Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

getting Instant External Captive Portal - Authentication Text to work

  • 1.  getting Instant External Captive Portal - Authentication Text to work

    Posted Jul 15, 2015 02:32 PM

    doubting a little between this and the Instant section, but feels enough like AAA / Guest access.

    disclaimer: i'm looking to get External Captive Portal - Authentication Text for Instant to work. any advice to not use it or use something else is appreciated but not needed. this is existing functionality that should work, but getting it to work doesn't appear to be as straightforward as expected, so it got personal :)

    when searching for it i find several threads that usually end with people asking for more help because it doesn't work for them. sometimes someone seems to get it working but then they forget to mention how.

    the first question is how should the authentication text be provided to the IAP? i see in the previous threads two methods mentioned.

     

    1) send it to the IAP, so via an HTTP POST

     

    i tried this, with a simple page:

     

     

    <html>
    <body>
    <form name="weblogin_form" method="POST" action="https://securelogin.arubanetworks.com/cgi-bin/login">
            <input type="hidden" name="authenticated" value="authenticated"><br>
            <input type="submit" value="go">
    </form>
    </body>
    </html>


    but that doesn't work, the IAP seems to send a TCP RESET directly. when i play around with the parameters and values i can get some errors, so i assume the hostname / uri is fine.

    getting only the exact word posted isn't that simple, as the whole system is built to send parameters and values, you quickly end up with a = added, but i assume that doesn't matter.

    2) just have it show up on a webpage

    tried this in different ways, just showing it on the first page, having to first do a POST to fake successful auth and then show it, but nothing seems to work. the client doesn't pass captive portal and is always redirected to the first page.

    the manual can be read to mean both ways in my opinion: Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

    so who got this working and wants to provide full details on how to do it?

     



  • 2.  RE: getting Instant External Captive Portal - Authentication Text to work

    EMPLOYEE
    Posted Jul 19, 2015 04:42 AM

    hi Boneyard

    External CP is external text only, i.e. there doesn't have to be anything posted back to the IAP, the auth text is just 'text', whether it appears in the body (and not the http header, see below). The presumption is that some auth is happening on the external CP and then it just responds with some token.

     

    Consider the following config, where .245 is a linux box with apache + php

     

    wlan external-captive-portal lab-cp
     server 192.168.1.245
     port 80
     url "/iap-cp/cp.php"
     auth-text "AUTHZ"
     auto-whitelist-disable
    !

    The VAP is set to external CP auth. You can use the below php script to test various scenarios, noting that the httpd header one (X-something: AUTHZ) does not work - it is included for completeness.

     

    <?php
    header("Cache-Control: no-cache");
    header("Pragma: no-cache");

    # this doesn't work - included for completeness
    if (isset($_GET["url"]) && preg_match("/smh\.com/", $_GET["url"])) {
      header("X-Aruba-IAP: AUTHZ");
      header("Refresh: 3; http://wired.com/");
    }

    ?>
    <html>
    <head></head>
    <body>
    <?php
      # query parameters of the captive portal request; default to "" when absent
      # and HTML-escape anything that is echoed back into the page
      $ip = htmlspecialchars(isset($_GET["ip"]) ? $_GET["ip"] : "");
      $url = isset($_GET["url"]) ? $_GET["url"] : "";
      $ap = htmlspecialchars(isset($_GET["apname"]) ? $_GET["apname"] : "");
      $vc = htmlspecialchars(isset($_GET["vcname"]) ? $_GET["vcname"] : "");

    echo "CP request from [$ip] on VC [$vc] / AP [$ap] <br>\n";
    echo "URL: " . htmlspecialchars($url) . " <br><br>\n";

    # auth text inline in the body
    if (preg_match("/cnn\.com/", $url)) {
      echo "<a href=>words words words</a> <br>";
      echo "here is the auth text AUTHZ<br>\n";
      echo "now browse to some other site <a href=\"http://google.com\">google.com</a><br>\n";
    }
    # auth text as an html element attribute
    else if (preg_match("/abc\.com/", $url)) {
      echo "there is an empty div after this<br>\n";
      echo "<div id=AUTHZ></div>\n";
      echo "now browse to some other site <a href=\"http://slate.com\">slate.com</a><br>\n";
    }
    # no auth text: the client stays in the captive portal
    else {
      echo "You are stuck in the captive portal..... <br><br>\n";
      echo "go to <a href=\"http://cnn.com\">cnn.com</a> to generate inline cp text<br>\n";
      echo "go to <a href=\"http://smh.com.au\">smh.com.au</a> to generate http header cp text<br>\n";
      echo "go to <a href=\"http://abc.com\">abc.com</a> to generate html element cp text<br>\n";
    }
    ?>
    </body>
    </html>

    and from IAP CLI we can watch the state change from "external cp" to iap-cp

     

    android  192.168.1.33  e8:50:8b:11:11:11  Android  iap-cp      18:64:72:22:22:22  60+      AN    External CP  0(poor)   0(poor)
    
    android  192.168.1.33  e8:50:8b:11:11:11  Android  iap-cp      18:64:72:22:22:22  60+      AN    iap-cp  22(good)  162(good)
    

     

    my contrived checking of the URL could be a database lookup, a form that posts more info to the external CP server (make sure to whitelist), time of day check etc.

     

    regards

    -jeff
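
Added example, not part of the original posts and not Aruba code: the same kind of portal page with the contrived URL check replaced by a login form, so the auth text is written into the body only after a credential check succeeds. Assumptions: `AUTH_TEXT` matches the `auth-text` value in the config above, the `guest` account and its password are constructed sample data, and the IAP inspects this response body the same way it inspects the responses of the test script.

```php
<?php
// Added example. AUTH_TEXT must equal the auth-text configured on the IAP (assumed "AUTHZ" as above).
const AUTH_TEXT = "AUTHZ";

// Constructed sample account. A real portal stores password_hash() output in a user
// store and only calls password_verify() at login (PHP >= 5.5).
$users = array("guest" => password_hash("constructed-sample-password", PASSWORD_DEFAULT));

header("Cache-Control: no-cache");
header("Pragma: no-cache");

$tried = ($_SERVER["REQUEST_METHOD"] === "POST");
$ok = false;
if ($tried) {
    $user = isset($_POST["user"]) ? (string)$_POST["user"] : "";
    $pass = isset($_POST["pass"]) ? (string)$_POST["pass"] : "";
    // password_verify() compares against the stored hash in constant time
    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);
}
?>
<html>
<head></head>
<body>
<?php if ($ok): ?>
  <!-- success branch: the only place the auth text is ever written to the body -->
  <p>Login accepted. <?php echo AUTH_TEXT; ?></p>
  <p>Now browse to some other site.</p>
<?php else: ?>
  <!-- pre-login branch: fixed content only, nothing from the request is echoed here -->
  <p>You are in the captive portal. Log in to continue.</p>
  <?php if ($tried): ?><p>Login failed.</p><?php endif; ?>
  <!-- no action attribute: the form posts back to this same page -->
  <form method="POST">
    <input type="text" name="user">
    <input type="password" name="pass">
    <input type="submit" value="log in">
  </form>
<?php endif; ?>
</body>
</html>
```

The lab config above points at port 80, so a form like this sends the password in clear text unless the portal is served over HTTPS.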

     

     

     

     



  • 3.  RE: getting Instant External Captive Portal - Authentication Text to work

    Posted Jul 19, 2015 04:02 PM

    thanks jeff, if i find some time i'll try this and give it a go.

     

    then go back on all threads on this and post the actual solution :)