Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

External Captive Portal: Default Role not Applying After Auth

  • 1.  External Captive Portal: Default Role not Applying After Auth

    Posted Jun 22, 2018 09:21 AM

    I have an external captive portal set up for guest wireless with a third-party RADIUS provider on an Aruba mobility controller (ver 6.4.2.3). I have an "identical" setup on an IAP, which was my test environment and whose configuration I'm trying to port over to the mobility controller, but without success.

    I've been able to get redirection to my external captive portal setup, but once authenticated, I get redirected back to the captive portal page, leading me to believe that the preauth role is staying with the user after authentication and not moving to the captive portal default role. I'm trying to figure out if that's the issue and, if so, determine why it's not flipping to the default role, and if not, what other issue with my config I might have that would cause this.

    Here is my config - let me know if you'd like me to produce something else!

    (aruba-1-mht) #show aaa authentication captive-portal guest_wifi
    
    Captive Portal Authentication Profile "guest_wifi"
    -------------------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       guest
    Default Guest Role                                 guest
    Server Group                                       guest_wifi
    Redirect Pause                                     10 sec
    User Login                                         Enabled
    Guest Login                                        Disabled
    Logout popup window                                Enabled
    Use HTTP for authentication                        Disabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Disabled
    Authentication Protocol                            PAP
    Login page                                         https://splash.3rdpartyradius.com/r-f7539-oy2ao-ouyge/
    Welcome page                                       https://www.google.com
    Show Welcome Page                                  No
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         N/A
    Black List                                         N/A
    Show the acceptable use policy page                Disabled
    User idle timeout                                  N/A
    Redirect URL                                       N/A
    Bypass Apple Captive Network Assistant             Disabled
    URL Hash Key                                       N/A
    
    
    
    (aruba-1-mht) #show aaa profile guest_wifi
    
    AAA Profile "guest_wifi"
    -----------------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        GUEST_hidden-guest-logon
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    Download Role from CPPM             Enabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   N/A
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Enabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             guest
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
    PAN Firewall Integration            Disabled
    
    
    (aruba-1-mht) #show aaa authentication-server radius wifi_Primary
    
    RADIUS Server "wifi_Primary"
    --------------------------------
    Parameter                              Value
    ---------                              -----
    Host                                   1.1.1.1
    Key                                    ********
    Auth Port                              8215
    Acct Port                              8216
    Retransmits                            3
    Timeout                                5 sec
    NAS ID                                 8215
    NAS IP                                 N/A
    Enable IPv6                            Disabled
    NAS IPv6                               N/A
    Source Interface                       N/A
    Use MD5                                Disabled
    Use IP address for calling station ID  Enabled
    Mode                                   Enabled
    Lowercase MAC addresses                Disabled
    MAC address delimiter                  none
    Service-type of FRAMED-USER            Enabled
    called-station-id                      ap-name colon disable
    
    
    (aruba-1-mht) #show rights GUEST_hidden-guest-logon
    
    Derived Role = 'GUEST_hidden-guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Web Content Classification: Enabled
     ACL Number = 59/0
     Max Sessions = 65535
    
     Check CP Profile for Accounting = FALSE
     Captive Portal profile = guest_wifi
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                                        Type     Location
    --------  ----                                        ----     --------
    1         global-sacl                                 session
    2         apprf-GUEST_hidden-guest-logon-sacl         session
    3         captiveportal                               session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-GUEST_hidden-guest-logon-sacl
    ------------------------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    captiveportal
    -------------
    Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          svc-dhcp                permit                                 Low                                                           4
    2         any     any          svc-dns                 permit                                 Low                                                           4
    3         any     any          svc-icmp                permit                                 Low                                                           4
    4         user    controller   svc-https               dst-nat 8081                           Low                                                           4
    5         user    any          svc-http                dst-nat 8080                           Low                                                           4
    6         any     wifiacl      any                     permit                                 Low                                                           4
    7         user    any          svc-https               dst-nat 8081                           Low                                                           4




  • 2.  RE: External Captive Portal: Default Role not Applying After Auth

    EMPLOYEE
    Posted Jun 22, 2018 10:27 AM

    You should check the HTML in your "submit". IAP has "authenticate text", which would allow a captive portal page to work where it would break on a normal controller infrastructure. Again, I'm just guessing.

    The Controller internal captive portal html info is here (similar to external):  https://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Captive_Portal/Internal_Captive_Portal.htm?Highlight=external%20captive%20portal



  • 3.  RE: External Captive Portal: Default Role not Applying After Auth

    Posted Jun 22, 2018 11:06 AM

    I think you're on the right track.

    For my IAP config, I have auth-text "" configured, which works perfectly. The external captive portal is handling authentication, really, so if the person is not authenticated, they'd end up back on the captive portal login page. We're doing a sponsored access setup, where someone gets an email with each access request and approves or rejects the access by clicking on a certain link, which sends a URL with a token and an "approve" or "reject" back to the captive portal provider, and the provider, if approved, sends a reply message back to the controller (which is empty, I presume, for auth-text) and the person is redirected to their original URL, or, if rejected, the provider sends nothing back to the controller and redirects the user back to the captive portal login page.

    So, what I'm hoping to figure out is whether I can replicate that auth-text "" command in the controller somehow.... I don't think I'll be able to do anything from the form submit side of things, as the captive portal provider is handling that, and I don't think I can make too many changes to what the provider sends back to the controller. Could I use a custom server rule under my server group to assign the role somehow?



  • 4.  RE: External Captive Portal: Default Role not Applying After Auth

    EMPLOYEE
    Posted Jun 22, 2018 12:32 PM

    If there are no characters between the "" in auth-text, that is probably not a factor; I was just guessing.

    What you could do, if you are using Chrome, is record the client-side data from an Instant authentication vs. a controller authentication to see what is different.

    If you are using Chrome, go to Tools > More Tools > Developer Tools. Click on the Network tab and click on the "Preserve Log" checkbox. You might then be able to see what URLs the client is requesting. It is possible that your Instant APs have a captive portal certificate on them that is referenced by the external captive portal that your controller does not have.



  • 5.  RE: External Captive Portal: Default Role not Applying After Auth

    Posted Jun 28, 2018 08:06 AM

    Thanks for the reply. I was able to run the developer tools to capture the network stream during the authentication process. The third-party RADIUS provider sends back the login credentials to Aruba to initiate the authentication back to the third-party provider (essentially saying here is the username and password to use, now authenticate against the RADIUS servers). What happens is I get hung on the request URL (see below), which then suggests that I need to visit the captive portal to log in.

    Request URL: https://securelogin.arubanetworks.com/auth/index.html/u
    Referrer Policy: no-referrer-when-downgrade
    Provisional headers are shown
    Content-Type: application/x-www-form-urlencoded
    Origin: https://thirdpartyradiusprovider.com
    Referer: https://thirdpartyradiusprovider/url
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
    X-DevTools-Emulate-Network-Conditions-Client-Id: 8FF101E0635EDF716581321AB3641CC8
    user: qy4vemo5
    password: b1gjzot9
    url: https://thirdpartyradiusprovider/url
    cmd: authenticate
    Login: Log In
    mac: mymac
    ip: 192.168.0.177
    essid:guest_test

    At any rate, I'm working with the third-party RADIUS provider to troubleshoot, as it's possible the issue is with them. However, I was wondering, what is the best way to debug this from the mobility controller? I was looking through the available debug commands and wasn't sure which ones I should enable to retrieve some verbose logging on this issue (captive portal, RADIUS auth, etc.)?



  • 6.  RE: External Captive Portal: Default Role not Applying After Auth

    EMPLOYEE
    Posted Jun 28, 2018 08:38 AM
    What authentication store is being used to validate the credentials? In this situation the authentication would certainly go from the controller to the provider. Do you have a RADIUS server defined on the controller that points to the service provider's RADIUS or LDAP server? If yes, the service provider might not have the IP address of the controller whitelisted. It will be difficult to make this work without working with someone on the provider's side.


  • 7.  RE: External Captive Portal: Default Role not Applying After Auth

    Posted Jun 28, 2018 08:54 AM

    We're using the provider's authentication store. Essentially, through their captive portal, we're generating username and password creds that are then stored in their authentication store and sent back to the controller, which then uses them to authenticate the user against the provider's authentication store. We have their RADIUS servers configured on the controller.

    I've reached back out to the provider this morning for further support, as I do think the issue lies with them. I was hoping to gather some debug information from the controller to see where the authentication was failing, but it seems as if the controller isn't receiving the creds from the provider to then do authentication.



  • 8.  RE: External Captive Portal: Default Role not Applying After Auth

    EMPLOYEE
    Posted Jun 28, 2018 08:59 AM
    There is a tab on the controller called Diagnostics. You should do an AAA server test with known good credentials using PAP to see if it passes. If not, you have an issue.


  • 9.  RE: External Captive Portal: Default Role not Applying After Auth

    Posted Jun 28, 2018 10:26 AM

    Thank you!  I overlooked that potential tool about 100 times. That's exactly what I needed.

    So, this is what I'm finding:

    • When I attempt to authenticate against the provider's RADIUS server, it times out. We limit outbound port access, but I have added a rule that matches the source IP of the controller (the master IP and the two physical controllers; we have an HA setup) to the destination address of the RADIUS server and opens up the destination ports needed.
    • I thought that perhaps the controller is using a different source IP than I was anticipating. I noticed that in the RADIUS server configuration I can set the "source interface" via a VLAN ID to choose which source address to use during authentication. I set this to use the VLAN for the IP that I've opened up in the firewall, but still to no avail. I also tried using the VLAN ID for our DMZ/guest network, which has no outbound firewall rules blocking it, but still no go.
    • To make sure everything was working with the provider, I put my workstation in the DMZ and used NTRadPing to test the RADIUS server, and was successful. So the provider's server and the credentials are good.

    The issue lies between our mobility controller and our firewall. It seems that setting the VLAN ID on the RADIUS server does not have the behavior I'd expect; otherwise it should work using the ID of our DMZ and using its interface IP in the DMZ as its source address, which should succeed without any issue, as I've proven above. Does the AAA test server respect the VLAN ID setting in the RADIUS configuration and send the test out that VLAN's interface, or does it default to some global setting? If it defaults to some global setting, what interface would it use by default? We are not using our management interface, and I've successfully tested internal RADIUS servers using the tool.



  • 10.  RE: External Captive Portal: Default Role not Applying After Auth

    Posted Jun 28, 2018 10:41 AM

    I retried the test via CLI with AAA server debugging on, and this is what I'm seeing in the debug logs:

    Jun 28 06:35:28 :199802:  <ERRS> |authmgr|  server_group.c, ncfg_server_getnext:382: Unknown or empty server group "" (method=, user=test)

    I'm using the correct RADIUS server name (as listed in the controller), but that log looks like it can't even find the RADIUS server in the controller config. I tested one of our internal servers that is configured on the controller and it works perfectly.

    EDIT

    I enabled a few other AAA debugs and received more information, which I think shows this as just timing out, like the GUI test shows:

    Jun 28 06:43:37 :121004:  <WARN> |authmgr| |aaa| RADIUS server test1--x.x.x.x-PORT timeout for client=test auth method test-server
    Jun 28 06:43:37 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Del Request: id=3, srv=x.x.x.x, fd=87
    Jun 28 06:43:37 :199802:  <ERRS> |authmgr|  server_group.c, ncfg_server_getnext:382: Unknown or empty server group "" (method=, user=test)


  • 11.  RE: External Captive Portal: Default Role not Applying After Auth

    EMPLOYEE
    Posted Jun 28, 2018 01:18 PM

    If the AAA test is timing out, likely your provider is ignoring the request because it does not know the IP address it is coming from. You need to contact the provider to ensure that the expected IP address and preshared key are correct.

    The timeout message is important. The other messages are not.

    You should type "show ip radius source-interface" to see what VLAN requests are going out on.



  • 12.  RE: External Captive Portal: Default Role not Applying After Auth
    Best Answer

    Posted Jul 02, 2018 08:45 AM

    I'm embarrassed to say that I opened the RADIUS ports for that address for TCP and not UDP. Ugh... Anyway, correcting that firewall rule solved it.

    As a quick side question that is semi-related to this thread: with a virtual controller and IAPs, what source IP would RADIUS (and similar) traffic be sent from?  Would it be the master AP, the virtual controller's IP, or from the IP of the originating AP?  I was planning to dive into some documentation to find out (or add a second IAP to my current one), but thought someone might be able to supply a quicker answer.
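As an added example (not from this thread, NTRadPing, or HPE Aruba), a minimal Python equivalent of the "aaa test-server" / NTRadPing check used above: it builds an RFC 2865 PAP Access-Request, sends it over UDP (the protocol the firewall rule had to allow), and distinguishes a timeout from a reply whose Response Authenticator does not match the shared secret. It also includes the server-side build_response so the verification can be exercised offline; host, port, secret, credentials and the "radius-test" NAS-Identifier are placeholders you supply, and the source address is whatever the OS routing table picks.

```python
import hashlib
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865 used by this tester.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", 11: "Access-Challenge"}


def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to a 16-byte multiple (min 16), XOR each block with
    # MD5(secret + previous block), seeded with the Request Authenticator.
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password, as the server does it with the same shared secret.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, authenticator, user, password, secret, nas_id):
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(resp, request_authenticator, secret):
    # Drop replies whose authenticator was not computed with our shared secret (wrong key or forged).
    length = struct.unpack("!H", resp[2:4])[0]
    return resp[4:20] == hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()


def radius_pap_test(host, port, secret, user, password, nas_id="radius-test", timeout=5.0):
    # One PAP Access-Request over UDP; classify the outcome the way the controller's test does.
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, req_auth, user, password, secret, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply on UDP %d (firewall, source IP or NAS not allowed?)" % port
    if data[1] != ident or not verify_response(data, req_auth, secret):
        return "bad authenticator: reply not signed with our shared secret"
    return CODE_NAMES.get(data[0], "code %d" % data[0])
```

A "timeout" result with a working NTRadPing from another host points at path or source-address issues, as in this thread; a "bad authenticator" result points at a shared-secret mismatch.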



  • 13.  RE: External Captive Portal: Default Role not Applying After Auth

    EMPLOYEE
    Posted Jul 02, 2018 09:33 AM

    If dynamic radius proxy is enabled, then outgoing requests would have the ip address of the virtual controller.  https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/Authentication/Dynamic%20Proxy%20RADIUS.htm?Highlight=dynamic%20radius%20proxy



  • 14.  RE: External Captive Portal: Default Role not Applying After Auth

    Posted Nov 14, 2018 12:36 PM

    Was there a conclusion to this issue?

    We are running into a similar issue where we are using an external captive portal service to authenticate users with the Facebook login service. The external captive portal service works with Instant but we cannot get it to work with a controller implementation.

    If the service is sending back to the Instant VC the following parameters, how do we adjust the controller to work similarly?

    cmd=authenticate
    user={username}
    password={password}
    url={redirect_url}

    Can I create a server rule on the controller under the server group that uses the Reply-Message attribute condition to trigger a role assignment action based on the operand being returned to the controller of authenticate?

    We are using the Chrome developer tool to see the return message and we are seeing authenticate as the message. How do we use this to set a role for the authenticated user?