Wireless Access

Occasional Contributor II

AOS 8.4 External Captive Portal problem - walled garden not working well

Hi Community. We have two MD 7210s managed by a VMM. We have about 350 APs and give access to about 2500 users. Everything is under release 8.4.0. We upgraded from 8.3 after license issues. With release 8.4.0 we are facing very strange problems with an external Captive Portal. Everything works for some days and then suddenly stops working. It happened randomly in each controller. If the controller is rebooted, the problem is solved for some time. The external CP is Socifi and during the error the site cannot upload correctly (it only uploads the main portal with an image indicating that maybe the walled garden is not well configured because it cannot access other sites - so it seems that during the error the walled garden is not working properly).
I could not find any related issue. The user-table during the error shows fewer sessions - seems logical. I uploaded an alias with the list of all IPs that Socifi needs (to bypass the walled garden) but without success.

I made some modifications to the walled garden and it seems that it does not work on the fly - for example, adding a website that should work during preauth. Maybe there is a service/process that I can check?

I cannot figure out how to debug this and find the error. I will downgrade to 8.3.0.6 and check - hope this solves the issue. However, I need to understand how to find where the issue is for future debugging. I could not simulate the error in my lab.
Regards

Martín Rodriguez
Guru Elite

Re: AOS 8.4 External Captive Portal problem - walled garden not working well

Are you using walled garden with ip addresses or hostname/urls?  See if those hostnames end up with "show firewall dns-names".  Essentially, when a user attempts to go to a hostname, the controller caches the returned DNS address and either allows or blocks traffic to that ip address.  If it does not show up in "show firewall dns-names" on the local controller, that means something is not right.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
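The name-based allowlisting described in the reply above, as a simplified model added here (not part of the original thread and not ArubaOS code): IPs are permitted pre-auth only after a DNS answer for an allowlisted name has been observed. The class and method names are hypothetical, wildcard matching via `fnmatch` is an assumption, and all hostnames and addresses are constructed.

```python
import fnmatch
import ipaddress


class WalledGarden:
    """Toy pre-auth allowlist: hostname patterns plus IPs learned from DNS answers."""

    def __init__(self, name_patterns, static_ips=()):
        self.name_patterns = [p.lower() for p in name_patterns]
        self.static_ips = {ipaddress.ip_address(ip) for ip in static_ips}
        self.dns_cache = {}  # learned IP -> hostname that resolved to it

    def matches(self, hostname):
        host = hostname.lower().rstrip(".")
        return any(fnmatch.fnmatchcase(host, p) for p in self.name_patterns)

    def snoop_dns_answer(self, hostname, answers):
        """Cache the A records a client received, only if the name is allowlisted."""
        if not self.matches(hostname):
            return 0
        for ip in answers:
            self.dns_cache[ipaddress.ip_address(ip)] = hostname.lower()
        return len(answers)

    def permits(self, dst_ip):
        """Pre-auth decision for a flow to dst_ip: static alias or learned IP."""
        ip = ipaddress.ip_address(dst_ip)
        return ip in self.static_ips or ip in self.dns_cache

    def dns_names(self):
        """Learned (hostname, ip) pairs, the state to compare with the configured names."""
        return sorted((host, str(ip)) for ip, host in self.dns_cache.items())


if __name__ == "__main__":
    # Constructed sample data: example.com names and documentation address ranges.
    garden = WalledGarden(["*.portal.example.com"], static_ips=["198.51.100.10"])
    garden.snoop_dns_answer("login.portal.example.com", ["203.0.113.5"])
    garden.snoop_dns_answer("ads.example.net", ["203.0.113.99"])  # not allowlisted
    for ip in ("203.0.113.5", "203.0.113.99", "203.0.113.6", "198.51.100.10"):
        print(ip, "permit" if garden.permits(ip) else "deny")
    print(garden.dns_names())
```

In this model, an address the portal host moves to (203.0.113.6 here) stays denied until a client's DNS answer for the allowlisted name is seen, and a static IP alias covers only the addresses listed in it.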
Occasional Contributor II

Re: AOS 8.4 External Captive Portal problem - walled garden not working well

Hi cjoseph. We are using names (domains/URLs). However, after facing this issue I configured an ACL in the preauth policy allowing every IP involved and the problem continues.

I will try "show firewall dns-names" and let you know the results.

Now that you mention the walled garden behavior, I would like to understand it. When a user tries to reach, let's say, www.google.com, and the page exists in the walled garden (e.g. *.google.com), does the controller allow traffic for the IP address resolved by the DNS server that the user uses or by the DNS server that the controller has? Although we are using the same DNS server, the resolved IP could be different. This Captive Portal is in AWS and they return different IPs for the same FQDN. Thanks and regards.

Martín Rodriguez
Guru Elite

Re: AOS 8.4 External Captive Portal problem - walled garden not working well

If there is an ACL, the controller will return whatever ip address(es) are returned by wireless clients resolving that ip address or hostname.  Later when hostnames are used in an ACL, those ip addresses are used.


Occasional Contributor II

Re: AOS 8.4 External Captive Portal problem - walled garden not working well

Hi. Although we are not facing the problem yet (using version 8.3.6), we have now reached the same symptom explained here: https://community.arubanetworks.com/t5/Wireless-Access/firewall-dns-names-and-netdestinations/td-p/489306

Executing "show firewall dns-name" we get the output "Module Authentication is busy".

I am manually monitoring this output and the last time I got it, I found some DNS names that are not in the netdestination list of the walled garden. Why is the system recording these DNS names? What other service is populating this firewall list? Regards!

Martín Rodriguez