Security

Reply
Occasional Contributor II
Posts: 11
Registered: ‎09-30-2015

External captive portal on 7210 with AP-225

Hi,

 

This might be a rookie question, but i cant seem to find much info on how to set up my 7210s to use an external captive portal for a guest ssid? We have a Clearpass-server that works great with the Cisco wism-controllers, and im now migrating the SSIDs over to the Aruba-solution, but havent issues with the guest-SSID. 

 

What we want to accomplish is this: the user connects to the SSID, gets forwarded to the clearpass (https://guestportal.customerx.no/guest/cust_guest.php. On that page, they enter their name/cell phone/who they are visiting. That person approces/rejects it, and the user can log on with the credentials when the person they are visiting has approved it through the same portal. The problem is i never even get redirected.

 

I tried under Security - Authentication - L3 - Captive Portal - adding the Welcome page and Login page with the full URL to no avail. Also added the add switch ip for good measure. Just seems like this isnt enough? I have added the DNS and host to the ACL for the SSID to allow traffic to the portal. Any ideas?

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: External captive portal on 7210 with AP-225

What role are the users in when the should be being redirected?

 

show rights <role name>


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Occasional Contributor II
Posts: 11
Registered: ‎09-30-2015

Re: External captive portal on 7210 with AP-225

Defaults to Guest. They connect, get an IP, but when i open a browser and try to go to www.something.com nothing happens. I have an ACL to allow traffic to the portal.

Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: External captive portal on 7210 with AP-225

Please see the ASE solution here:  (requires Aruba Support Contract)  https://ase.arubanetworks.com/solutions/id/3



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: ‎09-30-2015

Re: External captive portal on 7210 with AP-225

That did the trick for the redirect part, as im now seeing the self service portal. The problem now is that when i click the login-form (the account im using is active and in the clearpass guest manager), i get redirected back to the signup/login-page. I see no entries coming from the controllers in the access tracker. Any clues? This same setup currently works with the Cisco controllers, and i have created a new self-service portal page for Aruba controllers referencing the Aruba VRRP-address in the NAS IP, and pointing to this page on the Aruba controllers. I see that i hit the correct page, but when i log in i get redirected back to the signup/login.

Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: External captive portal on 7210 with AP-225

What is your login page configuration?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: ‎09-30-2015

Re: External captive portal on 7210 with AP-225

Sorry to be a little slow here, but what do you need? Or rather, how do i get the "configuration"? Its set up to use controller-initiated login, NAS IP is 10.20.5.100 as the same as the vrrp address. I have checked add switch ip on the controllers. The weird thing is that when i click log in, i immidately get redirected back to the login/signup page, and no trace of an authentication on the clearpass guest - seems as if the redirect page after clicking login somehow magically ends up with going to 1.1.254.1, which is the nas ip on the Cisco controllers. But I created a new page for Aruba-controllers though, referencing the Aruba NAS IP, and the Aruba page does not once mention the Cisco address - so how is that address still being referenced? Did i inherit something?

Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: External captive portal on 7210 with AP-225

[ Edited ]

You would just screnshot your configuration under "web logins".  Please make sure you have the parameter highlighted below:

weblogin.png



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: ‎09-30-2015

Re: External captive portal on 7210 with AP-225

OK, this is weird - i have no weblogin page, just the two different guest self-registration pages. The users registers themselves and login through the portal. This works fine though with the Cisco controllers, am i missing something here? Does the Aruba method require the weblogin page? I do get to the login page as is - its just the redirect after i hit login that is wrong?

Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: External captive portal on 7210 with AP-225

You have a choice:

 

The end of the Guest Registration Workflow is a login page.  If you create a WEB page, it only involves login.  Let's take a look at your Registration Page:  Edit it and click on the thing that looks like a controller:

cpass-guest-nas.png

That should then bring you to a page like this:

login-page2.png

 

It should look pretty much like this to work on a basic level.  The only reason why it would not work is if you switched out the controller's Web certificate.  If you did, you would have to change the ip address paramter to the fqdn, instead of "securelogin.arubanetworks.com".  When you click on submit, the controller only intercepts the login when that matches its web certificate...  I hope that gets you somewhere...

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: