IAP and external Captive Portal

  • 1.  IAP and external Captive Portal

    Posted Nov 25, 2011 08:32 AM

    Hi,

    Is there an API description for external captive portal usage with IAP? It is not the same as in the "normal" controller, unfortunately. I tried to do reverse engineering and found some parameters, but an official document would be helpful.

    Many regards,

    Marek



  • 2.  RE: IAP and external Captive Portal

    Posted Nov 25, 2011 03:44 PM

    Marek,

    The IAP captive portal, although implemented slightly differently to the ArubaOS captive portal, is designed to emulate the same workflow. For example, on the Amigopod external captive portal pages, they are still configured with the same Aruba Networks vendor settings.

     

    The Wi-Fi client is still responsible for performing an HTTP POST to the IAP virtual controller on securelogin.arubanetworks.com or instant.arubanetworks.com.

     

    Let us know if you need any more help in getting your solution up and running.

     

    Cam.



  • 3.  RE: IAP and external Captive Portal

    Posted Nov 26, 2011 11:45 AM

    Hi Cam,

    Thank you for your response.

    I made a test environment for reverse engineering with a fake web server and Amigopod. I caught what is posted to the authentication server by the IAP.

    array(8) {
      ["cmd"]=> string(5) "login"
      ["mac"]=> string(17) "e0:46:9a:ad:61:16"
      ["essid"]=> string(9) "testguest"
      ["ip"]=> string(14) "192.168.11.141"
      ["url"]=> string(29) "http://www.gazeta.pl/0,0.html"
      ["GazetaPlBann"]=> string(33) "9114dbe67f44e8512e82452430669114d"
      ["__utma"]=> string(54) "231422089.483507561.1288819092.1291581717.1321613902.4"
      ["GazetaPlUser"]=> string(25) "172A20A6A67k1321613897417"
    }

     

    The Amigopod returns something like this:

    POST /cgi-bin/login HTTP/1.1
    Host: instant.arubanetworks.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: pl,en-us;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
    Connection: keep-alive
    Referer: http://10.1.75.27/aruba_iap.php
    Cookie: _mkto_trk=id:009-RUR-657&token:_mch-arubanetworks.com-1314260587714-64535; VISITORID=736679627
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 184

    user=jasio%40aaa.com&password=58664548&cmd=authenticate&mac=e8%3A39%3Adf%3A3f%3A0d%3A56&essid=testguest&ip=192.168.11.101&url=http%3A%2F%2Fwww.gazeta.pl%2F0%2C0.html&Login=%22Log+In%22

     

    I would like to know whether these are all the parameters used, or what the parameter set is.

    Amigopod configuration requires the RADIUS server.

    There is another option in IAP with 'Authentication text' on the page where guest portal parameters are defined. I suppose that it works similarly to the ArubaOS XML API, but I am not sure what the proper set of parameters to POST to the IAP is.

    Many regards,

    Marek



  • 4.  RE: IAP and external Captive Portal
    Best Answer

    Posted Nov 26, 2011 01:56 PM

    Marek,

     

    You are on the right track. You have two options in terms of triggering the authenticated user state.

     

    The default, and the one that Amigopod leverages, is the RADIUS protocol support in Instant 2.0. The alternative is the authentication text, and this is a very simple method of signalling to the IAP that you have successfully authenticated the user in question internally on your web server. All you need to do is define a string on the IAP splash page configuration and the IAP will parse any returned page and search for that string. If found, the IAP will consider the user authenticated and change the role of the user to your defined authenticated role.

     

    Going down the latter path avoids the need to POST any parameters to the IAP as part of the authentication process.

     

    Cam.



  • 5.  RE: IAP and external Captive Portal

    Posted Nov 28, 2011 11:31 AM

    @-cam- wrote:
    [...]

     

     All you need to do is define a string on the IAP splash page configuration and the IAP will parse any returned page and search for that string. If found the IAP will consider the user authenticated and change the role of the user to your defined authenticated role.

     

    Going down the latter path avoids the need to POST any parameters to the IAP as part of the authentication process.

     

     


    Hmmm, I do not understand how it works... How should I return the page to the IAP? Or should I return the page to the user, and the IAP just parses it looking for the text 'Authenticated', which was typed in the 'Authentication text:' box on the IAP?



  • 6.  RE: IAP and external Captive Portal

    Posted Nov 28, 2011 11:40 AM

    OK, I am a moron. It works for me :) Thank you very much.



  • 7.  RE: IAP and external Captive Portal

    Posted Nov 28, 2011 12:50 PM

    Marek,

     

    Good to hear it is all working OK for you now. Sounds like you are working on an interesting project with the IAP. Can you share any details on what sort of user experience you are building with your external splash page server?

     

    Cam.



  • 8.  RE: IAP and external Captive Portal

    Posted Feb 01, 2013 03:22 PM

    I'm working on a similar configuration. I want to use the "External - Authentication Text" for captive portal. Do you have a document that explains what I need externally, and how to configure it?



  • 9.  RE: IAP and external Captive Portal

    Posted Jul 05, 2013 02:29 PM

    Any update to this topic? I see that a solution has been identified, but it does not detail the settings required on the IAP to make this work, nor provide a sample of the code used on the webserver for the captive portal page.

     

    Any help is GREATLY appreciated! I am stumped!

     

    -Landon

    Senior Network Systems Analyst

    County of Nevada



  • 10.  RE: IAP and external Captive Portal

    Posted Jul 10, 2013 07:33 AM

    Hi, 

    There are two options. When you would like to use the "Auth text" option, you just have to provide the same string as configured somewhere on your web page where the user has been authenticated.
    The second option is a little bit more complicated. You have an additional RADIUS server to authenticate users (you can use CPPM/GM at your convenience). The scheme is as follows:

    1. The user types his/her credentials and submits a form.
    2. The form has to be a POST form that contains the elements that were mentioned previously in this thread.
    3. The IAP processes the request by querying RADIUS.
    4. RADIUS accepts/declines the creds.
    5. The user has been authenticated and is redirected to the requested/configured page.

     

    HTH

    Marek

     



  • 11.  RE: IAP and external Captive Portal

    Posted Sep 10, 2013 07:58 AM

    Hi,

     

    It looks like I am at the right thread here. I am trying to use the External Authentication Text method and I have found virtually no useful information that I can understand on exactly how to make it work! So here I am.

     

    All I need is a page with our logo and terms of use and an "Agree" button. I am slightly familiar with html and such and had no problem directing the user TO the terms page and I can easily make a form with an Agree button on it but I don't have a clue how to return the authentication text back to the IAP.

     

    From reading this thread it sounds like I can provide a hidden form field with my authentication text and the IAP will find it, is that correct? If so does the hidden form element need to be named anything in particular?

     

    At that point how do I send my form data back to my IAP? What action should the form take to return the value? Does it go back to the IP address (which is a dynamic IP and I would be using an off site server) or do I need it to go through some additional script? A very simple code sample would be absolutely wonderful!!

     

    I spent hours combing the manual and there are no instructions for this feature and my skills fall short just a bit!! Thank you so much for any help!!



  • 12.  RE: IAP and external Captive Portal

    Posted Oct 15, 2013 10:25 AM

    ASchafer, I am trying to do the same as you and just have an agree button. Any luck on getting this working? Thanks



  • 13.  RE: IAP and external Captive Portal

    EMPLOYEE
    Posted Oct 15, 2013 03:01 PM

    Personally, I don't recommend my clients use Auth-Text. While it does provide a simple means of an ECP, there are too many things that can go wrong with it leaving your users either unconnected or worse yet dialing into your helpdesk. Take for example that many devices (including one of my test devices) will spawn system generated HTTP requests...the issue with this is that the IAP has no means to decipher between a user generated HTTP request or a system generated. In that, upon receipt of a valid HTTP request, the IAP will send the system generated request the ECP URL for login....given all this is happening without the user being aware - when the user actually looks to login, they won't be sent the ECP login page.

     

    Given the IAP runs a version of FreeRadius, I'd suggest baking a POST mechanism into your "accept" button on your ECP landing page. The goodness about this is that it does require user intervention to 'click' to login or accept.


    So, create an internal user in the IAP's internal database....a generic uid/password for your WLAN and then ensure that the auth mechanism is internal authenticated. Then bake some simple code into your HTML such as the following:

     

    <HTML>
    <HEAD>
    <TITLE>External Captive Portal Page</TITLE>
    <meta http-equiv="Content-Type" content="text/html; charset=GB2312"/>
    </HEAD>
    <BODY>
    <form method=POST action="http://securelogin.arubanetworks.com/cgi-bin/login">
    Username: <input name=user value="username">
    Password: <input name=password value="password">
    <input name=cmd value="authenticate" type="hidden">
    <input name=mac value="" type="hidden">
    <input name=ip value="" type="hidden">
    <input name=essid value="" type="hidden">
    <input name=url value="http://www.google.com" type="hidden">
    <BR><input type="submit" name="Login" value="login" class="button" />
    </form>
    </BODY>
    </HTML>

     

    Hope that helps! Adam
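
An added example, not part of the original posts and not Aruba's code: the form above leaves mac, ip and essid empty, while the capture in post 3 shows the IAP handing those values to the portal. This sketch validates them and writes them into the form with HTML escaping, so a crafted redirect cannot inject markup or a non-HTTP url. It assumes the values arrive as a query string; the function names and fallback URL are hypothetical.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Action URL as posted in the thread; field names follow the posted forms.
IAP_LOGIN_URL = "http://securelogin.arubanetworks.com/cgi-bin/login"
DEFAULT_URL = "http://arubanetworks.com"  # fallback landing page (assumption)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)
# Constructed sample redirect query, modelled on the capture in post 3.
SAMPLE = ("cmd=login&mac=e0:46:9a:ad:61:16&essid=testguest"
          "&ip=192.168.11.141&url=http%3A%2F%2Fwww.gazeta.pl%2F0%2C0.html")


def clean_redirect_params(query_string):
    """Validate mac, ip, essid, url from the redirect; ValueError if bad."""
    raw = {k: v[0] for k, v in parse_qs(query_string).items()}
    if raw.get("cmd") != "login":
        raise ValueError("not an IAP login redirect")
    mac = raw.get("mac", "")
    if not MAC_RE.fullmatch(mac):
        raise ValueError("bad mac")
    ip = str(ipaddress.ip_address(raw.get("ip", "")))  # raises if malformed
    essid = raw.get("essid", "")
    if not 1 <= len(essid.encode()) <= 32:  # 802.11 SSID length limit
        raise ValueError("bad essid")
    url = raw.get("url", DEFAULT_URL)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        url = DEFAULT_URL  # drop javascript:, data: and relative targets
    return {"mac": mac.lower(), "ip": ip, "essid": essid, "url": url}


def render_login_form(params):
    """Build the form the client POSTs to the IAP, escaping every value."""
    hidden = {"cmd": "authenticate", **params}
    fields = "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in hidden.items()
    )
    return (
        '<form method="POST" action="%s">\n'
        'Username: <input name="user">\n'
        'Password: <input name="password" type="password">\n'
        "%s\n"
        '<input type="submit" name="Login" value="Log In">\n'
        "</form>" % (html.escape(IAP_LOGIN_URL, quote=True), fields)
    )
```

Call `render_login_form(clean_redirect_params(SAMPLE))` from the portal's request handler and return the result inside the page body.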

     



  • 14.  RE: IAP and external Captive Portal

    Posted Dec 02, 2015 10:13 AM

    This worked perfectly for me. I did do one thing different, in that I made the user and password inputs hidden so the users will not change them, and it works beautifully.

     

    <form method=POST action="http://securelogin.arubanetworks.com/cgi-bin/login">
    <span class="bodytext">
    <input name=user value="Guest" type="hidden">
    <input name=password value="password" type="hidden">
    <input name=cmd value="authenticate" type="hidden">
    <input name=mac value="" type="hidden">
    <input name=ip value="" type="hidden">
    <input name=essid value="" type="hidden">
    <input name=url value="http://arubanetworks.com" type="hidden">
    <BR><input type="submit" name="Login" value="I Agree" class="button" />
    </span>
    </form>



  • 15.  RE: IAP and external Captive Portal

    Posted Feb 19, 2019 02:45 AM

    Does anyone know why the submit form doesn't work if used as https [<form method=POST action= "https://securelogin.arubanetworks.com/cgi-bin/login">]?
    I've created an external portal HTML page using the example form above and it works OK with http form submit. If I try using https on form submit (that's the point of hiding the credentials) it doesn't do the login. Do I have to change the URL used, or is it something else?

    EDIT: if used with https, it needs a valid certificate for the IAP controller too, because some smartphones refuse to send the data in the background to a server with a self-signed certificate. On Windows it gives a popup "Continue anyway".
    I've uploaded a valid certificate on the controller and now the login goes well. [<form method=POST action= "https://aruba.domain.al/cgi-bin/login">]

    Now I have a question. For the authentication failure scenario, does the IAP have an option to respond with an authentication failure status to notify the user?