Super Contributor II
Posts: 429
Registered: ‎01-19-2011

ip cp-redirect-address

I have a master-local setup with a requirement for users to access a captive on each controller. There is a VRRP address running between the controllers acting as the DG for BYOD clients. My question is - do I configure the ip cp-redirect-address command to use the VRRP address (or the controllers static address) and is this a command that is part of the config that is synced from the master to the local or do I configure it on each individual controller?

Guru Elite
Posts: 20,575
Registered: ‎03-29-2007

Re: ip cp-redirect-address

It is individual for each controller.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 561
Registered: ‎11-28-2011

Re: ip cp-redirect-address

If you're using the "default" captive portal ACL, you don't need to do that.

Captive portal users should get redirected to the "controller" alias (version of code dependent), in the controller that is controlling the AP to which they are attached.

I.e., a user associated with an AP will get redirected to the "controller" alias IP on the relevant controller at the time.

Try "show netdestination" in the controllers to see what this looks like if interested.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 20,575
Registered: ‎03-29-2007

Re: ip cp-redirect-address

the.racking.monkey,

Sort of. By default users of the captive portal are redirected to the management ip address of the controller. In most networks, the admins do NOT want the users to have access to the management ip address or the management address is not routable to guest users. The ip cp-redirect-address command is used to point user captive portal traffic to a different ip address on the controller that IS routable (usually the ip address of the guest VLAN on the controller). The captive portal ACL and the netdestination are independent of this command.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 561
Registered: ‎11-28-2011

Re: ip cp-redirect-address

That's interesting...

I usually don't worry about the "users to have access to the management ip address" part, because the captiveportal ACL redirects to the "magic" port (8081 as per below). And my understanding is the "magic port" doesn't respond to anything other than CP related requests? Therefore, it's not at risk from that perspective (admin abuse). Am I wrong in thinking this?

Also, if the customer queries about DoS attacks etc. against the CP, I tighten this up with stateful-fw thresholds. Again, am I wrong about this?

ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
!

Obviously, everything else RFC1918 I block if that makes sense?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 20,575
Registered: ‎03-29-2007

Re: ip cp-redirect-address

The.racking.monkey,

You might have a guest network with the ip address range 192.168.1.x and the default gateway is a cable modem, 192.168.1.254, and the controller's management ip address is 10.10.10.10. The controller has an ip address of 192.168.1.1 on the guest subnet. By default the guest users will be redirected to the 10.10.10.10 address, but the cable modem does not have a route to 10.10.10.10, so the users will never get the captive portal. The solution is to change the ip cp-redirect-address to 192.168.1.1 so that guest users will be redirected to the routable interface on the controller to bring up the captive portal.

In short, this is the specific situation that the ip cp-redirect-address command is designed to solve.



Colin Joseph
Aruba Customer Engineering
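
The routing scenario in the post above, as an added example that is not part of the original thread: a Python check that flags, per controller, a captive portal redirect address guests cannot reach or one that is still the management address. The controller names, the second controller's addresses and the gateway route list are constructed assumptions.

```python
# Added example, not from the thread. Names and addresses are constructed,
# modelled on the 192.168.1.x / 10.10.10.10 scenario in the post above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional


@dataclass
class Controller:
    name: str
    mgmt_ip: str                       # controller management address
    guest_if: str                      # controller address on the guest VLAN (CIDR)
    cp_redirect: Optional[str] = None  # value of "ip cp-redirect-address", if set


def audit(ctrl: Controller, gateway_routes: List[str]) -> List[str]:
    """Return findings for one controller; an empty list means none.

    gateway_routes: prefixes the guests' default gateway can actually deliver to.
    """
    findings = []
    guest_net = ip_interface(ctrl.guest_if).network
    # Per the thread, guests are redirected to the management IP by default.
    target = ip_address(ctrl.cp_redirect or ctrl.mgmt_ip)
    on_link = target in guest_net
    routed = any(target in ip_network(r) for r in gateway_routes)
    if not (on_link or routed):
        findings.append(f"{ctrl.name}: guests on {guest_net} cannot reach redirect address {target}")
    if target == ip_address(ctrl.mgmt_ip):
        findings.append(f"{ctrl.name}: guests are redirected to the management address {target}")
    return findings


# Constructed master-local pair; the command is configured on each controller.
GATEWAY_ROUTES = ["192.168.1.0/24"]  # cable modem: nothing towards 10.10.10.0/24
CONTROLLERS = [
    Controller("master", "10.10.10.10", "192.168.1.1/24", cp_redirect="192.168.1.1"),
    Controller("local", "10.10.10.11", "192.168.1.2/24"),  # command not set
]


def audit_all() -> List[str]:
    return [f for c in CONTROLLERS for f in audit(c, GATEWAY_ROUTES)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```
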


MVP
Posts: 561
Registered: ‎11-28-2011

Re: ip cp-redirect-address

Hi CJ,

Sure, I appreciate that consideration (routing to redirect IP).

I was probably misunderstanding your point as follows: "the admins do NOT want the users to have access to the management ip address".

What I was asking (off topic), is regardless of the specific IP used for this purpose, my understanding is that port 8081 doesn't respond to anything other than CP related requests? Therefore, it's not at risk from an "admin abuse/attack" point of view? Am I wrong in thinking this?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 20,575
Registered: ‎03-29-2007

Re: ip cp-redirect-address

Try to hit your controller on a wired subnet on port 8081 and see what happens.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 561
Registered: ‎11-28-2011

Re: ip cp-redirect-address

Good shout CJ. You know, I never actually tried that before!

Having tried it, I think I'm right (different browsers interpret it differently of course).

Thanks.

Sorry for hijacking your post MattF!

Kudos appreciated, but I'm not hunting! (ACMX 104)
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: ip cp-redirect-address

No problem - I'm always keen on following a thread - wherever it goes.
