Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AOS 8.10 bridge modes captive portal

  • 1.  AOS 8.10 bridge modes captive portal

    Posted Nov 22, 2023 04:41 AM

    Hello,

    According to 8.7 features Captive Portal Enhancements (arubanetworks.com), an external CP should now be possible with bridged mode campus APs. However, this is not working for my setup (bridged to a tagged VLAN): no CP redirect is happening (DNS lookup works). There is not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate, as this has no external access (DNS).

    Can someone give me the limitations on this?

    Thanks!



  • 2.  RE: AOS 8.10 bridge modes captive portal

    MVP EXPERT
    Posted Nov 22, 2023 04:57 AM

    In the first instance, when the client is placed in the User Role can it manually browse to the Captive Portal or even reach the IP of the Captive Portal from its VLAN?




  • 3.  RE: AOS 8.10 bridge modes captive portal

    Posted Nov 22, 2023 05:02 AM

    Yes, all that is working from the tagged VLAN; DNS lookup also works fine.




  • 4.  RE: AOS 8.10 bridge modes captive portal

    EMPLOYEE
    Posted Nov 22, 2023 09:37 AM

    Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: AOS 8.10 bridge modes captive portal

    Posted Nov 22, 2023 10:55 AM

    The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only foresee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.




  • 6.  RE: AOS 8.10 bridge modes captive portal

    EMPLOYEE
    Posted Nov 22, 2023 11:01 AM

    Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: AOS 8.10 bridge modes captive portal

    Posted Nov 22, 2023 11:09 AM

    It's not a WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a separate internet link that we would use to handle guest HTTP traffic.




  • 8.  RE: AOS 8.10 bridge modes captive portal

    EMPLOYEE
    Posted Nov 22, 2023 11:16 AM

    What is the MTU and underlying transport for the connection between the remote site and controller?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: AOS 8.10 bridge modes captive portal

    Posted Nov 22, 2023 11:49 AM

    MTU is 1518, but I don't think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isn't working. What device should do the redirection? Is it the AP or the controller? The documentation is very lacking on this front.




  • 10.  RE: AOS 8.10 bridge modes captive portal
    Best Answer

    EMPLOYEE
    Posted Nov 22, 2023 12:05 PM

    For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

    Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 11.  RE: AOS 8.10 bridge modes captive portal

    Posted Nov 23, 2023 02:56 AM

    Thanks for the info. Do you know if it should work with a tagged VLAN, or only the native VLAN?




  • 12.  RE: AOS 8.10 bridge modes captive portal

    EMPLOYEE
    Posted Nov 24, 2023 10:40 AM

    Haven't seen that mentioned, shouldn't matter.  Clients are never expected to be pulling an IP address from the same VLAN as the AP is managed from.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 13.  RE: AOS 8.10 bridge modes captive portal

    Posted Dec 01, 2023 03:16 AM

    Got it working with tagged VLAN. Thx for the info.




  • 14.  RE: AOS 8.10 bridge modes captive portal

    Posted May 16, 2024 06:31 AM

    Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from ClearPass to automatically come up. Manually inputting the URL in a browser shows the page but ends up with an error "404 not found user not allowed".

    I'm checking the logs on the firewall between sites; should I be looking for SRC=AP IP address and DST=ClearPass IP?
    I suspect the AP redirect is not happening in our case...




  • 15.  RE: AOS 8.10 bridge modes captive portal

    EMPLOYEE
    Posted May 16, 2024 10:04 AM

    Is there a network ACL configured within ClearPass that doesn't include the remote network that the client device is in?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 16.  RE: AOS 8.10 bridge modes captive portal

    Posted May 16, 2024 08:34 PM

    Yes, there was, and the error actually confirms the deny action. I've added the IP range on the allowed subnet; however, it's still coming up with the same error.

    Any ideas?




  • 17.  RE: AOS 8.10 bridge modes captive portal

    EMPLOYEE
    Posted May 17, 2024 10:27 AM

    Update the network ACL on all of the ClearPass appliances.  If that isn't the issue, not sure why ClearPass would be disallowing the connection, assuming you have the proper URL.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 18.  RE: AOS 8.10 bridge modes captive portal

    Posted May 19, 2024 06:16 AM

    Hmm, I checked the other ClearPass server and the ACL has been applied as well. So far, below is what happens when I attempt to join:

    1. Client device gets an IP from the local network
    2. Redirect page doesn't come up automatically
    3. Manually typing in the URL brings up the splash page; however, error 404 comes up after clicking continue

    Done a session with TAC; "show acl hits" doesn't show any entry for the user role for the WLAN. Can you please describe the IP packet flow for this setup so I can check the firewalls on my end? Does the client traffic get NATted to the WAP AP when the redirect page is accessed?