Controllerless Networks

last person joined: yesterday 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

IAP-115 External captive portal

Jump to Best Answer
  • 1.  IAP-115 External captive portal

    Posted Jun 25, 2015 09:55 AM

    Hi,


    I am using the internal captive portal provided by the iap (no controller here only virtual one) at the moment. I works ok but the lack of customization made me want to have an external one.

    I noticed that the iap contact google ip through 216.58.192.0/19 or 173.194.0.0/16
    exemple or reached page : 216.58.211.78/generate_204
    Is it possible to configure the IAP so that it goes to the external http page directly.

    I don't know where the problem comes from but I can only display html page with the captive portal, any php cause the page to be blank or even unreachable.

    Is it at all possible to use php? Or do I have to use html and a radius server on the side? I wanted to use pfsense captive portal, but since I can't manage to display a single php page on an completely different host I wonder if it is even possible.
    Is there anywhere in the doc an explicit answer to what the html page should return to the iap and how?

    Thanks for the reading.



  • 2.  RE: IAP-115 External captive portal

    Posted Jun 25, 2015 10:02 AM
    Hi,

    What kind of captive portal experience are you trying to provide? Is it a simple "Click to agree to terms and conditions and then get online" or something more complex such as register for a free username and password and then login with it?

    Thanks,

    Yan Liu


  • 3.  RE: IAP-115 External captive portal

    Posted Jun 25, 2015 10:09 AM

    Hi,

     

    I would like something pretty simple with therms and conditions with a voucher or login/password.

    I don't mind putting up a radius server on the side for authentication.

    What the pfsense captive portal offers would be great.

     

     

    We don't use the guest portal very often, maybe 3-5 times a week. But it still bothers me to have a very minimalistic designed page.



  • 4.  RE: IAP-115 External captive portal
    Best Answer

    Posted Jun 30, 2015 03:30 PM


  • 5.  RE: IAP-115 External captive portal

    Posted Jul 01, 2015 12:02 PM

    Thansk, It helps a little.

    I manage to see the page but It still don't work after validation of the form.

     

    I have this error at the http://securelogin.arubanetworks.com/cgi-bin/login url.

    <html><pre>Error in invocation. Error string - Internal error 001, please contact support</pre></html>

     

    I tried changing the url by the VIP of the iaps but it didn't work. I also added the master ip in the host to securelogin.arubanetworks.com

     

    I also changed the hidden input values from the value in the url like that :

    http://<portal-ip>/index.php?cmd=login&mac=<mac>&essid=guest%20test&ip=192.168.3.103&apname=<ap>&vcname=<name>&switchip=securelogin.arubanetworks.com&url=<url>

    But with no success yet.

     

    Edit:

    My bad... I didn't configure enough access rule for it to work, but the basic html page v8 in the thread http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Captive-portal-on-IAP-without-using-Clearpass/td-p/79362 works !

     



  • 6.  RE: IAP-115 External captive portal

    Posted Jul 29, 2015 07:59 PM

    Do you mind posting your final code?

    I am stuck at the same place. Same error.

     

    Trying to just force acknowledgement before accessing Guest network.

     

    <p>
    <form method=POST action="http://<IAP VC IP ADDRESS>/cgi-bin/login">
    <span class="bodytext">
    <input name=cmd value="authenticate" type="hidden">
    <input name=mac value="" type="hidden">
    <input name=ip value="" type="hidden">
    <input name=essid value="" type="hidden">
    <input name=url value="http://www.arubanetworks.com" type="hidden">
    <input type="submit" name="Login" value=" I Agree" class="button" />
    </span>
    </form>
    </p>

     

    Thanks.



  • 7.  RE: IAP-115 External captive portal

    Posted Jul 29, 2015 08:35 PM
    Can you post your config from CLI?


  • 8.  RE: IAP-115 External captive portal

    Posted Jul 29, 2015 08:51 PM


    18:64:72:c7:a2:e0# sh captive-portal

    :Captive Portal Configuration
    Background Color:13421772
    Banner Color :13369344
    Decoded Texts :
    Banner Text :Welcome to the Guest Network
    Use Policy :Please read terms and conditions before using Guest Network
    Terms of Use :This network is not secure, and use is at your own risk
    Internal Captive Portal Redirect URL:http://www.school.org/
    Captive Portal Mode:Acknowledged
    Custom Logo :
    :External Captive Portal Configuration
    Server:localhost
    Port :80
    URL :/
    Authentication Text:Authenticated
    External Captive Portal Redirect URL:
    Server Fail Through:No
    Auto White List :Disable
    18:64:72:c7:a2:e0#



  • 9.  RE: IAP-115 External captive portal

    Posted Jul 29, 2015 08:55 PM

    Your captive portal should look like this:

    wlan external-captive-portal CPPM_GUEST-CP-PROFILE
    server 192.168.1.100
    port 443
    url "/guest/guest_registration_page.php"
    auth-text ""
    https

     

    Follow the steps in this video:

    https://www.youtube.com/watch?t=32&v=JJXyLWtfQRo

     



  • 10.  RE: IAP-115 External captive portal

    Posted Jul 29, 2015 09:19 PM

    Found it:

     

    wlan ssid-profile Guest
    enable
    index 3
    type guest
    essid Guest
    opmode opensystem
    max-authentication-failures 0
    vlan 67-69
    rf-band all

     

    wlan external-captive-portal "Captive Portal"
    server 192.168.20.151
    port 8060
    url "/"
    auth-text "Welcome to the Guest Network"
    auto-whitelist-disable
    captive-portal external profile "Captive Portal"
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter all
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 30
    max-clients-threshold 64



  • 11.  RE: IAP-115 External captive portal

    Posted Jul 29, 2015 09:50 PM

    This example is using Guest with Mac Auth and you can configure Mac caching using the ClearPass templates 

     

    Captive Portal Profile:

    wlan external-captive-portal CPPM_GUEST-CP-PROFILE
    server <ClearPass IP or DNS Name>
    port 443
    url "/guest/guest_registration_page.php"
    auth-text ""
    https

     

    Roles:

    wlan access-rule GUEST-ROLE
    index 9
    rule any any match udp 53 53 permit
    rule any any match udp 67 68 permit
    rule any any match tcp 80 80 permit
    rule any any match tcp 443 443 permit

     

    wlan access-rule GUEST-CP-ROLE
    index 16
    captive-portal external profile CPPM_GUEST-CP-PROFILE
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

     

    SSID Profile

    wlan ssid-profile <ssid-name/profile>
    disable
    index 2
    type guest
    essid iap_cppm_guest_ssid
    opmode opensystem
    max-authentication-failures 0
    vlan 101
    auth-server <CPPM-SERVER>
    set-role-pre-auth GUEST-CP-ROLE
    set-role-mac-auth GUEST-ROLE
    rf-band all
    captive-portal external profile CPPM_GUEST-CP-PROFILE
    mac-authentication
    mac-authentication-delimiter :
    hide-ssid
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter arp
    radius-accounting
    radius-interim-accounting-interval 15
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

     

    Whitelist ClearPass servers:

    lan walled-garden
    white-list "<ClearPass server IP"