Occasional Contributor II
Posts: 18
Registered: ‎05-24-2012

Captive portal failure in guest vlan (Ticket 1361035)

Hi everyone,

I have a ticket open for this problem as well, but I thought, why not post it here as well, because you never know if someone has seen this problem before.

I have a setup with a captive portal vlan for my guest users.

Some specifics:

Captive portal on the Aruba 3200XM, AOS version 6.1.3.4.

Routing on an external corporate router.

Both IPv4 and IPv6 active on the vlan.

Aruba has an IPv4 and an IPv6 address on the vlan and those addresses are used as the captive portal addresses.

When I have rebooted the controller everything works fine. The guests are presented with the captive portal page, are able to log in and are able to use the wireless network. This works for several weeks without problems.

After some time, without any changes in the configuration, everything stops working. What I then notice on a test client is the following:

The rules for the initial connectivity still work:

The client receives an IPv4 address from the DHCP server.

The client configures a SLAAC IPv6 address based on the received RA packets.

The client can do a DNS lookup for the site it wants to visit.

But when the client tries to connect to the site it wants to visit it sends out a SYN packet to set up the connection, but it never receives an ACK. To my understanding this ACK should come from the controller, which should intercept the traffic so it can redirect the client to the captive portal. But this never happens because it never sends an ACK back on the SYN request.

When I reboot the controller again everything works again for some time, but that doesn't fix the problem in the long run.

At the moment the controller is in this defective state, so we can't use the guest access at all at the moment and my management is not really happy with this, so one of these days I have to reboot the controller to have a working situation again. But that stops the debugging dead in its tracks.

I also have a different SSID that I use with 802.1X to authenticate users. This keeps working just fine. So the problem is definitely with the guest vlan.

Some information:

(aruba01) #show aaa profile TC3GUEST-aaa_prof

AAA Profile "TC3GUEST-aaa_prof"
-------------------------------
Parameter                           Value
---------                           -----
Initial role                        guest-logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled

(aruba01) #show aaa authentication captive-portal TC3-Guest-cp_prof

Captive Portal Authentication Profile "TC3-Guest-cp_prof"
---------------------------------------------------------
Parameter                                     Value
---------                                     -----
Default Role                                  authenticated
Default Guest Role                            guest
Server Group                                  CaptivePortal_srvgrp
Redirect Pause                                10 sec
User Login                                    Enabled
Guest Login                                   Enabled
Logout popup window                           Enabled
Use HTTP for authentication                   Disabled
Logon wait minimum wait                       5 sec
Logon wait maximum wait                       10 sec
logon wait CPU utilization threshold          60 %
Show FQDN                                     Disabled
Use CHAP (non-standard)                       Disabled
Login page                                    /upload/custom/TC3-Guest-cp_prof/index.html
Welcome page                                  /auth/welcome.html
Show Welcome Page                             Yes
Add switch IP address in the redirection URL  Disabled
Allow only one active user session            Disabled
White List                                    walled-garden-access
White List                                    walled-garden-access-ipv6
Black List                                    N/A
Show the acceptable use policy page           Disabled

When my test client is connected to the SSID and is trying to connect to a website I see the following in the controller for this client:

(aruba01) #show user | include 10.22.61.147
10.22.61.147                         18:f4:6a:98:9f:e8                           guest-logon    00:00:07                      d8:c7:c8:cb:5f:5c  Wireless  TC3GUEST/d8:c7:c8:35:f5:c0/g-HT          TC3GUEST-aaa_prof          tunnel        Linux


(aruba01) #show datapath session table 10.22.61.147

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----

If someone knows why this is happening, I would be very happy.

Jan Hugo Prins

Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Hi,

How long does this take to happen again?

Have you tried to capture packets from the controller port?

Have you tried to shut down the port only and then no shut, instead of rebooting the controller?

When the client accesses the controller, after sending the SYN it needs to receive a redirect to the controller IP/captive portal page.


Occasional Contributor II
Posts: 18
Registered: ‎05-24-2012

Re: Captive portal failure in guest vlan (Ticket 1361035)

Hi everyone,

I did some extra debugging today and I have found the cause of my problem. I also found that the things I thought to be true about DNS resolving were not completely true after all.

In my configuration I had limited the number of sessions for the Guest role and the Guest-Logon role. But the problem was that my limit was too tight, which resulted for all clients in a working configuration at start but very soon after that a failing configuration. I misinterpreted this due to the moments I tested and the fact that the test client I used was already connected when I tested again and noticed everything was broken.

Everything works perfectly again.

Jan Hugo Prins


Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Re: Captive portal failure in guest vlan (Ticket 1361035)

Hi,

Congratulations.

So you enabled (Allow only one active user session) in CP authentication? And by disabling it you solved your issue.

Or something else that caused it?

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Captive portal failure in guest vlan (Ticket 1361035)

No,

I think he is referring to the "sessions" parameter in the user role.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 18
Registered: ‎05-24-2012

Re: Captive portal failure in guest vlan (Ticket 1361035)

Indeed.

That is the one I limited. I've put it back to 65535 and now everything is fine again.

Jan Hugo Prins


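The root cause above was a per-role "sessions" limit that clients reached soon after connecting, so their next SYN never got a datapath entry or a reply. As an added example (not from the thread, not Aruba code), here is a small Python check that parses the column layout of `show datapath session table` as quoted earlier, counts datapath sessions per client and reports the clients that have reached a given cap; the rows are constructed and the cap value is an assumption supplied by the caller.

```python
"""Count datapath sessions per client from AOS 'show datapath session table'
output and report clients that have reached a user-role 'sessions' cap.
Rows below are constructed; only the column header follows the thread."""
from collections import Counter

SAMPLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
10.22.61.147    10.22.61.1      17   52301 53     0/0  0    0   1   dev1        5    123    4      FC
10.22.61.147    10.22.61.1      17   52302 53     0/0  0    0   1   dev1        5    123    4      FC
10.22.61.147    198.51.100.10   6    41000 80     0/0  0    0   0   dev1        2    123    4      CR
10.22.61.147    198.51.100.10   6    41001 443    0/0  0    0   0   dev1        2    123    4      CR
10.22.61.150    10.22.61.1      17   60000 53     0/0  0    0   1   dev1        3    124    4      FC
"""

def parse_sessions(text):
    """Return (src_ip, dst_ip, proto, dport, flags) for each data row.
    Fields are whitespace-separated; Flags may be empty, so a row needs at
    least 13 fields and the 14th, when present, is the flag string."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 13 or not ("." in fields[0] or ":" in fields[0]):
            continue  # header, separator line or blank
        flags = fields[13] if len(fields) > 13 else ""
        rows.append((fields[0], fields[1], fields[2], fields[4], flags))
    return rows

def sessions_per_client(rows):
    """Datapath sessions currently held by each source IP."""
    return Counter(src for src, *_ in rows)

def clients_at_cap(rows, cap):
    """Clients whose count has reached the role's 'sessions' cap (cap is the
    caller's assumption, not read from the controller). Such a client cannot
    open another datapath session, so its next SYN gets no table entry and no
    reply, which is the symptom described in the thread."""
    return {ip: n for ip, n in sessions_per_client(rows).items() if n >= cap}

def redirected_sessions(rows):
    """Sessions carrying the R (redirect) flag: captive-portal intercepts."""
    return [(src, dst, dport) for src, dst, _, dport, fl in rows if "R" in fl]

if __name__ == "__main__":
    rows = parse_sessions(SAMPLE)
    print(sessions_per_client(rows), clients_at_cap(rows, cap=4))
    print(redirected_sessions(rows))
```

Feeding real controller output (including the DNS sessions a client opens before its first web request) shows how quickly a small cap is consumed, which is why the guest-logon role needs headroom above the portal redirect itself.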
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Captive portal failure in guest vlan (Ticket 1361035)

jhaprins

Thank you for following up!

Colin Joseph
Aruba Customer Engineering
