Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Config makes no sense, how is my guest wifi working with captive portal?

  • 1.  Config makes no sense, how is my guest wifi working with captive portal?

    Posted Jan 24, 2019 04:15 PM

    Hi everyone, looking for some experienced users to help me out here.  We have a guest wifi setup with CPPM being the captive portal for users to authenticate against.  While digging through the configs for this setup, I can't for the life of me figure out how I'm being redirected to the captive portal correctly.  The service definitely works and we have no complaints from our users but when I compare my configs to those from an ASE example, it's missing the reference aaa profile that has all the necessary stuff like initial role and the captive portal session, etc.


    This is what I have from the Guest ssid section (I've edited the names a bit):


    wlan virtual-ap "Guest-vap"
    aaa-profile "Guest-redirect-aaa"
    ssid-profile "Guest-ssid"
    vlan Guest-vlan
    broadcast-filter all
    deny-inter-user-traffic
    !
    wlan ssid-profile "Guest-ssid"
    essid "Guest"
    !
    aaa profile "Guest-redirect-aaa"
    initial-role "Guest-redirect-role"
    enforce-dhcp
    !
    user-role Guest-redirect-role
    access-list session global-sacl
    access-list session apprf-Guest-redirect-role-sacl
    access-list session logon-control
    access-list session Guest-redirect-acl
    !
    ip access-list session global-sacl
    !
    ip access-list session apprf-Guest-redirect-role-sacl
    !
    ip access-list session logon-control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny
    !
    ip access-list session Guest-redirect-acl
    any any any redirect tunnel 10
    !


    Normally I would expect the aaa profile to be loaded with all the initial role, mac authentication, dhcp, etc.  But this one doesn't.  There definitely is another aaa profile which houses all the captive portal information and such but it's not being referenced in any other configuration whatsoever.


    Could there be some other "default" setting that the guest users are hitting and being brought to the captive portal?


    Thanks for any suggestions and let me know if you need any additional outputs.




  • 2.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    EMPLOYEE
    Posted Jan 24, 2019 04:24 PM

    ip access-list session Guest-redirect-acl
    any any any redirect tunnel 10


    It looks like you might have a tunnel to another controller (maybe a guest anchor controller).


    Type "show datapath tunnel table" and "show interface tunnel 10"



  • 3.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    Posted Jan 24, 2019 04:29 PM

    The first command done from the local controller spits out a very large table.  The second command is below:


    (A7240XM) # show interface tunnel 10

    Tunnel 10 is up line protocol is up
    Description: 7240XM-Local-1 TO 7210-DMZ active tunnel for ssid Guest, need CP auth
    Source 10.204.65.27
    Destination 10.204.65.25
    Tunnel mtu is set to 1500
    Tunnel is a Layer2 GRE TUNNEL
    Tunnel is Trusted
    Inter Tunnel Flooding is enabled
    Tunnel keepalive is enabled
    Keepalive type is Default
    Tunnel keepalive interval is 10 seconds, retries 3
    Heartbeats sent 382864, Heartbeats lost 10
    Tunnel is down 1 times
    tunnel vlan 110


    (A7240XM) #



  • 4.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    EMPLOYEE
    Posted Jan 24, 2019 07:04 PM

    The DMZ controller is probably where the captive portal is enforced.



  • 5.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    Posted Jan 24, 2019 09:17 PM

    I'm going to do a diff on the configs between the master and the anchor/dmz controller tomorrow but is there anything in particular I can look for?  On a cursory glance, the configs look almost identical.



  • 6.  RE: Config makes no sense, how is my guest wifi working with captive portal?



  • 7.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    Posted Jan 25, 2019 10:31 AM

    Thanks @cjoseph that certainly helps to explain things better.  And I believe that's likely what's happening here.  The tunnel terminating on the DMZ controller *is* set to untrusted. Based on the article, it says that it puts all user traffic in the "logon" role but that example is for NAT'ing the user traffic.  The "logon" role on our DMZ looks pretty generic but does have a captiveportal reference:


    user-role logon
    access-list session ra-guard
    access-list session logon-control
    access-list session captiveportal
    access-list session vpnlogon
    access-list session v6-logon-control
    access-list session captiveportal6
    !

    Would that be what forces users to hit the captive portal?


    Also, the article is a little dated and I'm not sure if some of the commands have changed but I don't have anything configured for derivation which would make total sense for having anyone who associates to the "Guest" SSID to have a guest-logon role.  That's the part that I'm missing from the master perspective.  What forces a user to get the initial role of guest-logon?




  • 8.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    Posted Feb 01, 2019 11:54 AM

    Anyone else with any suggestions or tips?




  • 9.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    EMPLOYEE
    Posted Feb 01, 2019 11:55 AM

    Making a tunnel untrusted forces traffic into the logon role.  The Captive Portal ACL is in the logon role that forces user web traffic to the captive portal.  The logon role has a Captive Portal Authentication Profile parameter.  That is the parameter that determines which Captive Portal profile applies to users who hit the logon role.
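The chain described in this thread (VAP to aaa profile to initial role to a redirect ACL into a tunnel, then the untrusted tunnel on the anchor dropping users into its logon role with the captiveportal ACL) can be traced mechanically from the two controllers' running configs. The script below is an added example, not code from the thread or from HPE Aruba; the config text is constructed from the snippets posted above, and the "untrusted tunnel means logon role" rule is taken as a parameter rather than parsed, since that setting lives on the anchor's tunnel interface.

```python
LOCAL_CFG = """wlan virtual-ap "Guest-vap"
aaa-profile "Guest-redirect-aaa"
!
aaa profile "Guest-redirect-aaa"
initial-role "Guest-redirect-role"
!
user-role Guest-redirect-role
access-list session Guest-redirect-acl
!
ip access-list session Guest-redirect-acl
any any any redirect tunnel 10
!
"""
DMZ_CFG = """user-role logon
access-list session captiveportal
!
"""  # both constructed from the configs posted in this thread, trimmed

def parse_blocks(cfg):
    """Map each '!'-terminated block header to its body lines (quotes stripped)."""
    blocks = {}
    for chunk in cfg.replace('"', "").split("\n!"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks

def field(blocks, header, key):
    """Value after `key` in the named block, or None if absent."""
    return next((l[len(key) + 1:] for l in blocks.get(header, [])
                 if l.startswith(key + " ")), None)

def role_acls(blocks, role):
    return [l.split()[-1] for l in blocks.get(f"user-role {role}", [])]

def trace(local, dmz, vap, tunnel_trusted):
    """Returns (initial role, tunnel id, role on the anchor, portal enforced?)."""
    aaa = field(local, f"wlan virtual-ap {vap}", "aaa-profile")
    role = field(local, f"aaa profile {aaa}", "initial-role")
    tunnel = None
    for acl in role_acls(local, role):
        for rule in local.get(f"ip access-list session {acl}", []):
            words = rule.split()
            if "redirect" in words and "tunnel" in words:
                tunnel = int(words[words.index("tunnel") + 1])
    if tunnel is None:  # no anchor: the local initial role decides
        return role, None, None, "captiveportal" in role_acls(local, role)
    # An untrusted tunnel on the anchor drops users into its logon role.
    anchor_role = None if tunnel_trusted else "logon"
    enforced = bool(anchor_role) and "captiveportal" in role_acls(dmz, anchor_role)
    return role, tunnel, anchor_role, enforced
```

Running `trace(parse_blocks(LOCAL_CFG), parse_blocks(DMZ_CFG), "Guest-vap", tunnel_trusted=False)` shows the portal is enforced by the anchor's logon role; flipping the tunnel to trusted shows no portal enforcement at all, which is the check to run after any change on the DMZ side.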



  • 10.  RE: Config makes no sense, how is my guest wifi working with captive portal?

    Posted Jan 24, 2019 04:24 PM

    Forgot to add that we have a master - local - DMZ local topology where our guest traffic is sent across a tunnel to the dmz controller hence the reference to tunnel 10 in the above config.