Occasional Contributor I

Why does my user role not trigger portal redirection?

Hello experts

 

Problem: The Static Captive Portal redirection is not happening when my user role is assigned.  Even browsing to an http site on the phone does not cause a redirect.

 

Smart phone connected to AP and got an IP address.  AAA MAC auth was done to Cisco ISE AAA server.  Cisco ISE server returned the role 'guest-ISE-portal'.  The next step would be that the Aruba controller redirects the client to the captive portal that is assigned to the role, not so?

I am quite new to this and I cannot find the relationship between role and captive portal profile, because as you can see in my config, there is a circular relationship (they refer to each other - I have probably done something crazy) - please help. 

 

Below are the client details - I can see that my expected role is assigned

 

(Aruba7210) # show user-table ip 10.172.9.1 detail

Name: 84-55-A5-FC-5B-2C, IP: 10.172.9.1, MAC: 84:55:a5:fc:5b:2c, Age: 00:00:20
Role: guest-ISE-portal (how: ROLE_DERIVATION_MBA_VSA), ACL: 73/0
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ISE-VIP-NextDC
Authentication Servers: dot1x authserver: , mac authserver: ISE-VIP-NextDC
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_MBA_VSA
VLAN Derivation: MBA Aruba VSA
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: a-VHT-80, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 18, Assigned: 18, Current: 18 vlan-how: 11 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x2100, Port=0x1000a (tunnel 10)
Essid: Blizzard, Bssid: 44:48:c1:c9:ce:70 AP name/group: AP1/default Phy-type: a-VHT-80 Forward Mode: tunnel
RadAcct sessionID:84-55-A58455A5FC5B2C-5A1B5638-AB528
RadAcct Traffic In 2643/234815 Out 591/124305 (0:2643/0:0:3:38207,0:591/0:0:1:58769)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:Blizzard-aaa_prof, dot1x:, mac:MAB-Auth CP:n/a def-role:'guest-ISE-portal' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1511740983 (Mon Nov 27 10:03:03 2017)
Core User Born: 1511740982 (Mon Nov 27 10:03:02 2017)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String:
Max IPv4 users: 2
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
CaptivePortal Login-Page URL from Radius: N/A
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: ISE-VIP-NextDC, dot1x auth server: N/A
Address is from DHCP: yes
Per-user-log pointer 0x150c3b4 (id 3), num logs 21
Role assigment:
  L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
  DHCP role: n/a, Default role: guest-ISE-portal, Cached role: n/a
  Current Role name: guest-ISE-portal, role-how: ROLE_DERIVATION_MBA_VSA,
  L2-role: guest-ISE-portal (how: ROLE_DERIVATION_MBA_VSA), L3-role: n/a (how: n/a)
Role events:
    1: l2 role->logon, mac user created
    2: l2 role->guest-ISE-portal, Set AAA profile defaults
    3: l2 role->guest-ISE-portal, station Authenticated with auth type:  MAC based authentication
RTTS disabled: rtts_throughput 311760 rtts_discard 0 rtts_reest 0 rtts_keepalive 0

 

Just to keep things simple while troubleshooting (i.e. I am getting desperate now!) I made the firewall any/any - I want to secure that of course, but that is the next thing.  Here are the rights for that role:

 

(Aruba7210) #show rights guest-ISE-portal

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-ISE-portal'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 2
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 73/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = FALSE
 Captive Portal profile = Blizzard-cp_prof

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                         Type     Location
--------  ----                         ----     --------
1         global-sacl                  session
2         apprf-guest-ISE-portal-sacl  session
3         any-any                      session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-guest-ISE-portal-sacl
---------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
any-any
-------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit             Yes           Low                                                           4

Expired Policies (due to time constraints) = 0

 

And finally, the captive portal profile that I am using (I have tinkered around with various settings - there are too many to choose from and I am not sure of their impact)

 

(Aruba7210) #show aaa authentication captive-portal Blizzard-cp_prof

Captive Portal Authentication Profile "Blizzard-cp_prof"
--------------------------------------------------------
Parameter                                          Value
---------                                          -----
Default Role                                       guest-ISE-portal
Default Guest Role                                 guest-ISE-portal
Server Group                                       Blizzard_srvgrp-tsl86
Redirect Pause                                     10 sec
User Login                                         Enabled
Guest Login                                        Disabled
Logout popup window                                Enabled
Use HTTP for authentication                        Disabled
Logon wait minimum wait                            5 sec
Logon wait maximum wait                            10 sec
logon wait CPU utilization threshold               60 %
Max Authentication failures                        0
Show FQDN                                          Enabled
Authentication Protocol                            PAP
Login page                                         https://guest.****************:8443/portal/g?p=9dQ7EkvlqbWGRixNAzYJ85E6Rg
Welcome page                                       /auth/welcome.html
Show Welcome Page                                  No
Add switch IP address in the redirection URL       Disabled
Adding user vlan in redirection URL                Disabled
Add a controller interface in the redirection URL  N/A
Allow only one active user session                 Disabled
White List                                         N/A
Black List                                         N/A
Show the acceptable use policy page                Disabled
User idle timeout                                  N/A
Redirect URL                                       N/A
Bypass Apple Captive Network Assistant             Disabled
URL Hash Key                                       N/A
Guru Elite

Re: Why does my user role not trigger portal redirection?

The guest-ISE-portal role is missing the captive portal acls.

http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-captive-portal-access-for-guest-users/ta-p/177702



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Why does my user role not trigger portal redirection?

Hi - thanks for the quick response

 

I thought that my any-any took care of that?

show rights guest-ISE-portal

 

I can't really relate my issue to the link you sent me.  I can see that I have a bunch of access lists, and one of them is any-any which I thought is technically feasible (albeit, not secure at all).

 

Do I have to give the access list a special name like "captiveportal" ?

Guru Elite

Re: Why does my user role not trigger portal redirection?

No, the any any does not take care of it.  There is a built-in ACL called "captiveportal".  Just put that acl at the top of the guest-ISE-portal role.  Specifically, it redirects any http and https traffic to ports 8080 and 8081 on the controller, which is where it brings up the captive portal.

 

ip access-list session captiveportal

user alias mswitch svc-https permit

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Why does my user role not trigger portal redirection?

Hi Colin

 

Right.  I wasn't aware that there had to be a specifically named ACL for this.  Kind of weird, but ok.

 

Since I am not hosting the captive portal on the Aruba controller, none of the TCP ports mentioned in the captiveportal ACL apply to me. 

 

The portal is on a Cisco ISE server. 

 

I need the Aruba controller to redirect the user to https://blah:8443/blahblah

 

This is why I tried the following with the 'any any any'.

Still doesn't work.

 

 

 

(Aruba7210) #show rights guest-ISE-portal

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-ISE-portal'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 2
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 73/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = FALSE
 Captive Portal profile = Blizzard-cp_prof

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                         Type     Location
--------  ----                         ----     --------
1         global-sacl                  session
2         apprf-guest-ISE-portal-sacl  session
3         captiveportal                session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-guest-ISE-portal-sacl
---------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                           permit                                 Low                                                           4
2         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
3         user    any          svc-http                      dst-nat 8080                           Low                                                           4
4         user    any          svc-https                     dst-nat 8081                           Low                                                           4
5         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
7         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

 

 

Guru Elite

Re: Why does my user role not trigger portal redirection?

You didn't say you were using ISE to host the Captive Portal page.  I thought you were just using it for mac authentication.

 

1.  Remove the any any permit from the ACLs in the role guest-ISE-portal.  That will stop redirection, and you don't want that.  Click on apply to save that change.

2.  Go to configuration> security> authentication> l3 authentication> Captive Portal authentication and edit the Blizzard-cp_prof captive portal authentication profile.  In the "login page" parameter, delete what is there and put in "https://blah:8443/blahblah".  Click on apply then save configuration.

 

I have never redirected to ISE, but this is what should happen:

The user who ends up in the guest-ISE-portal role will get redirected to the controller captive portal due to the following rules:

2         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
3         user    any          svc-http                      dst-nat 8080                           Low                                                           4
4         user    any          svc-https                     dst-nat 8081                           Low                            

The controller will look up what Captive Portal Profile is assigned to the role when the user's port 80 and port 443 traffic is redirected to 8080 and 8081 (in this case it is the Blizzard-cp_prof captive portal profile).  The controller will send the user a redirect to the "login page" parameter.

 

I hope that makes sense.

 

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Why does my user role not trigger portal redirection?

Hi Colin

 

thanks for bearing with me. 

 

After I remove the IPv4 any any, I break the DHCP and my client doesn't even get an IP address. 

 

The ISE portal URL was always in place under the captive portal profile.

 

My lack of fundamental understanding of the call flows here is leaving me confused.  It would be nice to have a flow chart to see at what point the controller applies what role(s). 

 

I thought it goes something like this

1) Client associates to SSID and then the aaa profile dictates the 'initial role'.  I set this to the built-in 'guest' which apparently allows DNS/DHCP etc.  But it doesn't work for me (I have a theory that this role is applied for a few milliseconds and not long enough)

2) In my case the aaa profile causes MAC auth to external AAA server (ISE) and the Radius Access-Accept contains the guest-ISE-role.  This role is then applied.  I can see it in the show commands.

3)  Now I expected Aruba Controller to apply the settings contained in that role.  This includes the captive_portal profile.  But I don't get a redirect.

 

It's quite confusing for a newbie like me.  I have an expectation of what I would like the controller to do, and I need help in understanding the various places where roles are applied.

 

Take for example, the aaa profile.  Here we have Initial role and MAC auth default role.  Are these at all relevant in this call flow?

 

Aruba 1.png

 

 

And next in line is the L3 Auth captive portal authentication - more profiles ... did I do the right thing here?  At what point is this profile's 'default Role' applied? 

 

Aruba 2.png

 

Just to show you what my final guest-ISE-portal role looks like

 

Aruba 3.png

 

 

 

Guru Elite

Re: Why does my user role not trigger portal redirection?

 

I was just writing a long paragraph about what you should do, but what exactly are you trying to do?

 

 

 



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: Why does my user role not trigger portal redirection?

Ok.  Here's that paragraph.

 

The initial role in the AAA profile gets switched to whatever role you are responding with in your ISE server and it is almost immediate, so that is what would be applied. The initial role does not come into play, as a result.  If you were not doing mac authentication or the device failed mac auth, it would stay in the initial role.  The default role and the default guest role in the Captive Portal authentication profile are what you would get after the client does guest authentication (clicks on an accept or enter at the guest password field) against the Aruba Controller.  We are not doing auth to the Aruba Captive Portal.  We are passing it through, so those do not apply.  Below is what we need to do in addition:

 

Remove the "any any any" rule

Add "any host <your ISE server host> tcp port <whatever port you are redirecting on> permit" to the top of your acls.

Add the captive portal acls after that

Add "any any any service dhcp permit" after that.

Also add "any any any service dns" after that.

 

These changes will allow your client to get dhcp and do dns, so in case you are referring to your ISE host with a hostname, it will resolve.

The acl to allow traffic to your host does specifically that: it allows traffic to your ISE host.

 

Are you doing something special on the ise page?



Colin Joseph
Aruba Customer Engineering

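The two replies above (the built-in captiveportal ACL, and the rule ordering with the ISE host first, then the redirects, then DHCP and DNS) both come down to first-match evaluation of a session ACL. As an added illustration, not code from the thread or from ArubaOS, here is a small first-match evaluator over the rules shown in this thread; the controller address, the ISE address 192.0.2.10 and the service alias table are assumptions.

```python
from dataclasses import dataclass

# Constructed service aliases: alias -> (protocol, destination port).
SERVICES = {
    "svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
    "svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
}
CONTROLLER_IP = "10.172.9.254"   # assumed controller address (the "controller" alias)
ISE_HOST = "192.0.2.10"          # assumed address of the ISE guest portal

@dataclass(frozen=True)
class Rule:
    src: str      # "user" or "any"
    dst: str      # "any", "controller" or a host address
    service: str  # "any", an alias from SERVICES, or "tcp <port>"
    action: str   # "permit", "deny" or "dst-nat <port>"

def service_matches(service, proto, dport):
    if service == "any":
        return True
    if service in SERVICES:
        return SERVICES[service] == (proto, dport)
    p, port = service.split()           # e.g. "tcp 8443"
    return (p, int(port)) == (proto, dport)

def evaluate(acl, dst, proto, dport, src_is_user=True):
    """First-match evaluation: return (position, action) of the rule that
    handles the flow, or (None, "deny") for the implicit deny at the end."""
    for pos, rule in enumerate(acl, start=1):
        if rule.src == "user" and not src_is_user:
            continue
        if rule.dst == "controller":
            dst_ok = dst == CONTROLLER_IP
        else:
            dst_ok = rule.dst == "any" or rule.dst == dst
        if dst_ok and service_matches(rule.service, proto, dport):
            return pos, rule.action
    return None, "deny"

# The role as posted: the any/any permit sits at position 1, so every flow
# matches it first and the dst-nat rules below it never run.
BROKEN = [
    Rule("any", "any", "any", "permit"),
    Rule("user", "controller", "svc-https", "dst-nat 8081"),
    Rule("user", "any", "svc-http", "dst-nat 8080"),
    Rule("user", "any", "svc-https", "dst-nat 8081"),
]

# The ordering suggested in the reply: ISE host first, then the captive
# portal redirects, then DHCP and DNS; everything else hits the implicit deny.
FIXED = [
    Rule("any", ISE_HOST, "tcp 8443", "permit"),
    Rule("user", "controller", "svc-https", "dst-nat 8081"),
    Rule("user", "any", "svc-http", "dst-nat 8080"),
    Rule("user", "any", "svc-https", "dst-nat 8081"),
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("any", "any", "svc-dns", "permit"),
]

if __name__ == "__main__":
    flows = [("203.0.113.5", "tcp", 80), ("203.0.113.5", "tcp", 443), (ISE_HOST, "tcp", 8443),
             ("255.255.255.255", "udp", 67), (CONTROLLER_IP, "udp", 53), ("203.0.113.5", "tcp", 22)]
    for name, acl in (("as posted", BROKEN), ("reordered", FIXED)):
        for dst, proto, dport in flows:
            print(f"{name:9} {proto}/{dport:<5} -> {dst:16} {evaluate(acl, dst, proto, dport)}")
```

Running it shows that with the role as posted, HTTP to any site is simply permitted at position 1 (no redirect), while with the reordered list the same flow is dst-nat'ed to 8080 and DHCP/DNS still pass.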

Occasional Contributor I

Re: Why does my user role not trigger portal redirection?

Hi Colin

 

I took a break from this because it was doing my head in.  I wasn't getting anywhere.

What I am trying to do is quite simple.  My customer has a Cisco ISE AAA platform - for the purpose of this discussion, we're doing CWA (Centralised Web Authentication) as part of a Sponsored Guest access.  ISE creates the Guest accounts, and users log into ISE Guest portals via Cisco WLAN solution.  In the all-Cisco world this works easily because this is what I am used to.

Customer wants to incorporate their Aruba controller into the ISE CWA solution.  This means, make the Aruba controller redirect the client to the same ISE Guest Portals.  It's not rocket science.  But Aruba doesn't accept a URL redirect via an ISE Radius Access-Accept, and it also doesn't use CoA to reauthenticate a session.  There are a few documents out there that describe how to do all these things but they invariably use the IAP, and not a controller based solution.  I need the exact steps for a controller based solution.

Currently ISE returns the role to Aruba when MAB auth happens.  The portal profile is defined on the Aruba controller, and it has the static URL definition to point to ISE.  The challenge I am having is that no matter what I feed the controller, it doesn't 'activate' the portal profile to then cause the client to redirect.  I am missing something simple.
