Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Access Captive Portal using Mozilla Firefox - OCSP

  • 1.  Access Captive Portal using Mozilla Firefox - OCSP

    Posted Dec 06, 2011 12:36 AM

    Unable to access the Aruba captive portal using Mozilla Firefox. I have added all of the OCSP hosts to the policy (ACL) and applied the policy to the logon initial role, but it doesn't work.

     

    Below is the list of OCSP hosts that I added:

    91.199.212.174

    91.209.196.4

    208.116.56.4

    149.5.128.4

    91.209.196.5

    205.234.175.175

    91.209.196.169

    91.199.212.169

    149.5.128.169

    199.66.201.169

     

    If I disable HTTPS for the captive portal web page, the laptop is able to access the captive portal using Mozilla Firefox, but when I enable HTTPS again, the captive portal is not accessible in Mozilla Firefox.

     

    Please advise.



  • 2.  RE: Access Captive Portal using Mozilla Firefox - OCSP
    Best Answer

    EMPLOYEE
    Posted Dec 06, 2011 03:53 AM

    SSH into the controller on which you are having the problem.

     

    Find the client ip and do a "show datapath session table <client's ip address>" to see what port 80 traffic is being denied.  This is my output here:

     

    (host) #show datapath session table 192.168.1.192
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
    
      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags 
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
    192.168.1.192   8.8.8.8         17   54242 53     0/0     0 96  1   tunnel 24   2    FSCI
    192.168.1.192   10.2.1.226      6    49195 443    0/0     0 96  1   tunnel 24   18   FNCI
    192.168.1.192   10.2.1.226      6    49196 443    0/0     0 96  0   tunnel 24   e    FNCI
    192.168.1.192   10.2.1.226      6    49197 443    0/0     0 96  0   tunnel 24   4    FNCI
    192.168.1.192   199.66.201.169  6    49199 80     0/0     0 96  0   tunnel 24   2    FDY  <---------------------
    192.168.1.3     192.168.1.192   6    8081  49196  0/0     0 96  1   tunnel 24   e    FSI
    192.168.1.3     192.168.1.192   6    8081  49197  0/0     0 96  0   tunnel 24   4    FSI
    192.168.1.3     192.168.1.192   6    8081  49198  0/0     0 96  0   tunnel 24   2    SI
    192.168.1.3     192.168.1.192   6    8080  49199  0/0     0 96  0   tunnel 24   2    FS
    192.168.1.3     192.168.1.192   6    8081  49195  0/0     0 96  1   tunnel 24   18   FSI

     As you can see, my client's port 80 traffic is being denied to 199.66.201.169.

     

    Do an "nslookup" on the command line for that IP address to see if it is an OCSP or CRL URL:

     

    Host:~ colinjoseph$ nslookup
    > server 8.8.8.8
    Default server: 8.8.8.8
    Address: 8.8.8.8#53
    > 199.66.201.169
    Server:		8.8.8.8
    Address:	8.8.8.8#53
    
    Non-authoritative answer:
    169.201.66.199.in-addr.arpa	name = ocsp.usertrust.com.
    

     Since it is an OCSP URL, I would add the 199.66.201.169 address to your netdestination, and that should fix it for now.

     

     

     

     If this is ArubaOS 6.x and above, I would add the name ocsp.usertrust.com to the netdestination you are using:

     

    netdestination usertrust
      name ocsp.usertrust.com

    Please make sure that ip domain-lookup is on and you have a dns server defined, if this is 6.x and you are using the named netdestination:

     

    config t
    ip domain lookup
    ip domain-name test.com
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2

    If you are configuring the ip domain-lookup above, you can ignore the message that you need to reboot.

     

     Test to make sure your domain lookup is working by pinging a url (once again, ONLY if you are using ArubaOS 6.x and above):

     

    (3600 controller) # ping www.zdnet.com
    Press 'q' to abort.
    Sending 5, 100-byte ICMP Echos to 216.239.116.55, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 61.783/63.033/63.654 ms
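
The triage in reply 2 (find the client's denied port-80 flows, then check whether the destination resolves to an OCSP or CRL host) as an added Python example; it is not part of the thread or of Aruba's tooling. The `PTR` dictionary stands in for live reverse lookups, and classifying by the first hostname label is an assumption.

```python
import ipaddress

# Rows copied from the "show datapath session table" output in reply 2 (trimmed).
SAMPLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
192.168.1.192   8.8.8.8         17   54242 53     0/0     0 96  1   tunnel 24   2    FSCI
192.168.1.192   10.2.1.226      6    49195 443    0/0     0 96  1   tunnel 24   18   FNCI
192.168.1.192   199.66.201.169  6    49199 80     0/0     0 96  0   tunnel 24   2    FDY  <-----
192.168.1.3     192.168.1.192   6    8080  49199  0/0     0 96  0   tunnel 24   2    FS
"""

# Reverse-DNS answers collected out of band (the nslookup in reply 2), so this runs offline.
PTR = {"199.66.201.169": "ocsp.usertrust.com"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_rows(text):
    """Return session rows as dicts; headers, legend and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f and f[-1].startswith("<-"):      # hand-drawn arrow in pasted output
            f.pop()
        if len(f) < 7 or not (_is_ip(f[0]) and _is_ip(f[1])):
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]), "flags": f[-1]})
    return rows

def revocation_candidates(text, client_ip, ptr):
    """Denied (flag D) TCP/80 flows from the client, labelled ocsp/crl/unknown."""
    found = []
    for r in parse_rows(text):
        if r["src"] != client_ip or "D" not in r["flags"]:
            continue
        if r["proto"] != 6 or r["dport"] != 80:
            continue
        name = ptr.get(r["dst"], "")
        label = name.split(".")[0]            # assumption: ocsp.* / crl.* naming
        kind = label if label in ("ocsp", "crl") else "unknown"
        found.append((r["dst"], name, kind))
    return found

if __name__ == "__main__":
    for dst, name, kind in revocation_candidates(SAMPLE, "192.168.1.192", PTR):
        print(f"denied tcp/80 -> {dst} ({name or 'no PTR'}): {kind}")
```

Destinations labelled `unknown` need a manual lookup before being added to the netdestination, since a denied port-80 flow is not necessarily revocation traffic.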
    

     



  • 3.  RE: Access Captive Portal using Mozilla Firefox - OCSP

    EMPLOYEE
    Posted Dec 06, 2011 04:15 AM
    It's probably going to end up being the CRL address that needs to be added.


  • 4.  RE: Access Captive Portal using Mozilla Firefox - OCSP

    Posted Dec 09, 2011 02:23 AM

    The problem is already solved. Thanks for your help. But I have a minor issue with the Firefox browser, which is:

    Before the Firefox browser is able to go to the captive portal, it pops up a window 3 times about "Secure Connection Failed". When it pops up I have to click Cancel, and then it goes to the captive portal.

     

    Please find the below attached screen capture.

    Attachment(s)

    docx
    SSL.docx   88 KB 1 version


  • 5.  RE: Access Captive Portal using Mozilla Firefox - OCSP

    EMPLOYEE
    Posted Dec 09, 2011 07:12 AM

    Please open the browser initially to a non-secure (non-SSL) site for the captive portal.  It looks like you are opening the browser to an SSL Yahoo site, and then the controller is redirecting you to a different one, so to the browser, it looks like an attack.  Open www.yahoo.com instead and see if that works.