Wireless Access

Reply
Contributor I
Posts: 23
Registered: ‎09-04-2012

Captive Portal Login Issue

Good Morning AirHeads...

 

Over the weekend we had a disk failure on one of our core servers.  I got it back up and running, but my RADIUS and Certificate services had to be reinstalled and I had to re-issue the certificate for my Aruba 3400 to use for RADIUS.  I was able to do that with th3 802.1x stuff with no problem at all -- everyone who is on our 802.1x WiFi is up and running and happy.

 

However, we have a captive portal that authenticates back to our Active Directory too...  that is not working.  I cannot figure out where to go to find out what the issue is...   Can anyone point me in the right direction for Captive Portal Authentication via Active Directory (RADIUS)?

 

We have an Aruba 3400 controller and the RADIUS server is Windows 2008 R2.

 

Any help is appreciated!  Thanks!

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Captive Portal Login Issue

The servers you are using for Captive Portal authentications is located under Authentication --> Layer 3 --> Captive Portal Authentication Profile --> Select your profile and check what Server Group is being used.  Then confirm this group has the proper RADIUS server in it to reflect your needs.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 23
Registered: ‎09-04-2012

Re: Captive Portal Login Issue

Yes, it does have the correct Server Group listed.

 

 

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Captive Portal Login Issue

If it is the same server, then you know the server and shared secret are working fine.    You should check the logs on the RADIUS server then to see if it is dropping/rejecting the requests from Captive Portal users.   Keep in mind, the request from Captive Portal will be using PAP (or CHAP if you have it set) authentication as compared to PEAP; so your RADIUS policies should reflect this.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 23
Registered: ‎09-04-2012

Re: Captive Portal Login Issue

Hmm... that might be the issue...

 

 

Any pointers on how to do that?   Is that in the certificate itself?

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Captive Portal Login Issue

Nope, should have nothing to do with the certificate.  What RADIUS server are you running?  

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 23
Registered: ‎09-04-2012

Re: Captive Portal Login Issue

Windows 2008 R2 NPAS, seems to work fine with the 802.1x stuff... but I set that up based on Aruba's step-by-step instructions... I don't have a lot of experience with it, so finding my way around is really tough for me.

Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Re: Captive Portal Login Issue

so the proble is not with captive portal page it self, it appears normally ?

 

can you test it 1st with local db. so we can ignore any issue with captive portal configuration causing any type of faults.

 

if every thing is fine, then the next step is the following:

 

is you AD is the same for employee and guests in other words it says authentication successful when you test it from diagnostic window ? if so, then please tell me how many IP addresses configured in your controller, how many gateways and did you check Terminate or not?

 

 

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Captive Portal Login Issue

[ Edited ]

The full configurations will vary depending on how you want the NPS server to respond to the requests.  I typically have customers create two network policies (or more) for this.   

 

**The following are generic recommendations, I do not know what current conditions you have set for your policy are.

 

The first would be for secure 802.1x authentications; which you have confirmed you have working.  

The second would be for captive portal logons.   There would be a couple of changes.  At a minimum, the supported authentication type woudl be PAP, not PEAP/MSCHAPv2 as you have for your secure wireless policy.    If you need to be more restrictive (for example members of only certain groups can use the captive portal page) you can add additional conditions.

 

Again, this is not a detailed setup; but if you duplicate your existing Network Policy and change the supported authentication type, that shoudl get you started....you can then work on firming up your conditions for the policy's application.    If your current secure wireless policy is returning attributes to the controller (user-role or VLAN for example); you may need to remove or alter these to meet your needs.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 23
Registered: ‎09-04-2012

Re: Captive Portal Login Issue

There is 1 IP Address for the controller.  Yes, the Captive Portal page appears -- but access is denied when the user puts a valid username/password in.

 

We have a guest login set up with the internal database on a different SSID that works fine.  It is just something to do with the RADIUS Captive Portal config and the new certificate...

 

How do I test it in the diagnostic window?  I don't know where that is.

 

On the server I get the following error with the Captive portal via RADIUS:


Search Airheads
Showing results for 
Search instead for 
Did you mean: