Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal authentication bypassed with vpn application like psiphone

  • 1.  Captive Portal authentication bypassed with vpn application like psiphone

    Posted Apr 15, 2019 05:04 AM

    Hi everyone,

    I have an issue with Captive Portal authentication on the mobility controller. Unauthorized users can bypass the authentication step using VPN applications like psiphone.

    Is there any solution to resolve this issue and force users to get through the Captive Portal authentication process before connecting to the network?

    Best regards,

    Aghiles



  • 2.  RE: Captive Portal authentication bypassed with vpn application like psiphone

    Posted Apr 15, 2019 05:10 AM

    Hi Aghiles,

    The initial role is set to something to force captive portal authentication.

    Normally all the traffic, including VPN traffic, will be dropped and a user needs to be authenticated before internet access is available.

    Please check the ACLs connected to the initial user role. Can you share the initial role connected to this network?

    You can use the command ‘show rights <rolename>’ for this.



  • 3.  RE: Captive Portal authentication bypassed with vpn application like psiphone

    Posted Apr 15, 2019 06:43 AM

    Hi,

    For the initial role I used the default "guest-guest-logon" role (ArubaOS v8).

    You find attached to this post the output of the "show rights" command.

    Best regards

    Attachment(s): Show rights output.txt (txt, 6 KB)


  • 4.  RE: Captive Portal authentication bypassed with vpn application like psiphone

    Posted Apr 15, 2019 06:53 AM
    In the user-role the ACL logon-control has been attached.

    In this ACL the traffic for the service svc-natt is permitted. I suppose that this will allow the VPN traffic.
    Because the captiveportal ACL is below the logon-control ACL the VPN traffic is allowed.

    The logon-control ACL is default. Maybe you can try to duplicate the logon-control ACL and remove the svc-natt rule to see if this will help.
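The reasoning in the reply above (an earlier ACL's permit wins before the captiveportal ACL is consulted) is easy to model. The following is an added example, not code from this thread or from HPE Aruba: it evaluates a pre-authentication role as an ordered chain of ACLs with first-match semantics and audits the role for plain permits that reach beyond the portal. The service table and both ACL rule lists are constructed approximations of the thread's logon-control and captiveportal ACLs; the real contents of a role should always be read from 'show rights <rolename>' on the controller.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service table (ArubaOS-style service alias -> protocol, destination port).
# Only the aliases discussed in the thread are modelled; NAT-T (UDP 4500) is the IPsec
# UDP encapsulation that the thread's svc-natt rule permits.
SERVICES = {
    "svc-dns": ("udp", 53),
    "svc-dhcp": ("udp", 67),
    "svc-natt": ("udp", 4500),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    service: Optional[str]  # None means "any" service
    action: str             # "permit", "deny" or "dst-nat" (redirect to the portal)


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


Acl = Tuple[str, List[Rule]]  # (ACL name, ordered rules)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.service is None:
        return True
    proto, port = SERVICES[rule.service]
    return pkt.proto == proto and pkt.dst_port == port


def evaluate_role(role: List[Acl], pkt: Packet) -> Tuple[Optional[str], Optional[int], str]:
    """First-match evaluation across every ACL attached to a role, in attachment order.

    Returns (acl_name, rule_index, action). A permit in an earlier ACL wins before a
    later ACL (such as captiveportal) is ever consulted; no match means implicit deny.
    """
    for acl_name, rules in role:
        for index, rule in enumerate(rules):
            if rule_matches(rule, pkt):
                return acl_name, index, rule.action
    return None, None, "deny"


# Constructed approximations of the two ACLs in the thread's initial role.
LOGON_CONTROL = [Rule("svc-dns", "permit"), Rule("svc-dhcp", "permit"), Rule("svc-natt", "permit")]
CAPTIVEPORTAL = [Rule("svc-http", "dst-nat"), Rule("svc-https", "dst-nat"), Rule(None, "deny")]


def logon_role(include_natt: bool = True) -> List[Acl]:
    """Initial role as attached in the thread: logon-control first, captiveportal second.
    include_natt=False models the duplicated logon-control ACL with the svc-natt rule removed."""
    control = [r for r in LOGON_CONTROL if include_natt or r.service != "svc-natt"]
    return [("logon-control", control), ("captiveportal", CAPTIVEPORTAL)]


def classify(pkt: Packet, include_natt: bool = True):
    return evaluate_role(logon_role(include_natt), pkt)


def audit_preauth_permits(role: List[Acl], allowed=("svc-dns", "svc-dhcp")) -> List[Tuple[str, int, str]]:
    """List every plain permit in a pre-authentication role that is not on the allow list.
    Each hit is (acl_name, rule_index, service): traffic that can leave the client
    without ever being redirected to the portal."""
    hits = []
    for acl_name, rules in role:
        for index, rule in enumerate(rules):
            if rule.action == "permit" and rule.service not in allowed:
                hits.append((acl_name, index, rule.service or "any"))
    return hits


if __name__ == "__main__":
    vpn = Packet("udp", 4500)
    print("default role, NAT-T packet:", classify(vpn))
    print("without svc-natt, NAT-T packet:", classify(vpn, include_natt=False))
    print("audit of default role:", audit_preauth_permits(logon_role()))
```

With the default chain, a UDP 4500 packet is permitted by rule 2 of logon-control and the captiveportal ACL never sees it; with that rule removed, the same packet falls through to the captiveportal ACL's final deny. The audit function is the check worth keeping: run it (or the equivalent reading of 'show rights') over any initial role, since every plain permit that is not DHCP or DNS is a path around the portal.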


  • 5.  RE: Captive Portal authentication bypassed with vpn application like psiphone

    Posted Apr 15, 2019 08:44 AM

    Hi,

    Thank you, but even if you delete the NAT-T rule, this does not resolve the issue, because SSL VPNs still work.

    Best regards



  • 6.  RE: Captive Portal authentication bypassed with vpn application like psiphone

    Posted Apr 15, 2019 09:25 AM
    Ok. I don't know why this traffic is allowed.
    Can you enable logging in the ACLs to log the ACL hits and see which rule is used for this traffic?

    You can show the ACL logs with the command ‘show log security’.


  • 7.  RE: Captive Portal authentication bypassed with vpn application like psiphone

    EMPLOYEE
    Posted Apr 15, 2019 05:31 PM

    Use the "show datapath session table <ip.address>" to see what traffic is coming to/from the client while it's connected. This should give you an idea which port(s) the VPN is using, so that you can lock that down as needed.