MVP
Posts: 329
Registered: ‎04-25-2013

Explicit Proxy with Captive Portal

Hi,

I have an explicit proxy that my customer wants to use with guests as well.

The customer wants to use Captive Portal for guest authentication.

Guest VLANs are NATed.

Is there any solution to force guests to use the proxy without any configuration in the browser?

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



[If my post is helpful please give kudos, or mark as solved if it answers your post.]
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Explicit Proxy with Captive Portal

There are ways, but some things need to be in place.

 

You would need to configure your DHCP server for option 252: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-DHCP-option-252-for-captive-portal-with-proxy/ta-p/182290  The drawback with this method is that the user's browser needs to be set to "auto discovery of proxy server", otherwise it will not work.

 

There is also a second way that you can try, using the redirect ACL: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-configure-Aruba-Controller-for-redirecting-traffic-to-the/ta-p/180598  Please note the drawback of using this method - "Note: In the transparent mode, most proxy servers will process only the http traffic. A few proxy servers like websense or bluecoat will process the https traffic provided ssl inspection is enabled in the proxy server."


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
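
One way to write the PAC file that the DHCP option 252 URL points to, as an added example (not from this thread or the linked article): it sends guest web traffic to the explicit proxy and exempts the captive portal host and controller subnet so the login page is fetched directly. The proxy address, portal hostname and subnet are assumed placeholders, and the PAC built-ins are replaced by plain JavaScript helpers so the file can also be tested outside a browser.

```javascript
// Added example: PAC file for guests who receive its URL via DHCP option 252.
// All addresses and names below are constructed placeholders.
var PROXY = "PROXY 10.10.10.10:8080";                    // explicit proxy (assumed)
var PORTAL_HOSTS = ["captiveportal-login.example.net"];  // portal FQDN (assumed)
var DIRECT_NETS = [["192.0.2.0", 24]];                   // controller subnet (assumed)

// Convert a dotted-quad IPv4 string to an integer; null if it is not IPv4.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside net/bits (stand-in for isInNet).
function inNet(host, net, bits) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net);
  if (h === null || n === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(h / size) === Math.floor(n / size);
}

// Entry point the browser calls for every request once the PAC is loaded.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The portal and controller are reached directly, so the login page
  // does not depend on the proxy being reachable before authentication.
  if (PORTAL_HOSTS.indexOf(host) !== -1) return "DIRECT";
  for (var i = 0; i < DIRECT_NETS.length; i++) {
    if (inNet(host, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
  }
  // Everything else goes to the explicit proxy. No "; DIRECT" fallback is
  // listed, so a proxy outage fails closed instead of bypassing filtering.
  return PROXY;
}
```

As the post notes, this only takes effect on browsers left on automatic proxy discovery, so an egress ACL in the authenticated role is still needed for clients that ignore it.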

MVP
Posts: 329
Registered: ‎04-25-2013

Re: Explicit Proxy with Captive Portal

The issue is that I'm using Captive Portal, and if I use an ACL to redirect traffic, the Captive Portal authentication will not proceed. If I use a DHCP option, the browser will try to redirect the traffic directly to the DHCP, and here too I will get a problem with the Captive Portal authentication.

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Explicit Proxy with Captive Portal

What is the exact setup?  Your only option that covers all bases is probably a transparent proxy, where the client does not have to configure anything....



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 329
Registered: ‎04-25-2013

Re: Explicit Proxy with Captive Portal

Hi,

The customer is using an explicit proxy; if he were using a transparent proxy, I would not be asking this question :)

So the exact question is how to use an explicit proxy with Captive Portal.

Regards

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Explicit Proxy with Captive Portal

There are two parts to this:

1.  What is needed to bring up the captive portal

2.  What is needed to redirect the user traffic to the explicit proxy after the captive portal is brought up.

 

#1 should be straightforward and use the standard captive portal and control  ACLs.  The client would need to be able to resolve DNS, and all http traffic will be redirected to the controller's captive portal on port 8080:

(Aruba7005-US) # show ip access-list captiveportal

ip access-list session captiveportal
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4        
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4        
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4        
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4        
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4        
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4        

The standard logon-control ACL at minimum should allow DNS and DHCP, as well:

(Aruba7005-US) # show ip access-list logon-control

ip access-list session logon-control
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4        
2         any     any                      svc-icmp               permit                           Low                                                           4        
3         any     any                      svc-dns                permit                           Low                                                           4        
4         any     any                      svc-dhcp               permit                           Low                                                           4        
5         any     any                      svc-natt               permit                           Low                                                           4        
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4        
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4        

Both of the ACLs above should be combined into an initial role that allows the user to bring up the captive portal.

 

#2 After the user authenticates with the captive portal, that is when it will be necessary to destination-NAT (translate) all http traffic to the explicit proxy using an ACL in the role you use after the client has authenticated.  For example if the proxy is at 10.10.10.10 and the proxy port is 8080 your ACL would look like this for your authenticated client:

alias "user" any "svc-http" dst-nat ip 10.10.10.10 8080 

You would do the same thing for https client, but like I warned above, it is quite possible that your proxy will not handle https traffic properly so you might have to try to come up with a workaround for that.

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 329
Registered: ‎04-25-2013

Re: Explicit Proxy with Captive Portal

Many thanks for the help,

I'm trying it, but I remember that I got an issue with the source NAT in the VLAN, because I use VLAN source NAT for a security issue, that I have to use dest NAT to the port of the proxy server (8080), and it did not work for me last time.

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX


