Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal redirect to master

  • 1.  Captive Portal redirect to master

    Posted Mar 27, 2013 08:19 AM

    Hi

    We have a master controller and a local controller. The local controller is located on a remote site. There are no access points terminated on the master controller. We have a guest SSID which users connect to and get redirected to the captive portal login page. The portal page displayed is the page from the local controller. What we want, though, is to have the users redirected to the captive portal page on the master controller. Is this possible?

    I thought changing the cp-redirect-address on the local controller to the IP address of the master would work, but this does not make any difference. We will be rolling out additional local controllers, so we want to save some effort and have a custom portal page on the master controller only.

    Thanks in advance for any help.

     

    Roy



  • 2.  RE: Captive Portal redirect to master

    EMPLOYEE
    Posted Mar 27, 2013 06:35 PM

    You cannot redirect local users to a page on the master, no.



  • 3.  RE: Captive Portal redirect to master

    Posted Mar 28, 2013 08:37 AM

    Thanks for the reply. However, after much tearing of hair out, I did eventually get this to work.

     

    Here is what I did.

     

    On the logon user role, I applied these rules:

    ip access-list session cp-guest
      alias NW-Guest alias masterswitch svc-https dst-nat 8081
      alias NW-Guest any svc-http dst-nat 8080
      alias NW-Guest any svc-https dst-nat 8081

    On the guest auth role, I applied these rules:

    ip access-list session captiveportal
      any alias masterswitch svc-https redirect tunnel 800
      any any svc-http-proxy1 redirect tunnel 800
      any any svc-http-proxy2 redirect tunnel 800
      any any svc-http-proxy3 redirect tunnel 800
      any any svc-http redirect tunnel 800
      any any svc-https redirect tunnel 800

     

    What appears to happen is that the client connects to the guest SSID on the AP attached to the local controller. The traffic is then redirected through the GRE tunnel. As the logon role is used by the GRE tunnel connection, restricting the source to the guest network prevents other users from unnecessarily accessing the captive portal. When the client opens a browser, the CP hijack kicks in and the master controller captive portal login page appears. The user can then log in normally and access the Internet as expected.

     

    I need to carry out more tests to confirm these changes have not messed up anything else, but initial tests do look promising.

     

    Roy
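
The following is an added example, not part of the thread or of any Aruba tooling: a simplified first-match model of the cp-guest rules posted above, used to check which sources actually reach the captive portal dst-nat rules. The addresses for NW-Guest and masterswitch, the sample flows, and the helper names `evaluate` and `audit` are constructed for illustration, and only this one ACL is modelled, not the rest of the role.

```python
import ipaddress

# Constructed addresses: the thread does not give the real ones.
ALIASES = {
    "NW-Guest": ipaddress.ip_network("10.99.0.0/24"),       # assumed guest subnet
    "masterswitch": ipaddress.ip_network("192.0.2.10/32"),  # assumed master IP
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# The three cp-guest rules from the post: source, destination, service, action.
CP_GUEST = [
    ("NW-Guest", "masterswitch", "svc-https", "dst-nat 8081"),
    ("NW-Guest", "any", "svc-http", "dst-nat 8080"),
    ("NW-Guest", "any", "svc-https", "dst-nat 8081"),
]

# Constructed test flows: (source IP, destination IP, protocol, port).
FLOWS = {
    "guest -> master https": ("10.99.0.25", "192.0.2.10", "tcp", 443),
    "guest -> web http": ("10.99.0.25", "198.51.100.7", "tcp", 80),
    "guest -> web https": ("10.99.0.25", "198.51.100.7", "tcp", 443),
    "guest -> dns": ("10.99.0.25", "198.51.100.53", "udp", 53),
    "non-guest -> master https": ("10.20.0.5", "192.0.2.10", "tcp", 443),
    "non-guest -> web http": ("10.20.0.5", "198.51.100.7", "tcp", 80),
}

def evaluate(acl, src, dst, proto, port):
    """Return (rule number, action) for the first matching rule, else (None, 'no-match')."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (s, d, svc, action) in enumerate(acl, start=1):
        if (src_ip in ALIASES[s] and dst_ip in ALIASES[d]
                and SERVICES[svc] == (proto, port)):
            return number, action
    return None, "no-match"

def audit(acl, flows):
    """Evaluate every named flow against the ACL."""
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, (number, action) in audit(CP_GUEST, FLOWS).items():
        print(f"{name:28} rule={number} action={action}")
```

Any flow reported as `no-match` falls through to whatever other ACLs the role carries, so those need the same review before relying on the source restriction.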