Command of the Day

Upcoming community maintenance Oct. 27th through Oct. 29th
For more info click here
Aruba Employee

COTD: ip cp-redirect-address

Problem Statement:
I am currently trying to configure an additional SSID for guest use. We would like to use Captive Portal to display our AUP/TOS prior to accessing the guest wireless network.
VLAN 1: This vlan contains the controller’s internal management/main IP, employees connect to this VLAN which provides them secure internal network Slave controllers communicate with the master over the secure network.
VLAN 3: This vlan is configured for guest access. The unsecure vlan (3) connects to the inside of an Internet firewall running DHCP and default gateway services for this subnet. The firewall assigns clients IPs from the range of IP addresses. The Aruba controller is assigned on vlan interface 3.
On VLAN 3 guests are able to connect and receive an IP address from the firewall. The problem we see is that when captive portal is enabled it is using an address from secure VLAN 1 (ie. rather than the address from the guest VLAN 3 ( The IP address from VLAN 1 is not accessible to the hosts on VLAN 3 (by design)…therefore captive portal authentication is failing.
I have been unable to find a way to define the IP that the captive portal page originates from. If I was able to define the captive portal login as the problem would be solved.
The interface used by Captive Portal can be configured from CLI as in the following example:
(Aruba6000-wifi) #config t
(Aruba6000-wifi) (config) #ip cp-redirect-address
(Aruba6000-wifi) #exit

Re: COTD: ip cp-redirect-address

Problem Statement:
The interface used by Captive Portal can be configured from CLI as in the following example:
(Aruba6000-wifi) #config t
(Aruba6000-wifi) (config) #ip cp-redirect-address
(Aruba6000-wifi) #exit

The 3.4 user manual lists "ip cp-redirect-address
" but then says to use the following with PEF license:
netdestination cp-redirect ipaddr
ip access-list session captiveportal
user alias cp-redirect svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

I'm guessing this is only required if you have multiple captive portals in different vlans and the "ip cp-redirect-address
" will work fine for PEF license installation with only 1 CP? Or how exactly does one interpret this?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found a post helpful or important? Click the "Thumbs Up" icon to give kudos.
-- Problem Solved? Click "Accept as Solution" in a post.
Search Airheads
Showing results for 
Search instead for 
Did you mean: