Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

[Captive Portal]: Allow Access to resource without authentication

  • 1.  [Captive Portal]: Allow Access to resource without authentication

    Posted Sep 13, 2013 07:45 AM

    Hi all,

     

    I'm looking to allow my BYOD users to access a single IIS instance without authentication against the Captive Portal.

    The reason for this would be to allow BYOD users to log into our VDI infrastructure without having to authenticate twice.

     

    The way I have the Welcome GUI on the captive portal - it basically splits our BYOD users into two possible routes...

    Route 1 - Internet access only -> Captive Portal Login  -> "authenticate against CP" -> Internet delivered.

    Route 2 - Virtual Desktop -> Captive Portal Login -> authenticate against CP -> authenticate against VDI -> VDI delivered.

     

    I'd like to simplify route 2, by allowing access to an internal IIS server without CP authentication.

    I've been playing around with the stateful firewall but I just can't seem to crack it.

     

    There must be a way for me to specify a port / host rule to allow this through - I just can't seem to find it :(

     

    Any guidance would be greatly received.



  • 2.  RE: [Captive Portal]: Allow Access to resource without authentication
    Best Answer

    Posted Sep 13, 2013 08:06 AM

    If I understand you correctly, you want to allow access to the VDI infrastructure while someone is in the "logon" role. This should be possible. The question becomes do you want to allow this through a link on the captive portal page (just no auth)? In order for the user to get there you'll need to allow access as you suggest through the firewall rules.

     

    In the logon role, add a new policy that is going to allow all the appropriate ports and destinations as permit. You'll need to determine what the hosts are and all the appropriate ports. These will need to go above the captiveportal ACL so it does not intercept any http/https requests.

     

    For example:

    netdestination "vdi-hosts"
      host x.x.x.x
      host x.x.x.x

    ip access-list session "allow-vdi-access"
      user alias vdi-hosts svc-http permit
      user alias vdi-hosts svc-https permit
      user alias vdi-hosts <other services> permit

    user-role <your logon role>
      access-list session "logon-control"
      access-list session "allow-vdi-access"
      access-list session "captiveportal"
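
The ordering requirement in the reply above, as an added example that is not part of the original post: a Python check over ArubaOS-style config text that confirms the exemption ACL sits above "captiveportal" in the pre-authentication role and that its permits name specific destinations and services. The role name "byod-logon", the host address and the helper names are assumptions, and rule parsing assumes a single-token source such as "user".

```python
import re

# Constructed sample (not from the thread): ACL names follow the reply above;
# the role name and the documentation-range host address are assumptions.
SAMPLE = """\
netdestination vdi-hosts
  host 192.0.2.10
!
ip access-list session allow-vdi-access
  user alias vdi-hosts svc-http permit
  user alias vdi-hosts svc-https permit
!
user-role byod-logon
  access-list session logon-control
  access-list session allow-vdi-access
  access-list session captiveportal
!
"""

def parse(config):
    """Return ({acl: [rules]}, {role: [acl names in order]})."""
    acls, roles, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip().replace('"', "")
        if m := re.match(r"ip access-list session (\S+)$", line):
            section = acls.setdefault(m.group(1), [])
        elif m := re.match(r"user-role (\S+)$", line):
            section = roles.setdefault(m.group(1), [])
        elif line == "!" or line.startswith("netdestination "):
            section = None
        elif section is not None and line:
            # Inside a role keep only the ACL name; inside an ACL keep the rule.
            section.append(re.sub(r"^access-list session ", "", line))
    return acls, roles

def lint_role(config, role, exempt_acl, cp_acl="captiveportal"):
    """List problems with a pre-authentication exemption ACL on a role."""
    acls, roles = parse(config)
    order, findings = roles.get(role, []), []
    if exempt_acl not in order or cp_acl not in order:
        return [f"{role}: expected both {exempt_acl} and {cp_acl}"]
    if order.index(exempt_acl) > order.index(cp_acl):
        findings.append(f"{exempt_acl} is below {cp_acl}, so {cp_acl} matches web traffic first")
    for rule in acls.get(exempt_acl, []):
        fields = rule.split()  # assumed shape: <source> <destination> <service> <action>
        if fields[-1] == "permit" and "any" in fields[1:-1]:
            findings.append(f"unauthenticated permit too broad: {rule}")
    return findings
```

Calling lint_role(SAMPLE, "byod-logon", "allow-vdi-access") returns an empty list for the layout shown in the reply.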

     



  • 3.  RE: [Captive Portal]: Allow Access to resource without authentication

    Posted Sep 23, 2013 06:03 AM

    Hi Clembo,

     

    Thanks for your speedy reply, (if only mine were so quick)

    Would it be possible to give me a step by step of what you posted please?

     

    Many thanks,

     



  • 4.  RE: [Captive Portal]: Allow Access to resource without authentication

    Posted Sep 23, 2013 08:34 AM

    Scratch that, I've figured it out.

     

    Many thanks for your help, really appreciated.