Wireless Access

Occasional Contributor II
Posts: 13
Registered: ‎03-03-2011

Cannot access internet when not authenticated by portal

Hi all,

I have a 650 controller running version 6.1.2.4.

I have two SSIDs:

- SSID "Guest", authenticated by captive portal. It works well.

- SSID "Employee", authenticated by 802.11.

If a client connects via SSID "Guest", it can access the internet fine.

If a client connects via SSID "Employee", the client can only ping addresses and cannot access any website or service.

I have attached the config file.

!
!
ap-group "PCST"
virtual-ap "PCST_Employee"
virtual-ap "PCST_Guest"
!
wlan virtual-ap "PCST_Employee"
aaa-profile "employee-aaa"
ssid-profile "ssid-employee"
vlan 1
!
aaa profile "employee-aaa"
dot1x-default-role "employee"
!
user-role employee
access-list session allowall
access-list session v6-allowall
!
user-role logon
access-list session logon-control
access-list session vpnlogon
access-list session v6-logon-control
!
wlan ssid-profile "ssid-employee"
essid "PCST_Employee"
wpa-passphrase ff71bd82d86b29ad5064cfd6632f6e2ea7feee63d72ea7bc

Please help me. Thanks very much.

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Cannot access internet when not authenticated by portal

When you do not authenticate, what role is the user in?  You can type "show rights <role>" to see what ACLs are applied.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 13
Registered: ‎03-03-2011

Re: Cannot access internet when not authenticated by portal

Hi cjoseph,

When not authenticated, I permit all services, as shown below.

Please help me.

(Aruba650) #show rights employee

Derived Role = 'employee'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 45/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
2 v6-allowall

allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4
v6-allowall
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 6

Expired Policies (due to time constraints) = 0

(Aruba650) #show rights logon

Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 vpnlogon
3 v6-logon-control

logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4
v6-logon-control
----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 6
2 any any svc-v6-icmp permit Low 6
3 any any svc-v6-dhcp permit Low 6
4 any any svc-dns permit Low 6

Expired Policies (due to time constraints) = 0

(Aruba650) #

Thanks very much.

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Cannot access internet when not authenticated by portal

Type "show datapath session table <ip address of client>" to see if anything is being blocked.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 13
Registered: ‎03-03-2011

Re: Cannot access internet when not authenticated by portal

Hi cjoseph,

Please check and help me. Thanks very much.

It can only ping the destination address (for example, IP 8.8.8.8).

(Aruba650) #show datapath session table 192.168.1.31

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
192.168.1.31 198.145.13.22 6 61130 80 0/0 0 0 0 tunnel 13 2 FDYC
192.168.1.31 198.145.13.22 6 61131 80 0/0 0 0 0 tunnel 13 1 FDYC
192.168.1.31 224.0.0.252 17 60751 5355 0/0 0 0 0 tunnel 13 3 FDC
123.30.215.12 192.168.1.31 6 80 61018 0/0 0 0 0 1/3 5 FDC
192.168.1.31 8.8.8.8 17 54073 53 0/0 0 0 0 tunnel 13 4 FCI
192.168.1.31 74.125.142.125 6 61126 5222 0/0 0 0 0 tunnel 13 4 FDYC
192.168.1.31 74.125.142.125 6 61127 5222 0/0 0 0 0 tunnel 13 3 FDYC
192.168.1.31 123.30.215.12 6 61120 80 0/0 0 0 0 tunnel 13 8 FDYC
192.168.1.31 113.171.253.231 6 61124 443 0/0 0 0 0 tunnel 13 4 FDYC
192.168.1.31 113.171.253.231 6 61125 443 0/0 0 0 0 tunnel 13 4 FDYC
192.168.1.31 8.8.8.8 17 59967 53 0/0 0 0 0 tunnel 13 4 FCI
192.168.1.31 8.8.8.8 17 59708 53 0/0 0 0 1 tunnel 13 f FCI
192.168.1.31 8.8.8.8 17 62387 53 0/0 0 0 0 tunnel 13 2 FCI
8.8.8.8 192.168.1.31 17 53 54073 0/0 0 0 0 tunnel 13 4 FI
192.168.1.31 222.255.27.169 6 61121 80 0/0 0 0 0 tunnel 13 5 FDYC


Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Cannot access internet when not authenticated by portal

Those pings are being denied by a firewall policy.  You need to find out what firewall policy is being applied in that role.

Type "show user" to find the role of the user, then type "show rights <role>" to find out what firewall policies are being enforced in that role.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 13
Registered: ‎03-03-2011

Re: Cannot access internet when not authenticated by portal

Hi cjoseph,

With the firewall policy set to allow all, it runs well for the "employee" SSID.

I must configure the aaa profile "employee-aaa" as below, then it runs:

(PCST) #show aaa profile employee-aaa

AAA Profile "employee-aaa"
--------------------------
Parameter Value
--------- -----
Initial role employee
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group N/A
802.1X Authentication Profile dot1x-employee
802.1X Authentication Default Role employee
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled

(PCST) #

If I change the Initial role from "employee" to "logon", then the client can only ping IP addresses and cannot open a browser.

(PCST) #show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
192.168.1.41 b4:b6:76:1a:78:4f employee 00:00:03 00:1a:1e:c7:d1:96 Wireless PCST_Employee/00:1a:1e:fd:19:68/a employee-aaa tunnel Windows
192.168.1.31 00:16:ea:5e:1c:90 employee 00:00:09 00:1a:1e:c7:ce:34 Wireless PCST_Employee/00:1a:1e:fc:e3:48/a employee-aaa tunnel Windows

User Entries: 2/2

(PCST) #show rights employee

Derived Role = 'employee'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 46/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
2 v6-allowall

allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4
v6-allowall
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 6

Expired Policies (due to time constraints) = 0

(PCST) # show rights logon

Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 vpnlogon
3 v6-logon-control
4 captiveportal6

logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4
v6-logon-control
----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 6
2 any any svc-v6-icmp permit Low 6
3 any any svc-v6-dhcp permit Low 6
4 any any svc-dns permit Low 6
captiveportal6
--------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller6 svc-https captive Low 6
2 user any svc-http captive Low 6
3 user any svc-https captive Low 6
4 user any svc-http-proxy1 captive Low 6
5 user any svc-http-proxy2 captive Low 6
6 user any svc-http-proxy3 captive Low 6

Expired Policies (due to time constraints) = 0

(PCST) #

Thanks very much.
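The two outputs in this thread fit together: the "logon" role's logon-control policy permits ICMP, DNS, DHCP and NAT-T and the vpnlogon policy permits VPN services, while the only captive-portal policy in the role (captiveportal6) is an IPv6 policy, so every other IPv4 flow from the client falls through to the implicit deny, which is the "D" flag on the HTTP, HTTPS and 5222 rows of the datapath session table. The script below is an added example written for this thread (not ArubaOS code and not the poster's): it parses the rule lines as printed by "show rights" and the rows of "show datapath session table", does first-match evaluation of each client-originated flow, and compares the verdict with the datapath's D flag. The mapping of the built-in service aliases (svc-dns, svc-http, ...) to protocol and port is an assumption; confirm it with "show netservice" on the controller.

```python
"""Added example (not ArubaOS code): replay the role policies printed by
'show rights logon' against the client rows of 'show datapath session table'
to show why only ICMP and DNS get through. The alias table is an assumption
about the built-in netservices; check 'show netservice' on the controller."""

import re
from collections import namedtuple

# Assumed definitions of built-in service aliases: (IP protocol, destination port).
# Port None means "any port", i.e. match on protocol only (ICMP, ESP, GRE).
SERVICE_ALIASES = {
    "svc-icmp": (1, None), "svc-dns": (17, 53), "svc-dhcp": (17, 67),
    "svc-natt": (17, 4500), "svc-ike": (17, 500), "svc-esp": (50, None),
    "svc-l2tp": (17, 1701), "svc-pptp": (6, 1723), "svc-gre": (47, None),
    "svc-http": (6, 80), "svc-https": (6, 443), "any": (None, None),
}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

Rule = namedtuple("Rule", "policy src dst proto port action ipver")
Session = namedtuple("Session", "src dst proto sport dport flags")

# Transcribed from the thread's second 'show rights logon' (column headers and
# the v6-logon-control policy omitted for brevity).
LOGON_RIGHTS = """
logon-control
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
vpnlogon
1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4
captiveportal6
1 user controller6 svc-https captive Low 6
2 user any svc-http captive Low 6
"""

# A subset of the thread's 'show datapath session table 192.168.1.31' rows.
SESSION_TABLE = """
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
192.168.1.31 198.145.13.22 6 61130 80 0/0 0 0 0 tunnel 13 2 FDYC
192.168.1.31 224.0.0.252 17 60751 5355 0/0 0 0 0 tunnel 13 3 FDC
123.30.215.12 192.168.1.31 6 80 61018 0/0 0 0 0 1/3 5 FDC
192.168.1.31 8.8.8.8 17 54073 53 0/0 0 0 0 tunnel 13 4 FCI
192.168.1.31 113.171.253.231 6 61124 443 0/0 0 0 0 tunnel 13 4 FDYC
"""


def parse_rights(text):
    """Return rules in evaluation order: policy by policy, then by priority."""
    rules, policy = [], None
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0][0].isdigit():
            if len(t) == 1 and not t[0].startswith("-"):
                policy = t[0]  # policy-name heading such as 'vpnlogon'
            continue           # column header or separator row
        action_idx = next(i for i, tok in enumerate(t) if tok in ("permit", "deny", "captive"))
        service = t[3:action_idx]  # either 'svc-xxx' or '<proto> <port>'
        if len(service) == 2:
            proto, port = PROTO_NUMBERS[service[0]], int(service[1])
        else:
            proto, port = SERVICE_ALIASES[service[0]]
        rules.append(Rule(policy, t[1], t[2], proto, port, t[action_idx], int(t[-1])))
    return rules


def parse_sessions(text):
    """Keep data rows only. The Destination column may be two tokens
    ('tunnel 13'), so fixed columns are read from the left, Flags from the right."""
    ipv4 = re.compile(r"^\d+(\.\d+){3}$")
    rows = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and ipv4.match(t[0]):
            rows.append(Session(t[0], t[1], int(t[2]), int(t[3]), int(t[4]), t[-1]))
    return rows


def evaluate(rules, session, client_ip):
    """First-match evaluation for IPv4; falling off the end is the implicit deny."""
    for r in rules:
        if r.ipver != 4:
            continue  # captiveportal6 is an IPv6 policy and never sees IPv4 flows
        if r.src == "user" and session.src != client_ip:
            continue
        if r.proto is not None and r.proto != session.proto:
            continue
        if r.port is not None and r.port != session.dport:
            continue
        return r.action, r.policy
    return "deny", "<implicit deny>"


def explain(rights_text, session_text, client_ip):
    """Map each client-originated flow to (verdict, policy, datapath set 'D')."""
    rules = parse_rights(rights_text)
    verdicts = {}
    for s in parse_sessions(session_text):
        if s.src != client_ip:
            continue  # return traffic is matched by the existing session entry
        verdict, policy = evaluate(rules, s, client_ip)
        verdicts[(s.dst, s.proto, s.dport)] = (verdict, policy, "D" in s.flags)
    return verdicts


if __name__ == "__main__":
    for (dst, proto, dport), (verdict, policy, denied) in explain(LOGON_RIGHTS, SESSION_TABLE, "192.168.1.31").items():
        print(f"{dst}:{dport}/{proto} -> {verdict} ({policy}); datapath D flag: {denied}")
```

Run against the transcribed data, every flow the evaluator denies is exactly a row the datapath marked with "D", and the one it permits (UDP 53 to 8.8.8.8, via logon-control) is the row without it; an ICMP echo would likewise be permitted by svc-icmp, which matches the poster's symptom of ping working while browsing does not. The same first-match logic is why a role is only as permissive as the first rule that matches a flow, so when a client lands in "logon" the fix is not to widen that role but to find out why the client is not being moved to the post-authentication role.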
