Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal isn't showing up

  • 1.  Captive portal isn't showing up

    Posted Aug 06, 2012 04:32 AM

    Hi all,

     

    I'm going nuts with this captive portal. I'm actually using a 3600 (6.1.3.3) controller with AP 105s in RAP mode. I have one private SSID (which is working) and I'd like to implement a captive portal on a separate VLAN (192.168.100.0/24).

    I've followed this KB in order to implement it : http://support.arubanetworks.com/ArubaOSKB/tabid/111/Default.aspx 

    I've also used the 6.1 documentation and followed many, many threads in this forum in order to find a solution, without any success :(

     

    Here is the situation :

    • DHCP is provided by the controller.
    • APs are in split-tunneled mode
    • ip cp-redirect is set on the controller (192.168.100.254)
    • DNS is resolving (securelogin.arubanetworks.com)
    • user-role is (seems to be) the correct one
    • HTTP authentication checked in order to avoid OCSP trouble
    • ping to the controller is working
    • http to the controller is NOT working


    Issue :

    The captive portal web page is not showing up; even when I'm trying with the web browser

     

    Do you have any ideas on what I did wrong?

     

    Thanks in advance.

     

    Thomas


    #3600


  • 2.  RE: Captive portal isn't showing up

    EMPLOYEE
    Posted Aug 06, 2012 05:41 AM

    Please try to make it work in tunneled mode, first.

     

     



  • 3.  RE: Captive portal isn't showing up

    Posted Aug 06, 2012 05:45 AM

    I have changed the forward mode to tunneled and it's working fine...

    So it should work in split tunnel right?



  • 4.  RE: Captive portal isn't showing up

    EMPLOYEE
    Posted Aug 06, 2012 05:47 AM

    What is the initial role that the user gets before authenticating?  On the command line, type "show rights <role>" so we can see what rules you are using.

     



  • 5.  RE: Captive portal isn't showing up

    Posted Aug 06, 2012 05:57 AM

    Here is the result from the command line :

     

    show rights vbn-guest-logon
    
    Derived Role = 'vbn-guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 71/0
     Max Sessions = 65535
    
     Captive Portal profile = vbn-guest
    
    access-list List
    ----------------
    Position  Name                     Location
    --------  ----                     --------
    1         vbn-guest-control
    2         vbn-guest-captiveportal
    
    vbn-guest-control
    -----------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-dhcp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-icmp  permit                           Low                                                           4
    vbn-guest-captiveportal
    -----------------------
    Priority  Source  Destination  Service    Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https  dst-nat 8081                           Low                                                           4
    2         user    any          svc-http   dst-nat 8080             Yes           Low                                                           4
    3         user    any          svc-https  dst-nat 8081                           Low                                                           4
    
    Expired Policies (due to time constraints) = 0

     



  • 6.  RE: Captive portal isn't showing up

    EMPLOYEE
    Posted Aug 06, 2012 06:01 AM

    Okay.  Change it to split and try to reach the controller by typing 192.168.100.254 in the browser.

     

    On the command line, type "show datapath session table <ip address of client>" to see what is happening at the time.




  • 7.  RE: Captive portal isn't showing up

    Posted Aug 06, 2012 06:10 AM

    During the browser request :

    #show datapath session table 192.168.100.253
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           u - User Index
    
      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----

     

    Once I get the timeout message:

    #show datapath session table 192.168.100.253
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           u - User Index
    
      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
    192.168.100.253 10.156.4.53     17   64027 53     0/0     0 0   0   tunnel 36   4    10     4c     FSCI
    192.168.100.253 10.156.4.53     17   57448 53     0/0     0 0   0   tunnel 36   4    10     4c     FSCI
    192.168.100.253 10.156.4.53     17   59643 53     0/0     0 0   0   tunnel 36   4    10     4c     FSCI
    192.168.100.253 10.156.4.53     17   54485 53     0/0     0 0   0   tunnel 36   4    10     4c     FSCI
    192.168.100.253 10.156.4.53     17   52452 53     0/0     0 0   1   tunnel 36   c    10     4c     FSCI

     

    NB: before the device connects to the AP, it has the same output as above.
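
One way to read the session-table output in the post above, as an added example that is not part of the original thread: it decodes the flag letters with the legend printed in that output and counts the client's DNS and web sessions. The function names and the choice of TCP ports 80/443 as "web" are assumptions of this example; the sample rows are two of the five rows posted.

```python
import re

# Flag legend as printed by "show datapath session table" in the thread.
FLAG_LEGEND = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis", "I": "Deep inspect",
    "U": "Locally destined", "E": "Media Deep Inspect",
    "G": "media signal", "u": "User Index",
}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Header plus two of the five rows posted in the thread.
SAMPLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
192.168.100.253 10.156.4.53     17   64027 53     0/0     0 0   0   tunnel 36   4    10     4c     FSCI
192.168.100.253 10.156.4.53     17   52452 53     0/0     0 0   1   tunnel 36   c    10     4c     FSCI
"""

def parse_sessions(text):
    """Return one dict per data row; headers, rulers and legend lines are skipped."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not (IPV4.match(tok[0]) and IPV4.match(tok[1])):
            continue
        # Flags are the last column; it may be empty, so validate against the legend.
        flags = tok[-1] if set(tok[-1]) <= set(FLAG_LEGEND) else ""
        sessions.append({"src": tok[0], "dst": tok[1], "proto": int(tok[2]),
                         "sport": int(tok[3]), "dport": int(tok[4]),
                         "flags": [FLAG_LEGEND[f] for f in flags]})
    return sessions

def summarize(sessions, client, portal_ip):
    """Count the client's DNS and web sessions to see how far a portal attempt got."""
    mine = [s for s in sessions if s["src"] == client]
    web = [s for s in mine if s["proto"] == 6 and s["dport"] in (80, 443)]
    return {
        "dns": sum(s["proto"] == 17 and s["dport"] == 53 for s in mine),
        "web": len(web),
        "web_to_portal": sum(s["dst"] == portal_ip for s in web),
        "dest_nat": any("dest NAT" in s["flags"] for s in web),
    }

if __name__ == "__main__":
    print(summarize(parse_sessions(SAMPLE), "192.168.100.253", "192.168.100.254"))
```

On the posted rows this reports DNS sessions only and no TCP 80/443 session from the client at all, which matches what the output shows during the failed browser request.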



  • 8.  RE: Captive portal isn't showing up

    EMPLOYEE
    Posted Aug 06, 2012 06:15 AM

    It looks like traffic is not being returned from your DNS server at 10.156.4.53.  Is the DNS server at 10.156.4.53 routable to the 192.168.100.x address?  Do you have ip nat inside on the guest vlan?  Also, try to bring up the controller web page by typing 192.168.100.254 into the browser on the guest side.

     

     



  • 9.  RE: Captive portal isn't showing up

    Posted Aug 06, 2012 06:22 AM

    This was my conclusion too but if I'm not wrong as I'm requesting the IP address, it shouldn't go to the DNS, right?

    Anyway, 10.156.4.53 is routable to 192.168.100.0/24

     

    Concerning the guest vlan, yes I have :

    interface vlan 3
            ip address 192.168.100.254 255.255.255.0
            ip nat inside
            description "Vlan Guest"

     

    I'm trying to bring up the controller web page by typing the controller IP on the guest side, but when I check the "datapath session table" it always requests the DNS...



  • 10.  RE: Captive portal isn't showing up

    EMPLOYEE
    Posted Aug 06, 2012 06:23 AM

    Please reboot the AP entirely, and try again



  • 11.  RE: Captive portal isn't showing up

    Posted Aug 06, 2012 07:27 AM

    I have rebooted all APs by power off/power on. Nothing changed.

    Any clues?

     

    PS : I cannot purge AP as they are already mounted on the ceiling.



  • 12.  RE: Captive portal isn't showing up

    EMPLOYEE
    Posted Aug 07, 2012 05:22 AM

    If this is urgent, please open a TAC case so that they can work to resolve your issue more quickly.