Environment Information :
Any Aruba Controller
Any Access Point
Any Aruba OS
Symptoms : The XML API server is used with an external captive portal, and the captive portal page does not show up.
Cause : The XML API server can modify the user role and provide location-based information, in addition to supporting the External Captive Portal.
Resolution :
The following process takes place when an XML API server and an External Captive Portal (CP) URL are configured for Captive Portal.
1) Client associates to the AP
2) Client starts a browser and generates ARP/DNS/HTTP traffic
3) The HTTP request is captured by the controller and then redirected to the External CP server URL
4) Client sends an HTTP GET to the External CP server
5) External CP server sends an XML-API query to find out where this client is coming from, so that the CP server can provide location-based information
6) Client sees the login page and clicks accept
7) External CP server takes the accept and then sends the XML-API user add to the controller to have the user role changed
When the XML API adds or deletes a user, "authmgr" records a log message that can be viewed by enabling user-debug, i.e.
# config term
# logging level debugging user-debug <user-mac>
# show log user-debug all
Example:
Mar 13 08:45:44 :522049: <INFO> |authmgr| MAC=e0:f8:47:45:85:ac,IP=10.203.3.71 User role updated, existing Role=ICT-Engineer/ICT-Engineer, new Role=ICT-Engineer/ICT-Engineer, reason=External Captive portal driven role
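As an added example (not Aruba's code and not part of the original article), the following Python script parses authmgr role-update lines in the format of the example above and lists clients for which no XML-API-driven role update was logged, which points to a failure at or before step 7. The regex is derived only from the single example line; the function names and every sample line other than the first are constructed, and it assumes user-debug was enabled for the MACs being checked.

```python
import re

# Matches the authmgr "User role updated" message format shown in the example above.
ROLE_UPDATE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s:(?P<msgid>\d+):\s+<(?P<level>\w+)>\s+\|authmgr\|\s+"
    r"MAC=(?P<mac>[0-9a-fA-F:]{17}),IP=(?P<ip>[\d.]+)\s+User role updated,\s+"
    r"existing Role=(?P<old>[^,]+),\s+new Role=(?P<new>[^,]+),\s+reason=(?P<reason>.+)$"
)
XML_API_REASON = "External Captive portal driven role"

def parse_role_update(line):
    """Return a dict for an authmgr role-update line, or None for anything else."""
    m = ROLE_UPDATE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()
    rec["xml_api"] = rec["reason"].strip() == XML_API_REASON  # driven by the external CP
    rec["changed"] = rec["old"] != rec["new"]                 # False means a no-op update
    return rec

def stalled_before_user_add(lines, client_macs):
    """MACs with no XML-API-driven role update in the given log lines."""
    seen = {r["mac"] for r in map(parse_role_update, lines) if r and r["xml_api"]}
    return sorted(m.lower() for m in client_macs if m.lower() not in seen)

# First line is the example from the article; the others are constructed for illustration.
SAMPLE_LOG = [
    "Mar 13 08:45:44 :522049: <INFO> |authmgr| MAC=e0:f8:47:45:85:ac,IP=10.203.3.71 "
    "User role updated, existing Role=ICT-Engineer/ICT-Engineer, "
    "new Role=ICT-Engineer/ICT-Engineer, reason=External Captive portal driven role",
    "Mar 13 08:46:02 :522049: <INFO> |authmgr| MAC=00:11:22:33:44:55,IP=10.203.3.80 "
    "User role updated, existing Role=guest-logon/guest-logon, "
    "new Role=guest/guest, reason=External Captive portal driven role",
    "Mar 13 08:46:10 :000000: <DBUG> |authmgr| constructed unrelated debug line",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_role_update, SAMPLE_LOG)):
        print(rec["ts"], rec["mac"], rec["old"], "->", rec["new"],
              "changed" if rec["changed"] else "no-op", "| xml_api =", rec["xml_api"])
    # Constructed client list: the second MAC never appears in the log.
    print(stalled_before_user_add(SAMPLE_LOG, ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"]))
```

A client reported by stalled_before_user_add is one where the packet captures should be checked for steps 3 to 7, since the controller never logged the user add.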
For issues in getting the captive portal page, beyond the regular captive portal troubleshooting (DNS/ACL hits etc.), take a client-side pcap, a server pcap and/or a controller uplink capture to help verify at which stage the process is failing. Also check for generic captive portal issues: confirm that web-max-clients is configured to match the actual number of simultaneous captive portal users, and check "show datapath user table" to verify whether the user traffic session count is incorrectly high and nearing the role's max-session.