Security

I'm hoping someone has seen the same issue I've run into now.  I followed the ArubaOS Integration guide for AmigoPod but when connecting a client to the wireless network, I never see the captive portal, the client times out with a page cannot be displayed.  I can resolve DNS and ping to the Internet.  I can also pull up the page of the captive portal manually.

Suggestions anyone?

If you can pull up the page manually thats a good sign and rules out a bunch of things.  Based on these symptoms it must be getting stuck at the redirect, I would check:

- For your "initial-role" do you have the right captive portal profile set

- In that captive portal profile is the right login page set (to point to Amigopod page) and is in the format of "https://<amigopod-ip>/<page-name>.php"?

The initial role does have the correct captive portal set.  Also, the captive portal profile is in the format "https://<amigopod-ip>/pagename.php

If you can open that page direct, and the config is correct, typically this would be a DNS issue, but you state that is working.  Can you post the relevant config (roles, policies, aaa profiles, captive portal profiles, etc) as well as a "show user"?

user-role amigopod-role
 captive-portal "Amigopod-CP"
 access-list session amigopod
 access-list session guest-logon-access

ip access-list session amigopod
  user   alias AmigoPod svc-https permit
  user   alias AmigoPod svc-http permit

aaa authentication-server radius "AmigoPod-Server"
   host "x.x.x.x"
   key c9364ecca4168a429bfdf7725179ea2ef0ddf3aea2f69f32
   nas-identifier "aruba-3200"
   nas-ip y.y.y.y

aaa server-group "amigopod-group"
 auth-server AmigoPod-Server

aaa profile "AmigoPod-AAA"
   initial-role "amigopod-role"
   radius-accounting "amigopod-group"
   rfc-3576-server "x.x.x.x"

aaa authentication captive-portal "Amigopod-CP"
   server-group "amigopod-group"
   redirect-pause 3
   no logout-popup-window
   login-page "https://x.x.x.x/Login_Page.php"
   welcome-page "https://x.x.x.x/Welcome_Page.php"
   no enable-welcome-page
   switchip-in-redirection-url

wlan virtual-ap "amigopod-demo-vap"
   aaa-profile "AmigoPod-AAA"
   ssid-profile "amigopod-ssid-prof"
   vlan 1723

(Aruba3200) #show user

Users
-----
    IP               MAC            Name     Role           Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                       Profile       Forward mode  Type
----------      ------------       ------    ----           ----------  ----  --------  -------            -------   ---------------                       -------       ------------  ----
172.31.254.104  c8:bc:c8:de:d6:ea            amigopod-role  00:00:00                    d8:c7:c8:c3:34:b0  Wireless  reynholm-demo/d8:c7:c8:b3:4b:11/a-HT  AmigoPod-AAA  tunnel        OS X

Also note that I have tested with multiple platforms.  OS X, Windows 7, iPad as well as with Firefox and IE.

I would suggest having a look at the configuration of your initial role. It should include the captiveportal policy entries as shown in the App Note extract below:

user-role "guest-logon"

access-list session "amigopod" position 1

access-list session "captiveportal" position 2

access-list session "guest-logon-access" position 3

access-list session "block-internal-access" position 4

access-list session "v6-logon-control" position 5

access-list session "captiveportal6" position 6

captive-portal "guestnet"

This policy is the one that actually enables the controller to perform the HTTP 302 redirect to the Amigopod landing page defined in your Captive Portal policy.

Hope this helps

Cam.

Which ArubaOS version are U using? Something very similar happened to me with version 5.0.x (I can't remember the exact version) and it got fixed by upgrading to ArubaOS 6.1 (read the release notes If you're going to do this, 'cause you'll probably need to do a 2 step upgrade).

In my case, when I did an nslookup (with an external web portal configured) from the client device I always got the controllers IP address instead of the IP I was trying to resolve. This only happened with an external web portal, not with the internal one. Once I upgraded the SW everything started working as expected.

I'm currently running ArubaOS 6.1.  So far using the document provided in an earlier post as well as the Aruba application note, I haven't gotten any further.  When I do a nslookup I do get the IP of the site requested, not the IP of the controller.

Once your test client has connected to the guest ssid, try doing a show user-table from the CLI and check what initial role the device is in. You need to then make sure the captiveportal policy is listed in this Role similar to my previous post.

Thank you all for your help.  I've gotten one step further and can now get the captive portal redirecting properly to force a login, VLAN associated with the guest wireless was missing an IP.  However, after I login it looks like it's trying to pass credentials to the controller IP but then the browser fails with a message stating the connection was interrupted.

I would suggest checking what IP address or hostname you have configured in the Amigopod Web Login setup. This address will need to be accessible from the guest device based on the VLAN and firewall rules included in your initial role.

TRY this document 

...

Attachment(s)

Aruba Amigopod Integration Cheat Sheet.pdf   2.23 MB 1 version

Try this Document and make sure ur configuration by comparing this guide ......and main point is check the

ip access-list session on captiveportal and make sure u have added the net destination pointed towards amigopod ( adding net- destination is there in configuration > strateful firewall >net -dst )

...

Attachment(s)

Aruba Amigopod Integration Cheat Sheet.pdf   2.23 MB 1 version