server above the captive portal policy.  After that it worked like buttah!
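
An added illustration, not part of the original posts and not Aruba's implementation: a simplified Python model of first-match policy evaluation in a user role, showing why the permit for the web server has to sit above the captive portal policy. The addresses, rule tuples and function names are constructed for the example, and first-match ordering is assumed from the behaviour described in post 9.

```python
from ipaddress import ip_address, ip_network

# Constructed values: documentation addresses standing in for the thread's
# external web server and for an arbitrary site a client first tries to open.
WEB_SERVER = "192.0.2.10"
OTHER_SITE = "198.51.100.7"

# Simplified session policies: (destination network, TCP ports, action).
ALLOW_WEB = [(f"{WEB_SERVER}/32", {80, 443}, "permit")]
CAPTIVE_PORTAL = [("0.0.0.0/0", {80, 443}, "redirect")]


def evaluate(role, dst_ip, dst_port):
    """Return the action of the first rule that matches, top to bottom."""
    for policy in role:
        for network, ports, action in policy:
            if ip_address(dst_ip) in ip_network(network) and dst_port in ports:
                return action
    return "deny"  # nothing matched: implicit deny


def follow(role, dst_ip, dst_port=80, max_hops=4):
    """Trace a browser: each redirect points it at WEB_SERVER, which is then
    evaluated against the same role again."""
    hops = []
    for _ in range(max_hops):
        action = evaluate(role, dst_ip, dst_port)
        hops.append((dst_ip, action))
        if action != "redirect":
            break
        dst_ip = WEB_SERVER
    return hops


def reaches_portal(role):
    """True if a client opening OTHER_SITE ends with a permit to WEB_SERVER."""
    return follow(role, OTHER_SITE)[-1] == (WEB_SERVER, "permit")


portal_first = [CAPTIVE_PORTAL, ALLOW_WEB]   # order described as failing
allow_first = [ALLOW_WEB, CAPTIVE_PORTAL]    # order described as working

if __name__ == "__main__":
    for name, role in (("portal_first", portal_first), ("allow_first", allow_first)):
        print(name, follow(role, OTHER_SITE), reaches_portal(role))
```

With the portal policy first, the request to the web server is itself redirected on every hop, so the client never receives the page; with the permit first, the second hop is allowed through.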



  • 10.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 30, 2013 09:03 AM

    RMorely,

    Do you have the users authenticate at all (and thus change user group), or do they stay "unauthenticated" with limited access just to the webserver?

    Do you also have an ACL to block all other traffic to everywhere else apart from your web server?

     

    Thanks



  • 11.  RE: BYOD Setup SSID Webpage redirection

    Posted Sep 30, 2013 11:43 AM

    No authentication going on here.  This is simply for staff and students who bring personal devices to school to get info on how to connect to our 802.1x network.  I also have an su1x install that configures Windows 7 and XP that they can download from the website, since I did not want to pay for Aruba's Quick Connect.  The user role only allows them to connect to this particular website.