Occasional Contributor II

Re: Best way to force guests to use a proxy?

So, the user logs in, we get the captive portal, which is successful, but it's not assigning our test user 'guest2010' into the guest profile and using the guest-web policy that has our NAT rule.


(P7FUJI01) #show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.36.2.246 00:24:2b:c1:47:43 guest-logon 00:00:38 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g-HT guest-aaa-profile
10.36.3.253 00:1c:bf:23:51:aa guest-logon 00:00:54 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g guest-aaa-profile
10.36.3.250 00:1e:c2:c3:8a:ce guest2010 guest 00:00:46 Web 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:19/a-HT guest-aaa-profile

User Entries: 3/3

(P7FUJI01) #show acl hits

User Role ACL Hits
------------------
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
---- ------ --- --- ------- ------ ----------- -------- ---------- -----
guest guest-blacklist any any any permit 28 28 15801
guest-logon guest-control user any svc-dhcp permit 0 1 15775
guest-logon guest-control user DNSServers svc-dns permit 0 17 15776
guest-logon captiveportal user mswitch svc-https dst-nat 8081 0 8 15778
guest-logon captiveportal user any svc-http dst-nat 8080 0 2 15779
guest-logon any any 0 deny 9 31 15781

Port Based Session ACL
----------------------
Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
------ --- --- ------- ------ ----------- -------- ---------- -----
validuser any any any permit 0 86 7954
deny-corporate-to-mgmt any controller-vrrp svc-syslog permit 8 1157 8266
deny-corporate-to-mgmt inband-ip inband-ip any permit 1365 646665 8267
deny-corporate-to-mgmt inband-ip vrrp-mcast any permit 0 8881 8268
deny-corporate-to-mgmt airwave inband-ip any permit 20 11660 8270
deny-corporate-to-mgmt guest-users inband-ip svc-http permit 0 213 8271
deny-corporate-to-mgmt any inband-ip svc-papi permit 13 7427 8275
deny-corporate-to-mgmt any inband-ip svc-gre permit 0 4 8276
deny-corporate-to-mgmt any inband-ip svc-http permit 0 115 8280
deny-corporate-to-mgmt any inband-ip svc-syslog permit 0 11 8284
deny-corporate-to-mgmt any inband-ip svc-icmp permit 0 2 8285
deny-corporate-to-mgmt any any 0 deny 34 3353 8286

Port ACL Hits
-------------
ACL ACE New Hits Total Hits Index
--- --- -------- ---------- -----

(P7FUJI01) #
Guru Elite

Captive Portal Authentication Profile


So, the user logs in , we get the capitve portal, which is successful but its not assigning our test user 'guest2010' into the guest profile and using the guest-web policy that has our NAT rule


(P7FUJI01) #show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.36.2.246 00:24:2b:c1:47:43 guest-logon 00:00:38 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g-HT guest-aaa-profile
10.36.3.253 00:1c:bf:23:51:aa guest-logon 00:00:54 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g guest-aaa-profile
10.36.3.250 00:1e:c2:c3:8a:ce guest2010 guest 00:00:46 Web 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:19/a-HT guest-aaa-profile

User Entries: 3/3

(P7FUJI01) #show acl hits

User Role ACL Hits
------------------
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
---- ------ --- --- ------- ------ ----------- -------- ---------- -----
guest guest-blacklist any any any permit 28 28 15801
guest-logon guest-control user any svc-dhcp permit 0 1 15775
guest-logon guest-control user DNSServers svc-dns permit 0 17 15776
guest-logon captiveportal user mswitch svc-https dst-nat 8081 0 8 15778
guest-logon captiveportal user any svc-http dst-nat 8080 0 2 15779
guest-logon any any 0 deny 9 31 15781

Port Based Session ACL
----------------------
Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
------ --- --- ------- ------ ----------- -------- ---------- -----
validuser any any any permit 0 86 7954
deny-corporate-to-mgmt any controller-vrrp svc-syslog permit 8 1157 8266
deny-corporate-to-mgmt inband-ip inband-ip any permit 1365 646665 8267
deny-corporate-to-mgmt inband-ip vrrp-mcast any permit 0 8881 8268
deny-corporate-to-mgmt airwave inband-ip any permit 20 11660 8270
deny-corporate-to-mgmt guest-users inband-ip svc-http permit 0 213 8271
deny-corporate-to-mgmt any inband-ip svc-papi permit 13 7427 8275
deny-corporate-to-mgmt any inband-ip svc-gre permit 0 4 8276
deny-corporate-to-mgmt any inband-ip svc-http permit 0 115 8280
deny-corporate-to-mgmt any inband-ip svc-syslog permit 0 11 8284
deny-corporate-to-mgmt any inband-ip svc-icmp permit 0 2 8285
deny-corporate-to-mgmt any any 0 deny 34 3353 8286

Port ACL Hits
-------------
ACL ACE New Hits Total Hits Index
--- --- -------- ---------- -----

(P7FUJI01) #




So users in a captive portal are assigned roles based on the Captive Portal authentication profile assigned to that captive portal. In the Captive Portal authentication profile there is a server group, which specifies the database you are using to authenticate users, as well as a Default Role, which decides what role authenticated users will be placed in. Find your captive portal authentication profile under Configuration > All Profiles > Wireless > Captive Portal Authentication Profile. Change the default role to be the one you want the user to be in AFTER authentication.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars
Occasional Contributor II

Re: Best way to force guests to use a proxy?

Thanks, I've just checked that captive portal role and it's set to 'guest', which is correct. I also checked that the guest-web firewall policy is associated to user role guest.
Guru Elite

show rights guest

Okay, let's see "show rights guest", then.

Occasional Contributor II

Re: Best way to force guests to use a proxy?

(P7FUJI01) #show rights guest

Derived Role = 'guest'
Up BW contract = 1Mbps (1000000 bits/sec) Down BW contract = 1Mbps (1000000 bits/sec)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 3/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 guest-blacklist
2 cplogout
3 guest-web
4 vpnlogon

guest-blacklist
---------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any any permit Low
cplogout
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user controller svc-https dst-nat 8081 Low
guest-web
---------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any 192.168.0.0 255.255.0.0 any deny Yes Low
2 any 172.16.0.0 255.240.0.0 any deny Yes Low
3 any 10.0.0.0 255.0.0.0 any deny Yes Low
4 user any svc-http dst-nat ip 163.8.85.68 8080 Low
5 user any svc-https permit Low
6 user any svc-dhcp permit Low
7 user any svc-icmp permit Low
8 user any svc-dns permit Low
9 any any any deny Yes Low
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user any svc-ike permit Low
2 user any svc-esp permit Low
3 any any svc-l2tp permit Low
4 any any svc-pptp permit Low
5 any any svc-gre permit Low

Expired Policies (due to time constraints) = 0

(P7FUJI01) #
Guru Elite

any any permit low

The first policy is guest-blacklist, which is what all packets hit (any any permit low). Since the rules are evaluated from top to bottom, they never make it past this rule. Remove guest-blacklist from that ruleset.

Occasional Contributor II

Re: Best way to force guests to use a proxy?

I've just done a test telnet to the proxy IP/port from the wireless client and I can see it works; however, it doesn't appear as if the controller is doing the NAT as it should... I can't see how I can find hits based on the guest-web policy.

thanks
kris
Occasional Contributor II

Re: Best way to force guests to use a proxy?

*slaps forehead* of course!! OK, fixed that. We still can't get through; on the firewall we can see the packet but no web access :( I'll check our proxy.
Guru Elite

Guest Web

Remove all the ACLs besides the guest-web ACL from the user role, because all of the others just get in the way. You can add security back in, when functionality works. I repeat, remove guest-blacklist, cplogout and vpnlogon from that guest role.

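The ordering problem Colin points out (the catch-all guest-blacklist at position 1 shadowing every rule in guest-web, and his later advice to leave only guest-web in the role until it works) can be checked with a small first-match model of how a user role's session ACLs are walked. This is an added example in Python, not ArubaOS code and not from anyone in the thread; the rules are transcribed from the 'show rights guest' output above (cplogout and vpnlogon omitted for brevity), the client and destination addresses are constructed from the 203.0.113.0/24 documentation range, and the implicit final deny is an assumption of the model rather than something the thread states.

```python
"""First-match model of an ArubaOS user role's ordered session ACLs.

Added example: it models rule evaluation only, it is not controller code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed client address (documentation range), not from the thread.
CLIENT_IP = "203.0.113.50"


@dataclass(frozen=True)
class Rule:
    src: str                 # "user" (the client itself) or "any"
    dst: str                 # "any" or a CIDR such as "10.0.0.0/8"
    service: str             # "any" or a service name such as "svc-http"
    action: str              # "permit", "deny" or "dst-nat"
    nat_to: Optional[Tuple[str, int]] = None   # (ip, port) for dst-nat


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    service: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.src == "user" and pkt.src_ip != CLIENT_IP:
        return False
    if rule.dst != "any" and ip_address(pkt.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.service not in ("any", pkt.service):
        return False
    return True


Role = List[Tuple[str, List[Rule]]]   # ACLs in position order, each with its rules


def evaluate(role: Role, pkt: Packet) -> Tuple[str, str, Optional[Tuple[str, int]]]:
    """Walk ACLs by position and rules top to bottom; the first match decides.

    Returns (acl_name, action, nat_target). The trailing implicit deny is an
    assumption of this model.
    """
    for acl_name, rules in role:
        for rule in rules:
            if rule_matches(rule, pkt):
                return acl_name, rule.action, rule.nat_to
    return "implicit", "deny", None


def unreachable_rules(role: Role) -> int:
    """Count rules that sit below the first catch-all (any/any/any) rule.

    Anything below such a rule can never be hit, which is exactly what a
    'show acl hits' counter of 0 on those rules would show.
    """
    seen_catch_all = False
    count = 0
    for _, rules in role:
        for rule in rules:
            if seen_catch_all:
                count += 1
            elif (rule.src, rule.dst, rule.service) == ("any", "any", "any"):
                seen_catch_all = True
    return count


# Transcribed from the 'show rights guest' output in the thread.
GUEST_BLACKLIST = [Rule("any", "any", "any", "permit")]
GUEST_WEB = [
    Rule("any", "192.168.0.0/16", "any", "deny"),
    Rule("any", "172.16.0.0/12", "any", "deny"),
    Rule("any", "10.0.0.0/8", "any", "deny"),
    Rule("user", "any", "svc-http", "dst-nat", ("163.8.85.68", 8080)),
    Rule("user", "any", "svc-https", "permit"),
    Rule("user", "any", "svc-dhcp", "permit"),
    Rule("user", "any", "svc-icmp", "permit"),
    Rule("user", "any", "svc-dns", "permit"),
    Rule("any", "any", "any", "deny"),
]

# The role as posted (guest-blacklist at position 1) and after Colin's fix.
ORIGINAL_ROLE: Role = [("guest-blacklist", GUEST_BLACKLIST), ("guest-web", GUEST_WEB)]
FIXED_ROLE: Role = [("guest-web", GUEST_WEB)]

if __name__ == "__main__":
    web = Packet(CLIENT_IP, "203.0.113.10", "svc-http")
    print("original role :", evaluate(ORIGINAL_ROLE, web))   # permit, never NATed
    print("fixed role    :", evaluate(FIXED_ROLE, web))      # dst-nat to the proxy
    print("unreachable rules in original role:", unreachable_rules(ORIGINAL_ROLE))
```

With guest-blacklist in front, an HTTP packet is permitted by that ACL and the proxy dst-nat rule is never consulted; with only guest-web in the role the same packet is redirected to 163.8.85.68:8080, HTTP towards a private range is still denied by the earlier deny rules, and any service the role does not list falls to guest-web's own final deny. The `unreachable_rules` check is the quick way to spot this shape of misconfiguration before looking at hit counters.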
Occasional Contributor II

Re: Best way to force guests to use a proxy?

Thanks Colin, we've got it working now :) you're a star, thanks!