Occasional Contributor II
Posts: 18
Registered: ‎12-07-2015

Captive Portal Woes


I used the WLAN wizard to create a new guest network.

 

I configured it to use a Captive Portal with no authentication.

 

I have the PFENG license in use.

 

I have a VLAN IP for this guest subnet.

 

I have two controllers (Master, Master-Standby).

 

This guest VLAN is making use of VRRP. So the IP scheme is, as an example, 10.0.100.2/24 (on the primary controller), 10.0.100.3/24 (on the secondary), then both configured to share 10.0.100.1/24 via VRRP.

 

Master controller IP, as an example, is 10.0.1.2. Master-standby is 10.0.1.3. And VRRP for this management VLAN is 10.0.1.4.

 

The ip cp-redirect page is 10.0.1.4.

 

When I connect to this guest SSID with a Captive Portal profile, I get an IP address. The scope is using 8.8.8.8 and 8.8.4.4 for DNS servers.

 

If I try to go to a webpage, it times out. If I try to use nslookup, it times out. If I do http://1.1.1.1 it'll load the Captive Portal page, then redirect and time out.

 

I've deleted and recreated this SSID multiple times to no avail.

 

What am I missing at this point? Why is DNS timing out? All of the local policies in use via the WLAN wizard allow FULL icmp, dns, dhcp, etc. DHCP seems to work, but DNS will not.

Aruba Employee
Posts: 151
Registered: ‎02-14-2013

Re: Captive Portal Woes

Hi,


1. Are you able to ping the DNS server IP from the client?
2. Check the output of "# show rights <User-role-of-client>"
3. Check the output of "# show datapath session table <DNS-Server-IP> | include <Client-IP>"


This should help, I guess.


Thanks,
Rajaguru Vincent

 

Occasional Contributor II
Posts: 18
Registered: ‎12-07-2015

Re: Captive Portal Woes


Hi Rajaguru,

 

Thanks for the reply - I'll have to get another device for testing to see those commands.

 

For now:

1. Are you able to ping the DNS server IP from the client? NO (to be fair, I can't ping the DHCP server either, but my client still gets an IP...)
2. Check the output of "# show rights <User-role-of-client>" IN PROGRESS
3. Check the output of "# show datapath session table <DNS-Server-IP> | include <Client-IP>" IN PROGRESS

 

Thanks again - I'll be replying shortly,

Josh

Aruba Employee
Posts: 151
Registered: ‎02-14-2013

Re: Captive Portal Woes

Hi,


If ICMP is not blocked in your network, do a tracert to the DNS server IP and check where it is getting dropped. Without DNS, captive portal may not work.


Thanks,
Rajaguru Vincent 

Occasional Contributor II
Posts: 18
Registered: ‎12-07-2015

Re: Captive Portal Woes

It is not blocked. When I do a traceroute, it stops at the first hop (Aruba mobility controller).

 

Here's the datapath session info:

 

10.11.104.12    8.8.8.8         17   51670 53     0/0     0    0   1   tunnel 190  1c   3          216        FCI
8.8.8.8         10.11.104.12    17   53    60931  0/0     0    0   0   tunnel 190  8    3          216        FI
10.11.104.12    8.8.8.8         17   63541 53     0/0     0    0   0   tunnel 190  8    3          216        FCI
10.11.104.12    8.8.8.8         17   58586 53     0/0     0    0   1   tunnel 190  17   3          186        FCI
8.8.8.8         10.11.104.12    17   53    62790  0/0     0    0   1   tunnel 190  18   3          201        FI
8.8.8.8         10.11.104.12    17   53    53885  0/0     0    0   0   tunnel 190  5    2          130        FI
8.8.8.8         10.11.104.12    17   53    50152  0/0     0    0   0   tunnel 190  0    1          139        FI
8.8.8.8         10.11.104.12    17   53    55066  0/0     0    0   1   tunnel 190  1c   3          795        FI
10.11.104.12    8.8.8.8         17   57429 53     0/0     0    0   0   tunnel 190  10   3          186        FCI
10.11.104.12    8.8.8.8         17   53885 53     0/0     0    0   0   tunnel 190  5    2          130        FCI
10.11.104.12    8.8.8.8         17   59358 53     0/0     0    0   1   tunnel 190  15   3          204        FCI
8.8.8.8         10.11.104.12    17   53    63541  0/0     0    0   0   tunnel 190  8    3          216        FI
8.8.8.8         10.11.104.12    17   53    54267  0/0     0    0   0   tunnel 190  2    1          72         FI
10.11.104.12    8.8.8.8         17   56470 53     0/0     0    0   1   tunnel 190  18   3          210        FCI
10.11.104.12    8.8.8.8         17   64921 53     0/0     0    0   0   tunnel 190  b    3          210        FCI
10.11.104.12    8.8.8.8         17   55066 53     0/0     0    0   1   tunnel 190  1c   3          195        FCI
8.8.8.8         10.11.104.12    17   53    56470  0/0     0    0   1   tunnel 190  18   3          417        FI
8.8.8.8         10.11.104.12    17   53    51670  0/0     0    0   1   tunnel 190  1c   3          216        FI
10.11.104.12    8.8.8.8         17   61136 53     0/0     0    0   1   tunnel 190  d    3          201        FCI
10.11.104.12    8.8.8.8         17   50174 53     0/0     0    0   0   tunnel 190  7    3          201        FCI
8.8.8.8         10.11.104.12    17   53    61136  0/0     0    0   1   tunnel 190  d    3          870        FI
10.11.104.12    8.8.8.8         17   50152 53     0/0     0    0   0   tunnel 190  0    1          70         FCI
8.8.8.8         10.11.104.12    17   53    59358  0/0     0    0   1   tunnel 190  15   3          204        FI
8.8.8.8         10.11.104.12    17   53    60997  0/0     0    0   0   tunnel 190  0    1          65         FI
8.8.8.8         10.11.104.12    17   53    58586  0/0     0    0   1   tunnel 190  17   3          321        FI
8.8.8.8         10.11.104.12    17   53    50174  0/0     0    0   0   tunnel 190  7    3          201        FI
10.11.104.12    8.8.8.8         17   60931 53     0/0     0    0   0   tunnel 190  8    3          216        FCI
10.11.104.12    8.8.8.8         17   54267 53     0/0     0    0   0   tunnel 190  2    1          72         FCI
8.8.8.8         10.11.104.12    17   53    64921  0/0     0    0   1   tunnel 190  b    3          417        FI
10.11.104.12    8.8.8.8         17   62158 53     0/0     0    0   1   tunnel 190  5    2          134        FCI
10.11.104.12    8.8.8.8         17   62790 53     0/0     0    0   1   tunnel 190  18   3          201        FCI
8.8.8.8         10.11.104.12    17   53    57429  0/0     0    0   1   tunnel 190  10   3          321        FI
10.11.104.12    8.8.8.8         17   60997 53     0/0     0    0   0   tunnel 190  0    1          65         FCI
8.8.8.8         10.11.104.12    17   53    62158  0/0     0    0   0   tunnel 190  5    2          134        FI
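
An added example, not part of the thread and not Aruba tooling: a short Python parser for session rows in the layout posted above, listing client flows that carry a deny flag and client flows with no mirrored reverse entry. The column order and the reading of `D` as "deny" are assumptions (the post shows neither a header row nor a flag legend), and the sample rows are constructed.

```python
from collections import namedtuple

Session = namedtuple("Session", "src dst proto sport dport dest packets bytes flags")

# Constructed sample rows in the same layout as the posted output.
# The last row, with a D flag, is invented to exercise the deny check.
SAMPLE = """\
10.11.104.12    8.8.8.8         17   51670 53     0/0     0    0   1   tunnel 190  1c   3          216        FCI
8.8.8.8         10.11.104.12    17   53    51670  0/0     0    0   1   tunnel 190  1c   3          216        FI
10.11.104.12    8.8.8.8         17   62158 53     0/0     0    0   1   tunnel 190  5    2          134        FCI
10.11.104.12    192.0.2.10      6    49152 443    0/0     0    0   0   tunnel 190  3    1          60         FDC
"""


def parse_sessions(text):
    """Parse session rows. Assumed column order: src dst proto sport dport
    cntr prio tos age destination(1+ tokens) tage packets bytes flags."""
    sessions = []
    for line in text.splitlines():
        t = line.split()
        # Shortest valid row: 9 leading fields, 1 destination token, 4 trailing.
        if len(t) < 14 or not all(x.isdigit() for x in t[2:5]):
            continue  # header, separator or truncated row
        if not (t[-3].isdigit() and t[-2].isdigit()):
            continue  # trailing counters missing, e.g. a row without flags
        sessions.append(Session(t[0], t[1], int(t[2]), int(t[3]), int(t[4]),
                                " ".join(t[9:-4]), int(t[-3]), int(t[-2]), t[-1]))
    return sessions


def audit(sessions, client_ip):
    """Return flows originated by client_ip that are flagged deny (assumed
    'D') and flows that have no entry in the opposite direction."""
    keys = {(s.src, s.dst, s.proto, s.sport, s.dport) for s in sessions}
    denied, no_reverse = [], []
    for s in sessions:
        if s.src != client_ip:
            continue
        flow = (s.dst, s.proto, s.dport, s.sport)
        if "D" in s.flags:
            denied.append(flow)
        if (s.dst, s.src, s.proto, s.dport, s.sport) not in keys:
            no_reverse.append(flow)
    return {"denied": denied, "no_reverse": no_reverse}


if __name__ == "__main__":
    print(audit(parse_sessions(SAMPLE), "10.11.104.12"))
```

A reverse entry only shows that the table holds a session in that direction; it does not by itself show that a reply reached the client.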

Occasional Contributor II
Posts: 18
Registered: ‎12-07-2015

Re: Captive Portal Woes

It's stopping at the first hop, which is the VLAN IP of the subnet on the controller (10.0.100.2).

Aruba Employee
Posts: 151
Registered: ‎02-14-2013

Re: Captive Portal Woes

Hi, 

 

It could be because of ACLs. Check "# show rights <User-role-of-client>" and review the ACLs mapped to the user-role. 

 

Thanks, 

Rajaguru Vincent 

Occasional Contributor II
Posts: 18
Registered: ‎12-07-2015

Re: Captive Portal Woes

I don't think so. :/ Seems to be a mobility bug or something.

 

I created a brand new SSID, super basic config. VLAN, VLAN IP, DHCP, allow-all ACL, etc. The client joins, grabs an IP, then dies immediately, even with an ACL allowing everything out.

 

Now, when I ssh into the controller and do a ping and a traceroute from that source interface, it works just fine.

 

For kicks, here's the ACL the client has and its privs:

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'allow-all'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 2
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 70/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                  Type     Location
--------  ----                  ----     --------
1         global-sacl           session
2         apprf-allow-all-sacl  session
3         allowall              session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-allow-all-sacl
--------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit                           Low                                                           4
2         any     any          any-v6                permit                           Low                                                           6

Expired Policies (due to time constraints) = 0

 

Occasional Contributor II
Posts: 18
Registered: ‎12-07-2015

Re: Captive Portal Woes

After much troubleshooting, I decided to open a case. The controller is behaving very oddly.

 

It had a kernel panic this morning and rebooted. Even after, nothing new works. I created another new SSID. Internal. allow-all policy. Wide open. The host will grab an IP, ping the gateway, but do nothing else, even with everything defined as allow all any, etc. Gateway can't ping hosts, but hosts can ping gateway. The whole situation is just very bizarre, since I've done all this kind of configuration many times before on many other controller pairs without issue.

 

Thanks for the help anyway.

Aruba Employee
Posts: 151
Registered: ‎02-14-2013

Re: Captive Portal Woes

Hi, 

 

If there is a kernel panic and other issues, it is really a valid reason to open a TAC case. Please keep us posted with the feedback. 

 

Thanks, 

Rajaguru Vincent 
