Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

iAP no captive portal pop-up and authentication text question

  • 1.  iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:11 AM

    Dear Airheads,

     

    i am trying to setup a guest wifi with external captive portal page.

     

    I have setup a website , which is available in the same vlan like the guest will be assiged. There is one page where the user need to accept the terms and then get redirected to a second page, where the authentication text is in the html body.

     

    The first issue is, that the captive portal page does not pop up, when connecting to the wifi, but i can access the page with the normal webbrowser.

     

    The second issue is, that the authentication text does not seem to work.

    The role does not change after the user gets redirected to the second page, where the authentication text is integrated. The authentication text is inside a hidden input:

     

    <div class="MainLoginSuccess">
    <label>Ihr Log-In war erfolgreich.</label><br /><br />
    <label><i>Your Log-In was successful.</i></label>
    </div>

    I have added some images of the configuration.

     

    I hope someone can help me.



  • 2.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:16 AM

    Is your client assigned a valid and working DNS server? The VC will not be able to re-direct to a Captive Portal if DNS is not working for the client. Also, have you replaced the default Captive Portal certificate on the VC?



  • 3.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:20 AM

    Hi,

     

    thanks for your reply.

     

    the dns server should be correct assigned. It's the same we are using for a password protected wifi in the same vlan.

     

    Where should i replace the certificate? And which certificate should i use? The captive portal website is only accessable through http.



  • 4.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:25 AM
    I'd still double check your client can perform DNS. It might be more
    restrictive on your guest network due to ACL's.

    You can take a look at the cert info here.

    https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814


  • 5.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:42 AM
      |   view attached

    I have checked the DNS and added the DNS access in the pre-authentication role.

     

    When i am using nslookup, the names are resolved correctly, but still no pop-up.

     

    When i am using the access point internal captive portal page, the pop up works.



  • 6.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:50 AM

    Have you enabled automatic whitelisting? What is the URL that is presented in the browser? Is this showing as correct?

     

    show datapath session | include [CLIENT IP]

    Confirm in the first case the client can reach the captive portal via the vlan.



  • 7.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 07:07 AM

    The user can reach the captive portal, by typing it manually into the webbrowser.

     

    http://192.168.16.215/Login.html

     

    This is the result of the command:

     

    show datapath session | include 192.168.16.191
    192.168.16.1 192.168.16.191 17 53 53984 0 0 0 0 dev17 17 1 43 FI
    192.168.16.191 224.0.0.251 17 5353 5353 0 0 0 0 dev17 17 3 ba FDC
    192.168.16.191 192.168.16.1 17 50207 53 0 0 0 0 dev17 1d 2 86 FCI
    192.168.16.191 224.0.0.252 17 62456 5355 0 0 0 0 dev17 17 1 38 FDC
    192.168.16.1 192.168.16.191 17 53 64774 0 0 0 1 dev17 3f 0 0 FI
    192.168.16.1 192.168.16.191 17 53 65319 0 0 0 1 dev17 3e 0 0 FI
    192.168.16.191 192.168.16.1 17 63627 53 0 0 0 1 dev17 68 0 0 FCI
    192.168.16.191 192.168.16.255 17 137 137 0 0 0 0 dev17 17 2 9c FDC
    192.168.16.1 192.168.16.191 17 53 63627 0 0 0 1 dev17 68 0 0 FI
    192.168.16.191 104.107.216.169 6 58469 80 0 0 0 0 dev17 36 6 22f FSNC
    192.168.16.191 104.81.34.215 6 58467 443 0 0 0 1 dev17 3f 0 0 FSNC
    192.168.16.191 104.107.216.169 6 58470 80 0 0 0 0 dev17 1d 4 1df FSNC
    192.168.16.191 104.107.216.169 6 58471 80 0 0 0 0 dev17 4 3 1b7 SNC
    192.168.16.191 104.107.216.169 6 58464 80 0 0 0 1 dev17 81 0 0 FSNC
    192.168.16.191 104.81.34.215 6 58468 443 0 0 0 1 dev17 3e 1 28 FSNC
    192.168.16.191 192.168.16.1 17 64774 53 0 0 0 1 dev17 3f 0 0 FCI
    192.168.16.191 104.107.216.169 6 58465 80 0 0 0 1 dev17 68 2 50 FSNC
    192.168.16.191 104.107.216.169 6 58466 80 0 0 0 1 dev17 4f 3 78 FSNC
    192.168.16.1 192.168.16.191 17 53 65457 0 0 0 1 dev17 4f 0 0 FI
    192.168.16.191 192.168.16.1 17 51452 53 0 0 0 1 dev17 4e 0 0 FCI
    192.168.16.191 192.168.16.1 17 65457 53 0 0 0 1 dev17 4f 0 0 FCI
    192.168.16.1 192.168.16.191 17 53 51452 0 0 0 1 dev17 4e 0 0 FI
    192.168.16.191 192.168.16.1 17 53984 53 0 0 0 0 dev17 17 1 43 FCI
    192.168.16.191 224.0.0.252 17 65288 5355 0 0 0 0 dev17 17 1 38 FDC
    192.168.16.191 192.168.16.1 17 65319 53 0 0 0 0 dev17 3e 0 0 FCI
    192.168.16.1 192.168.16.191 17 53 50207 0 0 0 0 dev17



