Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Guest Voucher Access / and the need of PEF-NG or not

  • 1.  Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:03 AM

    Hi,

    I'm freaking out: got some controller without PEF-NG and have to solve guest voucher access. Guest access was added via the WLAN wizard pointing to internal_db. While PEF-NG isn't installed here, I got the guest-login/guest role, but those are just empty. The wizard generated its own guest-profile, and I wonder how to solve "initial role" and "authenticated" role access.

    Any quick ideas? I always wonder if guest voucher without PEF-NG is the best way. Don't think so.

     

    Regards



  • 2.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:17 AM

    Without PEF-NG you will not have those options to configure the guest roles.  Guests will get on your network and function just fine, but you cannot, without the PEF-NG license, restrict where they can send their traffic.

     

    Using the Wizard is the best way to setup this WLAN, instead of doing it from scratch.



  • 3.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:20 AM

    To put it in a nutshell (thx cjoseph) hehe, am I able to use CP without PEFNG or not?

    I created this guest WLAN with the wizard. Some guest-role had been created containing approx. 14 policies (http/s, dns, and so on), but the guest-logon/guest roles are just empty and don't contain any policies. Well, it's clear, 'cause PEF-NG is missing.

    The customer's goal is to have CP with voucher and first "logon cp page" and the guest-authenticated.

    Possible without PEFNG, right?

    Regards



  • 4.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:22 AM

    Yes you can, with the Wizard, without PEF-NG.

     

    Do not look at the roles or the contents of them, because nothing is being enforced beyond forcing the client to a http(s) page to login without the PEF-NG license.



  • 5.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:31 AM

    So without PEFNG, what's the "logon role": guest-logon, or this 14-policy wizard-created guest-role?

    What about the "captive portal authentication profile"? There's "initial role" and "default guest role". What should be set there?

    Hope you are right that CP is working. Will now create some fresh guest-wizard VAP, hope it's finally working then.

    Regards



  • 6.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:33 AM

    Once I had "role VLAN ID" to be set on the guest-logon, but this is all useless.. So you are sure not to do any changes in the "guest logon" nor "guest" role? Only this 11-policy guest-role created by the wizard?

    Sorry, normally I have PEFNG and not some "naked" controller like this ;(



  • 7.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:35 AM

    Checking the captive portal auth profile, saying also here:

    Captive Portal Authentication Profile > gast-test-cp_prof

    Default Role: guest-login

    Default Guest Role: guest

     

     



  • 8.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:36 AM

    You should not have to change anything, it will just work, but you will not be able to add/remove any acls to any of the roles.



  • 9.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:39 AM

    OK, I'm using some firewall in front of the controller to NAT. DNS seems to work; I wonder that securelogin.arubanetworks doesn't come up. Any hint to troubleshoot, how the client gets this redirect information?

    Shouldn't there be some "logon" role and then, after authenticated, some guest-role, or?

    I don't like naked controllers...



  • 10.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:42 AM

    Are you using Firefox with OCSP turned on to test?  Please try turning it off to see if that is the issue.  Do a "show datapath session table <ip address of client>" to see what they are requesting.



  • 11.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:48 AM

    Once I wondered about having, on the controller's port, some AAA profile instead of N/A. Is there still a need to have an AAA profile active on the PORT itself? I experienced this once at some customer facing this problem.

    Using FF 8.x/9.x, yes, OCSP is active. Turning it off now, let's see.

     

     



  • 12.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 11:43 AM

    Well, let's call Mulder and Scully. I wonder why it's working now after just deleting the whole crap and re-wizard'ing; now it's working the magic way. Don't know why.

    I'm just confused (well, we rebooted the MC3200 also)..

    Regards



  • 13.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 10:58 AM

    I got the same error once

     

    Go to "L3 Authentication" > "Captive portal auth profile" > "Your CP profile"

     

    Once there, make sure that the field "Login Page" is pointing towards "/upload/custom/YOURSSID-captiveportal-profile/index.html"

     

    For some reason, whenever I changed anything in my WLAN a part of that field got erased.

     



  • 14.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 11:04 AM

    The field is actually pointing here:

    /auth/index.html

    So I should change it to this?

    /upload/custom/<name of cp-profile>/index.html

    In this case I would use the name of the cp-profile:

    Captive Portal Authentication Profile > <name....>

    What about "guest login", should this be checked? Never activated this, and it works on other controllers with PEFNG...

     



  • 15.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 28, 2011 11:43 AM

    Yes, once you change that you should be able to use the captive portal (customization and so on) in the same way as you would with the pef license.

     

    In regards to guest login, you should only check it if you want a "pass through" captive portal.

    This is what the config guide says about it:

    Guest Login: Enables Captive Portal logon without authentication.
    Default: disabled



  • 16.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 29, 2011 09:45 AM

    Next question: this little popup for "logout" after authentication via CP is coming, but saying error 404, pointing to some other VLAN's IP address of the controller. Therefore this can't be reached. How to solve this? Never had this; only the logout control doesn't come up, then it had to be added in the ACLs (known issue...). This time it's something else.

    Anyone experienced this? Guest voucher access is some separated network; normally the popup should be loaded from the guest network.

    Another question: without PEFNG, some authentication as guest-provisioning user should be possible with RADIUS auth, or? 'Cause here some "set role" is used, and while roles are PEFNG stuff.. hm...

    Regards



  • 17.  RE: Guest Voucher Access / and the need of PEF-NG or not

    Posted Dec 29, 2011 09:48 AM

    The ip cp-redirect command should determine the IP interface of the controller that is pointed to by the "securelogon.....".  Type "show ip cp-redirect-address" to find out what interface that is.  To change it to the right one:

     

    config t

    ip cp-redirect-address <ip address of controller on guest interface>

     

    Not sure about guest provisioning without the PEF-NG license.  Please search for the section entitled "Captive Portal in the Base ArubaOS" in the ArubaOS user guide for more details.