Aruba Instant's captive portal whitelist URL option only works for HTTP sites: it matches on the URL and Host header, which are not visible in an HTTPS session. There may be scenarios where permitting an HTTPS destination from the pre-authentication role is required (for example, the Apple App Store or Google Play Store so that a client can download an app). For such scenarios, domain-name ACLs can be used: the AP learns the IP addresses that a domain resolves to from the client's own DNS traffic and permits traffic to those addresses.
- This article applies to Aruba Instant 4.0 or above.
- As of the 4.0 release, a maximum of 127 domains is supported, with at most 2048 IP address mappings in total across those 127 domains.
Environment : Any Instant deployment running 4.0 release or above with domain-name ACL.
Network Topology :
+--------------------------------------------+
|                                            |
|                   Switch                   |
|                                            |
|                                            |
+----------+---------------------------+-----+
           |                           |
           |                           |
     +-----+---------+          +------+-------+
     |               |          |              |
     |               |          |              |
     |     IAP1      |          |     IAP2     |
     |   (Master)    |          |    (Slave)   |
     |               |          |              |
     +---------------+          +--------------+
With the 4.0 release, the ACL rule editor has an additional Destination option: a domain name. Create a rule that permits traffic to the required domain (facebook.com in the examples below).
The ACL is then mapped to the user role; for the captive portal use case this is the pre-authentication role that clients land in before they have authenticated.
From the client, initiate traffic to the permitted domain and confirm that the traffic is passing by using the "show datapath session" command.
The ACL domains that have been created in the configuration, and whether each one is in use (i.e. mapped to a role), can be validated with the command "show acl domains". The inused column shows how many roles reference the domain:
show acl domains
role-domain
-----------
role-domain    inused
-----------    ------
facebook.com   used(1)
To check that the user has landed in the right role, use "show datapath user" (the ACLs column shows the ACL ID applied to the user) and then "show datapath acl <ID>" with that ID. In the output below the client 172.16.99.241 is in ACL 109:
show datapath user
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T - TKIP, A - AESCCM
       R - ProxyARP to User, N - VPN, L - local, I - Intercept, D - Deny local routing
FM(Forward Mode): S - Split, B - Bridge, N - N/A
IP               MAC                ACLs     Contract   Location   Age   Sessions   Flags   Vlan   FM
---------------  -----------------  -------  ---------  --------   ----  ---------  -----   ----   --
192.168.103.128  AC:A3:1E:C3:32:B4  105/0    0/0        0          1     2/65535    P       1      B
0.0.0.0          20:02:AF:1E:4B:5E  109/0    0/0        0          0     0/65535    P       4      B
172.16.99.1      AC:A3:1E:C3:32:B4  105/0    0/0        0          19    2/65535    P       1      B
172.16.99.241    00:08:22:60:3D:12  109/0    0/0        0          0     3/65535            4      B
# show datapath acl 109
Datapath ACL 138 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
       S - SNAT, D - DNAT, R - redirect, r - reverse redirect, m - Mirror
       I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
       A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
       d - Domain DA
----------------------------------------------------------------
1:   any   any            17   0-65535   8209-8211   P4
2:   any   facebook.com   any                        Pd4
3:   any   any            any                        P4
Entry 2 carries the d (Domain DA) flag: its destination is the domain facebook.com rather than a fixed address, and it matches a packet only when the destination IP is one the AP has learned for that domain. Each AP intercepts and caches the DNS requests and responses from its client devices to build that mapping. The cache can be inspected with the command "show datapath dns-id-map"; if a permitted domain does not appear here, the client has not resolved it through the AP (for example because it used a cached answer or a hard-coded IP) and the domain rule will not match its traffic:
show datapath dns-id-map
Hash index entries:
id:1 entry:0
Entry:1 id:0 www.facebook.com
    173.252.120.6
1 entries
---------
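To make the mechanism concrete, the following is an added example written for this article, not Aruba code: a small Python model of what the AP does. It parses a (constructed) DNS response from a client, caches the A records under the configured ACL domain, enforces the 127-domain and 2048-mapping limits quoted above, and evaluates a first-match rule list in which a domain destination matches only addresses currently in the cache. The suffix match of www.facebook.com under the facebook.com rule follows the dns-id-map output above; dropping new mappings once the cap is reached and the implicit deny at the end of the pre-authentication role are assumptions of this model.

```python
import struct
from dataclasses import dataclass, field

MAX_DOMAINS = 127    # limit stated in the article
MAX_MAPPINGS = 2048  # limit stated in the article


def _encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_response(txid, name, ips, ttl=300):
    """Constructed test input: a DNS response with one A record per IP.
    Answers reference the question name with the usual 0xC00C compression pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
        for ip in ips)
    return header + question + answers


def _read_name(pkt, off):
    """Decode a DNS name at pkt[off], following compression pointers. Returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length


def parse_a_answers(pkt):
    """Return (txid, question name, [IPv4 strings]) from a DNS response; non-A records are skipped."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname = 12, ""
    for _ in range(qdcount):
        qname, off = _read_name(pkt, off)
        off += 4                                          # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _name, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, qname, ips


@dataclass
class DomainAclCache:
    """Model of the per-AP cache shown by 'show datapath dns-id-map', keyed by configured ACL domain."""
    domains: dict = field(default_factory=dict)

    def configure(self, domain):
        if domain not in self.domains:
            if len(self.domains) >= MAX_DOMAINS:
                raise ValueError("domain limit reached")
            self.domains[domain] = set()

    def mappings(self):
        return sum(len(v) for v in self.domains.values())

    def _rule_for(self, qname):
        q = qname.lower()
        return next((d for d in self.domains if q == d or q.endswith("." + d)), None)

    def snoop(self, pkt):
        """Learn A records from a client's DNS response when the name falls under a configured domain."""
        _, qname, ips = parse_a_answers(pkt)
        domain = self._rule_for(qname)
        if domain is None:
            return []
        learned = []
        for ip in ips:
            if ip not in self.domains[domain]:
                if self.mappings() >= MAX_MAPPINGS:
                    break                                 # assumption: extra mappings are dropped at the cap
                self.domains[domain].add(ip)
                learned.append(ip)
        return learned

    def evaluate(self, rules, dst_ip):
        """First-match walk. A destination is 'any', an IP, or a configured domain (the 'd' flag):
        the domain form matches only addresses currently cached for that domain."""
        for dst, action in rules:
            if dst == "any" or dst == dst_ip or dst_ip in self.domains.get(dst, ()):
                return action
        return "deny"                                     # assumption: implicit deny in the pre-auth role


def demo():
    cache = DomainAclCache()
    cache.configure("facebook.com")
    rules = [("facebook.com", "permit"), ("any", "deny")]  # pre-auth role: only the domain is allowed
    learned = cache.snoop(build_a_response(0x1234, "www.facebook.com", ["173.252.120.6"]))
    cache.snoop(build_a_response(0x2222, "example.invalid", ["203.0.113.5"]))  # no rule for this name
    return {"learned": learned,
            "facebook": cache.evaluate(rules, "173.252.120.6"),
            "other": cache.evaluate(rules, "203.0.113.5"),
            "mappings": cache.mappings()}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one to remember when troubleshooting: the permit decision is keyed on addresses learned from DNS answers that passed through the AP, so a client that reaches the site by another route (a cached resolution or a hard-coded IP) never populates the cache and is denied even though the domain rule is present.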