Wireless Access

Hello,

I've recently taken over a position at this company and I'm unfamiliar with the Aruba product line, so please excuse my ignorance.

System

Aruba 3200

OS Version: 3.3.1.3 (Yes I know it's out of date)

There's a Guest and an Employee SSID.  Guests go to the Captive Authentication Web Page and the Employee SSID uses AD Authentication through my AD Radius Server.

Last week we started getting Web Authentication Disabled when people on the Employee SSID would open their Browsers.  Guests are not able to Authenticate either.

I was able to get the Employee SSID working by changing the Employee AAA Profile Role from logon to authenticated, but then that SSID is pretty much wide open now.

Again, every AD User trying to Authenticate to the Employee SSID failed until I changed that role.  I thought it may have been a Certificate issue, so I tried to have the Aruba Generate the CSR, but I never got the email.

Any help on this at all would be greatly appreciated.

If you go to Configuration > Security > Authentication > L3 Authentication and select your captive portal profile, is "User Login" checked?

(Screenshot may look a little different based on version)

Thank you for the reply.  No, see below.  However, no one has been into my Controller to have changed any settings like this.  There's only myself and my HD guy.  And he doesn't even know what any of this stuff is.

Strange. If you want to use AD credentials, you need to enable User Login and choose a server group that contains your LDAP servers (DCs).

You can also use show audit-trail to see what changes were made since the last reload of the controller.

I tried that and set the AAA Profile back to logon.

Once connected I opened the web browser.  I'm able to browse pages for a few minutes, but when I went to youtube or any other secure site I get the Browser Security Error "This Connection is Untrusted" even if I just go to Google.com

EDIT: Also after a perioed of time the Web Authentication Disabled message will come up again.

The connection is untrusted message is expected behavior because your http session is being redirected to the captive portal. If you click to accept the certificate, does it bring you to the captive portal?

No. it usually goes onto to the page or to the WAD error

The way this Employee wifi is setup, they use there AD Credentials to connect to the Employee SSID.  Like if they choose CT_WIRELESS it prompts for their AD credentials.

The Captive portal only comes up when someone connects to the CT_GUEST.

---

@minfinger wrote:

No. it usually goes onto to the page or to the WAD error

 

The way this Employee wifi is setup, they use there AD Credentials to connect to the Employee SSID.  Like if they choose CT_WIRELESS it prompts for their AD credentials.

 

The Captive portal only comes up when someone connects to the CT_GUEST.

---

minfinger,

If a role that a user is in contains the Captive Portal ACL, but the role does not have a Captive Portal Authentication profile assigned, that is why a user would be redirected to "Controller Web Authentication Disabled"

You production or employee role should NOT have the Captive Portal ACL so that your production users will not see it.  Your Guest initial role should have a Captive Portal authentication profile assigned.

To check up on both roles, please go to Configuration> Security> Access Control.