Am I right that there is no problem with my configuration, if it's not possible to redirect many domains?
And what would be a recommendation? How could I get the clients redirected to the self registration page? It is not very user friendly to type in the self registration page URL...
Original Message:
Sent: May 12, 2023 04:47 AM
From: Herman Robers
Subject: Aruba 2540 Captive Portal Redirect not working
Remove line 20 from:
class ipv4 web-traffic
    10 match tcp any any eq 80
    20 match tcp any any eq 443
Because with this configuration you are redirecting HTTPS traffic, which is not possible.
Also, it's not possible to redirect www.google.de (or other Google domains, and many other domains), as these use HSTS, which forces the browser to use HTTP, which can't be redirected and will give you the warnings/errors. Seems like expected with this configuration.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
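A check for the misconfiguration described in the reply above, as an added example (not code from the thread's participants or from HPE Aruba): it parses class and policy statements in the layout used in this thread and lists the class entries that send TCP/443 to the captive-portal redirect. The sample config is constructed from the posted snippet; the function names and the one-statement-per-line layout are assumptions.

```python
import re

# Constructed sample: class/policy part of the snippet posted in this thread,
# one statement per line (the cppm class is cut to one entry for brevity).
SAMPLE_CONFIG = """\
class ipv4 cppm-captive-portal
 10 match tcp any 172.21.0.200 eq 443
class ipv4 web-traffic
 10 match tcp any any eq 80
 20 match tcp any any eq 443
policy user guest-captive-portal
 10 class ipv4 cppm-captive-portal
 40 class ipv4 web-traffic action redirect captive-portal
"""

CLASS_RE = re.compile(r"^class ipv4 (\S+)$")
MATCH_RE = re.compile(r"^(\d+) match tcp .+ eq (\d+)$")
POLICY_RE = re.compile(r"^(\d+) class ipv4 (\S+)(?: action (.+))?$")

def parse(config):
    """Return ({class: [(seq, tcp_port)]}, {class: action}) from config text."""
    classes, actions, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip().replace('"', "")  # names may be quoted in real configs
        if m := CLASS_RE.match(line):
            current = m.group(1)
            classes[current] = []
        elif line.startswith("policy user "):
            current = None  # following numbered lines belong to the policy
        elif (m := MATCH_RE.match(line)) and current:
            classes[current].append((int(m.group(1)), int(m.group(2))))
        elif m := POLICY_RE.match(line):
            actions[m.group(2)] = m.group(3)
    return classes, actions

def https_redirect_entries(config):
    """List (class, seq) entries that send TCP/443 to the captive-portal redirect."""
    classes, actions = parse(config)
    return [
        (name, seq)
        for name, action in actions.items()
        if action == "redirect captive-portal"
        for seq, port in classes.get(name, [])
        if port == 443
    ]

if __name__ == "__main__":
    for name, seq in https_redirect_entries(SAMPLE_CONFIG):
        print(f"class {name} entry {seq}: HTTPS is redirected; remove this entry")
```

The class that permits TCP/443 to the ClearPass hosts is not reported, because it carries no redirect action in the policy.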
Original Message:
Sent: May 11, 2023 12:07 PM
From: 802.zak
Subject: Aruba 2540 Captive Portal Redirect not working
It is hard to say exactly what's going on here without digging into a log session.
Here are a couple steps I would take for troubleshooting.
1. Configure an L3/SVI on the Guest VLAN used in the initial Role.
2. Configure the initial CP Role and associated auth locally on the switch. [see snippet below]
3. Double check - aaa authentication mac-based chap-radius server-group
class ipv4 class-dhcp
    10 match udp any any eq 67
class ipv4 class-dns
    10 match udp any any eq 53
class ipv4 cppm-captive-portal
    10 match tcp any 172.21.0.200 eq 443
    20 match tcp any 172.21.0.201 eq 443
    30 match tcp any 172.21.0.202 eq 443
class ipv4 web-traffic
    10 match tcp any any eq 80
    20 match tcp any any eq 443
policy user guest-captive-portal
    10 class ipv4 cppm-captive-portal
    20 class ipv4 class-dhcp
    30 class ipv4 class-dns
    40 class ipv4 web-traffic action redirect captive-portal
aaa authentication mac-based chap-radius server-group "lab1-cppm"
aaa authentication captive-portal profile lab1-captive url https://aaa.lab.arubalabs.com/guest/LabGuest.php
aaa authentication captive-portal enable
aaa authorization user-role name guest-captive
    captive-portal-profile lab1-captive
    policy guest-captive-portal
    reauth-period 180
    vlan-id 10
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
Original Message:
Sent: May 10, 2023 11:31 AM
From: MatthiasP
Subject: Aruba 2540 Captive Portal Redirect not working
Yes, I've installed a cert for Web and one for Captive Portal:
show crypto pki local-certificate
Name                 Usage         Expiration     Parent / Profile
-------------------- ------------- -------------- --------------------
IDEVID_CERT          IDEVID        2031/01/26     IDEVID_INTER_1
IDEVID_INTER_1       IDEVID        2031/01/26     IDEVID_INTER_2
IDEVID_INTER_2       IDEVID        2031/01/26     IDEVID_ROOT
SSL                  Web           2025/04/02     SSL
CPPM                 CaptivePortal 2025/04/02     CPPM
Original Message:
Sent: 5/10/2023 11:04:00 AM
From: 802.zak
Subject: RE: Aruba 2540 Captive Portal Redirect not working
If you run:
show crypto pki local-certificate
do you see a cert listed with the usage "CaptivePortal"
Original Message:
Sent: May 10, 2023 05:21 AM
From: MatthiasP
Subject: Aruba 2540 Captive Portal Redirect not working
Switch Config:
; JL357A Configuration Editor; Created on release #YC.16.11.0010
; Ver #14:67.44.38.04.99.03.b3.b8.ef.74.61.fc.68.f3.8c.fc.e3.ff.37.2f:73
hostname "HNEVGM040CP"
module 1 type jl357a
mirror-port 45
console idle-timeout 300
console idle-timeout serial-usb 300
aruba-central disable
no rest-interface
include-credentials
password operator user-name "operator" XXX
password manager user-name "manager" XXX
password minimum-length 8
radius-server host X.X.X.X key "KEY"
radius-server host X.X.X.X dyn-authorization
radius-server host X.X.X.X time-window 0
timesync ntp
ntp unicast
ntp server X.X.X.X iburst
ntp enable
no telnet-server
time daylight-time-rule western-europe
time timezone 60
web-management ssl
ip default-gateway 10.251.2.1
ip dns server-address priority 1 X.X.X.X
ip dns server-address priority 2 X.X.X.X
ip ssh filetransfer
ip source-interface radius vlan 65
ip client-tracker trusted
interface 1
name "01/01"
exit
.
.
.
interface 52
name "NOT USED"
exit
snmp-server community "public" unrestricted
snmp-server contact "oc.it@opitz-consulting.com" location "Holding OC.IT"
snmpv3 engineid "00:00:00:0b:00:00:08:f1:ea:50:d1:00"
aaa accounting update periodic 3
aaa accounting commands stop-only radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system stop-only radius
aaa authentication login privilege-mode
aaa authentication web login radius local
aaa authentication web enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication port-access eap-radius
aaa authentication captive-portal enable
aaa port-access authenticator 2-10,12-14,16-30,32,34,36-42,44-48
aaa port-access authenticator 1 client-limit 3
.
.
.
aaa port-access authenticator 48 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based 2-10,12-14,16-30,32,34,36-42,44-48
aaa port-access mac-based 1 addr-limit 2
.
.
.
aaa port-access mac-based 48 addr-limit 2
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
untagged 49-52
no ip address
exit
.
.
.
vlan 55
name "OC-GM-User-Gast"
untagged 2-10,12-14,16-30,32,34,36-42,44-48
tagged 49-52
no ip address
exit
.
.
.
vlan 65
name "OC-GM-ClearPass-Profiling"
tagged 49-52
ip address 10.251.2.40 255.255.255.0
ip helper-address X.X.X.X
exit
primary-vlan 250
spanning-tree
no tftp client
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
CPPM Profile:
Original Message:
Sent: May 09, 2023 06:27 PM
From: 802.zak
Subject: Aruba 2540 Captive Portal Redirect not working
Do you mind posting a scrubbed copy of your switch config?
Original Message:
Sent: May 09, 2023 05:23 PM
From: MatthiasP
Subject: Aruba 2540 Captive Portal Redirect not working
Yes, if I try to connect to the CaptivePortal everything works fine.
I had hoped the behavior would be nearly the same as with the wireless Environment.
If the guest client connects to the guest wifi, a Browser automatically opens and the client gets redirected to the self registration page.
Original Message:
Sent: 5/9/2023 1:00:00 PM
From: 802.zak
Subject: RE: Aruba 2540 Captive Portal Redirect not working
Are you able to browse directly to the CPPM Guest Page URL?
Original Message:
Sent: May 09, 2023 04:01 AM
From: MatthiasP
Subject: Aruba 2540 Captive Portal Redirect not working
Hi everybody,
I've set up a wired mac-based service with a redirect to a self registration page for guests. If a guest client connects to the switch, I can see that the correct profile is assigned. But when I try to open a page in the browser I get the following error:
The connection for this site is not secure. www.google.de uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH; Unsupported protocol; The client and server don't support a common SSL protocol version or cipher suite.
I've installed an SSL and a CaptivePortal certificate on the switch.
Any ideas?
Kind regards
Matthias