Wireless Access

last person joined: 7 minutes ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

PSK then Captive Portal

This thread has been viewed 4 times
  • 1.  PSK then Captive Portal

    Posted Dec 05, 2017 10:29 PM

    I am attempting to configure a guest wireless so that users must provide a PSK and once they have done so they are forced to Captive Portal.


    I have seen discussions in which people have supposedly made this happen but the details on how they accomplished this task were scarce.


    Any help would be greatly appreciated.


    My environment:

    APs: Controller mode

    ClearPass: No

    Mobility Controller v:

  • 2.  RE: PSK then Captive Portal

    Posted Dec 05, 2017 11:06 PM
    Set the initial role in your AAA profile to your captive portal role. Set the 802.1X profile to default-psk.

  • 3.  RE: PSK then Captive Portal

    Posted Dec 06, 2017 12:57 AM



    Thanks for the reply!  So is there something unique about the default-psk?


    I have a wap2-psk-aes enabled in my ssid profile.  When I provide that I am granted the initial role (which contains a captive portal configuration) but the captive portal never comes up.  If I set the encryption setting to none/open, then captive portal comes up.

  • 4.  RE: PSK then Captive Portal

    Posted Dec 06, 2017 03:02 AM

    Check what role the user is in when it is connected to the PSK network and does not get to the captive portal. If it is the same role (with the captive-portal rules, and the captive portal profile assigned) as on the open network, and the user is in the same VLAN, it should work.


    One thing I noticed is that Windows 10 got an update early this year that broke captive portal on PSK networks. Not sure what the status is today, but it may make sense to test with another device than Windows 10.

  • 5.  RE: PSK then Captive Portal

    Posted Dec 06, 2017 11:15 AM
    No, shouldn't matter. I would open a TAC case. That should be working.

  • 6.  RE: PSK then Captive Portal

    Posted Dec 06, 2017 12:24 PM


    I figured it out.  My error.  I was using the incorrect ACLs that captures and NAT's the web traffic to the captive portal interface.


    So, for others trying to do this, in the initial role of your aaa profile it needs to have the following ACLs.  Obiously the net objects may be different but you need to capture the 80 and 443 traffic and NAT it to the controller.

    1         any     any          svc-dns                       permit                                 Low                                                           4    
    2         any     any          svc-dhcp                      permit                                 Low                                                           4    
    3         user    any          udp 68                        deny                                   Low                                                           4    
    4         any     any          svc-icmp                      permit                                 Low                                                           4    
    5         any     any          svc-natt                      permit                                 Low                                                           4    
    6         user    any          svc-http                      dst-nat 8080                           Low                                                           4    
    7         user    any          svc-https                     dst-nat 8081                           Low                                                           4    
    8         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4    
    9         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4    
    10        user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4