Occasional Contributor II

Guest Network Redirection to portal fails

Hi

 

I inherited a network which has a virtual controller and two different antennas. By clarifying this, I mean that I really have no idea which model the access points are.

 

The problem is regarding the guest network.

Whenever I connect to the network and get routed to the guest portal, it says that the page cannot be found. If I try to browse any other website, I get a certificate error and no option to continue to the sites.

I'm guessing this has something to do with HTTPS redirection but cannot find the clue.

 

Here are some screens of the configuration.


Re: Guest Network Redirection to portal fails

Hi,

Are you using IAP for this?

And did you see if the AP is provisioned properly?

 

 

 

Occasional Contributor II

Re: Guest Network Redirection to portal fails

Hi, thanks for answering

I don't know what IAP is.

Additionally, the AP is working fine if that is what you mean

Occasional Contributor II

Re: Guest Network Redirection to portal fails

Sorry, any thoughts?

MVP Expert

Re: Guest Network Redirection to portal fails

We need to make sure the IAP has a valid CA-signed certificate; you generally see HTTPS errors during redirection if the IAP does not have a valid certificate.


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Guest Network Redirection to portal fails

Hi, ok so you are saying the only way to get the captive portal working is to install a CA Certificate for the HTTPS protocol and there is no way to bypass that?

 

By IAP you mean an access point that's not controlled by a controller? Mine are controlled by a controller

 

Can you provide me a link with instructions on how to do that?

 

Thank you so much!

MVP Expert

Re: Guest Network Redirection to portal fails

For captive portal to work, your controller needs an IP address for the VLAN that is bound to the SSID of the captive portal.

For example:

When the SSID Guest makes use of VLAN 10, then VLAN 10 needs an IP address on the controller, or on both controllers, to reach the captive portal. The connection between this IP and the captive-portal IP must be whitelisted in your firewall.

 

Other things to check:

  • Be sure which initial user role will be used and whether it redirects to the captive portal URL (you say the redirect happens but with a 404 error, so most probably this works correctly and you are missing the IP settings as mentioned before). The initial role could be "guest-logon role" or something else you configured.
  • Be sure you installed a captive-portal certificate on the controller that is accepted by the captive-portal page after submitting the POST form on the captive portal (if the certificate is incorrect, the captive portal keeps bouncing around when you click the form POST). Not to be confused with the HTTPS certificate of the captive portal itself (installed on the captive-portal page, possibly Aruba ClearPass), which is used for the client <> captive-portal encryption.

About the certificates:

  • Install an HTTPS certificate on the captive-portal page (possibly ClearPass) from a public CA like COMODO. A public certificate is needed so a guest client can validate the HTTPS certificate against its certificate trust store.
  • Install a webserver certificate from your own PKI private CA (or a public CA) on the controller. The common name (DNS) of the certificate, for example controller.organisation.com, must be configured in the captive-portal configuration as the accepted DNS entry the controller will send back to the captive portal after a POST. And of course the captive portal needs the PKI CA (or public CA) root and intermediate certificates to trust the webserver certificate that is sent from the controller back to the captive portal.

 

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Occasional Contributor II

Re: Guest Network Redirection to portal fails

Hello mkk thanks for answering!

 

So you are basically saying my AP Management IP has to be on the same subnet of the guest clients? That is weird.

 

About the certificates, you are saying there are two different ones right?

I still don't get the difference between the two you mentioned.

As far as I know, there's only one type of certificate to secure HTTPS browsing and server trust...

 

Maybe you are referring to server certificate and machine certificate?

What is Aruba ClearPass?

Is there a link or tutorial you can provide me with theoretical explanations of the certificates and a step-by-step guide?

 

Thank you!

 

MVP Expert

Re: Guest Network Redirection to portal fails

Hi Erudes,

 

OK, I understand now that you use the internal captive portal of the controller.

In that case you need only one HTTPS webserver certificate on the controller, signed by a public CA.

 

The guest VLAN needs an IP address on each managed device to hit the captive portal; of course the user-role ACL needs a rule that denies traffic from the user to the controller IP address.

 

Aruba ClearPass is an advanced (external) authentication server that can do RADIUS, TACACS, MAC-AUTH and more. ClearPass has an advanced captive portal with a lot of nice features.

 

But in your case, how to setup a captive-portal on the internal controllers is documented in the ArubaOS8 User guide, link.

 

In the attachment I created some screenshots for you of how I quickly configure captive portal.

Hope this helps you!

 

 

 

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
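
The public-CA requirement in the reply above can be reproduced offline. This is an added example, not part of the original thread or of Aruba's documentation: it issues a portal certificate from a private CA and runs the chain and hostname checks a browser makes, once for a device that trusts that CA and once for a guest device that does not. The CA name and hostnames are placeholders, and it assumes the `openssl` CLI (1.1.1 or later) is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: the CA name and hostnames below are placeholders.
PORTAL_HOST="portal.guest.example"   # hypothetical captive-portal hostname

make_certs() {  # $1 = empty directory; builds a private CA and a portal cert
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$PORTAL_HOST" \
    -keyout "$d/portal.key" -out "$d/portal.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$PORTAL_HOST" > "$d/san.ext"
  openssl x509 -req -in "$d/portal.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/san.ext" \
    -out "$d/portal.pem" 2>/dev/null
}

# verify_as WHO DIR HOST: succeeds only if the chain is trusted AND the
# certificate is valid for HOST, the two checks a browser makes.
verify_as() {
  local who="$1" d="$2" host="$3"
  if [ "$who" = managed ]; then
    # Device that had the private CA root installed by an administrator.
    openssl verify -CAfile "$d/ca.pem" -verify_hostname "$host" \
      "$d/portal.pem" >/dev/null 2>&1
  else
    # Guest device: only the default (public) trust store is available.
    openssl verify -verify_hostname "$host" "$d/portal.pem" >/dev/null 2>&1
  fi
}

run_demo() {
  local d c r
  d=$(mktemp -d) || return 1
  make_certs "$d" || { echo "openssl failed"; rm -rf "$d"; return 1; }
  for c in "managed $PORTAL_HOST" "guest $PORTAL_HOST" "managed www.example.org"; do
    set -- $c
    if verify_as "$1" "$d" "$2"; then r=accepted; else r=rejected; fi
    printf '%-8s asks for %-22s -> %s\n' "$1" "$2" "$r"
  done
  rm -rf "$d"
}
run_demo
```

The third case shows that even a trusted certificate is rejected when the name the client asked for is not the name in the certificate.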
Occasional Contributor II

Re: Guest Network Redirection to portal fails

Hey again mkk,

 

So let me see if I have this straight.

 

It is a fact that I need a server certificate for the captive portal that will have to be installed on the controller.

Can I generate a self-signed one through a CA on a domain? Or through a Linux machine and use it?

 

The network scenario is Wifi_Guest SSID is VLAN ID 500, subnet 192.168.2.X /24. Management VLAN Controller 900, Subnet of 10.8.15.X /24. You are saying that with this configuration on the network, guest clients will never hit the captive portal even WITH the certificate installed on the controller?
