Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Why does my user role not trigger portal redirection?

  • 1.  Why does my user role not trigger portal redirection?

    Posted Nov 26, 2017 07:43 PM

    Hello experts

     

    Problem: The static captive portal redirection is not happening when my user role is assigned.  Even browsing to an http site on the phone does not cause a redirect.

     

    Smart phone connected to AP and got an IP address.  AAA MAC auth was done to the Cisco ISE AAA server.  The Cisco ISE server returned the role 'guest-ISE-portal'.  The next step would be that the Aruba controller redirects the client to the captive portal that is assigned to the role, not so?

    I am quite new to this and I cannot find the relationship between role and captive portal profile, because as you can see in my config, there is a circular relationship (they refer to each other - I have probably done something crazy) - please help. 

     

    Below is the client details - I can see that my expected role is assigned

     

    (Aruba7210) # show user-table ip 10.172.9.1 detail
    
    Name: 84-55-A5-FC-5B-2C, IP: 10.172.9.1, MAC: 84:55:a5:fc:5b:2c, Age: 00:00:20
    Role: guest-ISE-portal (how: ROLE_DERIVATION_MBA_VSA), ACL: 73/0
    Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ISE-VIP-NextDC
    Authentication Servers: dot1x authserver: , mac authserver: ISE-VIP-NextDC
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_MBA_VSA
    VLAN Derivation: MBA Aruba VSA
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 0
    phy_type: a-VHT-80, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 18, Assigned: 18, Current: 18 vlan-how: 11 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x2100, Port=0x1000a (tunnel 10)
    Essid: Blizzard, Bssid: 44:48:c1:c9:ce:70 AP name/group: AP1/default Phy-type: a-VHT-80 Forward Mode: tunnel
    RadAcct sessionID:84-55-A58455A5FC5B2C-5A1B5638-AB528
    RadAcct Traffic In 2643/234815 Out 591/124305 (0:2643/0:0:3:38207,0:591/0:0:1:58769)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:Blizzard-aaa_prof, dot1x:, mac:MAB-Auth CP:n/a def-role:'guest-ISE-portal' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
    IP Born: 1511740983 (Mon Nov 27 10:03:03 2017)
    Core User Born: 1511740982 (Mon Nov 27 10:03:02 2017)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String:
    Max IPv4 users: 2
    L3-Auth Session Timeout from Radius: 0
    Mac-Auth Session Timeout Value from Radius: 0
    Dot1x Session Timeout Value from Radius: 0
    CoA Session Timeout Value from Radius: 0
    Dot1x Session Term-Action Value from Radius: Default
    CaptivePortal Login-Page URL from Radius: N/A
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    mac auth server: ISE-VIP-NextDC, dot1x auth server: N/A
    Address is from DHCP: yes
    Per-user-log pointer 0x150c3b4 (id 3), num logs 21
    Role assigment:
      L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
      DHCP role: n/a, Default role: guest-ISE-portal, Cached role: n/a
      Current Role name: guest-ISE-portal, role-how: ROLE_DERIVATION_MBA_VSA,
      L2-role: guest-ISE-portal (how: ROLE_DERIVATION_MBA_VSA), L3-role: n/a (how: n/a)
    Role events:
        1: l2 role->logon, mac user created
        2: l2 role->guest-ISE-portal, Set AAA profile defaults
        3: l2 role->guest-ISE-portal, station Authenticated with auth type:  MAC based authentication
    RTTS disabled: rtts_throughput 311760 rtts_discard 0 rtts_reest 0 rtts_keepalive 0

     

    Just to keep things simple while troubleshooting (i.e. I am getting desperate now!)  I made the firewall any/any - I want to secure that of course, but that is the next thing.  Here are the rights for that role

     

    (Aruba7210) #show rights guest-ISE-portal
    
    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest-ISE-portal'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 2
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 73/0
     Openflow: Disabled
     Max Sessions = 65535
    
     Check CP Profile for Accounting = FALSE
     Captive Portal profile = Blizzard-cp_prof
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                         Type     Location
    --------  ----                         ----     --------
    1         global-sacl                  session
    2         apprf-guest-ISE-portal-sacl  session
    3         any-any                      session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-guest-ISE-portal-sacl
    ---------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    any-any
    -------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit             Yes           Low                                                           4
    
    Expired Policies (due to time constraints) = 0
    
    

     

    And finally, the captive portal profile that I am using (and I have tinkered around with various settings - there are too many to choose from and not sure of their impact)

     

    (Aruba7210) #show aaa authentication captive-portal Blizzard-cp_prof
    
    Captive Portal Authentication Profile "Blizzard-cp_prof"
    --------------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       guest-ISE-portal
    Default Guest Role                                 guest-ISE-portal
    Server Group                                       Blizzard_srvgrp-tsl86
    Redirect Pause                                     10 sec
    User Login                                         Enabled
    Guest Login                                        Disabled
    Logout popup window                                Enabled
    Use HTTP for authentication                        Disabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Enabled
    Authentication Protocol                            PAP
    Login page                                         https://guest.****************:8443/portal/g?p=9dQ7EkvlqbWGRixNAzYJ85E6Rg
    Welcome page                                       /auth/welcome.html
    Show Welcome Page                                  No
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         N/A
    Black List                                         N/A
    Show the acceptable use policy page                Disabled
    User idle timeout                                  N/A
    Redirect URL                                       N/A
    Bypass Apple Captive Network Assistant             Disabled
    URL Hash Key                                       N/A


  • 2.  RE: Why does my user role not trigger portal redirection?

    EMPLOYEE
    Posted Nov 26, 2017 08:02 PM


  • 3.  RE: Why does my user role not trigger portal redirection?

    Posted Nov 26, 2017 08:26 PM

    hi - thanks for the quick response

     

    I thought that my any-any took care of that?

    show rights guest-ISE-portal

     

    I can't really relate my issue to the link you sent me.  I can see that I have a bunch of access lists, and one of them is any-any which I thought is technically feasible (albeit, not secure at all).

     

    Do I have to give the access list a special name like "captiveportal" ?



  • 4.  RE: Why does my user role not trigger portal redirection?

    EMPLOYEE
    Posted Nov 26, 2017 08:50 PM

    No, the any any does not take care of it.  There is a built-in ACL called "captiveportal".  Just put that acl at the top of the guest-ISE-portal role.  Specifically, it redirects any http and https traffic to ports 8080 and 8081 on the controller, which is where it brings up the captive portal.

     

    ip access-list session captiveportal

    user alias mswitch svc-https permit

    user any svc-http dst-nat 8080

    user any svc-https dst-nat 8081



  • 5.  RE: Why does my user role not trigger portal redirection?

    Posted Nov 26, 2017 09:02 PM

    Hi Colin

     

    Right.  I wasn't aware that there had to be a specifically named ACL for this.  Kind of weird, but ok.

     

    Since I am not hosting the captive portal on the Aruba controller, none of the TCP ports mentioned in the captiveportal ACL apply to me. 

     

    The portal is on a Cisco ISE server. 

     

    I need the Aruba controller to redirect the user to https://blah:8443/blahblah

     

    This is why I tried the following with the 'any any any'.

    Still doesn't work.

     

     

     

    (Aruba7210) #show rights guest-ISE-portal
    
    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest-ISE-portal'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 2
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 73/0
     Openflow: Disabled
     Max Sessions = 65535
    
     Check CP Profile for Accounting = FALSE
     Captive Portal profile = Blizzard-cp_prof
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                         Type     Location
    --------  ----                         ----     --------
    1         global-sacl                  session
    2         apprf-guest-ISE-portal-sacl  session
    3         captiveportal                session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-guest-ISE-portal-sacl
    ---------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                           permit                                 Low                                                           4
    2         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    3         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    4         user    any          svc-https                     dst-nat 8081                           Low                                                           4
    5         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
    7         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4
    
    Expired Policies (due to time constraints) = 0

     

     



  • 6.  RE: Why does my user role not trigger portal redirection?

    EMPLOYEE
    Posted Nov 26, 2017 10:11 PM

    You didn't say you were using ISE to host the Captive Portal page.  I thought you were just using it for mac authentication.

     

    1.  Remove the any any permit from the ACLs in the role guest-ISE-portal.  That will stop redirection, and you don't want that.  Click on apply to save that change.

    2.  Go to configuration> security> authentication> l3 authentication> Captive Portal authentication and edit the Blizzard-cp_prof captive portal authentication profile.  In the "login page" parameter, delete what is there and put in "https://blah:8443/blahblah".  Click on apply then save configuration.

     

    I have never redirected to ISE, but this is what should happen:

    The user who ends up in the guest-ISE-portal role will get redirected to the controller captive portal due to the following rules:

    2         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    3         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    4         user    any          svc-https                     dst-nat 8081                           Low                            

    The controller will look up what Captive Portal Profile is assigned to the role when the user's port 80 and port 443 traffic is redirected to 8080 and 8081 (in this case it is the Blizzard-cp_prof captive portal profile).  The controller will send the user a redirect to the "login page" parameter.

     

    I hope that makes sense.

     

     

     



  • 7.  RE: Why does my user role not trigger portal redirection?

    Posted Nov 27, 2017 12:04 AM

    Hi Colin

     

    thanks for bearing with me. 

     

    After I remove the IPv4 any any, I break the DHCP and my client doesn't even get an IP address. 

     

    The ISE portal URL was always in place under the captive portal profile.

     

    My lack of fundamental understanding of the call flows here is leaving me confused.  It would be nice to have a flow chart to see at what point the controller applies what role(s). 

     

    I thought it goes something like this

    1) Client associates to SSID and then the aaa profile dictates the 'initial role'.  I set this to the built-in 'guest' which apparently allows DNS/DHCP etc.  But it doesn't work for me (I have a theory that this role is applied for a few milliseconds and not long enough).

    2) In my case the aaa profile causes MAC auth to external AAA server (ISE) and the Radius Access-Accept contains the guest-ISE-role.  This role is then applied.  I can see it in the show commands.

    3)  Now I expected Aruba Controller to apply the settings contained in that role.  This includes the captive_portal profile.  But I don't get a redirect.

     

    It's quite confusing for a newbie like me.  I have an expectation of what I would like the controller to do, and I need help in understanding the various places where roles are applied.

     

    Take for example, the aaa profile.  Here we have Initial role and MAC auth default role.  Are these at all relevant in this call flow?

     

    [attachment: Aruba 1.png]

     

     

    And next in line is the L3 Auth captive portal authentication - more profiles ... did I do the right thing here?  At what point is this profile's 'default Role' applied? 

     

    [attachment: Aruba 2.png]

     

    Just to show you what my final guest-ISE-portal role looks like

     

    [attachment: Aruba 3.png]

     

     

     



  • 8.  RE: Why does my user role not trigger portal redirection?

    EMPLOYEE
    Posted Nov 27, 2017 12:15 AM

     

    I was just writing a long paragraph about what you should do, but what exactly are you trying to do?

     

     

     



  • 9.  RE: Why does my user role not trigger portal redirection?

    EMPLOYEE
    Posted Nov 27, 2017 12:31 AM

    Ok.  Here's that paragraph.

     

    The initial role in the AAA profile gets switched to whatever role you are responding with in your ISE server, and it is almost immediate, so that is what would be applied.  The initial role does not come into play, as a result.  If you were not doing mac authentication or the device failed mac auth, it would stay in the initial role.  The default role and the default guest role in the Captive Portal authentication profile are what you would get after the client does guest authentication (clicks on accept or enter at the guest password field) against the Aruba Controller.  We are not doing auth to the Aruba Captive Portal.  We are passing it through, so those do not apply.  Below is what we need to do in addition:

     

    Remove the "any any any" rule

    Add "any host <your ISE server host> tcp port <whatever port you are redirecting on> permit" to the top of your acls.

    Add the captive portal acls after that

    Add "any any any service dhcp permit" after that.

    Also add "any any any service dns" after that.

     

    These changes will allow your client to get DHCP and do DNS, so that if you are referring to your ISE host by hostname, it will resolve.

    The acl allowing traffic to your host is there to do specifically that: allow traffic to your ISE host.

     

    Are you doing something special on the ise page?
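
The fix in the two posts above (and the "any any any" confusion in posts 4 to 6) comes down to one rule of ArubaOS session ACLs: a role's ACLs are walked in position order and the first matching rule wins, so a permit-any at position 1 means the dst-nat rules below it are never reached and the web traffic is simply forwarded instead of being redirected, while removing it without adding DHCP/DNS permits back leaves the client unable to get an address (post 7). The following is an added example written for this page, not code from the thread or from HPE Aruba: a small first-match evaluator fed with the ACL lines quoted in the thread, run against the broken ordering from post 5, the ordering recommended in post 9, and the interim state from post 7. The ISE host address, the port numbers behind the service aliases and the sample flows are assumptions, and the model ignores the global-sacl/apprf ACLs and the L3 reachability requirement that post 15 later identifies.

```python
"""First-match walk over an ArubaOS-style session ACL list.

Added example for this thread; not code from the original posts or from
HPE Aruba. It models only what the thread relies on: a user role evaluates
its session ACLs in position order, the first matching rule wins, and a
dst-nat rule is what sends the client's web traffic to the controller's
captive portal listener. Service ports, the ISE host and the flows are
assumed values.
"""
from dataclasses import dataclass
from typing import Optional

# Service aliases seen in the thread, mapped to (proto, dst port). Assumed values.
SERVICES = {
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
}
# "alias mswitch" in the built-in captiveportal ACL means the controller itself.
ALIASES = {"mswitch": "controller"}
ISE_HOST = "10.172.100.10"   # assumed address of the ISE guest portal host


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: Optional[tuple]   # None means "any"
    action: str


@dataclass(frozen=True)
class Flow:
    src: str      # "user" = the wireless client
    dst: str      # "controller", an IP address, or any other host label
    proto: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse a rule in the shape used in the thread:
    '<src> [alias|host] <dst> <svc-name | any | tcp|udp PORT> <action...>'."""
    tok = line.split()
    src, i = tok[0], 1
    if tok[i] in ("alias", "host"):
        i += 1
    dst = ALIASES.get(tok[i], tok[i])
    i += 1
    if tok[i] in ("tcp", "udp"):
        service, i = (tok[i], int(tok[i + 1])), i + 2
    elif tok[i] == "any":
        service, i = None, i + 1
    else:
        service, i = SERVICES[tok[i]], i + 1
    return Rule(src, dst, service, " ".join(tok[i:]))


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.src not in ("any", flow.src):
        return False
    if rule.dst not in ("any", flow.dst):
        return False
    return rule.service is None or rule.service == (flow.proto, flow.dport)


def first_match(role_acls, flow: Flow):
    """Walk the role's ACLs in position order; the first matching rule wins.
    Returns (acl name, action). Traffic no rule matches is implicitly denied."""
    for acl_name, lines in role_acls:
        for line in lines:
            rule = parse_rule(line)
            if matches(rule, flow):
                return acl_name, rule.action
    return "<implicit>", "deny"


CAPTIVEPORTAL = [                 # the built-in ACL as quoted in post 4
    "user alias mswitch svc-https permit",
    "user any svc-http dst-nat 8080",
    "user any svc-https dst-nat 8081",
]
# Post 5: "any any any permit" at position 1 shadows every dst-nat rule below it.
ROLE_BROKEN = [("captiveportal", ["any any any permit"] + CAPTIVEPORTAL)]
# Post 9: explicit permit to the ISE portal, then captiveportal, then DHCP and DNS.
ROLE_FIXED = [
    ("ise-portal", [f"any host {ISE_HOST} tcp 8443 permit"]),
    ("captiveportal", CAPTIVEPORTAL),
    ("logon-control", ["any any svc-dhcp permit", "any any svc-dns permit"]),
]
# Post 7's interim state: any-any removed, nothing added back for DHCP.
ROLE_NO_DHCP = [("captiveportal", CAPTIVEPORTAL)]

WEB = Flow("user", "93.184.216.34", "tcp", 80)      # constructed: phone opens an http site
DHCP = Flow("user", "255.255.255.255", "udp", 67)   # constructed: DHCP discover
PORTAL = Flow("user", ISE_HOST, "tcp", 8443)        # constructed: browser follows redirect to ISE

if __name__ == "__main__":
    for name, role in (("broken", ROLE_BROKEN), ("fixed", ROLE_FIXED), ("no-dhcp", ROLE_NO_DHCP)):
        for label, flow in (("web", WEB), ("dhcp", DHCP), ("portal", PORTAL)):
            print(f"{name:8s} {label:7s} -> {first_match(role, flow)}")
```

Running it shows the broken role answering "permit" for the client's http flow (the page loads, no redirect), the fixed role answering "dst-nat 8080" for the same flow while still permitting DHCP and the follow-up connection to the ISE portal, and the interim role denying DHCP outright. One practical caveat on the https rule: dst-nat of port 443 to the controller means the controller answers a TLS handshake meant for another host, so clients opening an https page first will see a certificate warning before any redirect; that is why captive portal detection relies on a plain http probe.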



  • 10.  RE: Why does my user role not trigger portal redirection?

    Posted Dec 04, 2017 05:31 PM

    Hi Colin

     

    I took a break from this because it was doing my head in.  I wasn't getting anywhere.

    What I am trying to do is quite simple.  My customer has a Cisco ISE AAA platform - for the purpose of this discussion, we're doing CWA (Centralised Web Authentication) as part of Sponsored Guest access.  ISE creates the Guest accounts, and users log into ISE Guest portals via the Cisco WLAN solution.  In the all-Cisco world this works easily because this is what I am used to.

    Customer wants to incorporate their Aruba controller into the ISE CWA solution.  This means, make the Aruba controller redirect the client to the same ISE Guest Portals.  It's not rocket science.  But Aruba doesn't accept a URL redirect via an ISE Radius Access-Accept, and it also doesn't use CoA to reauthenticate a session.  There are a few documents out there that describe how to do all these things but they invariably use the IAP, and not a controller based solution.  I need the exact steps for a controller based solution.

    Currently ISE returns the role to Aruba when MAB auth happens.  The portal profile is defined on the Aruba controller, and it has the static URL definition to point to ISE.  The challenge I am having is that no matter what I feed the controller, it doesn't 'activate' the portal profile to then cause the client to redirect.  I am missing something simple.



  • 11.  RE: Why does my user role not trigger portal redirection?

    Posted May 28, 2018 01:09 PM

    Hi,

     

    I'm facing the same kind of issue.

    It seems everything is configured as it should be, but no redirection happens when the user role is assigned after MAB has occurred.

     

    Was wondering if you found out what your problem was ?

     

    Thanks.



  • 12.  RE: Why does my user role not trigger portal redirection?

    Posted May 28, 2018 05:55 PM

    Hi

     

    It's been a long time since I solved that mystery.  In the end it was an Aruba expert who looked at my config and found that I had insufficient Firewall Policies in my User Roles.  I had a User Role called guest-ISE-portal which the Cisco ISE server returned when a guest needed to log into the portal.  Now I don't know enough about the Aruba controller to know whether the Name is significant, but the engineer added the factory default Firewall Policy called 'captiveportal' and also created an additional one called 'logon-control' (or maybe that is also factory default -  I don't know).  Either way, the logon-control had rules to allow DNS/DHCP mostly and the captiveportal had all the https ACLs that I was missing.  

    See if that works for you.

    I really like Aruba products but I spend 95% of my time on Cisco stuff so I never get the opportunity to get deeply involved - and I am sorry I can't explain this better.

     

    One last thing - with Apple iOS devices I had to tweak another thing in order to allow the CNA (Captive Network Assistant) to pop up for portal login.

    Under Security -> Authentication -> L3 Authentication -> Captive Portal Authentication ->{my_Profile} you must untick "Bypass Apple Captive Network Assistant"



  • 13.  RE: Why does my user role not trigger portal redirection?

    Posted May 29, 2018 02:17 AM

    Hi,

     

    Unfortunately, I think I had that Firewall Policies part covered. I'll double check just to make sure.

     

    Thanks for the quick response, though, appreciate it.

     



  • 14.  RE: Why does my user role not trigger portal redirection?

    EMPLOYEE
    Posted May 30, 2018 11:05 PM

    Hey, where is the captive portal failing in your case?



  • 15.  RE: Why does my user role not trigger portal redirection?

    Posted Jun 04, 2018 03:37 AM

    Hi,

     

    Thanks for following up.

     

    I finally found out why redirection was not happening in my case.

     

    It seems that the controller MUST have a L3 interface on the same subnet as redirected clients, otherwise the NAT rules of the "captiveportal" firewall policy can't apply.

     

    I had read that the command "firewall allow-tri-session" was designed to make it possible to implement captive portal without the controller having an IP address in the guest subnet, but I didn't manage to make it work.

     

    If anyone happens to have successfully implemented captive portal without L3, I would really be interested in learning about it.

     

    Regards