Occasional Contributor I

Web authentication works but no redirect to switch login page

Hi,

 

I'm having trouble getting web port authentication working as expected. I have configured RADIUS and web auth, and when connecting an unauthenticated computer to the port, I get the IP 192.168.0.2 with a 24-bit mask. At this stage I was expecting HTTP(S) requests to be redirected to the login page; however, the requests just fail. I can see that I have 192.168.0.1 configured as the DNS server, which was supplied by the switch via DHCP.

 

If I navigate to 192.168.0.1, the login page is displayed and I can authenticate against RADIUS.

 

What do I have to do to change the behaviour so that clients are automatically redirected to 192.168.0.1?

 

Thanks in advance

GM

Super Contributor I

Re: Web authentication works but no redirect to switch login page

Can you give us some more detail as to how you are configured?

Is there an IP address configured on the VLAN that the clients get placed into for captive portal? If not, you would need to configure one. It doesn't have to be a gateway; it just needs to have an address in the same range.

 

Also do you have a captive portal profile configured in the initial user role, and do you have the captive portal redirect ACLs/policies in that initial role as well? If not the user will not be automatically redirected.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX#509 | ACCP | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
Occasional Contributor I

Re: Web authentication works but no redirect to switch login page

Hi Dustin

 

Thanks for coming back to me. I've been working from the ArubaOS port security guide but to be honest couldn't find the relevant captive portal config for using the inbuilt web server so probably not.

 

The current test config looks as so:

 

radius-server host 192.168.55.57 key "secret"
radius-server tracking enable
aaa authentication port-access eap-radius
aaa port-access web-based 1-2
aaa port-access web-based 1 redirect-url "https://www.example.com/"
aaa port-access web-based 2 redirect-url "https://www.example.com/"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-28
   ip address 192.168.55.10 255.255.255.0
   exit

 


As mentioned if I'm unauthenticated and navigate to 192.168.0.1 then I get the following login screen and can successfully auth from RADIUS:

 

image.png


If however I try to navigate anywhere else, the browser fails to load. 

Super Contributor I

Re: Web authentication works but no redirect to switch login page

Can you try a configuration like this:

 

radius-server host 192.168.55.57 key "secret"
aaa authentication port-access eap-radius
radius-server host 192.168.55.57 dyn-authorization
radius-server host 192.168.55.57 time-window 0

aaa port-access web-based 1-2
aaa port-access web-based ewa-server www.example.com
aaa port-access web-based 1-2 redirect-url www.google.com

 

The redirect-url is a page that you want to redirect them to after authentication. The ewa-server will specify the webpage to use for login. Also make sure captive portal is enabled on the switch as well.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX#509 | ACCP | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
Occasional Contributor I

Re: Web authentication works but no redirect to switch login page

Thanks, I did try configuring ewa-server before but all I ended up with was a timeout and error saying that the EWA server wasn't responding. 

 

I feel like I need to use policies and an IP in the quarantine VLAN although can't find concise docs on how this is done. The documentation on web auth really is a bit thin on detail unless I'm missing something obvious.
