Controllerless Networks

I’ve encountered a problem while integration testing my Captive Portal application with an IAP303HR Access Point. The Captive Portal is a Java Servlet web application. It is deployed on an external server hosted by Heroku. The corresponding External Captive Portal entity defined on the IAP is configured to use Radius Authentication.

 

Guest Users interact with the Captive Portal application and then, if they qualify for Wi-fi access, the Captive Portal client sends an HTTP Post request to securelogin.mydomain.com/cgi-bin/login. A certificate for the domain securelogin.mydomain.com is deployed on the IAP and it is associated with the Captive Portal.

 

Because the URL for the Captive Portal application and the URL for Authentication have two different domains and origins, the browser initiates the Cross-Origin Request Sharing (CORS) protocol on the HTTP POST request for authentication. It includes an ORIGIN header in this request as follows:

 

Origin: https://myherokuappname.herokuapp.com

 

The browser expects an Access-Control-Allow-Origin header in the authentication response from the IAP. This header indicates the second origin, the IAP, accepts the HTTP POST request from the first origin or from any origin. The header might look something like the following:

 

Access-Control-Allow-Origin: “*”     or

Access-Control-Allow-Origin: “myherokuappname.herokuapp.com”  (in my case)

 

But, the response that is returned by the IAP does not include this header and the browser returns an error to the Captive Portal client script (Javascript), as follows:

 

Access to XMLHttpRequest at 'https://securelogin.hmgnapps.com/cgi-bin/login' from origin 'https://my-heroku-app-name.herokuapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

 

By the way, the IAP returns a 200 OK response to the authentication request and the guest user is granted internet access. But, the client script receives an error indication. The following is the HTTP response returned by the IAP:

 

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Pragma: no-cache

Strict-Transport-Security: max-age=604800

Cache-Control: max-age=0, no-store

 

I used both the Chrome browser (Version 79) and the Firefox browser (Version 72) to perform integration testing and they both returned similar error messages. The sofware version of my IAP is 8.5.0.5.

 

It may be possible to work around the error returned by the browser. But, I believe this issue should be resolved within the IAP. I would appreciate any comments or suggestions.

I have not heard of this issue before, and I don't think that you can enable CORS headers on the IAP (at this point, don't know either if that is the solution).

 

Can you share the code that you are using?

What is the purpose of the JavaScript?

 

It looks like you are using the JavaScript to post the credentials, instead of the user to click and have the browser post credentials to the IAP.

Thanks for your reply. The front end of the Captive Portal was developed using the AngularJS framework. The portal application has multiple views. http requests to back-end resources are invoked either by AngularJS or application scripts. Information in http responses is processed by scripts and results in changes to the user interface.

 

I haven't tried invoking authentication using input elements. I prefer not to do it that way for a few reasons. But, perhaps I should test this option in any case and see what happens.

 

The following is the code that invokes the http post for guest user authentication:

 

service.authenticateRequest = function () {
	var credentials = {};
	var postURL = 'https://securelogin.hmgnapps.com/cgi-bin/login';
			
	credentials.user = "guest1";
	credentials.password = "mypassword";
	credentials.cmd = "authenticate";
	
	console.log("sending authentication request");
	
	return $http({
	    method: "POST",
	    url: postURL,
	    data: credentials,
	    transformRequest: function(obj) {
	        var str = [];
	        for(var p in obj)
	        str.push(encodeURIComponent(p) + "=" + encodeURIComponent(obj[p]));
	        return str.join("&"); 
	        },
        transformResponse: function (data, header) {
            var transData = {};
            transData.html = data;
            console.log("Transformed response data: ", transData);
            return transData;
            },
	    headers : {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
	    }).then(function onSuccess(response){
	    		    console.log(response.status);
	    			console.log(response.data);
	    			return(response.status);
	    		}, function onError(error) {
	    			console.log("Unknown Error");
	    			console.log(error);
	    		});
    	
    };

 

Note: I created a case for the problem described in the original post that's been accepted by the Aruba TAC for review. As such, I've closed this discussion point by accepting the response that I received. I'd be interested to hear if anyone else experiences the issue described in this post in the future. Thanks.

@rswillner5411, We have exactly the same problem. the IAP has no OPTIONS method implemented and as result we cannot invoke the POST method from JavaScript. I wish to see it fixed ASAP, but for now, unfortunately​ I should report to my manager that Aruba is not compatible and cannot be integrated with our system. :(

------------------------------
Alexander Shulgin
------------------------------

Original Message:
Sent: Feb 13, 2020 04:39 PM
From: Robert Willner
Subject: Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration

Note: I created a case for the problem described in the original post that's been accepted by the Aruba TAC for review. As such, I've closed this discussion point by accepting the response that I received. I'd be interested to hear if anyone else experiences the issue described in this post in the future. Thanks.