MVP
Posts: 1,392
Registered: ‎11-30-2011

getting Instant External Captive Portal - Authentication Text to work

doubting a little between this and the Instant section, but feels enough like AAA / Guest access.

disclaimer: i'm looking to get External Captive Portal - Authentication Text for Instant to work. any advice to not use it or use something else is appreciated but not needed. this is existing functionality that should work, but getting it to work doesn't appear to be as straightforward as expected, so it got personal :)

when searching for it i find several threads that usually end with people asking for more help because it doesn't work for them. sometimes someone seems to get it working but then they forget to mention how.

the first question is how should the authentication text be provided to the IAP? i see in the previous threads two methods mentioned.

 

1) send it to the IAP, so via a HTTP POST

 

i tried this, with a simple page:

 

 

<html>
<body>
<form name="weblogin_form" method="POST" action="https://securelogin.arubanetworks.com/cgi-bin/login">
        <input type="hidden" name="authenticated" value="authenticated"><br>
        <input type="submit" value="go">
</form>
</body>
</html>


but that doesn't work, the IAP seems to send a TCP RESET directly. when i play around with the parameter and values i can get some errors, so i assume the hostname / uri is fine.

getting only the exact word posted isn't that simple, as the whole system is built to send parameters and values, you quickly end up with a = added, but i assume that doesn't matter.

2) just have it show up on a webpage

tried this in different ways, just showing it on the first page, having to first do a POST to fake successful auth and then show it, but nothing seems to work. the client doesn't pass captive portal and is always redirected to the first page.

the manual can be read to mean both ways in my opinion: Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

so who got this working and wants to provide full details on how to do it?

 

Moderator
Posts: 321
Registered: ‎08-28-2009

Re: getting Instant External Captive Portal - Authentication Text to work


hi Boneyard

External CP is external text only, i.e. there doesn't have to be anything posted back to the IAP, the auth text is just 'text', whether it appears in the body (and not the http header, see below). The presumption is that some auth is happening on the external CP and then it just responds with some token.

 

Consider the following config, where .245 is a linux box with apache + php

 

wlan external-captive-portal lab-cp
 server 192.168.1.245
 port 80
 url "/iap-cp/cp.php"
 auth-text "AUTHZ"
 auto-whitelist-disable
!

The VAP is set to external CP auth. You can use the below php script to test various scenarios, noting that the httpd header one (X-something: AUTHZ) does not work - it is included for completeness.

 

<?php
header("Cache-Control: no-cache");
header("Pragma: no-cache");

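# this doesn't work - included for completeness
# (?? "" avoids an undefined-index notice being printed before the headers when url is absent)
if (preg_match("/smh\.com/", $_GET["url"] ?? "")) {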
  header("X-Aruba-IAP: AUTHZ");
  header("Refresh: 3; http://wired.com/");
}

?>
<html>
<head></head>
<body>
<?php
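  # query parameters the IAP appends to the redirect; default to "" when absent
  $ip = $_GET["ip"] ?? "";
  $url = $_GET["url"] ?? "";
  $ap = $_GET["apname"] ?? "";
  $vc = $_GET["vcname"] ?? "";

# these values come from the client-controlled query string, so HTML-escape them before echoing
echo "CP request from [" . htmlspecialchars($ip, ENT_QUOTES) . "] on VC [" . htmlspecialchars($vc, ENT_QUOTES) . "] / AP [" . htmlspecialchars($ap, ENT_QUOTES) . "] <br>\n";
echo "URL: " . htmlspecialchars($url, ENT_QUOTES) . " <br><br>\n";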

if (preg_match("/cnn\.com/", $url)) {
  echo "<a href=>words words words</a> <br>";
  echo "here is the auth text AUTHZ<br>\n";
  echo "now browse to some other site <a href=\"http://google.com\">google.com</a><br>\n";
}
else if (preg_match("/abc\.com/", $url)) {
  echo "there is an empty div after this<br>\n";
  echo "<div id=AUTHZ></div>\n";
  echo "now browse to some other site <a href=\"http://slate.com\">slate.com</a><br>\n";
}
else {
  echo "You are stuck in the captive portal..... <br><br>\n";
  echo "go to <a href=\"http://cnn.com\">cnn.com</a> to generate inline cp text<br>\n";
  echo "go to <a href=\"http://smh.com.au\">smh.com.au</a> to generate http header cp text<br>\n";
  echo "go to <a href=\"http://abc.com\">abc.com</a> to generate html element cp text<br>\n";
}
?>
</body>
</html>

and from IAP CLI we can watch the state change from "external cp" to iap-cp

 

android  192.168.1.33  e8:50:8b:11:11:11  Android  iap-cp      18:64:72:22:22:22  60+      AN    External CP  0(poor)   0(poor)

android  192.168.1.33  e8:50:8b:11:11:11  Android  iap-cp      18:64:72:22:22:22  60+      AN    iap-cp  22(good)  162(good)

 

my contrived checking of the URL could be a database lookup, a form that posts more info to the external CP server (make sure to whitelist), time of day check etc.

 

regards

-jeff
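
Added example, not part of jeff's post and not Aruba code: a variant of cp.php in which the URL check is replaced by the form-based check the post suggests, so the auth text is written only after a server-side credential check and reflected query parameters are escaped and can never carry the auth text into the body themselves. The names `str_param`, `reflect`, `voucher_ok`, `render` and `$VOUCHERS` are hypothetical, the account is constructed sample data, and it is assumed that the IAP inspects the body of the POST response the same way it inspects the GET response.

```php
<?php
// Added example, not from the thread. AUTH_TEXT must equal the "auth-text" value
// in the IAP profile; the account below is constructed sample data.
const AUTH_TEXT = "AUTHZ";
$VOUCHERS = ["guest" => password_hash("constructed-sample-voucher", PASSWORD_DEFAULT)];

// Return a request parameter only if it is a plain string (rejects user[]=... arrays).
function str_param(array $src, string $key): string {
    return is_string($src[$key] ?? null) ? $src[$key] : "";
}

// Escape a value before reflecting it, and refuse any value that already
// contains the auth text so reflected input cannot place it in the body.
function reflect(string $v): string {
    if (stripos($v, AUTH_TEXT) !== false) {
        return "[filtered]";
    }
    return htmlspecialchars($v, ENT_QUOTES, "UTF-8");
}

// True only when the posted user/voucher pair matches a stored hash.
function voucher_ok(array $vouchers, string $user, string $voucher): bool {
    return isset($vouchers[$user]) && password_verify($voucher, $vouchers[$user]);
}

// Build the page body; the auth text is written on the success branch only.
function render(array $get, array $post, array $vouchers): string {
    $body = "CP request from [" . reflect(str_param($get, "ip")) . "]<br>\n"
          . "URL: " . reflect(str_param($get, "url")) . "<br><br>\n";
    if (voucher_ok($vouchers, str_param($post, "user"), str_param($post, "voucher"))) {
        return $body . "<div id=\"" . AUTH_TEXT . "\"></div>\nlogin ok, now browse to another site<br>\n";
    }
    // No action attribute: the form posts back to this URL, query string included.
    return $body . "<form method=\"POST\">\n"
        . "user <input name=\"user\"> voucher <input type=\"password\" name=\"voucher\">\n"
        . "<input type=\"submit\" value=\"go\">\n</form>\n";
}

header("Cache-Control: no-cache");
header("Pragma: no-cache");
echo "<html>\n<head></head>\n<body>\n" . render($_GET, $_POST, $VOUCHERS) . "</body>\n</html>\n";
```

In a real deployment the voucher hashes would be stored rather than computed per request.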

 

 

 

 

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: getting Instant External Captive Portal - Authentication Text to work

thanks jeff, if i find some time i'll try this and give it a go.

 

then go back on all threads on this and post the actual solution :)
