Wireless Access

Frequent Contributor I

RAP and captive portal using split-tunnel

I was following this "how to" to be able to do captive portal on a RAP (link) with no success. I did exactly every single step, plus created a DHCP pool for this interface.

The result I am getting is no captive portal, but in the controller I can see I got the right user role "vbn-guest-logon" and I am getting an IP address from the controller DHCP pool. What could I be doing wrong that I don't see the captive portal? So I am halfway connected; my iPhone, instead of the Wi-Fi icon, still shows LTE, which indicates something does not go through.


Re: RAP and captive portal using split-tunnel

A couple of good places to start would be to check that the Captive Portal is assigned to your initial role, that the client has a valid and working DNS server, and that any ACLs pertaining to the Captive Portal are set to permit, to tunnel this traffic back to the controller as well. Feel free to post config snippets which might help.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Frequent Contributor I

Re: RAP and captive portal using split-tunnel

show ip dhcp database
DHCP enabled
# split
subnet 172.32.0.0 netmask 255.255.240.0 {
    default-lease-time 14400;
    max-lease-time 14400;
    option vendor-class-identifier  "ArubaAP";
    option vendor-encapsulated-options  "x.x.x.x";
    option routers 172.32.0.1;
    range 172.32.0.21 172.32.15.254;
    authoritative;


show ip interface brief
Interface                   IP Address / IP Netmask        Admin   Protocol  
vlan 32                     172.32.0.1 / 255.255.240.0     up      up         none            (none)


show ip access-list vbn-guest-control
ip access-list session vbn-guest-control
vbn-guest-control
-----------------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          udp 68                 deny                             Low                                                           4        
2         any     any          svc-dhcp               permit                           Low                                                           4        
3         any     any          svc-dns                permit                           Low                                                           4        
4         any     any          svc-icmp               permit                           Low                                                           4     


show ip access-list vbn-guest-captiveportal
ip access-list session vbn-guest-captiveportal
vbn-guest-captiveportal
-----------------------
Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https               dst-nat 8081                           Low                                                           4        
2         user    any          svc-http                dst-nat 8080             Yes           Low                                                           4        
3         user    any          svc-https               dst-nat 8081                           Low                                                           4     


show aaa authentication captive-portal "vbn-guest"

Captive Portal Authentication Profile "vbn-guest"
-------------------------------------------------
Parameter                                          Value
---------                                          -----
Default Role                                       vbn-guest
Default Guest Role                                 guest
Server Group                                       default
Redirect Pause                                     1 sec
User Login                                         Enabled
Guest Login                                        Disabled
Logout popup window                                Enabled
Use HTTP for authentication                        Disabled
Logon wait minimum wait                            5 sec
Logon wait maximum wait                            10 sec
logon wait CPU utilization threshold               60 %
Max Authentication failures                        0
Show FQDN                                          Disabled
Authentication Protocol                            PAP
Login page                                         /auth/index.html
Welcome page                                       /auth/welcome.html
Show Welcome Page                                  Yes
Add switch IP address in the redirection URL       Disabled
Adding user vlan in redirection URL                Disabled
Add a controller interface in the redirection URL  N/A
Allow only one active user session                 Disabled
White List                                         N/A
Black List                                         N/A
Show the acceptable use policy page                Disabled
User idle timeout                                  N/A
Redirect URL                                       N/A
Bypass Apple Captive Network Assistant             Disabled
URL Hash Key                                       N/A


show rights vbn-guest-logon

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'vbn-guest-logon'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 0
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 81/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE
 Captive Portal profile = vbn-guest

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                        Type     Location
--------  ----                        ----     --------
1         global-sacl                 session  
2         apprf-vbn-guest-logon-sacl  session  
3         vbn-guest-control           session  
4         vbn-guest-captiveportal     session  

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-vbn-guest-logon-sacl
--------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
vbn-guest-control
-----------------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          udp 68                 deny                             Low                                                           4        
2         any     any          svc-dhcp               permit                           Low                                                           4        
3         any     any          svc-dns                permit                           Low                                                           4        
4         any     any          svc-icmp               permit                           Low                                                           4        
vbn-guest-captiveportal
-----------------------
Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https               dst-nat 8081                           Low                                                           4        
2         user    any          svc-http                dst-nat 8080             Yes           Low                                                           4        
3         user    any          svc-https               dst-nat 8081                           Low                                                           4 


show rights vbn-guest

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'vbn-guest'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 0
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 84/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                  Type     Location
--------  ----                  ----     --------
1         global-sacl           session  
2         apprf-vbn-guest-sacl  session  
3         vbn-guest             session  

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-vbn-guest-sacl                              
--------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
vbn-guest
---------
Priority  Source  Destination    Service    Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------    -------    -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any            svc-dhcp                permit                                  Low                                                           4        
2         user    my-dns  svc-dns                 permit                                  Low                                                           4        
3         user    controller     svc-https               dst-nat 8081                            Low                                                           4        
4         user    any            any                     route src-nat                           Low                                                           4


#show ip access-list vbn-guest

ip access-list session vbn-guest
vbn-guest
---------
Priority  Source  Destination    Service    Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------    -------    -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any            svc-dhcp                permit                                  Low                                                           4        
2         user    my-dns  svc-dns                 permit                                  Low                                                           4        
3         user    controller     svc-https               dst-nat 8081                            Low                                                           4        
4         user    any            any                     route src-nat                           Low                                                           4 


show aaa profile "vbn-guest"

AAA Profile "vbn-guest"
-----------------------
Parameter                           Value
---------                           -----
Initial role                        vbn-guest-logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
Download Role from CPPM             Disabled
Set username from dhcp option 12    Disabled
L2 Authentication Fail Through      Disabled
Multiple Server Accounting          Disabled
User idle timeout                   N/A
Max IPv4 for wireless user          2
RADIUS Accounting Server Group      N/A
RADIUS Roaming Accounting           Disabled
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled


--------------------------------

SSID is open
Enforce DHCP                        Disabled
PAN Firewall Integration            Disabled
Open SSID radius accounting         Disabled


#show wlan virtual-ap "email capture-vap_prof"

Virtual AP profile "email capture-vap_prof"
-------------------------------------------
Parameter                                       Value
---------                                       -----
AAA Profile                                     email capture-aaa_prof
802.11K Profile                                 default
Hotspot 2.0 Profile                             N/A
SSID Profile                                    email capture-ssid_prof
Virtual AP enable                               Enabled
VLAN                                            32
Forward mode                                    split-tunnel
Allowed band                                    all
Band Steering                                   Enabled
Cellular handoff assist                         Disabled
Openflow Enable                                 Disabled
Steering Mode                                   prefer-5ghz
Dynamic Multicast Optimization (DMO)            Enabled
Dynamic Multicast Optimization (DMO) Threshold  6
Drop Broadcast and Unknown Multicast            Disabled
Convert Broadcast ARP requests to unicast       Enabled
Authentication Failure Blacklist Time           3600 sec
Blacklist Time                                  3600 sec
Deny inter user traffic                         Disabled
Deny time range                                 N/A
DoS Prevention                                  Disabled
HA Discovery on-association                     Enabled
Mobile IP                                       Enabled
Preserve Client VLAN                            Disabled
Remote-AP Operation                             standard
Station Blacklisting                            Enabled
Strict Compliance                               Disabled
VLAN Mobility                                   Disabled
WAN Operation mode                              always
FDB Update on Assoc                             Disabled
WMM Traffic Management Profile                  N/A
Anyspot profile                                 N/A

Re: RAP and captive portal using split-tunnel

The DHCP scope defined on your controller does not appear to be assigning a DNS server. Can you confirm the clients are assigned a valid and working DNS server in the first instance? If there is no response from a DNS server, the re-direct to the Captive Portal will occur.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
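As an added example (not code from the thread or from Aruba), a small Python lint that checks the prerequisites the replies above point at: a gateway and a DNS server in the DHCP pool, a rule permitting svc-dns, and the dst-nat 8080/8081 redirect rules in the captive-portal ACL. The pool text and ACL rows are constructed samples modelled on the output posted above, and the 172.32.0.1 resolver address is a hypothetical value.

```python
import re

# Constructed sample modelled on the posted pool: it sets a gateway but no DNS option.
POOL_AS_POSTED = """subnet 172.32.0.0 netmask 255.255.240.0 {
    default-lease-time 14400;
    option vendor-class-identifier  "ArubaAP";
    option routers 172.32.0.1;
    range 172.32.0.21 172.32.15.254;
}"""
# Same pool with a DNS server added (172.32.0.1 is a hypothetical resolver address).
POOL_WITH_DNS = POOL_AS_POSTED.replace("    range", "    option domain-name-servers 172.32.0.1;\n    range")

# Constructed ACL rows in the 'show ip access-list' column order: Priority Source Destination Service Action.
CONTROL_ACL = """1  user  any  udp 68    deny
2  any   any  svc-dhcp  permit
3  any   any  svc-dns   permit
4  any   any  svc-icmp  permit"""
CP_ACL = """1  user  controller  svc-https  dst-nat 8081
2  user  any         svc-http   dst-nat 8080
3  user  any         svc-https  dst-nat 8081"""

RULE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(svc-\S+|udp \d+|tcp \d+|any)\s+(permit|deny|dst-nat \d+|route src-nat)", re.M)

def dhcp_options(pool):
    """Map each 'option <name> <value>;' line of an ISC-style pool to {name: value}."""
    return {m.group(1): m.group(2).strip() for m in re.finditer(r"^\s*option\s+(\S+)\s+(.*?);\s*$", pool, re.M)}

def acl_rules(acl):
    """Parse ACL rows into (source, destination, service, action) tuples."""
    return [m.groups() for m in RULE_RE.finditer(acl)]

def captive_portal_gaps(pool, control_acl, cp_acl):
    """Return the split-tunnel captive-portal prerequisites this pool/ACL pair does not satisfy."""
    gaps = []
    opts = dhcp_options(pool)
    if "routers" not in opts:
        gaps.append("DHCP pool sets no default gateway (option routers)")
    if "domain-name-servers" not in opts:
        gaps.append("DHCP pool hands out no DNS server (option domain-name-servers)")
    rules = acl_rules(control_acl) + acl_rules(cp_acl)
    if not any(r[2] == "svc-dns" and r[3] == "permit" for r in rules):
        gaps.append("no rule permits svc-dns, so the client cannot resolve the page it is redirected from")
    for svc, port in (("svc-http", "8080"), ("svc-https", "8081")):
        if not any(r[0] == "user" and r[1] == "any" and r[2] == svc and r[3] == f"dst-nat {port}" for r in rules):
            gaps.append(f"no 'user any {svc} dst-nat {port}' rule to redirect to the portal")
    return gaps

if __name__ == "__main__":
    for label, pool in (("as posted", POOL_AS_POSTED), ("with DNS", POOL_WITH_DNS)):
        print(label, captive_portal_gaps(pool, CONTROL_ACL, CP_ACL) or ["ok"])
```

Run against the posted pool it reports only the missing DNS option, which is the gap the reply above identified; with the option added it reports nothing.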
Frequent Contributor I

Re: RAP and captive portal using split-tunnel

Yep, it was missing DNS


Thank you
