Wireless Access

Reply
Contributor II

Captive Portal not Pop-up

Hi all,

I have a problem with Captive portal on Aruba7210), Version 6.5.1.

I've configured a Guest SSID on controller intergate with Clearpass guest. When I access the SSID there is no Popup for the captive portal even though i can revice ip, dhcp, dns and able to access to login page via web browser.

 

Any one can help me fix this issue ?

Many thanks for help

Re: Captive Portal not Pop-up

Maybe try setting the initial role in your AAA profile to Guest_Logon?

 


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Contributor II

Re: Captive Portal not Pop-up

Hi JR,

i've tried it before, but it still not work. I think that "initial role" will be used if client fail authentication, but my client has their ip, dns from dhcp server. So i don't think i have problem with that role ;(

Re: Captive Portal not Pop-up

Ok, so you're trying to do 802.1X authentication and then captive portal authentication?

That's not a recommended setup. Why do you want to authenticate your users twice?


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Contributor II

Re: Captive Portal not Pop-up

Hi James,

My target is captive portal authentication using user on Clearpass (I've already created an "Open"SSID) . I think that my controller need to point to Clearpass via one of method to perform captive portal, so i'm trying to do with both 802.1x and Mac auth .

Am i right or wrong ? If i wrong, could you please explain to me clearly and let me know an example about what i need?

Many thanks for help.


@wrote:
Ok, so you're trying to do 802.1X authentication and then captive portal authentication?

That's not a recommended setup. Why do you want to authenticate your users twice?


 

Guru Elite

Re: Captive Portal not Pop-up

You need a number of things:

1.  Your client needs to be able to resolve DNS

2.  Your guest VLAN on the controller needs an ip address

3.  you need a command "ip cp-redirect-address <ip of vlan on guest network>" on the controller

4.  You need a AAA profile that has an initial role that has the Captive Portal ACL.

5.  The ACL in the role in step 4 needs a line that permits all traffic to the ip address of the ClearPass server

6.  The intial role in step 4 should have a Captive Portal Profile configured.

7.  The Captive Portal authentication profile in step 6 should have the URL of the ClearPass server login page in the "Login Page" parameter as "http://clearpass server login page URL" or "https://<clearpass server login page URL"

 

Here is how it should work:

 

1.  Client gets an ip address, dns server and dhcp server.  The client ends up in the "inital role" for the AAA profile that has the Captive Portal ACL.

2.  Client Opens browser, resolves DNS, and attempts to open a http or https page.

3.  The controller sees that the client is in a role that has the captive portal acl and looks to see what Captive Portal authentication profile is attached to that role.

4.  The Controller redirects the client's browser to the http or https URL in the "login page" parameter in the Captive Portal authentication profile.

 

I skipped some detail, but check everything to make sure it is in place.  The initial role is indeed used to put the user in a role that has the Captive Portal ACL to redirect the user's traffic to bring up the Captive Portal page.  In other authentication methods, the initial role is where the user ends up, after failure, but in Captive Portal it is used to deliver the Captive Portal ACL to the user.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: Captive Portal not Pop-up

Hi Colin,
Thanks for your response, could you please clarify more about these thing?
1. Your client needs to be able to resolve DNS (Does my client needs DNS as the Controller's ip address ?)
2. Your guest VLAN on the controller needs an ip address (That mean my controller need an ip address even though the gateway of Guest VLAN is placed on the Core Switch?)

 

I'm very appreciate for your help

Guru Elite

Re: Captive Portal not Pop-up

1.  No.  The client can use any DNS server.

2.  Correct.  The VLAN of the guest network needs an ip address on the controller.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: Captive Portal not Pop-up

Hi Colin,

I've already configured as your comments above, but it still not work, please see them in attachments. Captive portal still not pop-up

1.  Your client needs to be able to resolve DNS.  Done: 

2.  Your guest VLAN on the controller needs an ip address . Done 

3.  you need a command "ip cp-redirect-address <ip of vlan on guest network>" on the controller . Done :My clearpass ip is 172.23.3.168

4.  You need a AAA profile that has an initial role that has the Captive Portal ACL. Done

5.The ACL in the role in step 4 needs a line that permits all traffic to the ip address of the ClearPass server . Done: i have a line that permits any traffic

6.The intial role in step 4 should have a Captive Portal Profile configured. Done

7.The Captive Portal authentication profile in step 6 should have the URL of the ClearPass server login page in the "Login Page" parameter as "http://clearpass server login page URL" or "https://<clearpass server login page URL" .Done

Guru Elite

Re: Captive Portal not Pop-up

#3, the ip address needs  to be the ip address of the VLAN on the controller, NOT clearpass..



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: