hyc
Occasional Contributor II
Posts: 18
Registered: ‎10-27-2015

Captive portal pefng domain whitelisting not working

Hi, sorry for the long question:

We have set up an externally hosted captive portal with RADIUS authentication using the Campus WLAN wizard.

We have the 512-AP PEFNG firewall installed, and a few domains are whitelisted as a PEFNG firewall Destination, with that destination whitelisted under the L3 authorization tab for the captive portal profile.

The whitelisted domains consist of facebook.com, twitter.com, twimg.com, fbcdn.net, etc., common social media sites.

Our WiFi clients are being served the splash page, but can only go to facebook.com to complete the authentication if we add "svc-https" (which just allows all port 443 traffic to go through) to the AAA pre-authentication user role. This unfortunately enables all HTTPS access. If we do not add "svc-https" to the pre-authentication user role's access control list, the client cannot be forwarded to facebook.com or twitter.com (page load dropped or timed out), even though they are allowed as whitelisted destinations under L3 authentication.

We have also tried to create an inverted firewall destination rule, which will reject HTTPS traffic to all domains other than facebook.com, fbcdn.net, akamaihd.net, etc., e.g. the domains necessary for Facebook login. This also does not work. Without completing the authentication, the client can still access HTTPS resources such as https://youtube.com/ as long as the svc-https rule is there (which is needed for them to go onto facebook.com to complete sign-in).

We have tried putting the access rule before and after svc-https; it does not change a thing, domain whitelisting is not working.

The situation is as if PEFNG Destination domains are being ignored, even though we have definitely specified them under the AAA pre-auth role.

If we allow all HTTPS communication to go through, the clients can authenticate properly with Facebook, with the correct RADIUS authentication following after that, and everything works. The only issue we have is that we have to allow all HTTPS communication in order for the client to go to external social media sites. PEFNG-based domain whitelisting is being ignored.

We have set up a very similar setup before, also using the Campus WLAN wizard, and we did not have any problem back then. This current setup is behind a switch and all clients are being assigned to VLAN ID 500. Not sure if that changes anything, but as long as we enable all HTTPS communication, everything works.

Are there some other settings we are missing in order to make the controller apply the domain-based Destination whitelist? We see the first access role created by the controller already whitelists HTTP/HTTPS traffic to the whitelisted domains that we have under Stateful Firewall -> Destination.

It seems the access role is only applying IP/port-based whitelisting rather than domain-based whitelisting.

Thanks


Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Captive portal pefng domain whitelisting not working

Did you configure a DNS server on the controller and configure ip domain-lookup?

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
hyc
Occasional Contributor II

Re: Captive portal pefng domain whitelisting not working

Thanks. Initially our DNS wasn't resolving. We have added dns-acl to the pre-authentication role and that seems to have resolved that issue. We also had to add dhcp-acl and the ICMP ACL to the pre-auth role.

hyc
Occasional Contributor II

Re: Captive portal pefng domain whitelisting not working

The thing is, as soon as we allow svc-https everything works. The external portal page redirects the client using a DNS name and not an IP (e.g., clients get redirected to https://graph.facebook.com/oauth/authorize.... via JavaScript in their mobile browser).

Guru Elite

Re: Captive portal pefng domain whitelisting not working

Two things:

The controller itself needs to resolve the URLs that users are looking up, so you need to do this:

config t
ip name-server 8.8.8.8
ip domain-lookup

The USERS will use whatever DNS server they obtain via DHCP, but that is separate from what you need to do above to allow and block domains.

Colin Joseph
Aruba Customer Engineering

Guru Elite

Re: Captive portal pefng domain whitelisting not working

If things are solved, okay, good.

Colin Joseph
Aruba Customer Engineering

hyc
Occasional Contributor II

Re: Captive portal pefng domain whitelisting not working

Thanks, we will try this today.

Can you please tell us the correct command on the controller to test domain resolution? Let's say I want to see how the controller itself resolves fbcdn.net; what do I have to type into the console?

Thanks

Guru Elite

Re: Captive portal pefng domain whitelisting not working

You can type ping www.yahoo.com on the controller's command line.

Colin Joseph
Aruba Customer Engineering

hyc
Occasional Contributor II

Re: Captive portal pefng domain whitelisting not working

Thanks a lot.

hyc
Occasional Contributor II

Re: Captive portal pefng domain whitelisting not working

We have now set the DNS on the controller to be the same as what the user's phone will get from DHCP.

Now in the ACL, the controller is allowing some domains but is not allowing others. For example, if we whitelist both facebook.com and twitter.com in the ACL, it will only partially allow facebook.com (i.e., some images don't load).

Question: how does the Aruba controller handle domain-based ACLs? How does this work when it's a subdomain of an allowed domain (e.g., mobile.twitter.com)? In this case, if twitter.com was in the ACL, how does the controller allow mobile.twitter.com (does it maintain a cache of all lookups, as some of these sites have multiple load-balancing IPs)?

Thanks.
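The thread ends without an answer to the last question, so the following is an added illustration, not ArubaOS code and not Aruba's documented behaviour. It models the mechanism Colin's replies describe: the controller resolves each whitelisted name with its own DNS server (the ip name-server / ip domain-lookup configuration above) and then matches pre-auth client flows on the resulting IP addresses and ports. Run against constructed DNS answers, it shows two things the posts report: a name whose CDN addresses differ between the controller's resolver and the clients' DHCP-assigned resolver is dropped until both use the same DNS server (hyc's fix), and a sub-domain that is not itself in the alias (mobile.twitter.com) never matches, whichever resolver the controller uses. The exact-name matching, the simple IP cache with no TTL handling, the alias and request lists, and every address below are assumptions and constructed sample data, not real records.

```python
"""Model of a name-based firewall destination that is enforced on IP addresses.

Added illustration, not ArubaOS code. Assumed mechanism (as described in the
thread): the controller resolves each whitelisted name with its OWN DNS server
(ip name-server / ip domain-lookup), remembers the addresses it received, and
matches pre-auth client traffic on destination IP and port. Clients resolve the
same names with the DNS server they received via DHCP. Every DNS answer below
is constructed sample data, not a real record.
"""

# Constructed: what the controller's resolver returns for the alias names.
CONTROLLER_DNS = {
    "facebook.com": {"157.240.1.35"},
    "fbcdn.net": {"157.240.1.14"},
    "twitter.com": {"104.244.42.1", "104.244.42.65"},
}

# Constructed: what the clients' DHCP-assigned resolver returns at the same
# moment. CDN-hosted names frequently get a different pool per resolver.
CLIENT_DNS = {
    "facebook.com": {"157.240.1.35"},          # same answer as the controller
    "fbcdn.net": {"157.240.9.23"},            # a different CDN node
    "twitter.com": {"104.244.42.65"},
    "mobile.twitter.com": {"104.244.42.193"},  # sub-domain; not in the alias
}

WEB_PORTS = {80, 443}

# The domains the poster whitelisted, and the flows a client opens to log in
# (assumed list, for the simulation only).
ALIAS = ["facebook.com", "fbcdn.net", "twitter.com"]
REQUESTS = [("facebook.com", 443), ("fbcdn.net", 443),
            ("twitter.com", 443), ("mobile.twitter.com", 443)]


class NameDestination:
    """A destination alias made of DNS names, expanded to IPs by one resolver."""

    def __init__(self, names, resolver):
        self.names = list(names)
        self.resolver = resolver
        self.ip_cache = {}  # name -> set of IPs learnt from the resolver
        self.refresh()

    def refresh(self):
        # Assumption: only the exact names in the alias are looked up; nothing
        # expands twitter.com into its sub-domains.
        for name in self.names:
            self.ip_cache[name] = set(self.resolver.get(name, set()))

    def all_ips(self):
        return set().union(*self.ip_cache.values())

    def permits(self, dst_ip, dst_port):
        """The rule 'alias <names> svc-http/svc-https permit', as an IP check."""
        return dst_port in WEB_PORTS and dst_ip in self.all_ips()


def evaluate_client(dest, client_resolver, requests):
    """Simulate a pre-auth client opening each (name, port) after its own lookup.

    Returns {name: (permitted, reason)} so every drop can be explained.
    """
    verdicts = {}
    for name, port in requests:
        ips = sorted(client_resolver.get(name, set()))
        ok = bool(ips) and all(dest.permits(ip, port) for ip in ips)
        if ok:
            reason = "client IPs %s are all in the controller's set" % ips
        elif name not in dest.ip_cache:
            reason = "%s is not in the alias, so the controller never resolved it" % name
        else:
            reason = "client resolved %s but the controller cached %s" % (
                ips, sorted(dest.ip_cache[name]))
        verdicts[name] = (ok, reason)
    return verdicts


def run(controller_resolver, alias=ALIAS):
    """Build the alias from one resolver and test the clients' flows against it."""
    return evaluate_client(NameDestination(alias, controller_resolver),
                           CLIENT_DNS, REQUESTS)


if __name__ == "__main__":
    for label, resolver in (("controller on its own DNS", CONTROLLER_DNS),
                            ("controller on the clients' DNS", CLIENT_DNS)):
        print(label + ":")
        for name, (ok, why) in run(resolver).items():
            print("  %-20s %-6s %s" % (name, "permit" if ok else "DROP", why))
```

The two passes differ only in which resolver populates the controller's IP set; fbcdn.net flips from DROP to permit when the controller is pointed at the clients' DNS server, while mobile.twitter.com stays dropped until it is added to the alias itself. The corresponding check on a real controller is the one Colin gave: resolve the name from the controller's command line (ping the name) and from a client on the captive-portal VLAN, and compare the addresses returned.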