Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal through untrusted port

  • 1.  Captive Portal through untrusted port

    Posted May 10, 2012 10:06 AM

    Hi everybody,

    I configured an SSID with captive portal authentication, everything works fine.

    I also tried to configure wired user guest access. I found this in the user guide:

    "About Trusted and Untrusted VLANs
    You can also classify traffic as trusted or untrusted based on the VLAN interface and port/channel. This
    means that wired traffic on the incoming port is trusted only when the port’s associated VLAN is also
    trusted, otherwise the traffic is untrusted. When a port and its associated VLANs are untrusted, any
    incoming and outgoing traffic must pass through a predefined ACL. For example, this setup is useful if your
    company provides wired user guest access and you want guest user traffic to pass through an ACL to
    connect to a captive portal."


    Now I'm stuck with the ACL. I supposed that the "logon" and the "captive-portal" ACLs merged into one ACL should redirect traffic to the captive portal, but all I get is a strange Firefox message ("Redirect Loop Error, Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."). Internet Explorer just fails to connect to the internet.

    Any suggestion is appreciated...



  • 2.  RE: Captive Portal through untrusted port

    Posted May 10, 2012 11:00 AM

    What role is the wired user in when the failures occur?

    You can find this with a 'show user' on the command line or by looking at clients on the controller or AirWave.

    That would be helpful to know for starters... is it 'logon' or something else?



  • 3.  RE: Captive Portal through untrusted port

    Posted May 14, 2012 03:45 AM

    Hi jfernyc,

    thanks for your reply. The user's role is exactly the ACL that I set in the port configuration for the desired untrusted VLAN.

    It seems that the port actually behaves like it's supposed to.

    Maybe my ACL is incorrect. What should the ACL look like to redirect traffic to the captive portal?

    TIA



  • 4.  RE: Captive Portal through untrusted port
    Best Answer

    Posted May 15, 2012 05:36 AM

    I missed the forest for the trees...

    The wired clients are connected to this controller port:

    interface gigabitethernet  1/3
            description "GE1/3"
            no trusted vlan 1-4094
            switchport access vlan 300

    I enabled Advanced Services > Wired Access > Enable Wired Access Concentrator Server, added the AAA profile.

    That's it! :)



  • 5.  RE: Captive Portal through untrusted port

    EMPLOYEE
    Posted Mar 03, 2013 06:03 PM

    Hey guys,

    I've also been trying to do the same stuff (wired CP redirection). Unfortunately, I haven't been so successful, and I have the feeling that my problem lies in the ACL attached to the wired guest VLAN.

    I get my wired-guest users redirected to the CP-Guest captive portal. Then they're authenticated and their role changes in the controller. Up to that point, I think everything's ok. My problem is that I keep being redirected to the web portal. Could that be due to the ACL I've applied to the untrusted port?

    Thanks

    My ACL is the following:

    !
    ip access-list session wired-cp
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-papi  permit
      any any svc-sec-papi  permit
      any any svc-cfgm-tcp  permit
      any any svc-adp  permit
      any any svc-tftp  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
      any alias Amigopod any  permit
      user   alias controller svc-https  dst-nat 8081
      user any svc-http  dst-nat 8080
      user any svc-https  dst-nat 8081
      user any svc-http-proxy1  dst-nat 8088
      user any svc-http-proxy2  dst-nat 8088
      user any svc-http-proxy3  dst-nat 8088
    !



  • 6.  RE: Captive Portal through untrusted port

    EMPLOYEE
    Posted Mar 03, 2013 11:13 PM

    You do NOT put an ACL on the port. You just make it untrusted.

    Please take a look at the article here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1183
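The two working answers in this thread (post 4 and post 6) reduce to three checks on the controller config: the guest port is untrusted, a wired AAA profile is configured, and no session ACL is applied to the untrusted port itself. The script below is an added example, not code from the thread or from HPE Aruba Networking, that parses a running-config excerpt and reports violations of those checks. The config text is constructed for the example; the CLI forms `ip access-group <acl> session`, `aaa authentication wired` and its `profile` line are assumed from ArubaOS 6.x syntax and do not appear in the posts above.

```python
"""Audit an ArubaOS-style running-config excerpt for the wired captive-portal
setup discussed in the thread. Constructed sample config; CLI forms for the
session ACL and the wired AAA profile are assumptions, not taken from the posts."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: GE1/3 mirrors the working port from post 4, GE1/4 repeats
# the mistake from post 5 (ACL on the untrusted port), GE1/5 is a trusted uplink.
SAMPLE_CONFIG = """\
aaa authentication wired
   profile "wired-guest-aaa"
!
interface gigabitethernet  1/3
        description "GE1/3"
        no trusted vlan 1-4094
        switchport access vlan 300
!
interface gigabitethernet 1/4
        description "GE1/4"
        no trusted vlan 1-4094
        switchport access vlan 300
        ip access-group wired-cp session
!
interface gigabitethernet 1/5
        description "uplink"
        switchport mode trunk
!
"""


@dataclass
class Interface:
    name: str
    trusted: bool = True                    # ArubaOS ports are trusted unless told otherwise
    untrusted_vlans: Optional[str] = None   # VLAN range from 'no trusted vlan ...'
    access_vlan: Optional[int] = None
    session_acls: List[str] = field(default_factory=list)


def _stanzas(text: str):
    """Yield config stanzas as lists of stripped lines, split on '!' separators."""
    stanza: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            if stanza:
                yield stanza
            stanza = []
        elif line:
            stanza.append(line)
    if stanza:
        yield stanza


def parse_config(text: str) -> Tuple[Dict[str, Interface], Optional[str]]:
    """Return (interfaces keyed by name, wired AAA profile name or None)."""
    interfaces: Dict[str, Interface] = {}
    wired_profile: Optional[str] = None
    for stanza in _stanzas(text):
        head = stanza[0]
        if head.startswith("interface "):
            iface = Interface(name=" ".join(head.split()[1:]))  # normalise spacing
            for line in stanza[1:]:
                m = re.match(r"no trusted(?: vlan (\S+))?$", line)
                if m:
                    iface.trusted = False
                    iface.untrusted_vlans = m.group(1) or "1-4094"
                    continue
                m = re.match(r"switchport access vlan (\d+)$", line)
                if m:
                    iface.access_vlan = int(m.group(1))
                    continue
                m = re.match(r"ip access-group (\S+) session$", line)
                if m:
                    iface.session_acls.append(m.group(1))
            interfaces[iface.name] = iface
        elif head == "aaa authentication wired":
            for line in stanza[1:]:
                m = re.match(r'profile "?([^"]+)"?$', line)
                if m:
                    wired_profile = m.group(1)
    return interfaces, wired_profile


def audit(text: str) -> List[str]:
    """One finding per misconfiguration; an empty list means the excerpt is clean."""
    interfaces, wired_profile = parse_config(text)
    findings: List[str] = []
    untrusted = [i for i in interfaces.values() if not i.trusted]
    for iface in untrusted:
        for acl in iface.session_acls:
            findings.append(
                f"{iface.name}: untrusted port also carries session ACL '{acl}'; "
                "remove it, the role from the wired AAA profile supplies the policy"
            )
    if untrusted and wired_profile is None:
        findings.append(
            "untrusted ports present but 'aaa authentication wired' names no "
            "profile; wired clients will not be placed in a captive-portal role"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of `show running-config` saved to a file and the GE1/4-style finding is the condition post 6 warns about: the port-level ACL keeps dst-nat'ing web traffic to the portal even after the user's role has changed, which is the redirect loop described in posts 1 and 5.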