Security

Hi Guys,

I'm hoping someone can help me out here.

I'm setting up a basic guest captive portal with internal DB auth. Here are some details...

Roles:

winterfell-guest-logon (logon-control + captiveportal)(captive portal profile = winterfell-guest-cp-auth-prof)

winterfell-guest-authenticated (deny-internal-networks + allow all)

Captive Portal Auth Profile

winterfell-guest-cp-auth-prof (default role = winterfell-guest-authenticated)

login page (see more below) - /upload/custom/winterfell-guest-cp-auth-prof/winterfell-cp-page.html

welcome page disabled

redirect url - http://www.google.com

AAA profile

winterfell-guest-aaa-prof ( initial role - winterfell-guest-logon)

The "winterfell-cp-page.html" is a carbon copy of the HTML from the default captive portal page. I have not changed anything in the code. I plan to change the CSS file it will use once I can get the auth to work but that's a seperate thing for now.

So here is what the problem is...

I connect to the winterfell-guest ssid

Check user table and see I am in winterfell-guest-logon role. Great!

I open a web browser and navigate to anywebsitehere.com.

I get redirected to the captive portal. Great!

I enter in the credentials of the single user in the internal database and click Log In.

The web browser processes that for a second or two and I am presented with the captive portal login page, again.

I check the user table and I am still in the winterfell-guest-logon role.

If go in and change the captive portal profile used by "winterfell-guest-logon" back to "default" everything works. My role is chaged to "winterfell-guest-authenticated" and I am redirected to google.com (I changed that in the default CP prof).

I'm really hoping someone can provide some insight here. I'm lost.

Thanks in advance!

Current OS is 6.4.2.12. Upgrading to 6.4.3.4 currently to see if that helps.

The upgrade made no impact.

Doublecheck the "default role" that is listed in your Captive Portal profile?  This is the role that will be assigned to the user after they sucessfully login.    Also, check to see if you if your server group you are using (internal/default/etc.) has a server rule applied that is assigning the role assigned to the user in the internal DB.

Lastly, run the following after you attempt your login and view the Role Derivation; it will tell you how the role was assigned.

Hi clembo, thanks for your input.

I have triple checked the default role under the "winterfell-guest-cp-auth-prof" profile and it is correctly configured for "winterfell-guest-authenticated"

I wouldn't have thought to check your second suggestion. No luck though, no rule in place there.

I'm not sure what you are saying for the last part. The role isnt changing from "winterfell-guest-logon" after the credentials are supplied. If I run the command to show how it was derived would it not be from the AAA profile "winterfell-guest-aaa-prof"? Also, what is the command so I can give it a shot anyway?

Thanks.

If you are authenticating a user with username and password, the default role it what that user should get.  The default guest role only applies if you have guest login checked and the user is only putting in his/her email address for authentication.

Maybe you should run your HTML by TAC so that you can have it checked...

Try to re-create the html, but not by copy/past the default. Check out page 338-> in the 6.4 UserGuide and start with the pure basics to verify that it works before applying more html to the portal. Might be just some tiny error caused by the copy/paste.

This is the minimum you need:

<HTML>
<HEAD>
</HEAD>
<BODY>
<FORM method="post" autocomplete="off" ACTION="/auth/index.html/u">
Username:<BR>
<INPUT type="text" name="user" accesskey="u" SIZE="25" VALUE="">
<BR>
Password:<BR>
<INPUT type="password" name="password" accesskey="p" SIZE="25"
VALUE="">
<BR>
<INPUT type="submit">
</FORM>
</BODY>
</HTML>

And/or just add the file here and we can take a look at it :)

Thanks jsolb! I ended up using the basic HTML you posted and it works so I will start with that and build off it to customize.

Any suggestion on what the html code should be if we're not requiring login - only click on "I Accept"?

I tried to follow the sample here (https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/10187/1/Custom%20Captive%20Portal%20Web%20Guest%20Access.pdf) - but when I click on I Accept, the portal doesn't do anything just keeps reloading the same captive portal page.

As you can tell - no HTML background here.. so ANY help you can provide would be greatly appreciated.

Thanks in advance!

That would be the minimum HTML you would need to make it work in that article.  Did you also implement the Captive Portal authentication profile piece of it? 

Under AAA Profiles:

Guest Profile

-> Inital role seto to "Guest_Initial_Role"

-> MAC and 802.1x role set to "guest"

-> MAC Auth Server group set to default

Under L3 authentication -> Captive Portal Authentication

Guest Profile

-> Default Role set to "Guest_PostAuth"

-> Default Guest Role set to "Guest_PostAuth"

-> Authentication Protocal set to PAP

-> Login page set to /auth/index.html

-> Welcome page set to /auth/welcome.html

-> Server group set

Given that what we want is for the user to just click "I ACCEPT" before being allowed to connect- are the above settings seems correct?

By the way - when we do a factory default reset on the Captive Portal and we set the guest profile to use the "Your Custom Background" (but don't actually specify any jpgs), we'll get a black screen with an empty "User Agreement Policy", the ACCEPT button works and we can connect.  But when we try to upload customized HTML (even basic one), we can see the nicer formatted portal page but the "I ACCEPT" button doesn't work and just looks to just reloads the same portal page (stuck in a loop?)

Thanks again for your time and help with this..