Security

I would like to configure guest access, using the ArubaOS, with some tcp/udp ports and bandwidth restrictions, however, I do not want to use a captive portal. So when a guest users connects to the guest ssid, and when they launch their web browser, I want them to go to their home page and not be redirected to a captive portal web page. I thought I had it configured correctly, but when I launch my browser, I'm being redirected to securelogin.arubanetworks.com and I get the error web authentication is disabled. 

 

Bob 

.  Go to Configuration> Security> Authentication> AAA profile.  Find the AAA profile for that WLAN and change the initial role to "authenticated"

Thanks for the quick reply. That worked better, because now I'm not getting re-directed to the captive portal web page. However, my http and https traffic is not working. DNS works fine, because I can resolve DNS names, but the http and https traffic is not making it pass the controller. Would that be a configuration in my guest access policy? I only have 3 rules, but that should be enough to get http and https traffic to work: 

user -> any -> svc-dns-> permit

user -> any -> svc-https -> permit

user -> any -> svc-http -> permit

 

Or is there some where else that could be blocking it?  I also tried changing the source from user to any and it still didn't work. 

 

Bob 

 

Are you sure that is the role that your client is getting?  Type "show user" and see what role your client is in, and then type "show rights" to see what ACLs are being applied.  If you made a change to the initial role, you need to remove or disconnect the client from the user table for it to get the "authenticated" role.

Are those the only three rules? And is DNS actually working (nslookup)? I'm just wondering if you're blocking ICMP, etc. The machine needs to ARP to find the default router, and the firewall has an implicit deny at the end. Also, are you sure you're getting an IP via DHCP and not using a static or 169 address? Seems like you'd also be blocking DHCP. From the CLI on that role it might help to do a 'show rights <role>' so we can have a look at the role. 

 

-awl

If it's master local not saving the config could have been the issue. The configuration won't be pushed down to the local until it's saved on the master. Glad it's working for you.

 

-awl

 

 

A disconnect/reconnect may not be all that is needed. If you change an ACL that is used by a role, you have to flush the users from the controllers user table before the change will be noticed by the users. I typically use the "aaa user delete x.x.x.x" command (where x.x.x.x is the users IP address) from the CLI. When you disconnect and reconnect, the user record on the controller most likely doesn't get flushed. It takes a few minutes to notice that the client disconnected. If the reconnect happened before the user record got flushed, it would still use the same ACLs. Thats probably why it didn't work yesterday and does today (the user records would have most likely timed out over night).