
iAP no captive portal pop-up and authentication text question

  • 1.  iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:11 AM

    Dear Airheads,

     

    I am trying to set up a guest WiFi with an external captive portal page.

    I have set up a website, which is available in the same VLAN that the guest will be assigned to. There is one page where the user needs to accept the terms and then gets redirected to a second page, where the authentication text is in the HTML body.

    The first issue is that the captive portal page does not pop up when connecting to the WiFi, but I can access the page with the normal web browser.

    The second issue is that the authentication text does not seem to work.

    The role does not change after the user gets redirected to the second page, where the authentication text is integrated. The authentication text is inside a hidden input:

     

    <div class="MainLoginSuccess">
    <label>Ihr Log-In war erfolgreich.</label><br /><br />
    <label><i>Your Log-In was successful.</i></label>
    </div>

    I have added some images of the configuration.

     

    I hope someone can help me.



  • 2.  RE: iAP no captive portal pop-up and authentication text question

    MVP EXPERT
    Posted Feb 13, 2019 06:16 AM

    Is your client assigned a valid and working DNS server? The VC will not be able to re-direct to a Captive Portal if DNS is not working for the client. Also, have you replaced the default Captive Portal certificate on the VC?



  • 3.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:20 AM

    Hi,

     

    Thanks for your reply.

    The DNS server should be correctly assigned. It's the same one we are using for a password-protected WiFi in the same VLAN.

    Where should I replace the certificate? And which certificate should I use? The captive portal website is only accessible through HTTP.



  • 4.  RE: iAP no captive portal pop-up and authentication text question

    MVP EXPERT
    Posted Feb 13, 2019 06:25 AM
    I'd still double check your client can perform DNS. It might be more
    restrictive on your guest network due to ACLs.

    You can take a look at the cert info here.

    https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814


  • 5.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 06:42 AM

    I have checked the DNS and added the DNS access in the pre-authentication role.

     

    When I am using nslookup, the names are resolved correctly, but still no pop-up.

    When I am using the access point's internal captive portal page, the pop-up works.



  • 6.  RE: iAP no captive portal pop-up and authentication text question

    MVP EXPERT
    Posted Feb 13, 2019 06:50 AM

    Have you enabled automatic whitelisting? What is the URL that is presented in the browser? Is this showing as correct?

     

    show datapath session | include [CLIENT IP]

    Confirm in the first case the client can reach the captive portal via the vlan.



  • 7.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 07:07 AM

    The user can reach the captive portal by typing it manually into the web browser.

     

    http://192.168.16.215/Login.html

     

    This is the result of the command:

     

    show datapath session | include 192.168.16.191
    192.168.16.1 192.168.16.191 17 53 53984 0 0 0 0 dev17 17 1 43 FI
    192.168.16.191 224.0.0.251 17 5353 5353 0 0 0 0 dev17 17 3 ba FDC
    192.168.16.191 192.168.16.1 17 50207 53 0 0 0 0 dev17 1d 2 86 FCI
    192.168.16.191 224.0.0.252 17 62456 5355 0 0 0 0 dev17 17 1 38 FDC
    192.168.16.1 192.168.16.191 17 53 64774 0 0 0 1 dev17 3f 0 0 FI
    192.168.16.1 192.168.16.191 17 53 65319 0 0 0 1 dev17 3e 0 0 FI
    192.168.16.191 192.168.16.1 17 63627 53 0 0 0 1 dev17 68 0 0 FCI
    192.168.16.191 192.168.16.255 17 137 137 0 0 0 0 dev17 17 2 9c FDC
    192.168.16.1 192.168.16.191 17 53 63627 0 0 0 1 dev17 68 0 0 FI
    192.168.16.191 104.107.216.169 6 58469 80 0 0 0 0 dev17 36 6 22f FSNC
    192.168.16.191 104.81.34.215 6 58467 443 0 0 0 1 dev17 3f 0 0 FSNC
    192.168.16.191 104.107.216.169 6 58470 80 0 0 0 0 dev17 1d 4 1df FSNC
    192.168.16.191 104.107.216.169 6 58471 80 0 0 0 0 dev17 4 3 1b7 SNC
    192.168.16.191 104.107.216.169 6 58464 80 0 0 0 1 dev17 81 0 0 FSNC
    192.168.16.191 104.81.34.215 6 58468 443 0 0 0 1 dev17 3e 1 28 FSNC
    192.168.16.191 192.168.16.1 17 64774 53 0 0 0 1 dev17 3f 0 0 FCI
    192.168.16.191 104.107.216.169 6 58465 80 0 0 0 1 dev17 68 2 50 FSNC
    192.168.16.191 104.107.216.169 6 58466 80 0 0 0 1 dev17 4f 3 78 FSNC
    192.168.16.1 192.168.16.191 17 53 65457 0 0 0 1 dev17 4f 0 0 FI
    192.168.16.191 192.168.16.1 17 51452 53 0 0 0 1 dev17 4e 0 0 FCI
    192.168.16.191 192.168.16.1 17 65457 53 0 0 0 1 dev17 4f 0 0 FCI
    192.168.16.1 192.168.16.191 17 53 51452 0 0 0 1 dev17 4e 0 0 FI
    192.168.16.191 192.168.16.1 17 53984 53 0 0 0 0 dev17 17 1 43 FCI
    192.168.16.191 224.0.0.252 17 65288 5355 0 0 0 0 dev17 17 1 38 FDC
    192.168.16.191 192.168.16.1 17 65319 53 0 0 0 0 dev17 3e 0 0 FCI
    192.168.16.1 192.168.16.191 17 53 50207 0 0 0 0 dev17



  • 8.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 07:22 AM

    Somehow my answer gets deleted...

    The captive portal is available through the web browser:

     

    http://192.168.16.215/Login.html

     

    The output of the command is:

    show datapath session | include 192.168.16.191


  • 9.  RE: iAP no captive portal pop-up and authentication text question

    EMPLOYEE
    Posted Feb 13, 2019 07:45 AM

    Hi,

     

    When using 'Authentication Text' method, please refer to the template I posted:

    https://community.arubanetworks.com/t5/Controllerless-Networks/Using-external-captive-portal-with-authentication-text/m-p/457350#M21740

     

    I've created an external captive portal template. (ref: InstantCPv8.1-NoCSS-AuthText-Error.zip)

     

    When you click on accept, it calls the HTML GET which fetches the login.html page which contains a comment, the authenticated text string: Authenticated.

     

    This method works using HTTP as the IAP needs to parse HTML code to look for the authentication text in an HTML comment.

     

    Paul Gallant, ing.
    CWNA, CWSP, ACCA, ACSA, ACEAP, ACMX #377, ACDX #380
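
Added example, not part of the post above or of the template it links to: a small offline check of whether a portal success page carries the authentication text the way that reply describes (inside an HTML comment, on a page served over plain HTTP). It is not the IAP's own parser; the exact-match rule, the finding names, the `portal.example` host and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PortalPage(HTMLParser):
    """Collects HTML comments and hidden <input> values from a portal page."""

    def __init__(self):
        super().__init__()
        self.comments, self.hidden_values = [], []

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):  # also called for <input ... />
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            self.hidden_values.append(attrs.get("value") or "")


def check_auth_text(url, html, auth_text):
    """Return findings; an empty list means the page fits the described method.

    Assumption: exact, case-sensitive substring match. Finding names are made up.
    """
    findings = []
    if urlparse(url).scheme.lower() != "http":
        findings.append("not-plain-http")  # the reply says the method relies on HTTP
    page = PortalPage()
    page.feed(html)
    page.close()
    if any(auth_text in c for c in page.comments):
        return findings
    if any(auth_text in v for v in page.hidden_values):
        findings.append("auth-text-only-in-hidden-input")
    elif auth_text in html:
        findings.append("auth-text-only-in-visible-markup")
    else:
        findings.append("auth-text-missing")
    return findings


# Constructed sample pages (not taken from the thread or the template zip).
COMMENT_PAGE = "<html><body><!-- Authenticated --><p>Log-in OK</p></body></html>"
HIDDEN_PAGE = ('<html><body><input type="hidden" name="auth" '
               'value="Authenticated" /><p>Log-in OK</p></body></html>')

if __name__ == "__main__":
    print(check_auth_text("http://portal.example/login.html", COMMENT_PAGE, "Authenticated"))
    print(check_auth_text("http://portal.example/login.html", HIDDEN_PAGE, "Authenticated"))
```

Run it against the saved source of the page the portal returns after the user accepts the terms, with the same string configured as `auth-text` on the IAP.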



  • 10.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 08:27 AM

    Hi,

     

    I am using your template right now, but it is still the same. The user role does not change from the pre-authentication to the post-authentication role.

    Is it maybe a firmware issue? I currently have version 8.3.0.3 installed.



  • 11.  RE: iAP no captive portal pop-up and authentication text question

    EMPLOYEE
    Posted Feb 13, 2019 08:58 AM

    EXAMPLE OF CONFIGURATION, 4 STEPS CAPTIVE PORTAL:

    1.
    wlan auth-server RADIUS_CP
    ip XX.XX.XX.XX
    port 1812
    acctport 1813
    key ******
    nas-ip 172.26.x.x
    nas-id *****
    drp-ip 172.26.x.x 255.255.255.0 vlan XX gateway 172.26.x.1 //optional drp-ip (DYNAMIC RADIUS PROXY)//

     

    2.
    wlan captive-portal
    background-color 16777215
    banner-color 16777215
    banner-text "Bienvenido a HPE_LAB"
    terms-of-use "El usuario se compromete a usar el servicio de acceso WiFi de forma diligente y correcta y se compromete a no utilizarlo para actividades contrarias a la ley."
    use-policy "Marque I agree si acepta las condiciones de uso"
    authenticated

    3.
    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https

    4.
    wlan external-captive-portal ILFW
    server xxxxxxx.telefonica.es
    port 443
    url "/login.php?nasid=XXXXXX&platform=aruba"
    auth-text ""
    auto-whitelist-disable
    https

     

    ___________________________________________________________

    EXAMPLE OF CONFIGURATION wlan external OTHER CAPTIVE PORTALS ONLY

    wlan external-captive-portal ONDEGO_CP
    server x.x.x.x
    port 443
    url "/login.php/?platform=aruba"
    auth-text ""
    auto-whitelist-disable
    https

    wlan external-captive-portal PURPLE_CP
    server purpleportal.net
    port 80
    url "/access/?iapmac=<MACiAP>"
    auth-text ""
    redirect-url "https://purpleportal.net/login"
    auto-whitelist-disable

    wlan external-captive-portal Linkyfi_CP
    server linkyfi.com
    port 443
    url "/linkyfi.com/portal"
    auth-text ""
    redirect-url "https://linkyfi.com/portal"
    auto-whitelist-disable
    https
    ___________________________________________________________

     

     



  • 12.  RE: iAP no captive portal pop-up and authentication text question

    EMPLOYEE
    Posted Feb 13, 2019 09:03 AM
    5.
    wlan ssid-profile IAP_Inv
    enable
    type guest
    essid IAP_Inv
    opmode opensystem
    max-authentication-failures 0
    vlan XX
    auth-server RADIUS_CP
    set-role-pre-auth Pre-auth
    captive-portal external profile ILFW
    broadcast-filter arp
    radius-accounting
    radius-interim-accounting-interval 5
    content-filtering


  • 13.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 09:06 AM

    @JC_HPE

     

    Your answers do not help me to find the solution.



  • 14.  RE: iAP no captive portal pop-up and authentication text question

    Posted Feb 13, 2019 09:28 AM

    I have tested the RADIUS authentication. That is working. The pop-up appears and the authentication works.

     

    It is a workaround but not an optimal solution.

     



  • 15.  RE: iAP no captive portal pop-up and authentication text question

    EMPLOYEE
    Posted Feb 14, 2019 04:36 AM


  • 16.  RE: iAP no captive portal pop-up and authentication text question

    EMPLOYEE
    Posted Feb 13, 2019 09:03 AM

    Note: Authentication text method does not make use of RADIUS.

     

    Paul Gallant, ing.