Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal Problems

  • 1.  Captive Portal Problems

    EMPLOYEE
    Posted Jun 14, 2012 03:12 PM

    Hey guys, maybe someone can help me with my problem with captive portal.

     

    I have a controller that has several Vlans

    Example:

    Vlan 1, 10.56.1.40

    Vlan 2, 100.56.120.40 Employee

    Vlan 3, 172.16.1.40 Guest

    Port is setup as 1 Native and also allows 2 and 3

     

    Depending on the SSID, it will place the client into the appropriate vlan and the client grabs a correct IP. The controller is not the DHCP server.

     

    My Employee clients are able to 802.1X authenticate and it is all good.

    My Guest clients can get an IP and just sit there. I “CAN” ping anything on the network. But when I try to http or https, the redirect does not work. I can apply Any any any to the top of the ACL and I can reach everything. So my dstNating is not working with the redirect.

     

    Another tidbit, if I:

    Create Vlan 4 192.168.1.1

    Enable src nat

    Do not add to the trunk port

    Create a DHCP Scope, 192.168.1.2-254

    Apply this to the guest VAP

    Captive portal will work, but this is not how we want it.

     

     

     

    I am using guest-logon and guest as my roles.

     

     

     

    user-role guest-logon
     access-list session logon-control
     access-list session captiveportal
    !
    user-role guest
     access-list session http-acl
     access-list session https-acl
     access-list session dhcp-acl
     access-list session icmp-acl
     access-list session dns-acl
    ip access-list session logon-control
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
    ip access-list session captiveportal
      user   alias controller svc-https  dst-nat 8081
      user any svc-http  dst-nat 8080
      user any svc-https  dst-nat 8081
      user any svc-http-proxy1  dst-nat 8088
      user any svc-http-proxy2  dst-nat 8088
      user any svc-http-proxy3  dst-nat 8088

     

     

     

    Anything would be great, thanks.

     

    Also, what is the URL of the captive portal page? Can this URL be reached by computers already on the network?



  • 2.  RE: Captive Portal Problems

    EMPLOYEE
    Posted Jun 14, 2012 04:33 PM


  • 3.  RE: Captive Portal Problems

    EMPLOYEE
    Posted Jun 14, 2012 05:08 PM

    Thanks, It is the master Vlan 1 address, 10.56.1.40. But this should be fine because the vlan 3 is routable to vlan 1. Even though the guest clients do not get redirected to the captive portal, they can still ping 10.56.1.40.

     

    This should still work, correct?



  • 4.  RE: Captive Portal Problems

    Posted Jun 14, 2012 05:34 PM

    Do you have the Captive Portal Profile enabled on your guest-logon role?

     

    Example config below:

     

    user-role guest-logon
     captive-portal "guestnet"
     access-list session logon-control
     access-list session allow-amigopod
     access-list session captiveportal
     access-list session v6-logon-control
     access-list session captiveportal6
    !



  • 5.  RE: Captive Portal Problems

    EMPLOYEE
    Posted Jun 14, 2012 05:37 PM
    Yes. Everything to do with ACLs in the controller is correct, I believe. If I use all the same profiles but change the vlans to 4, captive portal works.


  • 6.  RE: Captive Portal Problems

    EMPLOYEE
    Posted Jun 14, 2012 06:04 PM

    Yes, the full role is:

    user-role guest-logon
       captive-portal "DistrictGuestWlan-cp_prof"
       access-list session logon-control
       access-list session captiveportal



  • 7.  RE: Captive Portal Problems

    Posted Jun 17, 2012 08:13 PM

    Are you able to reach DNS from the client (try to do nslookup to google.com)?

     

    Also, try to find the datapath session for the client when you pass traffic from the client (show datapath session table <IP address of the client>). See if there is any "D"-DENY or "Y"-NO sync flag.

     

    To isolate the DNS problem, try to put IP address of any website in the URL and see if it re-directs.

     

    Captive portal URL : https://securelogin.arubanetworks.com. 

     

    Thanks,

    Pradeep



  • 8.  RE: Captive Portal Problems

    Posted Apr 18, 2016 07:36 PM

    Hi, my CP is not redirecting too. I can get to the captive portal page but I have to type it. 

     

     

     

    Are you able to reach DNS from the client (try to do nslookup to google.com)?

     YES

    Also, try to find the datapath session for the client when you pass traffic from the client (show datapath session table <IP address of the client>). See if there is any "D"-DENY or "Y"-NO sync flag.

     YES, I see some flags  like:

    10.110.30.190   132.245.75.114  6    64726 443    0/0  0    0   1   tunnel 744  43   0          0          NYCI            
    10.110.30.190   204.79.197.200  6    64731 80     0/0  0    0   0   tunnel 744  33   0          0          NYC             
    132.245.46.130  10.110.30.190   6    443   64737  0/0  0    0   0   0/0/5       e    1          52         FDC             
    134.71.2.50     10.110.30.190   6    8081  64744  0/0  0    0   0   tunnel 744  2    1          52         SI              
    134.71.2.50     10.110.30.190   6    8081  64738  0/0  0    0   0   tunnel 744  18   1          52         SI              
    132.245.82.50   10.110.30.190   6    443   64744  0/0  0    0   0   0/0/5       2    0          0          FDYC            
    134.71.2.50     10.110.30.190   6    8081  64740  0/0  0    0   0   tunnel 744  b    4          208        SI              
    10.110.30.190   204.79.197.200  6    64736 80     0/0  0    0   0   tunnel 744  1d   0          0          NYC             
    10.110.30.190   204.79.197.200  6    64742 80     0/0  0    0   0   tunnel 744  7    2          104        NYC             
    134.71.2.50     10.110.30.190   6    8081  64734  0/0  0    0   1   tunnel 744  27   0          0          SI              
    
    
    134.71.2.50     10.110.30.190   6    8081  64714  0/0  0    0   0   local       7    0          0          FDYC   

    To isolate the DNS problem, try to put IP address of any website in the URL and see if it re-directs.

     This is the problem. It won't redirect.

    Captive portal URL : https://securelogin.arubanetworks.com. 

    I can ping this. I am able to access this but I have to type it manually in the web browser.
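
Added example (not part of any post above, and not Aruba code): a small Python triage of `show datapath session table` rows like those pasted in post 8, applying the flag check suggested in post 7. The D and Y meanings are the ones given in post 7; reading N as destination NAT follows the ArubaOS flag legend and is an assumption here, as are the function names.

```python
from collections import namedtuple

# Rows copied from post 8 above (columns re-spaced, values unchanged).
SAMPLE = """\
10.110.30.190  132.245.75.114 6 64726 443   0/0 0 0 1 tunnel 744 43 0 0   NYCI
10.110.30.190  204.79.197.200 6 64731 80    0/0 0 0 0 tunnel 744 33 0 0   NYC
132.245.46.130 10.110.30.190  6 443   64737 0/0 0 0 0 0/0/5      e  1 52  FDC
134.71.2.50    10.110.30.190  6 8081  64744 0/0 0 0 0 tunnel 744 2  1 52  SI
132.245.82.50  10.110.30.190  6 443   64744 0/0 0 0 0 0/0/5      2  0 0   FDYC
10.110.30.190  204.79.197.200 6 64742 80    0/0 0 0 0 tunnel 744 7  2 104 NYC
134.71.2.50    10.110.30.190  6 8081  64714 0/0 0 0 0 local      7  0 0   FDYC
"""

Session = namedtuple("Session", "src dst proto sport dport dest flags")

def parse_sessions(text):
    """Parse session rows. The Destination column may be one token
    ('local', '0/0/5') or two ('tunnel 744'), so index from both ends."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or not f[2].isdigit():
            continue  # skip headers, blank lines and truncated rows
        dest = " ".join(f[9:-4])  # last four tokens: TAge, packets, bytes, flags
        rows.append(Session(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), dest, f[-1]))
    return rows

def triage(sessions, client_ip):
    """Group sessions by the flags post 7 asks about, and split the client's
    own web flows by whether they were destination-NATed (assumed: N)."""
    report = {"deny": [], "no_sync": [], "web_nat": [], "web_no_nat": []}
    for s in sessions:
        if "D" in s.flags:
            report["deny"].append(s)
        if "Y" in s.flags:
            report["no_sync"].append(s)
        if s.src == client_ip and s.dport in (80, 443):
            report["web_nat" if "N" in s.flags else "web_no_nat"].append(s)
    return report

if __name__ == "__main__":
    result = triage(parse_sessions(SAMPLE), "10.110.30.190")
    for name, rows in result.items():
        print(f"{name}: {len(rows)}")
        for s in rows:
            print(f"  {s.src}:{s.sport} -> {s.dst}:{s.dport} via {s.dest} [{s.flags}]")
```
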