Wireless Access

 View Only
Expand all | Collapse all

Internal Captive portal page not popping up

This thread has been viewed 103 times
  • 1.  Internal Captive portal page not popping up

    Posted Nov 21, 2021 02:43 PM
    Hi all

    I've a case while I need to create Internal Captive portal, I've used the ready template inside the controller but the page is not popping up.

    I can find the captive portal manually by typing any IP address in the browser.

    I've added new rules for the initial rule to allow http and https for any any, but pop up still not working.

    I don't know if I should add certificate to the controller or doesn't matter?

    Appreciate your support.

    ------------------------------
    Mahmoud Nagah
    ------------------------------


  • 2.  RE: Internal Captive portal page not popping up

    Posted Nov 21, 2021 04:47 PM
    Adding http and https will guarantee the captive portal will not pop up, because it will bypass the captive portal.

    The client specifically needs to be able to resolve DNS in the initial role and have the captive portal ACL.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Internal Captive portal page not popping up

    Posted Nov 21, 2021 05:09 PM
    Hi cjoseph,

    Thanks for your reply, I've added these rules inside different policy and put this policy under captive portal policy, so CP policy priority is higher than the policy I've created, anyway I'll remove it.

    shall I add resolvable DNS? I'm not using FQDN anymore, it's all about IPs

    ------------------------------
    Mahmoud Nagah
    ------------------------------



  • 4.  RE: Internal Captive portal page not popping up

    Posted Nov 21, 2021 06:23 PM
    DNS is essential, yes.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Internal Captive portal page not popping up

    Posted Nov 22, 2021 01:42 AM
    OK, DNS rule is already exist in the role and the client is able to resolve DNS through it, I've connected to SSID the tried to ping FQDN and it is successfully pinging, but still popup not working, I have to go to the Captive portal page manually.

    I've tried to use the (ip cp redirect command in the controller with Guest VLAN IP in the controller) but still the same.

    ------------------------------
    Mahmoud Nagah
    ------------------------------



  • 6.  RE: Internal Captive portal page not popping up

    Posted Nov 22, 2021 07:49 AM
    Do you have an IP address configured on the controller in the guest VLAN? This is required for Captive Portal redirection.

    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 7.  RE: Internal Captive portal page not popping up

    Posted Nov 22, 2021 12:40 PM
    I have the same problem as Mahmoud. Certificate in place, followed the guide from Ha Duc Binh, but I don't have an IP address from the guest vlan on the controller because the controller sits in a network separated from where the client gets an IP address (the controller and all the APs are in our network, the guest wireless SSID is broadcast by our controllers, but the gateway for the clients, the DHCP, the DNS, are all on a separate service provider's network, as guests are not allowed to use our corporate ISP to connect to the Internet.) 
    So we may now struggle to use CP Captive Portal, but we're using MPSK quite nicely.

    ------------------------------
    nathan millward
    ------------------------------



  • 8.  RE: Internal Captive portal page not popping up

    Posted Nov 23, 2021 05:06 AM
    You don't need to use the controller IP in that guest VLAN as the default gateway, it just needs to have an IP in the subnet, and you can (should) use roles or service ACLs to prevent guests from connecting to the controller.

    Another option would be to enable tri-state-nat, which doesn't need an IP for the captive portal redirect but maybe a bit harder to troubleshoot.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Internal Captive portal page not popping up

    Posted Nov 22, 2021 10:19 AM
    To answer the question if a public trusted certificate is required for captive portal on a controller: Yes.

    It can be that the device that you test with will not show the page because the certificate is not trusted. You can't run the captiveportal 'on an IP' as you will not be able to get a certificate for an IP, just DNS. Note you can get a certificate for a public IP, but it is very uncommon and I don't think the controller can handle that scenario.

    In my experience, if you don't get it working at once, it may be best to work with your Aruba partner or Aruba TAC to go step-by-step through the scenario of redirects and login. It will work much more efficiently if someone can have a look together with you, versus asking questions here and hoping that someone has the right answer based on the limited information.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Internal Captive portal page not popping up

    Posted Nov 27, 2021 01:41 AM
    Hi Herman,

    I've tried to generate AD Certificate (with controller name as Common Name and add DNS record for it, clients can resolve it), imported the certificate and AD CA into controller, and imported the CA to my windows 10 but still popup not working, I have to open a browser manually and write any ip to direct me to CP page.

    ------------------------------
    Mahmoud Nagah
    ------------------------------



  • 11.  RE: Internal Captive portal page not popping up

    Posted Nov 27, 2021 08:31 AM
    Can you share the details of the initial role. All policies in order assigned to the initial role.

    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 12.  RE: Internal Captive portal page not popping up

    Posted Nov 27, 2021 09:34 AM
    Hi Dustin,

    Here is the initial role, its auto generated, I didn't modify anything






    ------------------------------
    Mahmoud Nagah
    ------------------------------



  • 13.  RE: Internal Captive portal page not popping up

    Posted Nov 29, 2021 10:04 AM
    If both:
    - connect to SSID, no automatic redirect
    - connected to SSID, open browser, enter URL like: http://1.2.3.4, you get redirected to the captive portal (and don't see a certificate warning)
    [ please confirm this is the case ]

    I think the issue still is with the certificate. It should be publicly trusted, and it may be that a private CA certificate is rejected by the Windows 10 captive popup. What you could do, is run a Wireshark packet capture while connecting to the SSID. The client should connect first on http to www.msftconnecttest.com (or similar), which should be redirected by the controller, then you should see an https connection to your controller/captive portal, and the popup should appear. Can you check if you see that traffic?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------