Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

External (3° party) CP with iAP cluster

  • 1.  External (3° party) CP with iAP cluster

    Posted Apr 26, 2017 09:22 AM

    Hi Airheads!

    I have a customer who asked me to give his clients a WiFi guest network with a captive portal in order to track access and collect data.

    Ok, no problem, but he wants to use his Landing Page service (instapage) to create the splash page and collect data.

    The APs are iAP-204, so no controller is in use.

    The good thing is that he doesn't care about authentication: he asks the customers to fill in a little form (Name, Surname, Gender, Mail) and then the registration is done, so I don't need an authentication server (RADIUS) in order to manage the authentication/authorization of the guests.

    How can I do the trick? How can I tell the iAP cluster VC that a specific user (device) has completed the form and is now authenticated, and so change the role from pre-auth to authenticated?

     

    Thanx a lot for support!

     



  • 2.  RE: External (3° party) CP with iAP cluster
    Best Answer

    Posted Apr 26, 2017 10:23 AM


  • 3.  RE: External (3° party) CP with iAP cluster

    Posted Apr 26, 2017 10:30 AM
    GREAT! Thanx a lot!


    ---
    Gianluca Galleani - Sistec S.r.l.
    IT Engineer

  • 4.  RE: External (3° party) CP with iAP cluster

    Posted Apr 26, 2017 11:53 AM

    OK, I managed to get this configuration working, but now I have a problem: once I have correctly authenticated a client, all other clients connecting to that SSID get the authenticated role without having to land on the captive portal.

    In fact, at the time of the connection, they do not get the pre-auth role...

    Also, forcing the clients to log out with the iAP GUI does not make the pre-auth work again...

     

    :-?



  • 5.  RE: External (3° party) CP with iAP cluster

    Posted Apr 27, 2017 04:01 AM

    Found the problem: I wrongly put the auth text in the landing page.

     

    Unfortunately there is no way to make the solution work, because I need to make users stick to the preauth unless they complete the landing page form.

    If I put the auth keyword in the form redirect page, it seems that the iAP does not read it, or does not care about it!

    Obviously, I checked that the source code of the HTML result page contains the auth Keyword!

     

    The strange thing is that if I use CPPM (instead of using my Bitnami-LAMPstack test VM) to create the landing page, WITHOUT any type of authentication (no RADIUS, no MAC, ...), just asking for Name and Mail, and simply putting the auth keyword in the receipt page (also without caring about username and password), IT WORKS like a charm!

     

    I'm baffled.... :-S  :-(



  • 6.  RE: External (3° party) CP with iAP cluster

    Posted Apr 27, 2017 04:04 AM
    Can you paste some of your config related to this?


  • 7.  RE: External (3° party) CP with iAP cluster

    Posted Apr 27, 2017 05:14 AM

    Sure! :-)

     

    iAP conf:

    version 6.4.4.0-4.2.4
    virtual-controller-country IT
    virtual-controller-key c6a47e6001b71caca369bfbb2a528823ea5d7f57dc933f7849
    name instant-CD:19:64
    terminal-access
    clock timezone none 00 00
    rf-band all
    
    allow-new-aps
    allowed-ap 94:b4:0f:cd:19:64
    
    
    
    arm
     wide-bands 5ghz
     80mhz-support
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     client-aware
     scanning
    
    
    syslog-level warn ap-debug 
    syslog-level warn network 
    syslog-level warn security 
    syslog-level warn system 
    syslog-level warn user 
    syslog-level warn user-debug 
    syslog-level warn wireless 
    
    
    extended-ssid
    
    
    
    
    mgmt-user admin 592361be961b7c1034ce0042a644321c
    
    
    wlan access-rule instant
     index 0
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    
    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit
    
    wlan access-rule wired-instant
     index 2
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    
    wlan access-rule CP-Test
     index 3
     rule any any match any any any permit
    
    wlan access-rule CP-Test_Preauth
     index 4
     rule 10.1.100.165 255.255.255.255 match any any any permit
     rule any any match any any any deny
    
    wlan ssid-profile CP-Test
     enable
     index 0
     type guest
     essid CP-Test
     opmode opensystem
     max-authentication-failures 0
     vlan guest
     set-role-pre-auth CP-Test_Preauth
     rf-band all
     captive-portal external profile CP
     dtim-period 1
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
    
    auth-survivability cache-time-out 24
    
    
    
    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "AUTHZ"
     auto-whitelist-disable
     https
    
    wlan external-captive-portal CP
     server 10.1.100.165
     port 80
     url "/guest.php"
     auth-text "AUTHZ"
     redirect-url "http://www.youporn.com"
     auto-whitelist-disable
    
    
    blacklist-time 3600
    auth-failure-blacklist-time 3600
    
    ids
     wireless-containment none
    
    
    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    
    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x
    
    
    enet0-port-profile default_wired_port_profile
    
    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180
    
    
    airgroup
     disable
    
    airgroupservice airplay
     disable
     description AirPlay
    
    airgroupservice airprint
     disable
     description AirPrint

    Landing page code:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=8"/>
    
    <?php
    if ($_POST['E-mail']!=""){
    echo "<meta http-equiv='refresh' content='3;url=http://10.1.100.165/guest_ok.php'>";
    }
    ?>
    
    <html>
    <head>
    <title>Compila il form per poter accedere alla rete</title>
    </head>
    <body>
    <h2>Inserisci i dati</h2>
    <form action="guest.php" method="post" accept-charset="UTF-8" enctype="application/x-www-form-urlencoded" novalidate="novalidate">
    Nome: <input type="text" id="Nome" value=""><br>
    Cognome: <input type="text" id="Cognome" value=""><br>
    E-Mail: <input type="text" id="E-mail" name="E-mail" value=""><br>
    
    <?php
    echo $_POST['E-mail'];
    if ($_POST['E-mail']!=""){
    echo "<input type=hidden value='AUTHZ'>\n";
    }
    ?>
    <input type="submit" id="Login" value="Accedi"><br>
    </form>
    </body>
    </html>


    Here you can see that there is a hidden form field that is displayed only if the POST returns the E-Mail field as not-empty.

    And also, if the e-mail field is returned as not-empty, I force a redirect to another blank page that has the "AUTHZ" keyword in the Title tag.
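
The failure described earlier in the thread, where the auth text sat in the landing page itself and clients left the pre-auth role without completing the form, can be checked offline before a portal goes live. The following is an added example, not code from the thread or from the vendor: it parses a constructed excerpt of the posted configuration and checks two rendered pages for the `auth-text` value. The function names, the sample pages used with it, and the reading of a missing `https` line as plain HTTP are assumptions.

```python
# Added example: audit an external captive portal profile and its rendered pages.
# Constructed excerpt of the configuration posted above (forum indentation removed).
SAMPLE_CONFIG = """\
wlan ssid-profile CP-Test
 set-role-pre-auth CP-Test_Preauth
 captive-portal external profile CP

wlan external-captive-portal CP
 server 10.1.100.165
 port 80
 url "/guest.php"
 auth-text "AUTHZ"
 auto-whitelist-disable
"""

def parse_stanzas(config):
    """Map each top-level config line to the indented lines that follow it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                stanzas[current].append(line.strip())
        else:
            current = line.strip()
            stanzas[current] = []
    return stanzas

def portal_profile(config, name):
    """Return one external captive portal profile as a {keyword: value} dict."""
    settings = {}
    for entry in parse_stanzas(config)["wlan external-captive-portal " + name]:
        key, _, value = entry.partition(" ")
        settings[key] = value.strip('"')
    return settings

def audit(profile, pre_submit_html, post_submit_html):
    """Return findings for the profile and the pages served before/after the form."""
    findings = []
    token = profile["auth-text"]
    if token in pre_submit_html:
        findings.append("auth-text present before the form is submitted")
    if token not in post_submit_html:
        findings.append("auth-text missing from the post-submit page")
    if "https" not in profile:  # assumption: no https keyword means plain HTTP
        findings.append("portal collects form data over plain HTTP")
    return findings
```

Feed `audit` the HTML the portal actually returns for a fresh GET and for a completed POST; any occurrence of the token in the first page, including in hidden fields or comments, is reported.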



  • 8.  RE: External (3° party) CP with iAP cluster

    Posted Apr 27, 2017 05:45 AM
    Nice redirect for authenticated clients ;)


  • 9.  RE: External (3° party) CP with iAP cluster

    Posted Apr 27, 2017 05:49 AM

    :-D :-D :-D :-D :-D :-D 

    We need some fun also @lab! ;-)