Wireless Access

I have a functioning captive portal with logon and authenticated roles correctly working. We supply wpad to clients with DHCP and DNS. Radius is by MS NPS wich returns the user role based on vendor attributes.

 

My issue is with devices that can't do wpad. Andriods, IOS. I need them to explicitly set the proxy server in the wi-fi settings. I can educate our CP users to do this. The problem is that once they set the proxy server the CP logon page doesn't work. If they haven't set the proxy it works fine but they then need to set the proxy to get interent access which is then remembered for that SSID which breaks the CP for them next time they use it.

 

The master controller is 3600 at OS 6.4.3.5. The other 10 local controllers are a mixture all running at same version.

 

I am seeing DNS on the proxy server from the affected client so I don't think DNS is the issue.

Are your users manually setting the proxy server?  ex: proxy address = x.x.x.x, proxy port = 8080?  Or are they using the proxy auto function that iOS & Android support?

I have had some success with iOS by using auto and entering http://xxx.xxx.xxx.xxx/wpad.dat. (Apparently iOS doesn't do DNS resolution for WPAD hence using the IP of the WPAD server).
The Android device I am using for testing doen't support auto detect or adding a URL for a wpad file.

I need to put in xxx.xxx.xxx.xxx:8081 as the proxy address. When I do this it I don't get the CP login screen.

I tried dst-nat'ing tcp 8081 in the log on role to the controller but that doesn't work.

If I revert to using http (not https) for the CP it works fine but I am not about to do that for eveyone.

Unfortunately,

 

Android does not support automatic configuration of a proxy via option 252 or wpad.  https://code.google.com/p/android/issues/detail?id=42696

 

Yes, that is why I am having the andriod users set the proxy server. The issue is that it breaks the captive portal login. I can't get the login page to show.

On the iOS devices that you can use the automatic proxy URL, are you able to hit the captive portal?  If not, I was thinking you could create an exception in the pac file so the request wouldn't go to the proxy and thus force a redirect to the captive portal. For example, bypass "http://yahoo.com" in the proxy pac file; this will result in captive portal redirection.  Of course, you'd want to select something that colleagues wouldn't typically go or else they won't be able to connect to it once logged in since your Internet traffic must traverse a proxy.

 

Curious to know which version of Android you're running?  Automatic proxy URL is available in Marshmallow and Jelly Bean, from the experience I have.

The portal works fine on iOS if we set the URL for the pac file. It is actually auto generated by Microsoft TMG as the proxy so it is wpad.dat not a pac file.

My android phone is Marshmallow. The option to set auto proxy is there but the save button is greyed out.

For the proxy port I tried using 8081 and d-nat'ing any 8081 traffice to the captive portal, <controller ip>:8081 but I get a "Bad Request. Reason: you're speaking plain http to an ssl-enabled port".

What port do you use for your proxy?

He's using TCP 8081 if I'm not mistaken.

---

@dazza wrote:

Yes, that is why I am having the andriod users set the proxy server. The issue is that it breaks the captive portal login. I can't get the login page to show.

---

If you are using port 8081, there is a rule already built in to redirect that successfully for the captive portal.  Please see the article here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-Captive-Portal-with-a-browser-that-uses-a/ta-p/178038

 

Thanks to both of you. I wasn't aware of the dst nat to 8088 rule. I added that to my custom CP logon role and it is now working with a proxy server set.

Awesome! I've never looked too closely at those rules that Colin referred
you to. Glad to learn something along with you.