Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Web Page Redirect

  • 1.  Web Page Redirect

    Posted Jan 09, 2014 10:33 AM

    I'm looking to see if this solution can be performed. A user connects to a specific SSID and gets prompted to authenticate against a back-end RADIUS server. Once authenticated and connected to said SSID, the user launches a web browser and the controller automatically redirects the web browser to a specific URL. Is it possible to make that redirection automatically occur?

     

    Thank you very much in advance for any and all responses.

     

    Tony Marques



  • 2.  RE: Web Page Redirect
    Best Answer

    Posted Jan 09, 2014 11:08 AM

    Yes, you should be able to do this.

    I have not had time to test this myself, but what you do is to combine 2 techniques:

    First you implement Captive Portal on a 802.1x protected SSID.

    Then you configure the captive portal like I have described in the tutorial which you can find here:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Internal-Captive-Portal-with-automatic-guest-auth-and-redirect/td-p/131299

     

    This will redirect the user to your chosen web page without a second login form in the Captive Portal.

     

    As for launching a web browser automatically, that is not possible to configure in the network as this is a configuration on the device that is used to connect to the network. How the device behaves differs greatly depending on how it is locally configured to respond when connecting to a Captive Portal protected network. Some devices do launch a web browser automatically and some don't.

     

     



  • 3.  RE: Web Page Redirect

    Posted Jan 13, 2014 10:16 AM

    When you say implement Captive Portal on a 802.1x protected SSID, how exactly is that achieved correctly? I've configured what I think is such and it doesn't appear to be working properly.


    Regards,

    Tony Marques



  • 4.  RE: Web Page Redirect

    EMPLOYEE
    Posted Jan 13, 2014 10:59 AM

    Do you have layer 3 interfaces on the controller for the user VLANs?



  • 5.  RE: Web Page Redirect

    Posted Jan 13, 2014 01:02 PM

    Yes.



  • 6.  RE: Web Page Redirect

    Posted Jan 14, 2014 04:33 PM

    I configured the captive portal using your tutorial and used your html code word for word, but the problem I am encountering is a redirect loop.



  • 7.  RE: Web Page Redirect

    EMPLOYEE
    Posted Jan 14, 2014 04:53 PM

    What is the "initial" role that the user who associates gets?  (show rights <role>)  that has to allow http traffic to whatever is serving up that page...



  • 8.  RE: Web Page Redirect

    Posted Jan 15, 2014 09:06 AM

    Hi cjoseph,

     

    Just for the record, TAC stated that my request cannot work because we're using L2 802.1X authentication against the SSID and then wanting to use Captive Portal redirect (i.e. L3 authentication).

     

    Anyways, having said that, the "initial" role within the AAA 802.1X Authentication Profile is:

     

    show rights logon

    Derived Role = 'logon'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 1/0
     Max Sessions = 65535

     Captive Portal profile = default

    access-list List
    ----------------
    Position  Name              Location
    --------  ----              --------
    1         logon-control     
    2         captiveportal     
    3         vpnlogon          
    4         v6-logon-control  
    5         captiveportal6    

    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-icmp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-dhcp  permit                           Low                                                           4
    5         any     any          svc-natt  permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-https        dst-nat 8081                           Low                                                           4
    3         user    any          svc-http         dst-nat 8080                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    vpnlogon
    --------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          svc-ike   permit                           Low                                                           4
    2         user    any          svc-esp   permit                           Low                                                           4
    3         any     any          svc-l2tp  permit                           Low                                                           4
    4         any     any          svc-pptp  permit                           Low                                                           4
    5         any     any          svc-gre   permit                           Low                                                           4
    v6-logon-control
    ----------------
    Priority  Source  Destination  Service      Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------      ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68       deny                             Low                                                           6
    2         any     any          svc-v6-icmp  permit                           Low                                                           6
    3         any     any          svc-v6-dhcp  permit                           Low                                                           6
    4         any     any          svc-dns      permit                           Low                                                           6
    captiveportal6
    --------------
    Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller6  svc-https        captive                           Low                                                           6
    2         user    any          svc-http         captive                           Low                                                           6
    3         user    any          svc-https        captive                           Low                                                           6
    4         user    any          svc-http-proxy1  captive                           Low                                                           6
    5         user    any          svc-http-proxy2  captive                           Low                                                           6
    6         user    any          svc-http-proxy3  captive                           Low                                                           6
                                                      
    Expired Policies (due to time constraints) = 0

     

    I can successfully login against our back-end RADIUS server and get assigned a valid IP Address.

     

    The "802.1X Authentication Default Role" is as follows:

     

    show rights View

    Derived Role = 'View'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 68/0
     Max Sessions = 65535

     Captive Portal profile = Jefferson-View-captiveportal-profile

    access-list List
    ----------------
    Position  Name  Location
    --------  ----  --------
    1         Test  
    2         View  

    Test
    ----
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-https        dst-nat 8081                           Low                                                           4
    3         user    any          svc-http         dst-nat 8080                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    View

    I've left out the View rules so as to not provide IP addresses. These rules are the permit rules that allow the DHCP pool to access only the specific URL I want the user to reach and the back-end servers that serve up the content.

     

    Regards,

    Tony Marques
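
The question in post 7 (what the initial role does with HTTP) can be read off the `show rights` listing mechanically. The following is an added example, not code from the thread or from Aruba: it parses the listing and returns the first rule, in ACL position order, that covers a service. It assumes first-match evaluation, ignores the Source column, and compares destination aliases by name only.

```python
import re

# Constructed sample: `show rights logon` from post 8, trimmed to the populated
# columns and to three rows of logon-control plus three of captiveportal.
SHOW_RIGHTS = """\
logon-control
-------------
Priority  Source  Destination  Service   Action  Queue  IPv4/6
--------  ------  -----------  -------   ------  -----  ------
1         user    any          udp 68    deny    Low    4
3         any     any          svc-dns   permit  Low    4
4         any     any          svc-dhcp  permit  Low    4
captiveportal
-------------
Priority  Source  Destination  Service    Action        Queue  IPv4/6
--------  ------  -----------  -------    ------        -----  ------
1         user    controller   svc-https  dst-nat 8081  Low    4
2         user    any          svc-https  dst-nat 8081  Low    4
3         user    any          svc-http   dst-nat 8080  Low    4
"""

def parse_rules(text):
    """Return rules in listing order, which is the role's ACL position order."""
    rules, acl, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if s and nxt and set(nxt) == {"-"}:   # ACL name underlined by one dash run
            acl = s
            continue
        f = re.split(r"\s{2,}", s)            # columns are separated by 2+ spaces
        if len(f) >= 6 and f[0].isdigit():    # a rule row, not a header or list row
            rules.append({"acl": acl, "prio": int(f[0]), "src": f[1],
                          "dst": f[2], "svc": f[3], "action": f[4], "ip": f[-1]})
    return rules

def first_match(rules, svc, dst="any", ip="4"):
    """First rule covering the service and destination alias, or None.
    Simplification: source is ignored and aliases are compared by name."""
    for r in rules:
        if r["ip"] == ip and r["svc"] == svc and r["dst"] in ("any", dst):
            return r
    return None

if __name__ == "__main__":
    rules = parse_rules(SHOW_RIGHTS)
    for svc, dst in [("svc-dns", "any"), ("svc-http", "any"), ("svc-https", "controller")]:
        r = first_match(rules, svc, dst)
        print(svc, dst, "->", f'{r["acl"]} #{r["prio"]} {r["action"]}' if r else "no explicit rule")
```

The same parser accepts the full-width listing as pasted in the thread, because the empty columns collapse when splitting on runs of spaces.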

     

     



  • 9.  RE: Web Page Redirect

    Posted Jan 15, 2014 09:26 AM

    Forgot to mention that when I test the captive portal via the GUI (using the View Captive Portal link in the Management > Captive Portal > Customize Login Page), I get the custom HTML page where it states to click here if not automatically logged in blah blah blah and then goes to the /auth/index.html page (which is expected since this is just testing the HTML code). So that works fine, but it's just integrating that after having successfully authenticated with RADIUS.

     

    Regards,

    Tony Marques



  • 10.  RE: Web Page Redirect

    Posted Jan 16, 2014 10:10 AM

    All,

     

    I have this working. I had to upload the custom HTML code to all my controllers. The device I was testing with was connecting to a local controller and I had only initially uploaded the custom HTML code to the master controller. Thanks all for your input.

     

    Regards,

    Tony Marques