Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

External Captive portal and Instant AP

  • 1.  External Captive portal and Instant AP

    Posted Jan 01, 2012 07:56 AM

    I have a problem with the integration of IAP (Instant AP) and a home-made external captive portal.

    The requested configuration is very simple: the user will be redirected to the third-party external captive portal after WPA2 auth.

    IAP assigns the pre-auth role (permit only DHCP, DNS, and captive portal server) to users that have authenticated with WPA2.

    I see that IAP assigns the pre-auth role to the user after successful WPA2 auth. But user can access to anywhere although its role is pre-auth role.

    The external captive portal software is web-based and uses its own RADIUS server. It is a two-factor auth application.

    The first screen of the captive portal includes username and password; the second screen includes an SMS passcode.

    The external captive portal sends a welcome page after CP auth. This welcome page includes a text (for example "authenticated"); IAP should parse this text and assign the authenticated role.



    Hardware: IAP 105
    Firmware: ArubaInstant_Orion_6.1.2.3-2.0.0.3_31389

     

    Thanks,



  • 2.  RE: External Captive portal and Instant AP

    Posted Jan 02, 2012 11:14 AM

    Hey aytan,

     

    Moving the topic under APs category to get better visibility. 



  • 3.  RE: External Captive portal and Instant AP

    Posted Jan 03, 2012 09:16 AM

    Thanks Ozer,



  • 4.  RE: External Captive portal and Instant AP

    Posted Jan 04, 2012 03:27 PM

    Do you mind explaining further about the statement "But user can access to anywhere although its role is pre-auth role."?  We could not reproduce this behavior in house.  Can you also provide the output of "show datapath user" and "show datapath acl-all" when the client is associated to the portal SSID?



  • 5.  RE: External Captive portal and Instant AP

    Posted Jan 04, 2012 03:29 PM

    When we tested in house, the pre-auth role only allowed the user to access the IPs that were permitted in the role.  Other websites all got redirected to the captive portal page.  That is the designed behavior.

     

    Also, are there links off of the captive portal page? If there are, these links would also be accessible by the user because we have a dynamic whitelist walled garden feature.



  • 6.  RE: External Captive portal and Instant AP

    Posted Jan 12, 2012 02:27 AM

    Dear Yan,

    Thanks for your answer.

    I was working on the IAP yesterday. I have two big problems.
    IAP is assigning the pre-auth role to the user after the first auth (WPA2).
    But IAP could not redirect to the external captive portal page after the first auth (WPA2).
    So I tried to enter the captive portal URL manually. After successful auth on the captive portal, IAP could not assign the authenticated role.
    The user role is not changed by IAP. Please find the topology, errors and config file attached.

    Is there any incorrect notation in the external captive portal URL and authentication text?

    By the way, I tried this config with a controller; it can redirect to the same URL successfully.

    Note: the authentication text is hidden in the authenticated page of the captive portal.

     

    Thanks,

