Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Cannot access internet when not authenticated by portal

  • 1.  Cannot access internet when not authenticated by portal

    Posted Sep 13, 2013 12:24 AM

    Hi all,

    I am using a 650 controller with version 6.1.2.4.

    I have two SSIDs:

    - SSID "Guest", authenticated by captive portal. It works well.

    - SSID "Employee", authenticated by 802.11.

    If a client connects to SSID "Guest", it can access the internet fine.

    If a client connects to SSID "Employee", the client can only ping addresses and cannot access any website or service.

    I have attached the config file.

    !
    ap-group "PCST"
       virtual-ap "PCST_Employee"
       virtual-ap "PCST_Guest"
    !
    wlan virtual-ap "PCST_Employee"
       aaa-profile "employee-aaa"
       ssid-profile "ssid-employee"
       vlan 1
    !
    aaa profile "employee-aaa"
       dot1x-default-role "employee"
    !
    user-role employee
       access-list session allowall
       access-list session v6-allowall
    !
    user-role logon
       access-list session logon-control
       access-list session vpnlogon
       access-list session v6-logon-control
    !
    wlan ssid-profile "ssid-employee"
       essid "PCST_Employee"
       wpa-passphrase ff71bd82d86b29ad5064cfd6632f6e2ea7feee63d72ea7bc
    !

    Please help me. Thanks very much.

    Attachment(s)

    aruba 650 config.txt   18 KB, 1 version


  • 2.  RE: Cannot access internet when not authenticated by portal

    EMPLOYEE
    Posted Sep 13, 2013 01:00 AM

    When you do not authenticate, what role is the user in?  You can type "show rights <role>" to see what ACLs are applied.



  • 3.  RE: Cannot access internet when not authenticated by portal

    Posted Sep 13, 2013 03:13 AM

    Hi cjoseph,

    When not authenticated, I permit all services, as below.

    Please help me.

    (Aruba650) #show rights employee

    Derived Role = 'employee'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 45/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 allowall
    2 v6-allowall

    allowall
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 4
    v6-allowall
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 6

    Expired Policies (due to time constraints) = 0

    (Aruba650) #show rights logon

    Derived Role = 'logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 1/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 logon-control
    2 vpnlogon
    3 v6-logon-control

    logon-control
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    vpnlogon
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any svc-ike permit Low 4
    2 user any svc-esp permit Low 4
    3 any any svc-l2tp permit Low 4
    4 any any svc-pptp permit Low 4
    5 any any svc-gre permit Low 4
    v6-logon-control
    ----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 6
    2 any any svc-v6-icmp permit Low 6
    3 any any svc-v6-dhcp permit Low 6
    4 any any svc-dns permit Low 6

    Expired Policies (due to time constraints) = 0

    (Aruba650) #


    Thanks very much



  • 4.  RE: Cannot access internet when not authenticated by portal

    EMPLOYEE
    Posted Sep 13, 2013 03:15 AM

    Type "show datapath session table <ip address of client>" to see if anything is being blocked.



  • 5.  RE: Cannot access internet when not authenticated by portal

    Posted Sep 13, 2013 04:24 AM

    Hi cjoseph,

    Please check and help me. Thanks very much.

    It can only ping the destination address (for example, IP 8.8.8.8).

    (Aruba650) #show datapath session table 192.168.1.31

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal

    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
    -------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
    192.168.1.31 198.145.13.22 6 61130 80 0/0 0 0 0 tunnel 13 2 FDYC
    192.168.1.31 198.145.13.22 6 61131 80 0/0 0 0 0 tunnel 13 1 FDYC
    192.168.1.31 224.0.0.252 17 60751 5355 0/0 0 0 0 tunnel 13 3 FDC
    123.30.215.12 192.168.1.31 6 80 61018 0/0 0 0 0 1/3 5 FDC
    192.168.1.31 8.8.8.8 17 54073 53 0/0 0 0 0 tunnel 13 4 FCI
    192.168.1.31 74.125.142.125 6 61126 5222 0/0 0 0 0 tunnel 13 4 FDYC
    192.168.1.31 74.125.142.125 6 61127 5222 0/0 0 0 0 tunnel 13 3 FDYC
    192.168.1.31 123.30.215.12 6 61120 80 0/0 0 0 0 tunnel 13 8 FDYC
    192.168.1.31 113.171.253.231 6 61124 443 0/0 0 0 0 tunnel 13 4 FDYC
    192.168.1.31 113.171.253.231 6 61125 443 0/0 0 0 0 tunnel 13 4 FDYC
    192.168.1.31 8.8.8.8 17 59967 53 0/0 0 0 0 tunnel 13 4 FCI
    192.168.1.31 8.8.8.8 17 59708 53 0/0 0 0 1 tunnel 13 f FCI
    192.168.1.31 8.8.8.8 17 62387 53 0/0 0 0 0 tunnel 13 2 FCI
    8.8.8.8 192.168.1.31 17 53 54073 0/0 0 0 0 tunnel 13 4 FI
    192.168.1.31 222.255.27.169 6 61121 80 0/0 0 0 0 tunnel 13 5 FDYC



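To read the output of replies 3 and 5 together, here is an added example (not code from the thread or from HPE Aruba Networking) that decodes the Flags column of "show datapath session table" and replays the client's outbound flows through the logon-control policy with first-match semantics and an implicit deny, so the ACL verdict can be compared with the D flag the datapath actually set. The SAMPLE_SESSIONS rows are constructed from the table above, the rule list is taken from the logon-control output in reply 3, and the SERVICES protocol/port mapping for the built-in service aliases is an assumption.

```python
"""Decode 'show datapath session table' flags and check them against a
role's session ACLs (first match wins, unmatched traffic is denied).

Added example, not code from the original thread or from HPE Aruba
Networking. SAMPLE_SESSIONS is constructed from the rows posted in reply 5,
LOGON_CONTROL from the logon-control policy in reply 3; the SERVICES
protocol/port mapping for the built-in service aliases is an assumption.
"""
from dataclasses import dataclass

# Flag legend printed by the controller above the table (from the thread).
FLAG_LEGEND = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis", "I": "Deep inspect",
    "U": "Locally destined", "E": "Media Deep Inspect", "G": "media signal",
}

# Constructed sample: a subset of the table in reply 5 (client 192.168.1.31).
SAMPLE_SESSIONS = """\
192.168.1.31 198.145.13.22 6 61130 80 0/0 0 0 0 tunnel 13 2 FDYC
192.168.1.31 224.0.0.252 17 60751 5355 0/0 0 0 0 tunnel 13 3 FDC
123.30.215.12 192.168.1.31 6 80 61018 0/0 0 0 0 1/3 5 FDC
192.168.1.31 8.8.8.8 17 54073 53 0/0 0 0 0 tunnel 13 4 FCI
192.168.1.31 113.171.253.231 6 61124 443 0/0 0 0 0 tunnel 13 4 FDYC
8.8.8.8 192.168.1.31 17 53 54073 0/0 0 0 0 tunnel 13 4 FI
"""

# Assumed (protocol, destination port) for the aliases used by logon-control.
# A port of None means any port (ICMP has none).
SERVICES = {
    "udp 68": (17, 68), "svc-icmp": (1, None), "svc-dns": (17, 53),
    "svc-dhcp": (17, 67), "svc-natt": (17, 4500),
}

# logon-control from reply 3, in priority order: (source, destination, service, action).
LOGON_CONTROL = [
    ("user", "any", "udp 68", "deny"),
    ("any", "any", "svc-icmp", "permit"),
    ("any", "any", "svc-dns", "permit"),
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-natt", "permit"),
]


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

    @property
    def denied(self):
        return "D" in self.flags

    def describe(self):
        return ", ".join(FLAG_LEGEND.get(f, f"unknown({f})") for f in self.flags)


def parse_sessions(text):
    """The Destination column is one token ("1/3") or two ("tunnel 13"), so the
    fixed fields are read from the left and Flags from the right."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 12 or not t[2].isdigit():
            continue  # skip header, legend and blank lines
        rows.append(Session(t[0], t[1], int(t[2]), int(t[3]), int(t[4]), t[-1]))
    return rows


def evaluate(session, rules, client_ip):
    """First-match evaluation of a session ACL for one client's flow."""
    for src, dst, svc, action in rules:
        if src == "user" and session.src != client_ip:
            continue
        if dst != "any":
            continue  # this policy only uses 'any' destinations
        proto, port = SERVICES[svc]
        if session.proto == proto and (port is None or session.dport == port):
            return action
    return "deny"  # implicit deny when no rule matched


def explain(text, rules, client_ip):
    """For each outbound flow of client_ip: (proto/dport, ACL verdict,
    datapath D flag set?, decoded flags)."""
    report = []
    for s in parse_sessions(text):
        if s.src != client_ip:
            continue  # inbound rows are the return half of a client flow
        report.append((f"{s.proto}/{s.dport}", evaluate(s, rules, client_ip),
                       s.denied, s.describe()))
    return report


if __name__ == "__main__":
    for row in explain(SAMPLE_SESSIONS, LOGON_CONTROL, "192.168.1.31"):
        print(row)
```

Run stand-alone it prints one tuple per outbound flow: TCP/80 and TCP/443 come back "deny" with the D flag set, UDP/53 comes back "permit" with no D flag, which is why DNS and ping work while the browser does not. A verdict that disagrees with the D flag would mean the role the user actually landed in is not the one whose ACLs you are reading, which is exactly what "show user" followed by "show rights <role>" is meant to settle.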

  • 6.  RE: Cannot access internet when not authenticated by portal

    EMPLOYEE
    Posted Sep 13, 2013 07:30 AM

    Those pings are being denied by a firewall policy. You need to find out what firewall policy is being applied in that role.

    Type "show user" to find the role of the user, then type "show rights <role>" to find out what firewall policies are being enforced in that role.



  • 7.  RE: Cannot access internet when not authenticated by portal

    Posted Sep 15, 2013 11:47 PM

    Hi cjoseph,

    The firewall policy allows all traffic, so it works well for the "employee" SSID.

    I must configure the aaa profile "employee-aaa" as below, then it works:

    (PCST) #show aaa profile employee-aaa

    AAA Profile "employee-aaa"
    --------------------------
    Parameter Value
    --------- -----
    Initial role employee
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group N/A
    802.1X Authentication Profile dot1x-employee
    802.1X Authentication Default Role employee
    802.1X Authentication Server Group N/A
    L2 Authentication Fail Through Disabled
    RADIUS Accounting Server Group N/A
    RADIUS Interim Accounting Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    SIP authentication role N/A
    Device Type Classification Enabled
    Enforce DHCP Disabled

    (PCST) #


    If I change the Initial role from "employee" to "logon", then the client can only ping IP addresses and cannot open a browser.


    (PCST) #show user

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
    192.168.1.41 b4:b6:76:1a:78:4f employee 00:00:03 00:1a:1e:c7:d1:96 Wireless PCST_Employee/00:1a:1e:fd:19:68/a employee-aaa tunnel Windows
    192.168.1.31 00:16:ea:5e:1c:90 employee 00:00:09 00:1a:1e:c7:ce:34 Wireless PCST_Employee/00:1a:1e:fc:e3:48/a employee-aaa tunnel Windows

    User Entries: 2/2

    (PCST) #show rights employee

    Derived Role = 'employee'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 46/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 allowall
    2 v6-allowall

    allowall
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 4
    v6-allowall
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 6

    Expired Policies (due to time constraints) = 0

    (PCST) # show rights logon

    Derived Role = 'logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 1/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 logon-control
    2 vpnlogon
    3 v6-logon-control
    4 captiveportal6

    logon-control
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    vpnlogon
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any svc-ike permit Low 4
    2 user any svc-esp permit Low 4
    3 any any svc-l2tp permit Low 4
    4 any any svc-pptp permit Low 4
    5 any any svc-gre permit Low 4
    v6-logon-control
    ----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 6
    2 any any svc-v6-icmp permit Low 6
    3 any any svc-v6-dhcp permit Low 6
    4 any any svc-dns permit Low 6
    captiveportal6
    --------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user controller6 svc-https captive Low 6
    2 user any svc-http captive Low 6
    3 user any svc-https captive Low 6
    4 user any svc-http-proxy1 captive Low 6
    5 user any svc-http-proxy2 captive Low 6
    6 user any svc-http-proxy3 captive Low 6

    Expired Policies (due to time constraints) = 0

    (PCST) #


    Thanks very much