Security

When our client use their devices (Mobile Phone, Laptop...etc) connected to our Guest Network which has captive portal for Authentication, they can get the IP Address successfully but the captive portal sometimes cannot be prompted up. I tried to ping the gateway but request time out. The temporary solution is to Turn off the WiFi of this mobile device for a period and let the device get another IP Address.

 

Is there any option in Aruba Controller that need to be enable? Does anyone have some idea on this problem?

 

Here is some cnofiguration of our Aruba WiFi Network:

- The default gateway of the Clients, Access Point and contoller is the VLAN Interface in the Layer3 Switch 

- We have 1 Master Controller and 1 Local Controller and all Access Points are mounted to the Local Controller

- All Controllers are running as trunk and directly connected to the Layer3 Switch.

 

Do you have an IP address set for the user vlan on the controller?

Can you ping that address from the client when you are having issues?

It could be a DNS inestability.

What DNS are you using?

If you cannot translate a name for example when the user pop up a webpage if the computer at that momment cannot translate for example www.google.com it wont display the captive porta...

 

So check that.  I had clients using crappy DNS from their ISPs and this kind of thing use to happen to them.

I told them to change them to another one maybe the google ones 8.8.8.8  and well it stop happening to them..

Im not telling you its this but it could be though.

If you can check yourself and if it happens to you check if you can translate names when it doesnt work with ping... doing ping to www.cnn.com or stuff like that.

 

Correct DNS funtionality is really imporant for the captive porta... if DNS does not work properly the captive portal doesnt work either.   IF DNS works now and then, then the captive portal will work now and then.

 

IF you seee this behavior just happen with apple devices try this

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1680

 

cheers

Carlos

When a device fails to bring up captive portal, what is the state of the device?  What role does the device have when captive portal fails?  Is it able to do anything?

 

Also, what happens if you type http://1.1.1.1 as a URL?   If Captive Portal loads, then it is a DNS issue.

I've come across this a few times and it was due to a combination of a high user idle timeout and prohibit IP spoofing.  Basically, a guest would disconnect from the SSID and release his IP.  A new guest would connect and receive the same IP before the previous guest timed out of the user table.  If IP spoofing is detected by the controller, it will be logged: show log all | inc ip_address_here.  I forget the message, but it will be obvious.  If you don't see any messages indicating a spoofed IP, check the user table to see if the problem client has an entry: show user-table | inc ip_address.

Thank you for all replies, I will tried to test in the above methods if the problem occurs.

 

I have also find a post in this forum http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Captive-Portal-cannot-showup-amp-802-1x-authentication-problem/td-p/120493 and mentioned about enable "Allow Tri-session with DNAT". What is the use of this option?

 

Thanks~~