Wireless Access

 View Only
last person joined: 2 days ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

logon role pops up captive portal on 802.1 PSK Wi-Fi

This thread has been viewed 32 times
  • 1.  logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 26, 2024 04:54 PM

    Hi,

    I'm using an Aruba wireless cluster on AOS 8.7.1.9.

    I setup a simple 802.1-personal Wi-Fi for an event that is coming up on campus.  I used the create WLAN wizard to set it up.  The wizard setup an AAA profile with the initial role set to "logon"

    When I try to connect to this new SSID, after I login I get a Clearpass captive portal window that reads, "Web authentication is disabled.".  I looked at the logon role and it's set to "No captive portal."

    Can anyone think of why it's launching the Clearpass captive portal window when I try to log in?  If I close the captive portal window I can see my client is connected, but still in the "logon" role.

    Thanks



  • 2.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 26, 2024 04:56 PM
    What licenses do you have?





  • 3.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 26, 2024 05:01 PM

    Access points, policy enforcement firewall, two RF protect that aren't being used, and MM licenses.




  • 4.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi
    Best Answer

    Posted Feb 26, 2024 06:20 PM

    This is a WPA2 PSK Network? Did you maybe select "Guest" in the Wizard?

    Either way - You should create a new role without the L3 Captive Portal Config or change the role to "authenticated" for a basic allow-all role. 



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 5.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 27, 2024 10:17 AM

    Hi.  Thanks for the reply.  No, I've even set this Wi-Fi up with the wizard several times.  I'm selecting "Employee" as the type.

    I tried setting the initial role as "authenticated."  That works, the captive portal window doesn't come up.  But I also noticed I have full access even before I authenticate.  I can connect to my new SSID, minimize the authentication window, and just access the Internet.  I was hoping to plug up this hole.  I work at a school- the students are basically hackers looking for vulnerabilities (I say this in a playful way, but it's kinda true.)

    The "logon" role is built-in I believe.  We might have made changes to it over the years.  I'll experiment with creating a new initial role and see what I can find.




  • 6.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 27, 2024 11:38 AM

    Is this just a WPA2 PSK Network only? 

    Are you configuring some other authorization or registration? 

    For WPA2 PSK or .1x WPA AES - those authentication methods happen prior to any L2/L3 communications.

    Are you trying to enforce a new role from ClearPass based on some other authorization attribute? 



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 7.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 27, 2024 11:55 AM

    My mistake.  Authenticated role is fine.  The reason it was working in my testing is because this laptop had other working SSID so it had an Internet connection.  The correct role for initial role is Authenticated, or whatever you want the user to have after authentication.  Thank you.




  • 8.  RE: logon role pops up captive portal on 802.1 PSK Wi-Fi

    Posted Feb 27, 2024 12:54 PM

    Great, turning off any other network interfaces to the laptop, was going to be my next troubleshooting step. Glad that was the fix.

    Keep in mind "authenticated" is an allow-all role - may be worth exploring a new role if indeed these students are getting a bit crafty with your LAN. 



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------