Wireless Access

Reply
New Contributor
Posts: 4
Registered: ‎09-10-2013

Aruba 3200 Controller Web Authentication Disabled

Hello,

 

I've recently taken over a position at this company and I'm unfamiliar with the Aruba product line, so please excuse my ignorance.

 

System

Aruba 3200

OS Version: 3.3.1.3 (Yes I know it's out of date)

 

There's a Guest and an Employee SSID.  Guests go to the Captive Authentication Web Page and the Employee SSID uses AD Authentication through my AD Radius Server.

 

Last week we started getting Web Authentication Disabled when people on the Employee SSID would open their Browsers.  Guests are not able to Authenticate either.

 

I was able to get the Employee SSID working by changing the Employee AAA Profile Role from logon to authenticated, but then that SSID is pretty much wide open now.

 

Again, every AD User trying to Authenticate to the Employee SSID failed until I changed that role.  I thought it may have been a Certificate issue, so I tried to have the Aruba Generate the CSR, but I never got the email.

 

Any help on this at all would be greatly appreciated.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Aruba 3200 Controller Web Authentication Disabled

[ Edited ]

If you go to Configuration > Security > Authentication > L3 Authentication and select your captive portal profile, is "User Login" checked?

 

(Screenshot may look a little different based on version)

user-login.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎09-10-2013

Re: Aruba 3200 Controller Web Authentication Disabled

Thank you for the reply.  No, see below.  However, no one has been into my Controller to have changed any settings like this.  There's only myself and my HD guy.  And he doesn't even know what any of this stuff is.

 

Aruba 01.jpg

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Aruba 3200 Controller Web Authentication Disabled

[ Edited ]

Strange. If you want to use AD credentials, you need to enable User Login and choose a server group that contains your LDAP servers (DCs).

 

You can also use show audit-trail to see what changes were made since the last reload of the controller.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎09-10-2013

Re: Aruba 3200 Controller Web Authentication Disabled

[ Edited ]

I tried that and set the AAA Profile back to logon.

 

Once connected I opened the web browser.  I'm able to browse pages for a few minutes, but when I went to youtube or any other secure site I get the Browser Security Error "This Connection is Untrusted" even if I just go to Google.com

 

EDIT: Also after a perioed of time the Web Authentication Disabled message will come up again.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Aruba 3200 Controller Web Authentication Disabled

The connection is untrusted message is expected behavior because your http session is being redirected to the captive portal. If you click to accept the certificate, does it bring you to the captive portal?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎09-10-2013

Re: Aruba 3200 Controller Web Authentication Disabled

[ Edited ]

No. it usually goes onto to the page or to the WAD error

 

The way this Employee wifi is setup, they use there AD Credentials to connect to the Employee SSID.  Like if they choose CT_WIRELESS it prompts for their AD credentials.

 

The Captive portal only comes up when someone connects to the CT_GUEST.

Guru Elite
Posts: 21,511
Registered: ‎03-29-2007

Re: Aruba 3200 Controller Web Authentication Disabled


minfinger wrote:

No. it usually goes onto to the page or to the WAD error

 

The way this Employee wifi is setup, they use there AD Credentials to connect to the Employee SSID.  Like if they choose CT_WIRELESS it prompts for their AD credentials.

 

The Captive portal only comes up when someone connects to the CT_GUEST.


minfinger,

 

If a role that a user is in contains the Captive Portal ACL, but the role does not have a Captive Portal Authentication profile assigned, that is why a user would be redirected to "Controller Web Authentication Disabled"

 

You production or employee role should NOT have the Captive Portal ACL so that your production users will not see it.  Your Guest initial role should have a Captive Portal authentication profile assigned.

 

To check up on both roles, please go to Configuration> Security> Access Control. 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: