Frequent Contributor I
Posts: 177
Registered: ‎05-18-2011

Access Captive Portal using Mozilla Firefox - OCSP

Unable to access the Aruba captive portal using Mozilla Firefox. I have added all of the OCSP hosts to the policy (ACL) and applied the policy to the logon initial role, but it doesn't work.

 

Below is the OCSP host list that I added:


If I disable HTTPS for the captive portal web page, the laptop is able to access the captive portal using Mozilla Firefox, but when I enable HTTPS again the captive portal is not accessible in Mozilla Firefox.

 

Please advise.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Access Captive Portal using Mozilla Firefox - OCSP

SSH into the controller on which you are having the problem.

 

Find the client ip and do a "show datapath session table <client's ip address>" to see what port 80 traffic is being denied.  This is my output here:

 

(host) #show datapath session table 192.168.1.192

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags 
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
192.168.1.192   8.8.8.8         17   54242 53     0/0     0 96  1   tunnel 24   2    FSCI
192.168.1.192   10.2.1.226      6    49195 443    0/0     0 96  1   tunnel 24   18   FNCI
192.168.1.192   10.2.1.226      6    49196 443    0/0     0 96  0   tunnel 24   e    FNCI
192.168.1.192   10.2.1.226      6    49197 443    0/0     0 96  0   tunnel 24   4    FNCI
192.168.1.192   199.66.201.169  6    49199 80     0/0     0 96  0   tunnel 24   2    FDY  <---------------------
192.168.1.3     192.168.1.192   6    8081  49196  0/0     0 96  1   tunnel 24   e    FSI
192.168.1.3     192.168.1.192   6    8081  49197  0/0     0 96  0   tunnel 24   4    FSI
192.168.1.3     192.168.1.192   6    8081  49198  0/0     0 96  0   tunnel 24   2    SI
192.168.1.3     192.168.1.192   6    8080  49199  0/0     0 96  0   tunnel 24   2    FS
192.168.1.3     192.168.1.192   6    8081  49195  0/0     0 96  1   tunnel 24   18   FSI

 As you can see, my client's port 80 traffic is being denied to 199.66.201.169.

 

Do an "nslookup" on the command line for that IP address to see if it is an OCSP or CRL URL:

 

Host:~ colinjoseph$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> 199.66.201.169
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
169.201.66.199.in-addr.arpa	name = ocsp.usertrust.com.

 Since it is an OCSP URL, I would add the 199.66.201.169 address to your netdestination, and that should fix it for now.

 

 

 

 If this is ArubaOS 6.x and above, I would add the name ocsp.usertrust.com to the netdestination you are using:

 

netdestination usertrust
  name ocsp.usertrust.com

Please make sure that ip domain-lookup is on and you have a dns server defined, if this is 6.x and you are using the named netdestination:

 

config t
ip domain lookup
ip domain-name test.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2

If you are configuring the ip domain-lookup above, you can ignore the message that you need to reboot.

 

 Test to make sure your domain lookup is working by pinging a url (once again, ONLY if you are using ArubaOS 6.x and above):

 

(3600 controller) # ping www.zdnet.com
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 216.239.116.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 61.783/63.033/63.654 ms

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
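Added example (not part of the original posts and not Aruba code): a small Python parser for the `show datapath session table` output shown above that lists the client's TCP port 80 flows carrying the D (deny) flag, which are the candidates to check with a reverse lookup for OCSP or CRL hosts. The function names are hypothetical, the sample rows are copied from the post, and treating the last all-uppercase token as the Flags column is an assumption about the layout.

```python
import re
import socket

# Rows copied from the session table in the post above (subset).
SAMPLE = """\
192.168.1.192   8.8.8.8         17   54242 53     0/0     0 96  1   tunnel 24   2    FSCI
192.168.1.192   10.2.1.226      6    49195 443    0/0     0 96  1   tunnel 24   18   FNCI
192.168.1.192   199.66.201.169  6    49199 80     0/0     0 96  0   tunnel 24   2    FDY  <---------------------
192.168.1.3     192.168.1.192   6    8080  49199  0/0     0 96  0   tunnel 24   2    FS
"""

# Source IP, destination IP, protocol, source port, destination port, then the rest.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$"
)

def parse_sessions(text):
    """Return one dict per session row; legend, header and separator lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst, proto, sport, dport, rest = m.groups()
        # Drop hand-drawn "<-----" annotations such as the one in the post.
        tokens = [t for t in rest.split() if not t.startswith("<-")]
        # Assumption: Flags is the last token and is all uppercase letters;
        # a row with no flags ends in the TAge value instead.
        flags = tokens[-1] if tokens and re.fullmatch(r"[A-Z]+", tokens[-1]) else ""
        sessions.append({"src": src, "dst": dst, "proto": int(proto),
                         "sport": int(sport), "dport": int(dport), "flags": flags})
    return sessions

def denied_flows(text, client_ip, proto=6, dport=80):
    """Flows from client_ip to the given protocol/port that carry the D (deny) flag."""
    return [s for s in parse_sessions(text)
            if s["src"] == client_ip and s["proto"] == proto
            and s["dport"] == dport and "D" in s["flags"]]

def reverse_name(ip):
    """PTR lookup, as done with nslookup in the post; None if it cannot be resolved."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE, "192.168.1.192"):
        print(flow["dst"], flow["flags"], reverse_name(flow["dst"]))
```
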

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Access Captive Portal using Mozilla Firefox - OCSP

It's probably going to end up being the CRL address that needs to be added.
Thanks,

Zach Jennings
Frequent Contributor I
Posts: 177
Registered: ‎05-18-2011

Re: Access Captive Portal using Mozilla Firefox - OCSP

The problem is already solved. Thanks for your help. But I have a minor issue with the Firefox browser: before Firefox is able to go to the captive portal, it pops up a window 3 times about "Secure Connection Failed". When it pops up I have to click Cancel, and then it goes to the captive portal.

 

Please find the attached screen capture below.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Access Captive Portal using Mozilla Firefox - OCSP

Please open the browser initially to a non-secure (non-SSL) site for the captive portal.  It looks like you are opening the browser to an SSL Yahoo site, and then the controller is redirecting you to a different one, so to the browser, it looks like an attack.  Open www.yahoo.com instead and see if that works.

 



Colin Joseph
Aruba Customer Engineering
