Occasional Contributor II

Captive Portal authentication bypassed with VPN application like Psiphon

Hi everyone,

I have an issue with captive portal authentication on the mobility controller. Unauthorized users can bypass the authentication step using VPN applications like Psiphon.

Is there any solution to resolve this issue and force users to go through the captive portal authentication process before connecting to the network?

Best regards,

Aghiles

Super Contributor II

Re: Captive Portal authentication bypassed with VPN application like Psiphon

Hi Aghiles,

The initial role is set to something to force captive portal authentication.

Normally all the traffic, including VPN traffic, will be dropped and a user needs to be authenticated before internet access is available.

Please check the ACLs connected to the initial user role. Can you share the initial role connected to this network?

You can use the command ‘show rights <rolename>’ for this.


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: Captive Portal authentication bypassed with VPN application like Psiphon

Hi,

For the initial role I used the default "guest-guest-logon" role (ArubaOS v8).

Attached to this post you will find the output of the "show rights" command.

Best regards

Super Contributor II

Re: Captive Portal authentication bypassed with VPN application like Psiphon

In the user-role the ACL logon-control has been attached.

In this ACL the traffic for the service svc-natt is permitted. I suppose that this will allow the VPN traffic.
Because the captiveportal ACL is below the logon-control ACL, the VPN traffic is allowed.

The logon-control ACL is default. Maybe you can try to duplicate the logon-control ACL and remove the svc-natt rule to see if this will help.

Willem Bargeman ACMX#935 | ACCX #822

Occasional Contributor II

Re: Captive Portal authentication bypassed with VPN application like Psiphon

Hi,

Thank you, but even if you delete the NAT-T rule, this does not resolve the issue, because SSL VPNs still work.

Best regards

Super Contributor II

Re: Captive Portal authentication bypassed with VPN application like Psiphon

OK. I don't know why this traffic is allowed.
Can you enable logging in the ACLs to log the ACL hits and see which rule is used for this traffic?

You can show the ACL logs with the command "show log security".

Willem Bargeman ACMX#935 | ACCX #822


Re: Captive Portal authentication bypassed with VPN application like Psiphon

Use the "show datapath session table <ip.address>" to see what traffic is coming to/from the client while it's connected. This should give you an idea which port(s) the VPN is using, so that you can lock that down as needed.


Charlie Clemmer
Aruba Customer Engineering
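One way to turn that session listing into the short list of flows the logon role is passing but should not. This is an added example, not Aruba tooling or code from anyone in this thread; the table layout in the sample, the controller address and the pre-auth allow list are assumptions.

```python
import re

# Constructed sample of "show datapath session table <client-ip>" output for an
# unauthenticated guest 10.20.30.40. The column layout (Source IP, Destination
# IP, Prot, SPort, DPort, ..., Packets) approximates ArubaOS; it is an assumption
# for this example, not captured controller output.
SAMPLE = """\
Source IP     Destination IP  Prot SPort DPort Cntr Prio ToS Age Packets Bytes   Flags
10.20.30.40   10.20.30.1      17   51234 53    0/0  0    0   1   3       210     FC
10.20.30.40   10.20.30.1      6    52000 8080  0/0  0    0   1   12      4100    FC
10.20.30.40   203.0.113.10    17   4500  4500  0/0  0    0   2   800     96000   F
10.20.30.40   198.51.100.7    6    52210 443   0/0  0    0   5   2300    1900000 F
10.20.30.40   198.51.100.7    6    52211 443   0/0  0    0   0   1       60      F
"""

# Assumed pre-auth allowances: DNS/DHCP to anywhere, and any flow terminating
# on the controller itself (captive portal redirect and login page).
PRE_AUTH_SERVICES = {(17, 53), (17, 67)}
CONTROLLER_IPS = {"10.20.30.1"}
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")


def parse_sessions(text):
    """Return one dict per session row; the header and non-IP lines are skipped."""
    sessions = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 10 or not IPV4.match(p[0]):
            continue
        sessions.append({"src": p[0], "dst": p[1], "proto": int(p[2]),
                         "dport": int(p[4]), "packets": int(p[9])})
    return sessions


def suspicious_flows(sessions, client_ip, controller_ips=CONTROLLER_IPS):
    """Aggregate the client's outbound sessions per (dst, proto, dport) and keep
    those that neither hit the controller nor match a pre-auth service: that is
    the traffic the logon role is passing but should not, busiest first."""
    totals = {}
    for s in sessions:
        if s["src"] == client_ip:
            key = (s["dst"], s["proto"], s["dport"])
            totals[key] = totals.get(key, 0) + s["packets"]
    return sorted(
        [(dst, proto, dport, pkts) for (dst, proto, dport), pkts in totals.items()
         if dst not in controller_ips and (proto, dport) not in PRE_AUTH_SERVICES],
        key=lambda row: -row[3])
```

On the sample this surfaces the UDP/4500 (NAT-T) flow and the TCP/443 flows to a non-controller host, which is exactly what you would then look for in the logon-control and captiveportal ACL hits.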