I'm freakin out, got some controller without PEF-NG and have to solve guest voucher access, guest access added via WLAN wizard pointing to internal_db. While PEF-NG isn't installed here I got the guest-login/guest role, but those are just empty, the wizard generated some own guest-profile and I wonder how to solve "initial role" and "authenticated" role access.
Any quick ideas? I always wonder if guest voucher without PEF NG is the best way. Don't think so.
Without PEF-NG you will not have those options to configure the guest roles. Guests will get on your network and function just fine, but you cannot, without the PEF-NG license, restrict where they can send their traffic.
Using the Wizard is the best way to set up this WLAN, instead of doing it from scratch.
To put it in a nutshell (thx cjoseph) hehe, am I able to use CP without PEFNG or not?
I created this guest WLAN with the wizard. Some guest-role had been created containing approx. 14 policies (http/s, dns, and so on) but the guest-logon/guest role are just empty, don't contain any policies. Well, it's clear, 'cause PEF-NG is missing.
Customer's goal is to have CP with voucher and first "logon cp page" and the guest-authenticated.
Possible without PEFNG, right?
Yes you can, with the Wizard, without PEF-NG.
Do not look at the roles or the contents of them, because nothing is being enforced beyond forcing the client to a http(s) page to login without the PEF-NG license.
So without PEFNG, what's the "logon role", guest-logon, or this 14-policy-containing wizard-created guest-role?
What about "captive portal authentication profile", there's "initial role" and "default guest role". What should be set there?
Hope you are right that CP is working, will now create some fresh guest-wizard VAP, hope it's working then finally.
Once I had "role VLAN ID" to be set on the guest-logon, but this is all useless... So you are sure not to do any changes in "guest logon" nor "guest" role? Only this 11-policy-containing guest-role created by wizard.
Sorry, normally I have PEFNG and not some "naked" controller like this ;(
Checking the captive portal auth profile, saying also here:
Captive Portal Authentication Profile > gast-test-cp_prof Default Role: guest-login
Default Guest Role : guest
You should not have to change anything, it will just work, but you will not be able to add/remove any acls to any of the roles.
OK, I'm using some firewall in front of the controller to NAT, DNS seems to work, I wonder that securelogin.arubanetworks doesn't come up. Any hint to troubleshoot, how the client gets this redirect information?
Shouldn't there be some "logon" role and then after authenticated some guest-role, or?
I don't like naked controllers...
Are you using Firefox with OCSP turned on to test? Please try turning it off to see if that is the issue. Do a "show datapath session table <ip address of client>" to see what they are requesting.
Once I wondered about having on the controller's port instead of N/A some AAA profile? Is there still a need of having an AAA profile active on the PORT itself? I experienced this once at some customer facing this problem.
Using FF 8.x/9.x, yes OCSP is active, turning off now, let's see.
Well, let's call Mulder and Scully, I wonder why it's working now after just deleting the whole crap and re-wizard'ing, now it's working the magic way. Don't know why.
I'm just confused (well, we rebooted the mc3200 also)...
I got the same error once
Go to "L3 Authentication" > "Captive portal auth profile" > "Your CP profile"
Once there, make sure that the field "Login Page" is pointing towards "/upload/custom/YOURSSID-captiveportal-profile/index.html"
For some reason, whenever I changed anything in my WLAN a part of that field got erased.
The field is actually pointing here:
So I should change to this?:
/upload/custom/<name of cp-profile>/index.html
In this case I would use the name of the cp-profile:
Captive Portal Authentication Profile > <name....>
What about "guest login", should this be marked checked? Never activated this and it works on other controllers with PEFNG...
Yes, once you change that you should be able to use the captive portal (customization and so on) in the same way as you would with the pef license.
In regards to guest login, you should only check it if you want a "pass through" captive portal
This is what the config guide says about it:
Guest Login: Enables Captive Portal logon without authentication. Default: disabled
Next question: this little popup for "logout" after authentication via CP is coming, but saying error 404, pointing to some other VLAN's IP address of the controller. Therefore this can't be reached. How to solve this? Never had this, only the logout control doesn't come up, then it had to be added in the ACLs (known issue...). This time it's something else.
Anyone experienced this? Guest voucher access is some separated network, normally the popup should be loaded from the guest network.
Another question: without PEFNG, some authentication as guest-provisioning user should be possible with Radius Auth, or? 'Cause here some "set role" is used, and while roles are PEFNG stuff... hm...
The ip cp-redirect command should determine the IP interface of the controller that is pointed to by the "securelogon.....". Type "show ip cp-redirect-address" to find out what interface that is. To change it to the right one:
ip cp-redirect-address <ip address of controller on guest interface>
Not sure about guest provisioning without the PEF-NG license. Please search for the section entitled " Captive Portal in the Base ArubaOS" in the ArubaOS user guide for more details.