Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest network with proxy

  • 1.  Guest network with proxy

    Posted Feb 05, 2015 01:41 PM

    Hello,

    I have a hard time getting a guest network with a login page working right. This particular network has a proxy server that all web traffic must go through. The proxy information is automatically set up with a .pac file downloaded from a web server on the internal network. The problem is that the guest network is a layer 3 VLAN existing only up to the controller (172.16.44.1/24) with the internal DHCP server. I've put the right option in the DHCP setup and the clients receive the .PAC file correctly the first time, but if I disconnect the client and reconnect, the login page never comes back and I can't browse anywhere. Is there something to check for in the .PAC file to make it work?

    Thank you!



  • 2.  RE: Guest network with proxy

    Posted Feb 05, 2015 02:36 PM

    What proxy port are you forcing your clients to within the .pac file? Can you share the file contents? Also, share the results of the following:

    show rights <name-of-captive-portal-role>



  • 3.  RE: Guest network with proxy

    Posted Feb 09, 2015 03:08 PM
    Hello,

    Here is the content of the .pac file:

    function FindProxyForURL(url, host) {
        // Go direct for unqualified names, the internal domain, and the 10/8 and loopback ranges;
        // everything else goes through the proxy on port 8080
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.mydomain.com") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        else
            return "PROXY myproxy.mydomain.com:8080";
    }

    And here is the show rights guest-logon:

    Derived Role = 'guest-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 6/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = Invite-cp_prof

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 guests-logon-access session
    2 captiveportal session
    3 block-internal-net session

    guests-logon-access
    -------------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    3 user internal-DNS svc-dns src-nat Low 4
    captiveportal
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user 10.134.229.17 svc-http permit Low 4
    2 user 10.128.27.124 svc-http permit Low 4
    3 user controller svc-https dst-nat 8081 Low 4
    4 user any svc-http dst-nat 8080 Low 4
    5 user any svc-https dst-nat 8081 Low 4
    6 user any svc-http-proxy1 dst-nat 8088 Low 4
    7 user any svc-http-proxy3 dst-nat 8088 Low 4
    block-internal-net
    ------------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user internal-net any deny Low 4

    Expired Policies (due to time constraints) = 0

    The 10.128.27.124 address is the web server hosting the .pac file.


    Thank you!

    [daniel_paquet-fr]
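The following is an added example, not code from this thread or from HPE Aruba. It pairs a minimal PAC evaluator with a first-match model of the guest-logon role posted above, so you can trace what the first post describes: where a guest's first web request goes while the client is still in the pre-authentication role. Everything not in the thread is an assumption: the PAC helper functions follow the standard PAC semantics, the DNS answers, the proxy's address and the "internal-net" / "internal-DNS" aliases are constructed, the ArubaOS predefined services are taken to be svc-http tcp/80, svc-https tcp/443, svc-dns udp/53, svc-dhcp udp/67-68, svc-http-proxy1 tcp/3128 and svc-http-proxy3 tcp/8888, and the role's ACLs are evaluated top-down, first match wins, with an implicit deny at the end.

```javascript
// Added example, not code from the thread or from HPE Aruba. Assumptions (not in the
// post): standard PAC helper semantics; constructed DNS answers, proxy address and
// destination aliases; ArubaOS services assumed as svc-http tcp/80, svc-https tcp/443,
// svc-dns udp/53, svc-dhcp udp/67-68, svc-http-proxy1 tcp/3128, svc-http-proxy3 tcp/8888;
// session ACLs evaluated top-down, first match wins, implicit deny at the end.

// Constructed DNS answers for the hosts used below.
const DNS = {
  "myproxy.mydomain.com": "10.20.0.5",      // assumed proxy address (on the internal net)
  "intranet.mydomain.com": "10.1.1.10",
  "www.example.org": "93.184.216.34",
  "10.128.27.124": "10.128.27.124",         // the .pac web server named in the post
};

// --- Minimal PAC helper functions ---
function dnsResolve(host) { return DNS[host] || null; }
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, pattern) {         // shell glob with * and ? only
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ip2int(ip) { return ip.split(".").reduce((a, o) => ((a << 8) + Number(o)) >>> 0, 0); }
function isInNet(ip, net, mask) {
  if (!ip) return false;                    // an unresolved name is in no network
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}

// The PAC from the post, with its missing opening brace restored.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.mydomain.com") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  else
    return "PROXY myproxy.mydomain.com:8080";
}

// --- Model of the posted guest-logon role ---
const CONTROLLER = "172.16.44.1";           // from the first post
const ALIAS = {                             // destination aliases (constructed)
  any: () => true,
  controller: (ip) => ip === CONTROLLER,
  "internal-net": (ip) => isInNet(ip, "10.0.0.0", "255.0.0.0"),
  "internal-DNS": (ip) => ip === "10.1.1.53",
};
const dstMatch = (name) => ALIAS[name] || ((ip) => ip === name);   // otherwise a literal IP
const tcp = (...ports) => (p, port) => p === "tcp" && ports.includes(port);
const udp = (...ports) => (p, port) => p === "udp" && ports.includes(port);
const SVC = {                               // assumed ArubaOS predefined services
  any: () => true,
  "udp 68": udp(68), "svc-dhcp": udp(67, 68), "svc-dns": udp(53),
  "svc-http": tcp(80), "svc-https": tcp(443),
  "svc-http-proxy1": tcp(3128), "svc-http-proxy3": tcp(8888),
};

// [acl, destination, service, action] in the order `show rights guest-logon` listed them.
const GUEST_LOGON_RULES = [
  ["guests-logon-access", "any", "udp 68", "deny"],
  ["guests-logon-access", "any", "svc-dhcp", "permit"],
  ["guests-logon-access", "internal-DNS", "svc-dns", "src-nat"],
  ["captiveportal", "10.134.229.17", "svc-http", "permit"],
  ["captiveportal", "10.128.27.124", "svc-http", "permit"],
  ["captiveportal", "controller", "svc-https", "dst-nat 8081"],
  ["captiveportal", "any", "svc-http", "dst-nat 8080"],
  ["captiveportal", "any", "svc-https", "dst-nat 8081"],
  ["captiveportal", "any", "svc-http-proxy1", "dst-nat 8088"],
  ["captiveportal", "any", "svc-http-proxy3", "dst-nat 8088"],
  ["block-internal-net", "internal-net", "any", "deny"],
];

// First-match evaluation of a flow from the guest ("user") to dstIp:port.
function evaluateRole(dstIp, proto, port) {
  for (const [acl, d, svc, action] of GUEST_LOGON_RULES) {
    if (dstMatch(d)(dstIp) && SVC[svc](proto, port)) return { acl, action };
  }
  return { acl: "(implicit)", action: "deny" };
}

// Trace one request: the PAC decision, then the TCP flow the browser actually opens.
function traceRequest(url) {
  const u = new URL(url);
  const decision = FindProxyForURL(url, u.hostname);
  let dstIp, port;
  if (decision === "DIRECT") {
    dstIp = dnsResolve(u.hostname);
    port = u.protocol === "https:" ? 443 : 80;
  } else {                                  // "PROXY host:port"
    const [host, p] = decision.replace(/^PROXY\s+/, "").split(":");
    dstIp = dnsResolve(host);
    port = Number(p);
  }
  if (!dstIp) return { decision, dstIp, port, acl: "(no DNS answer)", action: "unresolved" };
  return { decision, dstIp, port, ...evaluateRole(dstIp, "tcp", port) };
}

for (const url of ["http://10.128.27.124/proxy.pac", "http://intranet.mydomain.com/",
                   "http://www.example.org/", "https://www.example.org/"]) {
  console.log(url, "->", JSON.stringify(traceRequest(url)));
}
```

Run it with `node` and compare the three cases. The .pac download goes DIRECT (10.128.27.124 is inside 10/8) and hits the explicit permit in the captiveportal ACL; a direct request to an internal-domain host on port 80 hits the `any svc-http dst-nat 8080` rule, which is the portal redirect; a request the PAC sends to the proxy opens a TCP flow to port 8080 instead, and with the service ports assumed above that flow matches none of the listed captiveportal rules and falls through to block-internal-net, so it is dropped rather than redirected. Two things to keep in mind when adapting this: the model only knows the aliases and service ports you give it, so check them against `show netdestination` and `show netservice` on your own controller, and the PAC's `dnsResolve()` calls depend on DNS working in the logon role (the `svc-dns src-nat` rule above), so a failed lookup makes every `isInNet()` test false and pushes that host to the proxy.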