  • 8.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 07:22 AM

    Somehow my answere gets deleted...

     

    The captive portal is available through the webbrowser:

     

    http://192.168.16.215/Login.html

     

    The output of the command is:

    show datapath session | include 192.168.16.191
    192.168.16.1 192.168.16.191 17 53 53984 0 0 0 0 dev17 17 1 43 FI
    192.168.16.191 224.0.0.251 17 5353 5353 0 0 0 0 dev17 17 3 ba FDC
    192.168.16.191 192.168.16.1 17 50207 53 0 0 0 0 dev17 1d 2 86 FCI
    192.168.16.191 224.0.0.252 17 62456 5355 0 0 0 0 dev17 17 1 38 FDC
    192.168.16.1 192.168.16.191 17 53 64774 0 0 0 1 dev17 3f 0 0 FI
    192.168.16.1 192.168.16.191 17 53 65319 0 0 0 1 dev17 3e 0 0 FI
    192.168.16.191 192.168.16.1 17 63627 53 0 0 0 1 dev17 68 0 0 FCI
    192.168.16.191 192.168.16.255 17 137 137 0 0 0 0 dev17 17 2 9c FDC
    192.168.16.1 192.168.16.191 17 53 63627 0 0 0 1 dev17 68 0 0 FI
    192.168.16.191 104.107.216.169 6 58469 80 0 0 0 0 dev17 36 6 22f FSNC
    192.168.16.191 104.81.34.215 6 58467 443 0 0 0 1 dev17 3f 0 0 FSNC
    192.168.16.191 104.107.216.169 6 58470 80 0 0 0 0 dev17 1d 4 1df FSNC
    192.168.16.191 104.107.216.169 6 58471 80 0 0 0 0 dev17 4 3 1b7 SNC
    192.168.16.191 104.107.216.169 6 58464 80 0 0 0 1 dev17 81 0 0 FSNC
    192.168.16.191 104.81.34.215 6 58468 443 0 0 0 1 dev17 3e 1 28 FSNC
    192.168.16.191 192.168.16.1 17 64774 53 0 0 0 1 dev17 3f 0 0 FCI
    192.168.16.191 104.107.216.169 6 58465 80 0 0 0 1 dev17 68 2 50 FSNC
    192.168.16.191 104.107.216.169 6 58466 80 0 0 0 1 dev17 4f 3 78 FSNC
    192.168.16.1 192.168.16.191 17 53 65457 0 0 0 1 dev17 4f 0 0 FI
    192.168.16.191 192.168.16.1 17 51452 53 0 0 0 1 dev17 4e 0 0 FCI
    192.168.16.191 192.168.16.1 17 65457 53 0 0 0 1 dev17 4f 0 0 FCI
    192.168.16.1 192.168.16.191 17 53 51452 0 0 0 1 dev17 4e 0 0 FI
    192.168.16.191 192.168.16.1 17 53984 53 0 0 0 0 dev17 17 1 43 FCI
    192.168.16.191 224.0.0.252 17 65288 5355 0 0 0 0 dev17 17 1 38 FDC
    192.168.16.191 192.168.16.1 17 65319 53 0 0 0 0 dev17 3e 0 0 FCI
    192.168.16.1 192.168.16.191 17 53 50207 0 0 0 0 dev17


