Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Explicit Proxy with Captive Portal

  • 1.  Explicit Proxy with Captive Portal

    Posted Nov 29, 2015 10:56 AM

    Hi,

    I have an explicit proxy that my customer wants to use with guests also.

    The customer wants to use Captive Portal for guest authentication,

    Guest VLANs are NATed,

    Is there any solution to force guests to use the proxy without any configuration in the browser?



  • 2.  RE: Explicit Proxy with Captive Portal

    EMPLOYEE
    Posted Nov 29, 2015 07:33 PM

    There are ways, but some things need to be in place.

     

    You would need to configure your DHCP server for option 252: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-DHCP-option-252-for-captive-portal-with-proxy/ta-p/182290  The drawback with this method is that the user's browser needs to be set to "auto discovery of proxy server", otherwise it will not work.

     

    There is also a second way that you can try, using the redirect ACL:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-configure-Aruba-Controller-for-redirecting-traffic-to-the/ta-p/180598  Please note the drawback of using this method - "Note: In the transparent mode, most proxy servers will process only the http traffic. A few proxy servers like Websense or Bluecoat will process the https traffic, provided SSL inspection is enabled in the proxy server."




  • 3.  RE: Explicit Proxy with Captive Portal

    Posted Nov 30, 2015 04:12 AM
    The issue is that I'm using Captive Portal, and if I use an ACL to redirect traffic, the Captive Portal authentication will not proceed; if I use a DHCP option, the browser will try to redirect the traffic directly to the DHCP, and here too I will get a problem with the Captive Portal authentication.


  • 4.  RE: Explicit Proxy with Captive Portal

    EMPLOYEE
    Posted Nov 30, 2015 04:17 AM

    What is the exact setup?  Your only option that covers all bases is probably a transparent proxy, where the client does not have to configure anything....



  • 5.  RE: Explicit Proxy with Captive Portal

    Posted Nov 30, 2015 04:50 AM

    Hi,

    The customer is using an Explicit Proxy; if he were using a transparent proxy, I would not be asking this question :)

    So the exact question is how to use an Explicit proxy with Captive Portal.

    Regards



  • 6.  RE: Explicit Proxy with Captive Portal

    EMPLOYEE
    Posted Nov 30, 2015 05:13 AM

    There are two parts to this:

    1.  What is needed to bring up the captive portal

    2.  What is needed to redirect the user traffic to the explicit proxy after the captive portal is brought up.

     

    #1 should be straightforward and use the standard captive portal and control  ACLs.  The client would need to be able to resolve DNS, and all http traffic will be redirected to the controller's captive portal on port 8080:

    (Aruba7005-US) # show ip access-list captiveportal
    
    ip access-list session captiveportal
    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4        
    2         user    any          svc-http                      dst-nat 8080                           Low                                                           4        
    3         user    any          svc-https                     dst-nat 8081                           Low                                                           4        
    4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4        
    5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4        
    6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4        

    The standard logon-control ACL at minimum should allow DNS and DHCP, as well

    (Aruba7005-US) # show ip access-list logon-control
    
    ip access-list session logon-control
    logon-control
    -------------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any                      udp 68                 deny                             Low                                                           4        
    2         any     any                      svc-icmp               permit                           Low                                                           4        
    3         any     any                      svc-dns                permit                           Low                                                           4        
    4         any     any                      svc-dhcp               permit                           Low                                                           4        
    5         any     any                      svc-natt               permit                           Low                                                           4        
    6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4        
    7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4        

    Both of the ACLs above should be combined into an initial role that allows the user to bring up the captive portal.

     

    #2 After the user authenticates with the captive portal, that is when it will be necessary to destination-NAT (translate) all http traffic to the explicit proxy using an ACL in the role you use after the client has authenticated.  For example if the proxy is at 10.10.10.10 and the proxy port is 8080 your ACL would look like this for your authenticated client:

    alias "user" any "svc-http" dst-nat ip 10.10.10.10 8080 

    You would do the same thing for https clients, but as I warned above, it is quite possible that your proxy will not handle https traffic properly, so you might have to come up with a workaround for that.

     


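To make the two-stage flow in the reply above concrete, here is an added example of my own (Python, not Aruba code and not from anyone in this thread): a toy first-match evaluator that loads the captiveportal and logon-control ACLs as printed above into a logon role, and the post-authentication dst-nat rules into a second role, then answers "what happens to this flow in this role?". The controller address 192.0.2.1, the client flows, the permit-all line closing the authenticated role, and the port numbers behind the svc-http-proxy1/2/3 aliases are my assumptions; 10.10.10.10:8080 and the 8080/8081/8088 portal ports come from the thread. It shows why rule order matters: before authentication every web flow, including one a browser already points at the proxy's port, is pulled to the controller's portal, and only DNS/DHCP/ICMP escape, while after authentication the first matching rule sends web traffic to the explicit proxy and everything else passes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the controller address clients see. "dst-nat <port>" with no IP in the
# captiveportal ACL means "to the controller", so the evaluator needs it.
CONTROLLER_IP = "192.0.2.1"
PROXY_IP, PROXY_PORT = "10.10.10.10", 8080   # the explicit proxy from the reply

# Service aliases used in the ACL output -> (protocol, destination port).
# The svc-http-proxy1/2/3 ports are ArubaOS defaults as I remember them (assumed);
# svc-icmp matches any ICMP regardless of port.
SERVICES = {
    "svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
    "svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67), "svc-natt": ("udp", 4500),
    "svc-icmp": ("icmp", None),
    "svc-http-proxy1": ("tcp", 3128), "svc-http-proxy2": ("tcp", 8080),
    "svc-http-proxy3": ("tcp", 8888),
}

@dataclass(frozen=True)
class Flow:
    """One client-originated flow (constructed for the walkthrough)."""
    dst: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    """One line of a session ACL: src/dst/service/action plus an optional NAT target."""
    src: str
    dst: str
    service: str
    action: str                    # permit | deny | dst-nat
    nat_ip: Optional[str] = None   # None with dst-nat means "the controller"
    nat_port: Optional[int] = None

Verdict = Tuple[str, Optional[str], Optional[int]]

def service_matches(service: str, flow: Flow) -> bool:
    if service == "any":
        return True
    if service in SERVICES:
        proto, port = SERVICES[service]
    else:                                    # literal form such as "udp 68"
        proto, port_s = service.split()
        port = int(port_s)
    return flow.proto == proto and (port is None or flow.dport == port)

def dst_matches(dst: str, flow: Flow) -> bool:
    if dst == "any":
        return True
    if dst == "controller":
        return flow.dst == CONTROLLER_IP
    net, mask = dst.split()                  # "169.254.0.0 255.255.0.0" style
    return ipaddress.ip_address(flow.dst) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def evaluate(role: List[Tuple[str, List[Rule]]], flow: Flow) -> Verdict:
    """First match across the role's ACLs, in order, wins; a role ends in an implicit deny.
    Every flow here originates from the client, so 'user' and 'any' sources both match."""
    for _acl_name, rules in role:
        for r in rules:
            if dst_matches(r.dst, flow) and service_matches(r.service, flow):
                if r.action == "dst-nat":
                    return ("dst-nat", r.nat_ip or CONTROLLER_IP, r.nat_port)
                return (r.action, None, None)
    return ("deny", None, None)

# The two ACLs from the reply, transcribed line by line.
CAPTIVEPORTAL = [
    Rule("user", "controller", "svc-https", "dst-nat", None, 8081),
    Rule("user", "any", "svc-http", "dst-nat", None, 8080),
    Rule("user", "any", "svc-https", "dst-nat", None, 8081),
    Rule("user", "any", "svc-http-proxy1", "dst-nat", None, 8088),
    Rule("user", "any", "svc-http-proxy2", "dst-nat", None, 8088),
    Rule("user", "any", "svc-http-proxy3", "dst-nat", None, 8088),
]
LOGON_CONTROL = [
    Rule("user", "any", "udp 68", "deny"),
    Rule("any", "any", "svc-icmp", "permit"),
    Rule("any", "any", "svc-dns", "permit"),
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("any", "any", "svc-natt", "permit"),
    Rule("any", "169.254.0.0 255.255.0.0", "any", "deny"),
    Rule("any", "240.0.0.0 240.0.0.0", "any", "deny"),
]
# Post-authentication role (assumed shape): the reply's dst-nat lines first, then a permit-all.
AUTHENTICATED = [
    Rule("user", "any", "svc-http", "dst-nat", PROXY_IP, PROXY_PORT),
    Rule("user", "any", "svc-https", "dst-nat", PROXY_IP, PROXY_PORT),
    Rule("any", "any", "any", "permit"),
]
LOGON_ROLE = [("captiveportal", CAPTIVEPORTAL), ("logon-control", LOGON_CONTROL)]
AUTH_ROLE = [("authenticated", AUTHENTICATED)]

if __name__ == "__main__":
    # Constructed flows: a web request, a DNS query, SSH, and a request already aimed at the proxy port.
    flows = [Flow("198.51.100.20", "tcp", 80), Flow("198.51.100.20", "udp", 53),
             Flow("198.51.100.20", "tcp", 22), Flow(PROXY_IP, "tcp", PROXY_PORT)]
    for name, role in (("logon", LOGON_ROLE), ("authenticated", AUTH_ROLE)):
        for f in flows:
            print(f"{name:14} {f.proto}/{f.dport} -> {f.dst}: {evaluate(role, f)}")
```

The evaluator deliberately ignores the source column, because in a session ACL both "user" and "any" match the client's own address; what the walkthrough exposes is the ordering: a rule placed after the dst-nat lines in the authenticated role never sees web traffic, and a permit placed before them would let the client bypass the proxy.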

  • 7.  RE: Explicit Proxy with Captive Portal

    Posted Nov 30, 2015 07:55 AM

    Many thanks for the help,

    I'm trying it, but I remember that I got an issue with the source NAT in the VLAN, because I use VLAN source NAT for security reasons, so I have to use dest NAT to the proxy server port (8080), and it did not work for me last time.