Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAP 204 captive portal access list

  • 1.  IAP 204 captive portal access list

    Posted Oct 29, 2015 04:53 PM

    Hello Team,

     

    I have IAP 204 configured with external captive portal.

    Software: 6.4.2.3

    I am redirected correctly to captive portal, but I do not have access to all the ports of that captive portal. Checking ACL in CLI I can see:

     

    04:bd:88:c3:88:14# show datapath acl 138
    Datapath ACL 138 Entries
    -----------------------
    Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
    S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
    I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
    A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
    K - App Throttle, d - Domain DA
    ----------------------------------------------------------------
    1: any any 17 0-65535 8209-8211 P4
    2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
    3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4
    4: any captive.example.com 6 0-65535 80-80 Pd4
    5: any captive.example.com 6 0-65535 443-443 Pd4
    6: any captive.example.com 6 0-65535 8443-8443 Pd4 hits 76
    7: any any 6 0-65535 80-80 PSD4 hits 42
    8: any any 6 0-65535 8080-8080 PSD4
    9: any any 6 0-65535 443-443 PSD4
    10: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 17 0-65535 67-68 P4
    11: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 17 0-65535 67-68 P4
    12: 172.31.98.0 255.255.254.0 any 17 0-65535 67-68 PS4
    13: any any 17 0-65535 67-68 P4
    14: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 17 0-65535 53-53 P4
    15: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 17 0-65535 53-53 P4
    16: 172.31.98.0 255.255.254.0 any 17 0-65535 53-53 PS4
    17: any any 17 0-65535 53-53 P4 hits 162
    18: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 6 0-65535 8081-8081 P4
    19: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 6 0-65535 8081-8081 P4
    20: 172.31.98.0 255.255.254.0 any 6 0-65535 8081-8081 PS4
    21: any any 6 0-65535 8081-8081 P4
    22: any any any 4 hits 69
     

    So - only ports 80, 443 and 8443 are allowed. I need to add all ports.

    In GUI I have configured in specific Role: "Allow any to all destinations"

     

    How to fix it in CLI?

    Is it some kind of bug/limitation in GUI?

     

    Thanks,

    Michal
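
An added example, not part of the original posts and not Aruba tooling: a small Python parser for the `show datapath acl` output quoted above that reports which entry a given flow hits. It assumes first-match evaluation, treats an entry without the P flag as a deny, and matches `d` (domain) destinations by name only; the client address 172.31.98.50 and port 9000 are constructed values.

```python
import ipaddress
import re

# Subset of entries copied from the `show datapath acl 138` output in the post.
ACL_TEXT = """\
4: any captive.example.com 6 0-65535 80-80 Pd4
5: any captive.example.com 6 0-65535 443-443 Pd4
6: any captive.example.com 6 0-65535 8443-8443 Pd4 hits 76
7: any any 6 0-65535 80-80 PSD4 hits 42
17: any any 17 0-65535 53-53 P4 hits 162
20: 172.31.98.0 255.255.254.0 any 6 0-65535 8081-8081 PS4
22: any any any 4 hits 69
"""

def _addr(tok):
    """Consume one address: 'any', a hostname (flag d), or 'ip mask'."""
    first = tok.pop(0)
    try:
        ip = int(ipaddress.ip_address(first))
    except ValueError:
        return first
    return ip, int(ipaddress.ip_address(tok.pop(0)))

def parse(text):
    rules = []
    for line in text.splitlines():
        num, body = line.split(":", 1)
        tok = re.sub(r"\s+hits \d+$", "", body).split()
        flags = tok.pop()
        src, dst, proto = _addr(tok), _addr(tok), tok.pop(0)
        dport = tuple(map(int, tok[1].split("-"))) if tok else (0, 65535)
        rules.append((int(num), src, dst, proto, dport, flags))
    return rules

def _hit(spec, value):
    if isinstance(spec, tuple):  # ip/mask entry
        try:
            return (int(ipaddress.ip_address(value)) & spec[1]) == (spec[0] & spec[1])
        except ValueError:
            return False  # a hostname is not resolved in this offline model
    return spec in ("any", value)  # wildcard or exact hostname

def first_match(rules, src, dst, proto, dport):
    """Assumption: first match wins; an entry without the P flag denies."""
    for num, s, d, p, (lo, hi), flags in rules:
        if _hit(s, src) and _hit(d, dst) and p in ("any", str(proto)) and lo <= dport <= hi:
            return num, "P" in flags
    return None, False

RULES = parse(ACL_TEXT)
```

`first_match(RULES, "172.31.98.50", "captive.example.com", 6, 9000)` returns `(22, False)`: the flow falls through to the final entry, which carries no P flag, while port 8443 stops at entry 6 with a permit.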



  • 2.  RE: IAP 204 captive portal access list

    EMPLOYEE
    Posted Oct 29, 2015 09:14 PM

    Do you need to allow ports after authentication?  If you allow all ports before authentication, the captive portal will not show up.

     



  • 3.  RE: IAP 204 captive portal access list

    Posted Oct 30, 2015 03:34 AM

    Hi Joseph,

     

    My problem is that I am redirected to captive portal (can see web page) - but also need to connect via different ports (not 80,443,8443) to that portal and those TCP SYN packets to captive portal are being dropped.

    In CLI we do see that while in GUI it looks like all traffic to captive portal should be allowed.

     

    Thanks,