05-10-2012 07:05 AM
I configured a SSID with captive portal authentication, everything works fine.
I also tried to configure wired user guest access. I found this in the user guide:
"About Trusted and Untrusted VLANs
You can also classify traffic as trusted or untrusted based on the VLAN interface and port/channel. This
means that wired traffic on the incoming port is trusted only when the port’s associated VLAN is also
trusted, otherwise the traffic is untrusted. When a port and its associated VLANs are untrusted, any
incoming and outgoing traffic must pass through a predefined ACL. For example, this setup is useful if your
company provides wired user guest access and you want guest user traffic to pass through an ACL to
connect to a captive portal."
Now I'm stuck with the ACL. I supposed that the "logon" and the "captive-portal" ACLs merged into one ACL should redirect traffic to the captive portal, but all I get is a strange Firefox message ("Redirect Loop Error, Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."). Internet Explorer just fails to connect to the internet.
Any suggestion is appreciated...
05-10-2012 08:00 AM
What role is the wired user in when the failures occur?
You can find this with a 'show user' on the command line or by looking at clients on the controller or AirWave.
That would be helpful to know for starters... is it 'logon' or something else?
05-14-2012 12:45 AM - edited 05-14-2012 12:47 AM
Thanks for your reply. The user's role is exactly the ACL that I set in the port configuration for the desired untrusted vlan.
It seems that the port actually behaves like it's supposed to.
Maybe my ACL is incorrect. What should the ACL look like to redirect traffic to the captive portal?
05-15-2012 02:36 AM - edited 05-15-2012 03:58 AM
I missed the forest for the trees...
The wired clients are connected to this controller port:
interface gigabitethernet 1/3
   no trusted vlan 1-4094
   switchport access vlan 300
I enabled Advanced Services > Wired Access > Enable Wired Access Concentrator Server, added the AAA profile.
That's it!
03-03-2013 03:02 PM
I've also been trying to do the same stuff (wired CP redirection). Unfortunately, I haven't been so successful, and I have the feeling that my problem lies in the ACL attached to the wired guest vlan.
I get my wired-guest users redirected to the CP-Guest captive portal. Then they're authenticated and their role changes in the controller. Up to that point, I think everything's ok. My problem is that I keep being redirected to the web portal. Could that be due to the ACL I've applied to the untrusted port?
My ACL is the following:
ip access-list session wired-cp
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-papi permit
   any any svc-sec-papi permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
   any alias Amigopod any permit
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ACMP, ACCP, ACDX#100
03-03-2013 08:13 PM
You do NOT put an ACL on the port. You just make it untrusted.
Please take a look at the article here: https://arubanetworkskb.secure.force.com/pkb/artic
Aruba Customer Engineering
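
The advice in this thread, written out as controller CLI configuration (an added example, not posted by any participant): the port stays untrusted with no session ACL bound to it, and the captive portal redirect comes from the initial role of the AAA profile assigned to wired access. The names `wired-guest-logon` and `wired-guest-aaa` are hypothetical, `CP-Guest` is the portal profile named above, and the syntax assumes ArubaOS 6.x with the predefined `logon-control` and `captiveportal` session ACLs.

```text
! Constructed example. Role and AAA profile names are hypothetical.

! Initial role for unauthenticated wired guests. The redirect rules live in
! the role's session ACLs, not on the physical port.
user-role wired-guest-logon
   captive-portal "CP-Guest"
   access-list session logon-control
   access-list session captiveportal
!
! AAA profile that places new wired users into that role.
aaa profile "wired-guest-aaa"
   initial-role "wired-guest-logon"
!
! Use this AAA profile for clients arriving on untrusted wired ports.
aaa authentication wired
   profile "wired-guest-aaa"
!
! The port from the original post: untrusted, access VLAN 300, and no
! "ip access-group ... session" line on the interface.
interface gigabitethernet 1/3
   no trusted vlan 1-4094
   switchport access vlan 300
!
```

With this in place, 'show user' should list a newly connected wired client in the initial role before login and in the post-authentication role afterwards.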