
PSK then Captive Portal

I am attempting to configure a guest wireless so that users must provide a PSK and, once they have done so, are forced to a captive portal.

I have seen discussions in which people have supposedly made this happen, but the details on how they accomplished this task were scarce.

Any help would be greatly appreciated.

 

My environment:

APs: Controller mode

ClearPass: No

Mobility Controller v: 6.5.4.0


Re: PSK then Captive Portal

Set the initial role in your AAA profile to your captive portal role. Set the 802.1X profile to default-psk.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: PSK then Captive Portal

Tim,

Thanks for the reply! So is there something unique about the default-psk?

I have wpa2-psk-aes enabled in my SSID profile. When I provide that, I am granted the initial role (which contains a captive portal configuration), but the captive portal never comes up. If I set the encryption setting to none/open, then the captive portal comes up.

Re: PSK then Captive Portal

Check what role the user is in when connected to the PSK network and not getting to the captive portal. If it is the same role (with the captive-portal rules and the captive portal profile assigned) as on the open network, and the user is in the same VLAN, it should work.

One thing I noticed is that Windows 10 got an update early this year that broke captive portal on PSK networks. Not sure what the status is today, but it may make sense to test with a device other than Windows 10.


Re: PSK then Captive Portal

No, shouldn't matter. I would open a TAC case. That should be working.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: PSK then Captive Portal

Tim,

I figured it out. My error. I was using the incorrect ACLs that capture and NAT the web traffic to the captive portal interface.

So, for others trying to do this, the initial role of your AAA profile needs to have the following ACLs. Obviously the net objects may be different, but you need to capture the 80 and 443 traffic and NAT it to the controller.

Priority  Source  Destination  Service          Action         Queue  IPv4/6
1         any     any          svc-dns          permit         Low    4
2         any     any          svc-dhcp         permit         Low    4
3         user    any          udp 68           deny           Low    4
4         any     any          svc-icmp         permit         Low    4
5         any     any          svc-natt         permit         Low    4
6         user    any          svc-http         dst-nat 8080   Low    4
7         user    any          svc-https        dst-nat 8081   Low    4
8         user    any          svc-http-proxy1  dst-nat 8088   Low    4
9         user    any          svc-http-proxy2  dst-nat 8088   Low    4
10        user    any          svc-http-proxy3  dst-nat 8088   Low    4
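Putting Tim's answer (initial role = captive portal role, 802.1X profile = default-psk) and the ACL above together, here is the complete ArubaOS 6.x CLI for the PSK-then-portal setup. This is an added example and not configuration posted in the thread; the profile, role and ACL names, the ESSID, the passphrase, the post-login role guest-auth and VLAN 100 are placeholders I chose, and the lines starting with "!" are annotations rather than commands.

```text
! Session ACL for the pre-authentication (logon) role. Only DNS, DHCP, ICMP and
! NAT-T leave the client; HTTP/HTTPS is intercepted and dst-NATed to the
! controller's captive portal listeners (8080, 8081, 8088).
ip access-list session guest-cp-logon
  any any svc-dns permit
  any any svc-dhcp permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-natt permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
!
! Captive portal authentication profile. guest-auth (assumed to exist) is the
! role the user gets after a successful portal login.
aaa authentication captive-portal guest-cp
  default-role guest-auth
!
! Initial role: carries both the captive portal profile and the redirect ACL.
! Without the dst-nat rules the client sits in this role but never sees the portal.
user-role guest-cp-logon
  captive-portal guest-cp
  session-acl guest-cp-logon
!
! AAA profile: the PSK handshake is handled by the built-in default-psk 802.1X
! profile, which assigns no role, so the client lands in the initial role.
aaa profile guest-psk-cp
  initial-role guest-cp-logon
  authentication-dot1x default-psk
!
! SSID: WPA2-PSK with AES; the passphrase is a placeholder.
wlan ssid-profile guest-psk
  essid "Guest"
  opmode wpa2-psk-aes
  wpa-passphrase "ChangeMe-GuestPSK"
!
! Virtual AP tying SSID, AAA profile and guest VLAN together.
wlan virtual-ap guest-psk-vap
  ssid-profile guest-psk
  aaa-profile guest-psk-cp
  vlan 100
```

To check the result, associate a client and look at its role with `show user-table`; it should be in guest-cp-logon before the portal login and in guest-auth after. `show rights guest-cp-logon` shows the captive portal profile and the dst-nat rules attached to the role, which is the quickest way to spot the ACL mistake described above. Two caveats: the PSK only gates layer-2 association, so the logon ACL is the control that keeps unauthenticated clients off the network, and the `any any svc-dns permit` rule already lets a pre-login client reach arbitrary DNS servers (a well-known tunneling path); restricting that rule to the resolvers you operate tightens it without breaking the portal, as long as those resolvers answer the portal hostname.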
