Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mobility controller captive portal issue

  • 1.  Mobility controller captive portal issue

    Posted Jan 01, 2021 07:08 AM
    Mobility controller 7210, version 8.7.1.1-FIPS_78246

    AP 303

    Aruba core switch 3810M: routing is here, gateway for all VLANs

    Aruba 2540 access switches

    2 domain controllers (Windows Server 2016) on VLAN 3

    1 DHCP server on VLAN 3



    VLAN 20 (MM & APs): 192.168.20.0/24, Mobility controller IP address 192.168.20.253

    VLAN 24 (M): 192.168.24.0/24 -> SSID M -> captive portal with LDAP

    VLAN 32 (G): 192.168.32.0/21 -> SSID G -> captive portal with LDAP

    VLAN 40 (T): 192.168.40.0/21 -> SSID T -> captive portal with LDAP

    VLAN 48 (S): 192.168.48.0/21 -> SSID S -> captive portal with LDAP

    The first problem is DHCP issues

    - If a user connected to SSID M obtains an IP address from VLAN 24, and the same user then connects to SSID G, they still obtain an IP from VLAN 24, although they should get an IP from VLAN 32.

    TSHOOT steps
    - If the user connects to a port untagged in VLAN 24 they obtain an IP address from VLAN 24, and if the same user connects to a port untagged in VLAN 32 they obtain an IP from VLAN 32, so the problem is in the wireless network, not in the core switch or the DHCP server.

    - I tried SSID A with PSK and an assigned VLAN, with the same result.

    - Note: the IP helper address is configured under all VLANs on the core switch, like this:

    vlan 24
     ip helper-address 192.168.3.80 255.255.255.0


    The second problem is captive portal issues

    - Note: I do not have a PEFNG license.
    - The captive portal does not appear for all users (laptops and mobile devices).

    TSHOOT steps
    - I deleted all SSIDs (M, G, T) except SSID S, and the captive portal still did not appear. I tried adding interface VLAN 48 on the Mobility controller (192.168.48.253/21) and executed the command "ip cp-redirect-address 192.168.48.253"; then the captive portal opened and authenticated successfully.
    - When I added the SSIDs again, the captive portal did not appear. I tried adding interface VLAN 48 (added before), interface VLAN 24, interface VLAN 32 and interface VLAN 40 on the Mobility controller and executed the command "ip cp-redirect-address <interface VLAN IP>"; each one removes the previous command, so only the last one remains in "show running-config", and the captive portal still does not appear on any SSID.

    Sample configuration on the Mobility controller:

    interface gigabitethernet 0/0/2
       trusted
       trusted vlan 1-4094
       no poe
       switchport mode trunk
       switchport trunk native vlan 20
    !
    vlan 20 description "AP&WC"
    vlan 24 description "M"
    vlan 32 description "G"
    vlan 40 description "T"
    vlan 48 description "S"
    !
    aaa authentication-server ldap "DC01-LDAP"
       host 192.168.3.5
       admin-dn "CN=aruba.auth,OU=SS,OU=All_Users_computer,DC=www,DC=local"
       admin-passwd P@ssw@rd
       allow-cleartext
       base-dn "OU=All_Users_computer,DC=www,DC=local"
       preferred-conn-type clear-text
    !
    aaa authentication-server ldap "DC02-LDAP"
       host 192.168.3.6
       admin-dn "CN=aruba.auth,OU=SS,OU=All_Users_computer,DC=www,DC=local"
       admin-passwd P@ssw@rd
       allow-cleartext
       base-dn "OU=All_Users_computer,DC=www,DC=local"
       preferred-conn-type clear-text
    !
    aaa server-group "Ldap-Servers"
       allow-fail-through
       load-balance
       auth-server DC01-LDAP position 1
       auth-server DC02-LDAP position 2
    !
    aaa authentication captive-portal "Captive Portal"
       server-group "Ldap-Servers"
       guest-logon
       protocol-http
    !
    aaa profile "AAA CP"
       initial-role "Captive Portal"
    !
    wlan virtual-ap "G"
       vlan 32
       ssid-profile "G"
       aaa-profile "AAA CP"
    !
    wlan virtual-ap "M"
       vlan 24
       ssid-profile "M"
       aaa-profile "AAA CP"
    !
    wlan virtual-ap "S"
       vlan 48
       ssid-profile "S"
       aaa-profile "AAA CP"
    !
    wlan virtual-ap "T"
       vlan 40
       ssid-profile "T"
       aaa-profile "AAA CP"
    !
    ap-group "CP"
       virtual-ap "G"
       virtual-ap "M"
       virtual-ap "T"
       virtual-ap "S"




    ------------------------------
    Mahmoud Magdy
    ------------------------------


  • 2.  RE: Mobility controller captive portal issue

    MVP EXPERT
    Posted Jan 02, 2021 09:44 AM
    Hi Mahmoud,

    Can't explain your first issue. Running the command "show user mac ##.##.##.##.##.##" on the CLI can give you some information about the client connection, for example which VLAN and role are assigned. Another thing you could try is to enable DHCP debug logging on your controller at the MD level.

    logging network subcat dhcp level debugging
    show log network all

    On your second issue: have you assigned an IP address on the controller to each VLAN that has to support a captive portal?

    In your AAA profile there is an initial role named "Captive Portal". Did you create this role yourself? It seems like this isn't a default existing role. For custom roles you will need the PEF-NG license, as far as I know. Are other captive-portal users working? What can you tell us about the initial role they have derived?

    Could you maybe share a "show configuration effective" configuration dump as an attachment or as a PM?

    For urgent matters please open an Aruba Support case.



    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------
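Added example, not code from either poster: a small checker that reads an ArubaOS-style configuration excerpt and reports two things the thread turns on: captive-portal SSIDs whose client VLAN has no "interface vlan" IP on the controller (the reply's first question, and what the original poster found made VLAN 48 work), and LDAP servers that allow cleartext binds (present in the posted config). The sample configuration is constructed from the posted one; the "interface vlan 48" block and the block parsing are assumptions, not the controller's own output.

```python
import re

# Constructed sample modelled on the configuration posted in the thread, with a
# hypothetical "interface vlan 48" block added: only VLAN 48 has a controller IP.
SAMPLE_CONFIG = """
aaa authentication-server ldap "DC01-LDAP"
 host 192.168.3.5
 allow-cleartext
 preferred-conn-type clear-text
!
interface vlan 48
 ip address 192.168.48.253 255.255.248.0
!
wlan virtual-ap "G"
 vlan 32
 aaa-profile "AAA CP"
!
wlan virtual-ap "S"
 vlan 48
 aaa-profile "AAA CP"
!
"""


def parse_blocks(text):
    """Split an ArubaOS-style config into (header, sub_lines) blocks ended by '!'."""
    blocks, cur = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "!":
            if cur:
                blocks.append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(line)
    if cur:
        blocks.append((cur[0], cur[1:]))
    return blocks


def audit(text):
    """Return findings: CP SSIDs whose VLAN lacks a controller IP, and cleartext LDAP binds."""
    blocks, vlan_ip, findings = parse_blocks(text), {}, []
    for header, body in blocks:  # first pass: collect controller IPs per VLAN
        if m := re.match(r"interface vlan (\d+)$", header):
            for sub in body:
                if ip := re.match(r"ip address (\S+)", sub):
                    vlan_ip[int(m.group(1))] = ip.group(1)
    for header, body in blocks:  # second pass: check virtual-aps and LDAP servers
        if m := re.match(r'wlan virtual-ap "([^"]+)"', header):
            vlan = next((int(s.split()[1]) for s in body if s.startswith("vlan ")), None)
            if vlan is not None and vlan not in vlan_ip:
                findings.append(f"virtual-ap {m.group(1)}: VLAN {vlan} has no controller IP")
        elif m := re.match(r'aaa authentication-server ldap "([^"]+)"', header):
            if "allow-cleartext" in body or "preferred-conn-type clear-text" in body:
                findings.append(f"ldap {m.group(1)}: cleartext LDAP bind allowed")
    return findings
```

Run it against a "show running-config" dump to list every virtual-ap whose client VLAN the controller cannot address itself, which is the condition the reply asks about.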