01-10-2012 05:05 AM
My customer uses captive portal authentication on 3600.
The authentication login page is displayed when HTTP packets are detected by the controller.
But we stop this web redirect because it temporarily affects the load on the controller.
Instead, the customer wants to put the server's IP address manually on their PC and display the authentication page manually.
Can we stop this web redirect on the controller?
Actually, they use wired authentication, not wireless.
01-10-2012 05:37 AM
Just to clarify..
Do you want to prevent the controller from showing the Captive Portal?
Or to prevent the redirect that happens after authentication to the original webpage the user wanted to go to?
And - do you have performance issues on the Controller since you want this?
-ACMX #316 :: ACCP-
Intelecom - Norway
01-10-2012 06:26 AM
Appreciate your quick response.
>>Do you want to prevent the controller to show the Captive Portal?
Yes, I want the controller not to show the captive portal login page.
>>And - do you have performance issues on the Controller since you want this?
That is because we have a performance issue. Some clients create many https for some reason and now the controller redirects all those packets, therefore they receive much load. I want to prevent this ASAP on the controller side.
01-10-2012 06:33 AM
In the initial role, you should have an ACL that looks something like:
any any svc-http dst-nat
any any svc-https dst-nat
If you remove those rules, the controller won't automatically intercept http/https requests. You would have to use the URL "securelogin.arubanetworks.com/auth/index.html" (if you use a custom cert, change "securelogin.arubanetworks.com" to the device name in your cert) to get the client to view the captive portal page.
You will also have to add a rule that allows the user to talk to the controller's "controller-ip" so that the page can be displayed. You can get the controller-ip from the command "show controller-ip", assuming you are running a fairly new ArubaOS.
01-10-2012 07:07 AM
>>a rule that allows the user to talk to the controllers "controller-ip" so that the page can be displayed.
If clients are on a different subnet from the controller-ip, let's say, what rules should I add? Do I have routing?
01-10-2012 07:18 AM
In the pre-login role, add these rules:
any host x.x.x.x svc-http dst-nat
any host x.x.x.x svc-https dst-nat
x.x.x.x = the IP address of the controller from "show controller-ip".
That way, when you put in the URL in the client browser, you can do http://x.x.x.x (same IP as above) and the client should be redirected to the login page. If you put http://www.google.com (or any other URL) in the browser, you should NOT get the login page.
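Added illustration, not part of any post in this thread and not ArubaOS code: a simplified first-match model of the two rule sets quoted above, showing which client flows get dst-nat'ed to the captive portal under each. The IP addresses and the flow list are constructed, and the rule parser only covers the rule shapes that appear in the thread.

```python
import ipaddress

# Ports behind the two service aliases named in the thread.
SERVICES = {"svc-http": 80, "svc-https": 443}

CONTROLLER_IP = "192.0.2.10"      # constructed stand-in for x.x.x.x
OTHER_SERVER = "198.51.100.20"    # constructed external web server

# Rule sets as written in the thread (source is always "any" there).
ORIGINAL = ["any any svc-http dst-nat", "any any svc-https dst-nat"]
RESTRICTED = [f"any host {CONTROLLER_IP} svc-http dst-nat",
              f"any host {CONTROLLER_IP} svc-https dst-nat"]

# Constructed client flows: (destination IP, destination TCP port).
FLOWS = [(OTHER_SERVER, 80), (OTHER_SERVER, 443),
         (CONTROLLER_IP, 80), (CONTROLLER_IP, 443)]


def parse_rule(line):
    """Parse 'any <any | host A.B.C.D> <service> <action>'."""
    tokens = line.split()
    if tokens.pop(0) != "any":
        raise ValueError("model only supports source 'any'")
    dst = tokens.pop(0)
    if dst == "host":
        dst = ipaddress.ip_address(tokens.pop(0))
    elif dst != "any":
        raise ValueError(f"unsupported destination: {dst}")
    service, action = tokens
    return dst, SERVICES[service], action


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first matching rule, or 'no-match'."""
    target = ipaddress.ip_address(dst_ip)
    for dst, port, action in map(parse_rule, rules):
        if port == dst_port and (dst == "any" or dst == target):
            return action
    return "no-match"  # left to whatever other rules the role contains


def intercepted(rules, flows=FLOWS):
    """Flows the controller would dst-nat to its captive portal."""
    return [f for f in flows if evaluate(rules, *f) == "dst-nat"]


if __name__ == "__main__":
    print("original  :", intercepted(ORIGINAL))
    print("restricted:", intercepted(RESTRICTED))
```

With the original rules every HTTP/HTTPS flow is intercepted, which is the load the poster describes; with the host-scoped rules only traffic addressed to the controller is.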