Controllerless Networks


iAP Captive Portal only working on Virtual-Master-AP

  • 1.  iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:19 AM

    Hi guys,

    I've got some issues with my iAP Setup...

    It provides two Wireless Networks, an internal one for employees (which works great) and guest access which is behaving strangely...

    It uses "Virtual Controller Assigned" Network and has an "Internal - Authenticated" Captive Portal, which also works great but only on the actual Virtual-Master AP...

    If I connect to this WiFi using any other Access-Point I get a correct IP-Address assigned (which I configured in System -> DHCP) but the Captive Portal redirect won't work :(

     

    And some Background Information (I suppose this is where something's wrong)

    We have multiple VLANs, for example we use VLAN30 to manage the iAPs. That's why Virtual-Master and all the other APs have 192.168.30.xx IP-Addresses. Employees on the internal network use 192.168.70.xx (VLAN70) and Guests use 192.168.80.xx (VLAN80). Every AP gets these VLANs tagged and our Core-Switch seems to route everything properly...

     

    Any ideas?

     

    Here's the config

    Spoiler
    version 6.3.1.0-4.0.0
    syslocation XXX
    virtual-controller-country XX
    virtual-controller-key XXXXX
    name "Instant AP"
    virtual-controller-ip 192.168.30.50
    virtual-controller-vlan 30 255.255.255.0 192.168.30.1
    terminal-access
    ntp-server 192.168.50.3
    clock timezone XXXX
    clock summer-time CEST recurring last sunday march 00:00 last sunday october 03:00
    rf-band all

    allow-new-aps
    allowed-ap XX
    allowed-ap XX
    allowed-ap XX
    allowed-ap XX
    allowed-ap XX
    allowed-ap XX
    allowed-ap XX
    allowed-ap XX


    snmp-server community XXXX
    snmp-server host XX version 2c public inform

    arm
     wide-bands 5ghz
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     client-aware
     scanning

    ip dhcp pool
     subnet 192.168.80.0
     subnet-mask 255.255.255.0
     dns-server 192.168.50.3
     domain-name internal.local
     lease-time 720


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless






    user gast XXXX portal
    user testgast XXXX portal

    user XX XXXX radius
    user XX XXXX radius
    user XX XXXX radius
    user XX XXXX radius

    mgmt-user XX XXXX

    wlan access-rule default_wired_port_profile
     index 0
     rule any any match any any any permit

    wlan access-rule InternalUser
     index 1
     rule any any match any any any permit

    wlan access-rule guestUser
     index 2
     rule 192.168.50.3 255.255.255.255 match udp 53 53 permit
     rule 192.168.80.0 255.255.255.0 match any any any permit
     rule 192.168.30.1 255.255.255.255 match any any any permit
     rule 192.168.0.0 255.255.0.0 match any any any deny
     rule 172.16.0.0 255.240.0.0 match any any any deny
     rule 10.0.0.0 255.0.0.0 match any any any deny
     rule any any match any any any permit

    wlan access-rule wired-instant
     index 3
     rule 192.168.30.51 255.255.255.255 match tcp 80 80 permit
     rule 192.168.30.51 255.255.255.255 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit

    wlan ssid-profile InternalUser
     enable
     index 0
     type employee
     essid InternalUser
     wpa-passphrase XXXX
     opmode wpa-psk-tkip,wpa2-psk-aes
     max-authentication-failures 0
     vlan 70
     auth-server InternalServer
     rf-band all
     captive-portal disable
     mac-authentication
     hide-ssid
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    wlan ssid-profile guestUser
     enable
     index 1
     type guest
     essid guestUser
     opmode opensystem
     max-authentication-failures 0
     vlan guest
     auth-server InternalServer
     rf-band all
     captive-portal internal
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    auth-survivability cache-time-out 24



    wlan captive-portal
     background-color 16750848
     banner-color 3368703
     decoded-texts terms
     redirect-url "http://www.company.tld""
     banner-text "COMPANY"
     terms-of-use "57;69;6c;6c;6b;6f;6d;6d;65;6e;20;7a;75;6d;20;56;65;72;6c;61;2d;50;68;61;72;6d;20;47;e4;73;74;65;20;57;4c;41;4e;2e;"
     use-policy "XXXX"
     authenticated

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"


    wlan walled-garden
     white-list "^https?://([A-Za-z0-9.-]*\.)?COMPANY\.TLD/?"

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids classification

    ids
     wireless-containment none

    ip dhcp InternalUser
     server-type Local,L3
     server-vlan 70
     subnet 192.168.70.0
     subnet-mask 255.255.255.0
     exclude-address 192.168.70.1
     lease-time 28800
     dns-server 192.168.50.3
     domain-name internal.local

    alg
     sccp-disable
     sip-disable
     ua-disable
     vocera-disable

    wired-port-profile default_wired_port_profile
     switchport-mode access
     allowed-vlan all
     native-vlan 30
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     auth-server InternalServer
     captive-portal disable
     no dot1x

    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180


    airgroup
     disable

    airgroupservice airplay
     disable
     description AirPlay

    airgroupservice airprint
     disable
     description AirPrint

    Thanks in advance!


    #3600


  • 2.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:25 AM

    Can you please upload the configuration?

    I am not able to find the configuration.



  • 3.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:32 AM

    Yeah sure,

    I put it inside a spoiler in my first post but attached it additionally on this post as xxcfg.txt

    Attachment(s)

    txt
    xxcfg.txt   4 KB 1 version


  • 4.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:41 AM

    First, I would like to advise you to upgrade the IAP to the latest firmware.

     

    FYI.....

    http://www.arubanetworks.com/support/alerts/aruba-psa-2015-001.txt

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-vulnerability-advisories/td-p/176738

     

    If the problem is still not solved, let us know...



  • 5.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:52 AM

    SumaN,

    thanks for the quick reply, but it actually runs 6.3.1.8-4.0.0.8_46401 which appears to be the latest IAP firmware according to the download section in the Aruba support portal

    (see screenshot)

    iap.PNG



  • 6.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:56 AM

    What is your model no?

     

    NOTE:  This is a downtime activity, if it is your production network be careful


    @gschwendti wrote:

    SumaN,

    thanks for the quick reply, but it actually runs 6.3.1.8-4.0.0.8_46401 which appears to be the latest IAP firmware according to the download section in the Aruba support portal

    (see screenshot)

    iap.PNG


     



  • 7.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 08:59 AM

    There are seven iAP-105 and one iAP-93



  • 8.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 09:04 AM

    firmware.jpg

     

     

    NOTE:  Remember to take a backup.

    Please read the release notes carefully.



  • 9.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 09:09 AM

    Ok, I wasn't sure about this because it says "early availability" which sounds like a classy word for beta :)

    I'll do that next morning before the heavy users arrive and provide feedback!



  • 10.  RE: iAP Captive Portal only working on Virtual-Master-AP

    Posted Jan 28, 2015 09:24 AM

    You can go for this version also

    firmware.jpg