  • 9.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 07:45 AM

    Hi,

     

    When using 'Authentication Text' method, please refer to the template I posted:

    https://community.arubanetworks.com/t5/Controllerless-Networks/Using-external-captive-portal-with-authentication-text/m-p/457350#M21740

     

    I've created an external captive portal template. (ref: InstantCPv8.1-NoCSS-AuthText-Error.zip)

     

    When you click on accept, it calls the HTML GET which fetches the login.html page which contains a comment, the authenticated text string: Authenticated.

     

    This method works using HTTP as the IAP needs to parse HTML code to looks for the authentication text in HTML comment.

     

    Paul Gallant, ing.
    CWNA, CWSP, ACCA, ACSA, ACEAP, ACMX #377, ACDX #380



  • 10.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 08:27 AM

    Hi,

     

    i am using your template right now, but it is still the same. The user role does not change from the pre-authentication to the post-authentication role.

     

    Is it maybe a firmware issue? I have currently the version 8.3.0.3 installed.

     

     

     



  • 11.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 08:58 AM

    EXAMPLE OF CONFIGURATION, 4 STEPS CAPTIVE PORTAL:

    1.
    wlan auth-server RADIUS_CP
    ip XX.XX.XX.XX
    port 1812
    acctport 1813
    key ******
    nas-ip 172.26.x.x
    nas-id *****
    drp-ip 172.26.x.x 255.255.255.0 vlan XX gateway 172.26.x.1 //optional drp-ip (DINAMIC RADIUS PROXY)//

     

    2.
    wlan captive-portal
    background-color 16777215
    banner-color 16777215
    banner-text "Bienvenido a HPE_LAB"
    terms-of-use "El usuario se compromete a usar el servicio de acceso WiFi de forma diligente y correcta y se compromete a no utilizarlo para actividades contrarias a la ley."
    use-policy "Marque I agree si acepta las condiciones de uso"
    authenticated

    3.
    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https

    4.
    wlan external-captive-portal ILFW
    server xxxxxxx.telefonica.es
    port 443
    url "/login.php?nasid=XXXXXX&platform=aruba"
    auth-text ""
    auto-whitelist-disable

    https

     

    ___________________________________________________________

    EXAMPLE OF CONFIGURATION wlan external OTHER CAPTIVE PORTALS ONLY

    wlan external-captive-portal ONDEGO_CP
    server x.x.x.x
    port 443
    url "/login.php/?platform=aruba"
    auth-text ""
    auto-whitelist-disable
    https

    wlan external-captive-portal PURPLE_CP
    server purpleportal.net
    port 80
    url "/access/?iapmac=<MACiAP>"
    auth-text ""
    redirect-url "https://purpleportal.net/login"
    auto-whitelist-disable

    wlan external-captive-portal Linkyfi_CP
    server linkyfi.com
    port 443
    url "/linkyfi.com/portal"
    auth-text ""
    redirect-url "https://linkyfi.com/portal"
    auto-whitelist-disable
    https
    ___________________________________________________________

     

     



  • 12.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 09:03 AM
    5.
    wlan ssid-profile IAP_Inv
    enable
    type guest
    essid IAP_Inv
    opmode opensystem
    max-authentication-failures 0
    vlan XX
    auth-server RADIUS_CP
    set-role-pre-auth Pre-auth
    captive-portal external profile ILFW
    broadcast-filter arp
    radius-accounting
    radius-interim-accounting-interval 5
    content-filtering


  • 13.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 09:06 AM

    @JC_HPE

     

    Your answeres do not help me to find the solution.



  • 14.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 09:28 AM

    I have testet the radius authentication. That is working. Pop up appears and the authentication works.

     

    It is a workaround but not an optimal solution.

     



  • 15.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 14, 2019 04:36 AM


  • 16.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 09:03 AM

    Note: Authentication text method does not make use of RADIUS.

     

    Paul Gallant, ing.