Controllerless Networks

Hi,


I am using the internal captive portal provided by the iap (no controller here only virtual one) at the moment. I works ok but the lack of customization made me want to have an external one.

I noticed that the iap contact google ip through 216.58.192.0/19 or 173.194.0.0/16
exemple or reached page : 216.58.211.78/generate_204
Is it possible to configure the IAP so that it goes to the external http page directly.

I don't know where the problem comes from but I can only display html page with the captive portal, any php cause the page to be blank or even unreachable.

Is it at all possible to use php? Or do I have to use html and a radius server on the side? I wanted to use pfsense captive portal, but since I can't manage to display a single php page on an completely different host I wonder if it is even possible.
Is there anywhere in the doc an explicit answer to what the html page should return to the iap and how?

Thanks for the reading.

Hi,

What kind of captive portal experience are you trying to provide? Is it a simple "Click to agree to terms and conditions and then get online" or something more complex such as register for a free username and password and then login with it?

Thanks,

Yan Liu

Hi,

 

I would like something pretty simple with therms and conditions with a voucher or login/password.

I don't mind putting up a radius server on the side for authentication.

What the pfsense captive portal offers would be great.

 

 

We don't use the guest portal very often, maybe 3-5 times a week. But it still bothers me to have a very minimalistic designed page.

does this help at all?

 

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Captive-portal-on-IAP-without-using-Clearpass/td-p/79362

Thansk, It helps a little.

I manage to see the page but It still don't work after validation of the form.

 

I have this error at the http://securelogin.arubanetworks.com/cgi-bin/login url.

<html><pre>Error in invocation. Error string - Internal error 001, please contact support</pre></html>

 

I tried changing the url by the VIP of the iaps but it didn't work. I also added the master ip in the host to securelogin.arubanetworks.com

 

I also changed the hidden input values from the value in the url like that :

http://<portal-ip>/index.php?cmd=login&mac=<mac>&essid=guest%20test&ip=192.168.3.103&apname=<ap>&vcname=<name>&switchip=securelogin.arubanetworks.com&url=<url>

But with no success yet.

 

Edit:

My bad... I didn't configure enough access rule for it to work, but the basic html page v8 in the thread http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Captive-portal-on-IAP-without-using-Clearpass/td-p/79362 works !

 

Do you mind posting your final code?

I am stuck at the same place. Same error.

 

Trying to just force acknowledgement before accessing Guest network.

 

<p>
<form method=POST action="http://<IAP VC IP ADDRESS>/cgi-bin/login">
<span class="bodytext">
<input name=cmd value="authenticate" type="hidden">
<input name=mac value="" type="hidden">
<input name=ip value="" type="hidden">
<input name=essid value="" type="hidden">
<input name=url value="http://www.arubanetworks.com" type="hidden">
<input type="submit" name="Login" value=" I Agree" class="button" />
</span>
</form>
</p>

 

Thanks.

Can you post your config from CLI?

18:64:72:c7:a2:e0# sh captive-portal

:Captive Portal Configuration
Background Color:13421772
Banner Color :13369344
Decoded Texts :
Banner Text :Welcome to the Guest Network
Use Policy :Please read terms and conditions before using Guest Network
Terms of Use :This network is not secure, and use is at your own risk
Internal Captive Portal Redirect URL:http://www.school.org/
Captive Portal Mode:Acknowledged
Custom Logo :
:External Captive Portal Configuration
Server:localhost
Port :80
URL :/
Authentication Text:Authenticated
External Captive Portal Redirect URL:
Server Fail Through:No
Auto White List :Disable
18:64:72:c7:a2:e0#

Your captive portal should look like this:

wlan external-captive-portal CPPM_GUEST-CP-PROFILE
server 192.168.1.100
port 443
url "/guest/guest_registration_page.php"
auth-text ""
https

 

Follow the steps in this video:

https://www.youtube.com/watch?t=32&v=JJXyLWtfQRo

 

Found it:

 

wlan ssid-profile Guest
enable
index 3
type guest
essid Guest
opmode opensystem
max-authentication-failures 0
vlan 67-69
rf-band all

 

wlan external-captive-portal "Captive Portal"
server 192.168.20.151
port 8060
url "/"
auth-text "Welcome to the Guest Network"
auto-whitelist-disable
captive-portal external profile "Captive Portal"
dtim-period 1
inactivity-timeout 1000
broadcast-filter all
dmo-channel-utilization-threshold 90
local-probe-req-thresh 30
max-clients-threshold 64

This example is using Guest with Mac Auth and you can configure Mac caching using the ClearPass templates 

 

Captive Portal Profile:

wlan external-captive-portal CPPM_GUEST-CP-PROFILE
server <ClearPass IP or DNS Name>
port 443
url "/guest/guest_registration_page.php"
auth-text ""
https

 

Roles:

wlan access-rule GUEST-ROLE
index 9
rule any any match udp 53 53 permit
rule any any match udp 67 68 permit
rule any any match tcp 80 80 permit
rule any any match tcp 443 443 permit

 

wlan access-rule GUEST-CP-ROLE
index 16
captive-portal external profile CPPM_GUEST-CP-PROFILE
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit

 

SSID Profile

wlan ssid-profile <ssid-name/profile>
disable
index 2
type guest
essid iap_cppm_guest_ssid
opmode opensystem
max-authentication-failures 0
vlan 101
auth-server <CPPM-SERVER>
set-role-pre-auth GUEST-CP-ROLE
set-role-mac-auth GUEST-ROLE
rf-band all
captive-portal external profile CPPM_GUEST-CP-PROFILE
mac-authentication
mac-authentication-delimiter :
hide-ssid
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
radius-accounting
radius-interim-accounting-interval 15
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64

 

Whitelist ClearPass servers:

lan walled-garden
white-list "<ClearPass server IP"