Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Trying to create captive portal with single click pass through

  • 1.  Trying to create captive portal with single click pass through

    Posted Sep 04, 2014 04:13 PM

    Hi:

    I'm trying to create a captive portal with single click passthrough as outlined here:

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-154

     

    But I'm not having luck - the captive portal won't display.

     

    I'm wondering if my problem is in the initial role? I'm also a bit confused about what creates the redirect.

     

    The purpose of this is to create a captive portal that tells a user that the 'Student' network is going away, hence the name 'StudentPhaseOut.'

     

    Can anyone point me in the right direction?

    Here is a relevant config excerpt:

     


    ip access-list session captiveportal
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
    user alias mswitch svc-https dst-nat 8081


    ip access-list session logon-control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny


    aaa authentication captive-portal "StudentPhaseOut-cp"
    default-role "StudentPhaseOut-cp-logon"
    default-guest-role "StudentPhaseOut-cp-logon"
    no user-logon
    guest-logon
    no logout-popup-window
    login-page "/upload/custom/StudentPhaseOut-cp/studentphaseoutcp.html"
    no enable-welcome-page

    user-role StudentPhaseOut-cp-logon
    captive-portal "StudentPhaseOut-cp"
    session-acl logon-control
    session-acl captiveportal

    aaa profile "StudentPhaseOut"
    initial-role "StudentPhaseOut-cp-logon"
    authentication-dot1x "default-psk"

    wlan ssid-profile "Student6"
    essid "Student6"
    opmode wpa2-psk-aes
    wpa-passphrase abcdefghijklmop...

    wlan virtual-ap "Student6"
    aaa-profile "StudentPhaseOut"
    ssid-profile "Student6"
    vlan 19
    band-steering
    vlan-mobility

    ap-group "Dorms6"
    virtual-ap "Student6"
    ap-system-profile "comes-up-on-local1"



  • 2.  RE: Trying to create captive portal with single click pass through

    EMPLOYEE
    Posted Sep 04, 2014 04:59 PM
    Does the controller have an IP on the client subnet?


  • 3.  RE: Trying to create captive portal with single click pass through

    Posted Sep 05, 2014 09:23 AM

    Hi Tim:

    Thanks for the response.

    I had forgotten about that requirement.

     

    The controllers now have IP addresses. A client can connect, get an IP address on the proper subnet, and ping the controllers, but no redirect. Just a browser message that the webpage cannot be displayed.

    What might be the next item to check?

     

    Thanks,

    Tony



  • 4.  RE: Trying to create captive portal with single click pass through

    Posted Sep 05, 2014 09:28 AM

    You need to have public DNS resolution for the redirect to work. The controller intercepts the DNS response and sends a "temporarily moved" to the client.



  • 5.  RE: Trying to create captive portal with single click pass through

    Posted Sep 05, 2014 10:51 AM

    Hi Tim:

    I do have dns ability on the client. I can use nslookup and resolve addresses.

    Right now the client gets the address from an external DNS server.

    Does it need an internal server, i.e., does it need to resolve the controller's IP?

    If so, what name is it looking for?

     

    I'm confused by how the redirect works...

    Does the captive portal ACL NAT requests to a port where the login page can be accessed?

     

    From a wired connection I can type in:

    http://<controller ip>/upload/custom/StudentPhaseOut-cp/studentphaseoutcp.html

    and see the custom page I created.

     

    Is there some way I can test if the wireless client can even see that page?

    As I mentioned, I can ping the controller, and I can even telnet to port 80 of the controller, so I have connectivity.

     

    thank you!

    Tony



  • 6.  RE: Trying to create captive portal with single click pass through

    Posted Sep 05, 2014 10:59 AM

    They only need to resolve the place they are first trying to get to, usually an internet home page, so public resolution is fine.

    The CP ACL does the business of forcing it to the page. Have you modified their logon role? The ordering of the rules is sometimes an issue.

    One possibility is to add the "ip cp-redirect address <controlleripinguestvlan>" global command to the controller.
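
    Tony asks in post 5 how to test whether the wireless client can even reach the portal, and post 6 describes the redirect the CP ACL forces. The probe below is an added example, not part of this thread: run from the client, it issues one plain-HTTP GET without following redirects and classifies the first hop, checking that it is a 302 and that its Location is an absolute URL pointing at the controller you expect (a relative Location is the case Tony later hits, where the redirect lands on whichever controller intercepted the request). The probe target example.com and the controller address 192.0.2.1 are assumed placeholders.

```python
"""Client-side probe for a captive-portal redirect (added example)."""
import http.client
from urllib.parse import urlparse


def classify_redirect(status, location, expected_controller):
    """Classify one HTTP reply seen by the client.

    status:              numeric HTTP status of the reply
    location:            value of the Location header, or None
    expected_controller: IP or hostname the redirect should point at
    """
    if status not in (301, 302, 303, 307):
        # Page was served or errored: the logon role is not intercepting HTTP.
        return "no-redirect"
    if not location:
        return "redirect-without-location"
    host = urlparse(location).hostname
    if host is None:
        # Relative path: the browser resolves it against the intercepting
        # (local) controller, which may not host the custom login page.
        return "relative-redirect"
    if host == expected_controller:
        return "redirect-to-controller"
    # The real site answered, or something else redirected us.
    return "redirect-elsewhere"


def probe(probe_host, expected_controller, timeout=5):
    """Issue one GET to probe_host without following redirects."""
    conn = http.client.HTTPConnection(probe_host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": probe_host})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        return classify_redirect(resp.status, location, expected_controller), location
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder values: any public HTTP site and the controller address
    # on the client VLAN. Run from a client in the logon role.
    verdict, loc = probe("example.com", "192.0.2.1")
    print(verdict, loc)
```

A "no-redirect" verdict with a 200 status means the session ACL is not steering port 80 traffic to the portal; "redirect-elsewhere" means the request reached the real site.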



  • 7.  RE: Trying to create captive portal with single click pass through

    Posted Sep 05, 2014 11:22 AM

    I created a brand new ACL and applied it to that role:


    ip access-list session studentphaseout-cpacl
    user alias mswitch svc-http dst-nat 8080
    user alias mswitch svc-https dst-nat 8081
    user alias controller svc-https dst-nat 8081
    user alias controller svc-http dst-nat 8080
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088

     

    Still no redirect.

    Any other ideas?

     

    I'm afraid of a global command for captive portal redirect, as I have a working guest network with a CP redirect to a CPPM Guest server. Would that command break that network?

     

    Thanks.

     



  • 8.  RE: Trying to create captive portal with single click pass through

    EMPLOYEE
    Posted Sep 05, 2014 11:31 AM

    Are you using the controller's factory certificate for the captive portal?

     

    If so, you should try whitelisting http access to ocsp.geotrust.com.



  • 9.  RE: Trying to create captive portal with single click pass through

    Posted Sep 05, 2014 12:32 PM

    Hi Tim:

    Thanks for your persistence!

     

    I finally added the master controller IP address explicitly in the redirect path, instead of just the relative path. That got the redirect working.

    It was trying to redirect to the local controller that the client was attached to.

    Should I normally have to upload content to all my local controllers as well as the master?

     

    I'm in the home stretch on this one, but I have two questions about the role change.

     

    The captive portal config lists

    Default Role

    and

    Default Guest Role.

     

    Do I set one of these to the before authentication role, and the other to the after authentication role? (or do I set that somewhere else?)

     

    Secondly, how does the accept button post method listed here change roles?

    (This is from https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-154)

     

    <form name="form1" method="post" action="/auth/index.html/u">
    <span class="bodytext">
    <input type="hidden" id="email" name="email" value="user@company.com" class="text" accesskey="e" />
    <input type="hidden" name="cmd" value="authenticate" />
    <input type="submit" name="Login" value="I ACCEPT" class="button" />
    </span>
    </form>

     

    Is /auth/index.html built into the controller, ready to accept these values, or do I have to modify something here?

     

    Thank you!