Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal redirect no longer working

  • 1.  Captive portal redirect no longer working

    Posted Feb 01, 2013 02:22 PM

    We have two wireless LANs configured, one with internal access to our network, the other for guest, which is connected directly to our ISP modem. The controller is on our internal LAN as well. This separation of the guest wireless network from the firewall was the last network change made since the last time I knew the portal to be redirecting. Would the fact that the wireless VLAN associated with this guest network no longer has connectivity to the private LAN cause the portal NOT to work? I would think that, since the VLAN obviously has connectivity to the controller via the AP, and the controller is where the portal, accounts, and policies are created, me separating it from the LAN would not have broken anything. In terms of how it was previously connected, the physical port on the controller designated as the guest wireless LAN was connected to a port on our perimeter firewall, and I created access rules there for it accessing internal servers/services, whereas now that port is connected directly to the ISP modem. Any help is greatly appreciated.



  • 2.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 02:35 PM

    Yes.

     

    The controller:

     

    - Needs a physical port on that ISP VLAN

    - Needs an ip address in the private range of that ISP modem that it is giving out to its clients via DHCP

    - Needs to have a command run "ip cp-redirect-address <ip address of controller on that private range>"

     

     



  • 3.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 03:38 PM

    Thank you for the quick reply. The wireless network using the portal is configured as such: clients get DHCP from the controller, their GW is 172.17.1.1, which is also the GW for the private network of the ISP modem, and 172.17.1.6 is the address of the local interface on the controller. So I believe the first steps you suggested I did already. As for the last step, issuing the captive portal redirect command pointing it to 172.17.1.6, unfortunately it still does not auto-redirect; if I manually type in the URL for the portal including the IP, it works.

     

     



  • 4.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 03:42 PM

    Does DNS function for those clients?

     



  • 5.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 03:45 PM

    Yes, DNS is pointing to the ISP DNS servers; I just did an nslookup and it resolves. I have total Internet connectivity, just w/o authenticating through the portal.



  • 6.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 03:46 PM

    And the client can resolve DNS BEFORE authenticating, is what I meant...



  • 7.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 03:48 PM

    No authentication occurs. From a laptop you can simply select the wireless network and hit connect and you have internet access; you're not sent to the portal to enter the username and PW, as was the case before I eliminated the FW from the setup.



  • 8.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 03:58 PM

    Okay. 

     

    So what role does the user end up in when he associates to the network?  You would have to change your Initial role for the AAA profile of that WLAN to "***logon" to bring up the Captive Portal.



  • 9.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 04:07 PM

    That's the part that's confused me. When I look at the list of clients and find the laptop I'm troubleshooting with, it has the role "graham-guest-cplogon", and in that role I have the captive portal selected. The AAA profile I have configured is called "graham-aaa-guest"; within that, the initial role is guest and the 802.1X default role is "graham-guest-cplogon".



  • 10.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 04:09 PM

    The initial role should be graham-guest-cplogon.

     

    If it is guest, that means that when the user attaches, he gets the post-authentication role, and gets a free pass.
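
The check described in the reply above, as an added example that is not part of the original thread: a small audit that flags a captive-portal AAA profile whose initial role has no captive portal attached. The sample config is constructed in ArubaOS running-config style (layout assumed); the role and profile names come from the thread, and "graham-cp" is a hypothetical captive portal profile name.

```python
import re

# Constructed sample in ArubaOS running-config style (layout assumed); role and
# profile names are from the thread, "graham-cp" is a hypothetical name.
SAMPLE_CONFIG = """\
user-role graham-guest-cplogon
 captive-portal "graham-cp"
!
user-role guest
 access-list session allowall
!
aaa profile "graham-aaa-guest"
 initial-role "guest"
 dot1x-default-role "graham-guest-cplogon"
!
"""

HEAD = re.compile(r'^(user-role|aaa profile)\s+"?([^"\s]+)"?\s*$')

def parse_blocks(config):
    """Map (block kind, name) -> {keyword: value} for roles and AAA profiles."""
    blocks, current = {}, None
    for line in config.splitlines():
        head = HEAD.match(line)
        if head:
            current = blocks.setdefault((head.group(1), head.group(2)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip().strip('"')
        else:
            current = None  # "!" or a blank line ends the block
    return blocks

def open_initial_roles(config, guest_profiles):
    """Return (profile, initial role) pairs whose initial role has no captive portal."""
    blocks = parse_blocks(config)
    findings = []
    for profile in guest_profiles:
        body = blocks.get(("aaa profile", profile))
        if body is None or "initial-role" not in body:
            continue  # only explicitly configured initial roles are audited
        role = body["initial-role"]
        if "captive-portal" not in blocks.get(("user-role", role), {}):
            findings.append((profile, role))
    return findings

if __name__ == "__main__":
    for profile, role in open_initial_roles(SAMPLE_CONFIG, ["graham-aaa-guest"]):
        print(f"{profile}: initial role '{role}' never triggers the captive portal")
```
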



  • 11.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 04:28 PM

    Makes sense, but that didn't fix it. Question: is there a method to disconnect a client other than the "disconnect" option in the GUI? I'm wondering if disconnecting the traditional way from within Windows isn't constituting a new connection attempt on the controller but rather a resume of the session already created where I wasn't authenticating.



  • 12.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 03:43 PM

    Is it necessary to specify the VLAN ID in the user role which uses the captive portal policy?



  • 13.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 03:44 PM

    It is not.

     

    What is important is that the client can resolve DNS.

     



  • 14.  RE: Captive portal redirect no longer working

    EMPLOYEE
    Posted Feb 01, 2013 04:34 PM
    "AAA user delete" on the command line.

    You are right, a device disconnecting does not remove it from the user table.


  • 15.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 04:48 PM

    aaa user clear sessions worked too, but my hunch was wrong; still not being redirected. BTW, I really appreciate your help with this. Any other thoughts, or info I can give you that might point to the problem?



  • 16.  RE: Captive portal redirect no longer working

    Posted Feb 01, 2013 04:53 PM

    Tech support just responded back to my email, and apparently they did purchase ArubaCare, so I'm sending them the logs now. I'll come back and post what the problem was in case anyone else encounters this issue.