Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Redirecting all user port 80 traffic to local web server

  • 1.  Redirecting all user port 80 traffic to local web server

    Posted Jun 29, 2018 05:00 AM

    Hi,

     

    I want to create an open SSID that guests should connect to automatically. We have a server with information pages for guests. I want to redirect all port 80 traffic to our web server IP. Is it possible with a 7030 controller v8.3?

     

    Regards,

     

    Rahman



  • 2.  RE: Redirecting all user port 80 traffic to local web server

    EMPLOYEE
    Posted Jul 01, 2018 07:33 AM

    If you set up a Captive Portal, that is exactly what you are doing.  You then have the option within the Captive Portal authentication profile to have the user just click on accept, enter username and password and then be redirected to another web page.

     

    Beyond just having the user traffic go to a local web server, how do you want the client to function after the web page is observed?

     

    EDIT:  This is considered an "external captive portal".  You would change the "Logon Page" parameter from "/auth/index.html" to "http://whateverpageyouwant.com"



  • 3.  RE: Redirecting all user port 80 traffic to local web server

    Posted Jul 02, 2018 01:31 AM

    Users should not log in and they should not browse any other web site. This will be a single purpose SSID. So just for this, is an external CP OK?

     

    Regards,

     

    Rahman



  • 4.  RE: Redirecting all user port 80 traffic to local web server

    Posted Jul 02, 2018 02:26 AM
    Make sure the captive portal settings are correct.

    Make captiveportal settings in L3 authentication settings and make sure they are applied as initial-role.

    In addition, please make sure that user information (internal or external) is registered in the authentication server.

    Finally, verify that the user's role (authenticated) changes after Web authentication is complete.


  • 5.  RE: Redirecting all user port 80 traffic to local web server
    Best Answer

    EMPLOYEE
    Posted Jul 05, 2018 05:15 PM

    @rdurantr wrote:

    Users should not log in and they should not browse any other web site. This will be a single purpose SSID. So just for this, is an external CP OK?

     


    Yes. You want the connected users to reach your web server to access information, right? That web server is not on the controller itself, so an external portal is the way to go. 

     

    Since you are not wanting users to log in, simply do not include the login function on your external website, and users will be kept in that pre-authenticated role where all they can access is your informational website. Any web requests that they send for other sites will be redirected back to your information website.



  • 6.  RE: Redirecting all user port 80 traffic to local web server

    Posted Oct 24, 2018 04:17 AM

    Hi Charlie,

     

    I tried to set up what you suggested: an external captive portal that never authenticates users. So users remain in an unauthenticated state on the Aruba controller and are always redirected to the external portal page.

     

    This concept worked well for our Extreme Networks controllers. But I could not make it work on Aruba 7030 v8.3. I am familiar with Extreme Networks' captive portal mechanism: you write policy rules that permit DNS and DHCP traffic and permit HTTP/HTTPS traffic to the external portal IP address, then deny anything else. So the Extreme Networks controller redirects denied HTTP/HTTPS traffic to the external captive portal URL. This is working as expected.

     

    I admit I don't have a full grasp of how Aruba v8 redirects to an external captive portal. I attach the screenshots of the configuration below.

     

    1. When I select external captive portal, it also asks me for CPPM server information. But we don't use CPPM; we only need to set up an external CP. How should I fill in these fields? This page also asks for RADIUS servers. Is this necessary, as I don't want any authentication?

     

    2. When I look at the automatically created role "eduroam-kurulum-guest-logon", there are so many rules compared to what I use on Extreme Networks. What is the destination "eduroam-kurulum" alias? Why can I not use the external portal IP address here? How does Aruba decide what traffic to redirect to the external portal? Is it a special "captive" action?

     

    3. And lastly, why is this setup not working? When I browse any HTTP page, it is not redirected to the external portal URL and times out. But if I browse the external portal URL "https://kablosuz.artvin.edu.tr" directly, it opens the page without any error.

     

    Regards,

     

    Rahman

     




  • 7.  RE: Redirecting all user port 80 traffic to local web server

    EMPLOYEE
    Posted Oct 28, 2018 11:27 PM

    In your case, using the WLAN wizard likely will not get things completely configured as this is a non-standard configuration.

     

    Yes, using the wizard to start, you would select an external captive portal. The wizard will probably require RADIUS servers be defined; most captive portal solutions are attempting to get users online ... not keep users out. You can define anything here, since an authentication request is not being returned, but I would suggest using the IP address of your external captive portal box here.

     

    The alias is created to enable web traffic to reach your external captive portal. The typical captive portal rule is triggering on http, https, and proxy configurations to perform the redirect. Once the controller redirects the traffic by informing the client that the requested webpage has moved, the policy needs to allow traffic to your external portal to flow normally.

     

    Do you have a valid SSL cert installed on your controller?



  • 8.  RE: Redirecting all user port 80 traffic to local web server

    Posted Oct 31, 2018 05:00 AM

    Yes, I have a valid commercial certificate.

     

    I opened a case with HPE TAC and the support engineer suggested using a custom role which allows DNS and DHCP, then DNATs all 80, 8080, 443 traffic to the external captive portal. This worked as desired.

     

    Your suggested concept worked for our Extreme Networks controller, so I would be more satisfied if I could understand it and make the Aruba controller work the same way.

     

    Off topic: Is there any documentation about external captive portal integration with ArubaOS 8.x? We are planning to develop our own captive portal that does the authentication part too. So is this possible with ArubaOS 8? The controller should redirect users to the external CP, and the ECP should register/validate/or whatever it wants to do for authentication, then the ECP should inform the Aruba controller with the username etc. so the controller can change the user role to authenticated. Is this possible, and is there any ArubaOS 8 API documentation for this purpose?

     

    Regards,

     

    Rahman
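
Added example (not part of the thread, and not Aruba configuration or code from HPE): a small Python model of the custom pre-auth role described in the post above, which permits DHCP and DNS and DNATs ports 80, 8080 and 443 to the portal. It evaluates constructed flows with first-match semantics and flags any flow that would reach a host other than the portal; `PORTAL_IP`, the sample flows, the implicit final deny and the weak variant are assumptions made for illustration.

```python
# Added example: first-match model of the pre-auth guest role from post 8.
from typing import NamedTuple, Optional

PORTAL_IP = "192.0.2.10"  # assumption: placeholder address for the external portal

class Rule(NamedTuple):
    proto: str                     # "tcp" or "udp"
    ports: frozenset               # destination ports the rule matches
    action: str                    # "permit", "dst-nat" or "deny"
    nat_ip: Optional[str] = None   # rewritten destination for "dst-nat"

# Role as described in the post: allow DHCP and DNS, DNAT web ports to the portal.
TAC_ROLE = [
    Rule("udp", frozenset({67, 68}), "permit"),
    Rule("udp", frozenset({53}), "permit"),
    Rule("tcp", frozenset({80, 8080, 443}), "dst-nat", PORTAL_IP),
]

# Constructed weak variant: a broad HTTPS permit placed above the DNAT rule.
WEAK_ROLE = [Rule("tcp", frozenset({443}), "permit")] + TAC_ROLE

def evaluate(role, proto, dst_ip, dst_port):
    """Return (action, effective destination IP); the first matching rule wins."""
    for rule in role:
        if rule.proto == proto and dst_port in rule.ports:
            if rule.action == "dst-nat":
                return "dst-nat", rule.nat_ip
            if rule.action == "permit":
                return "permit", dst_ip
            return "deny", None
    return "deny", None  # assumption: anything unmatched is dropped

# Constructed sample flows from a guest client: (proto, dst_ip, dst_port).
FLOWS = [
    ("udp", "255.255.255.255", 67),  # DHCP discover
    ("udp", "198.51.100.53", 53),    # DNS query
    ("tcp", "203.0.113.80", 80),     # HTTP to an unrelated site
    ("tcp", "203.0.113.80", 443),    # HTTPS to an unrelated site
    ("tcp", "203.0.113.22", 22),     # SSH
]

def leaks(role, flows=FLOWS):
    """Flows that reach a host other than the portal on a non-DNS/DHCP service."""
    found = []
    for proto, ip, port in flows:
        action, eff_ip = evaluate(role, proto, ip, port)
        infra = proto == "udp" and port in (53, 67, 68)
        if action != "deny" and not infra and eff_ip != PORTAL_IP:
            found.append((proto, ip, port))
    return found
```

`leaks(TAC_ROLE)` is empty, while `leaks(WEAK_ROLE)` reports the HTTPS flow that the misplaced permit lets past the DNAT rule.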



  • 9.  RE: Redirecting all user port 80 traffic to local web server

    EMPLOYEE
    Posted Nov 02, 2018 12:53 PM

    @rdurantr wrote:

     

    Off topic: Is there any documentation about external captive portal integration with ArubaOS 8.x? We are planning to develop our own captive portal that does the authentication part too. So is this possible with ArubaOS 8? The controller should redirect users to the external CP, and the ECP should register/validate/or whatever it wants to do for authentication, then the ECP should inform the Aruba controller with the username etc. so the controller can change the user role to authenticated. Is this possible, and is there any ArubaOS 8 API documentation for this purpose?


    Start here: https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Captive_Portal/Captive_Portal.htm?Highlight=Captive%20Portal

     

    With external captive portal, user authentication is still done via RADIUS or the internal authentication server on the controller, so your portal page needs to return valid info to pass from the pre-auth portal role.