Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal: allow access to additional url without authentication

  • 1.  Captive Portal: allow access to additional url without authentication

    Posted Oct 09, 2013 11:42 AM

    I'm trying to allow users to connect to our captive portal page and have the option to change their password via our password change website without authenticating to the captive portal network.

     

    This post looks like what I'm trying to accomplish but adding a policy with http/https and the destination address and then applying that policy to the initial role doesn't appear to be working. I keep getting the redirect to the CP page when I try to load the other url.

     

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Captive-Portal-Allow-Access-to-resource-without-authentication/m-p/97933#M16585



  • 2.  RE: Captive Portal: allow access to additional url without authentication

    Posted Oct 09, 2013 11:45 AM

    A rule allowing http/https to the desired sites should work so long as the rule is in a policy before the captiveportal policy.  Can you show the results of:

     

    show rights <nameofrole>



  • 3.  RE: Captive Portal: allow access to additional url without authentication

    Posted Oct 09, 2013 11:54 AM

    Derived Role = 'Connect'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 1724
    Periodic reauthentication: Disabled
    ACL Number = 73/0
    Max Sessions = 65535

    Captive Portal profile = Connect

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 Android-Market session
    2 logon-control session
    3 CP_Connect session
    4 captiveportal session
    5 denyall session

    Android-Market
    --------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any Android_Market svc-http permit Low 4
    2 any Android_Market svc-https permit Low 4
    3 any Android_Market tcp 5228 permit Low 4
    4 any Android_Market udp 5228 permit Low 4
    logon-control
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    CP_Connect
    ----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user internal_CP svc-http permit Low 4
    2 user internal_CP svc-https permit Low 4
    captiveportal
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4
    denyall
    -------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any deny Low 4
    2 any any any deny Low 6

    Expired Policies (due to time constraints) = 0

     



  • 4.  RE: Captive Portal: allow access to additional url without authentication

    Posted Oct 09, 2013 12:49 PM

    I think it's working fine. I tried it with another exception. The problem was with the url that I was trying to connect to.
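
The rule-ordering point from reply 2, applied to the policy order shown in reply 3, as an added example that is not part of the original thread: a small first-match model of the 'Connect' role showing which policy decides a web flow, and what changes if the allow policy sits after captiveportal. The alias addresses, the service-to-port mapping and the helper names first_match and move_after are assumptions; the thread does not show what internal_CP or controller resolve to.

```python
import ipaddress

# Constructed values: the thread never shows what the aliases resolve to.
ALIASES = {
    "internal_CP": ["192.0.2.10/32"],      # hypothetical password-change host
    "controller": ["198.51.100.1/32"],     # hypothetical controller address
    "any": ["0.0.0.0/0"],
}
# Usual port definitions for the service names in the output (assumed defaults).
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
            "svc-dns": ("udp", 53), "any": (None, None)}

# Session ACLs in the order listed for role 'Connect' (IPv4 web/DNS rules only).
ROLE = [
    ("logon-control", [("any", "svc-dns", "permit")]),
    ("CP_Connect", [("internal_CP", "svc-http", "permit"),
                    ("internal_CP", "svc-https", "permit")]),
    ("captiveportal", [("controller", "svc-https", "dst-nat 8081"),
                       ("any", "svc-http", "dst-nat 8080"),
                       ("any", "svc-https", "dst-nat 8081")]),
    ("denyall", [("any", "any", "deny")]),
]

def first_match(role, dst_ip, proto, port):
    """Return (policy, action) of the first rule matching the flow."""
    ip = ipaddress.ip_address(dst_ip)
    for policy, rules in role:
        for dst, svc, action in rules:
            s_proto, s_port = SERVICES[svc]
            in_dst = any(ip in ipaddress.ip_network(n) for n in ALIASES[dst])
            if in_dst and s_proto in (None, proto) and s_port in (None, port):
                return policy, action
    return None, "deny"  # nothing matched

def move_after(role, name, anchor):
    """Copy of the role with policy `name` re-positioned after `anchor`."""
    moved = [p for p in role if p[0] == name]
    rest = [p for p in role if p[0] != name]
    i = [p[0] for p in rest].index(anchor) + 1
    return rest[:i] + moved + rest[i:]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):   # inside / outside the alias
        print(ip, first_match(ROLE, ip, "tcp", 443))
    late = move_after(ROLE, "CP_Connect", "captiveportal")
    print("allow policy after captiveportal:", first_match(late, "192.0.2.10", "tcp", 443))
```

A destination that resolves to an address outside the alias falls through to captiveportal and is dst-nat'ed to the portal, which is the redirect symptom described in post 1.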