Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Captive Portal redirect

  • 1.  Captive Portal redirect

    Posted Jul 21, 2021 06:47 AM

    It's been a while since I have configured a controller, being more focused on Instant for some time.

    I'm in the process of migrating an Instant cluster to a properly controlled AP group and I'm facing some difficulties with Captive Portal redirection - it works perfectly on Instant, it does not work at all on the 'real' controller.

    This old post here gave me a clue:
    Airheads Community

    Having an L3 interface in the guest network for each controller is a major nuisance. In this project I'm going to have several locations with controllers, and the guest network is centralized via GRE tunnels to a datacenter controller. I'm going to use a bunch of addresses, when in reality all I should need is layer-2 connectivity.

    Can someone explain the necessity of this L3 interface? If Instants don't need it, why would the controller? I guess this has something to do with this part of the access list:

      user any svc-http  dst-nat 8080 
      user any svc-https  dst-nat 8081 

    And maybe an internal process in the controller ends up forming the HTTP 302 response to the client. But honestly, why such complication?

    Sorry for the rant...

    Miguel Goncalves

  • 2.  RE: Captive Portal redirect
    Best Answer

    Posted Jul 21, 2021 07:08 AM
    The ip address in a guest network is because the client needs to request the captive portal page from somewhere, and many do not want guests to have access to the actual management ip address of the controller.  

    You mention that you are GRE tunneling back to a single controller.  I am not sure if that is just aspirational or if you have it already configured.  If that is the case, you would only need an ip address on the guest VLAN on that single controller.  If you are enforcing captive portal on the WLAN controllers, you would instead need an ip address on the guest VLAN on those controllers.  You will also need to configure the "ip cp-redirect-address" parameter for each controller to point to the ip address on each controller:  https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=42139

    The ACLs pointing to ports 8080 and 8081 redirect client traffic to the captive portal instance on the controller and are required.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

  • 3.  RE: Captive Portal redirect

    Posted Jul 21, 2021 10:10 AM
    Hi Colin,

    Well, this is a migration from Instants, running IAP-VPN, so the datacenter controllers and GRE Tunnels were already in place. Default gateway for WiFi clients is always a datacenter firewall, whether we're talking about corporate or guest clients.

    Due to some features the customer wants to use we are trying out local controllers in the satellite locations, but the base architecture remains - from the client's perspective the whole Aruba infrastructure provides simple layer-2 connectivity to the default gateway in the datacenter.

    What baffles me is that the Instants provide a much easier way to do this, without weird looking ACLs with destination NAT to custom ports.

    Regarding the "ip cp-redirect-address", I have no such configuration. After creating a L3 interface in the guest vlan a client gets redirected automatically (granted, I tested only with a windows machine, but still, it works). You said I need to configure the "ip cp-redirect-address" to the IP of the controller in the guest vlan, is that it? Shouldn't be an issue in my current scenario, but what if I had multiple guest vlans?

    Ah, I see what it does, it's the address the controller responds with when intercepting DNS responses for securelogin.arubanetworks.com (or some other name you have in the Captive portal certificate). Ok, it makes some sense now.
    But the question about multiple guest networks is still valid. It's not an issue for me, but might happen to someone else.

    Miguel Goncalves
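The following is an added example, not code from either poster and not Aruba's implementation. It is a simplified model that ties together the three pieces discussed in posts 2 and 3: the unauthenticated-guest ACL that dst-nats HTTP/HTTPS to the controller's captive portal listener (ports 8080/8081 as in the ACL lines quoted in post 1), the listener answering with an HTTP 302 to the portal hostname, and the DNS interception that answers queries for securelogin.arubanetworks.com with the "ip cp-redirect-address". The guest VLAN, client and controller addresses, the login path and the rule that a missing L3 address makes the dst-nat unusable are all constructed assumptions of the model, chosen to make visible why the redirect needs an address the guest client can reach at layer 2.

```python
"""Simplified model of controller-side captive portal redirection (added example).

Not Aruba code. Three pieces from the thread are modelled:
  1. the unauthenticated-guest ACL: HTTP/HTTPS is dst-nat'ed to the controller's
     captive portal listener (svc-http -> 8080, svc-https -> 8081);
  2. that listener answers every request with an HTTP 302 to the portal hostname;
  3. DNS for the portal hostname is intercepted and answered with the controller's
     address in the guest VLAN ("ip cp-redirect-address").
All addresses and the login path below are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

CP_HOSTNAME = "securelogin.arubanetworks.com"   # name in the CP certificate (from the thread)
CP_PORTS = {80: 8080, 443: 8081}                 # svc-http -> 8080, svc-https -> 8081

# Constructed lab values (RFC 5737 documentation ranges).
GUEST_VLAN = IPv4Network("192.0.2.0/24")
GUEST_CLIENT = IPv4Address("192.0.2.50")
CONTROLLER_GUEST_IP = IPv4Address("192.0.2.1")   # the controller's L3 interface in the guest VLAN
UPSTREAM_PORTAL_IP = IPv4Address("203.0.113.10")  # constructed public answer for the portal name


@dataclass
class GuestController:
    guest_vlan: IPv4Network
    # The controller's own address in the guest VLAN; None models "no L3 interface".
    cp_redirect_address: Optional[IPv4Address] = None
    authenticated: set = field(default_factory=set)

    def acl(self, client_ip: IPv4Address, dst_port: int):
        """Role ACL: authenticated -> permit; guest http/https -> dst-nat; anything else -> deny."""
        if client_ip in self.authenticated:
            return "permit", None
        if dst_port in CP_PORTS:
            if self.cp_redirect_address is None:
                # Modelling assumption: dst-nat needs a controller address the client
                # can reach in its own VLAN; with none configured the rule has no target.
                return "deny", None
            return "dst-nat", (self.cp_redirect_address, CP_PORTS[dst_port])
        return "deny", None

    def dns_answer(self, qname: str, upstream: IPv4Address) -> IPv4Address:
        """DNS interception: the portal name resolves to the cp-redirect-address."""
        if qname == CP_HOSTNAME and self.cp_redirect_address is not None:
            return self.cp_redirect_address
        return upstream

    def portal_listener(self, original_url: str):
        """The CP instance behind 8080/8081 answers with a 302 to the portal hostname."""
        return 302, f"https://{CP_HOSTNAME}/login?url={original_url}"  # path is an assumption

    def client_http(self, client_ip: IPv4Address, original_url: str, dst_port: int = 80) -> dict:
        """One client request, from ACL decision to the address the browser ends up using."""
        action, target = self.acl(client_ip, dst_port)
        if action == "permit":
            return {"result": "forwarded", "url": original_url}
        if action == "deny":
            return {"result": "dropped"}
        status, location = self.portal_listener(original_url)
        # The browser now resolves the Location hostname; the intercepted answer must be
        # an address reachable at layer 2 from the guest VLAN, or the portal never loads.
        portal_ip = self.dns_answer(CP_HOSTNAME, upstream=UPSTREAM_PORTAL_IP)
        reachable = portal_ip in self.guest_vlan
        return {
            "result": "redirected" if reachable else "redirect-unreachable",
            "status": status,
            "location": location,
            "portal_ip": str(portal_ip),
            "dst_nat": (str(target[0]), target[1]),
        }


def run_case(has_l3_interface: bool, dst_port: int = 80, authenticated: bool = False) -> dict:
    """Build a controller with or without a guest-VLAN address and send one guest request."""
    ctrl = GuestController(GUEST_VLAN, CONTROLLER_GUEST_IP if has_l3_interface else None)
    if authenticated:
        ctrl.authenticated.add(GUEST_CLIENT)
    return ctrl.client_http(GUEST_CLIENT, "http://example.com/", dst_port)


if __name__ == "__main__":
    print("no L3 interface :", run_case(False))
    print("with L3 interface:", run_case(True))
    print("https request    :", run_case(True, dst_port=443))
    print("after login      :", run_case(True, authenticated=True))
```

The model answers the question in post 3 about multiple guest VLANs only indirectly: each `GuestController` carries a single `cp_redirect_address`, so a second guest VLAN would need its own reachable address for the intercepted DNS answer to land inside that VLAN, which is exactly the per-VLAN address cost the first post complains about.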