Wireless Access

Hi all,

I have a problem with Captive portal on Aruba7210), Version 6.5.1.

I've configured a Guest SSID on controller intergate with Clearpass guest. When I access the SSID there is no Popup for the captive portal even though i can revice ip, dhcp, dns and able to access to login page via web browser.

 

Any one can help me fix this issue ?

Many thanks for help

Maybe try setting the initial role in your AAA profile to Guest_Logon?

 

Hi JR,

i've tried it before, but it still not work. I think that "initial role" will be used if client fail authentication, but my client has their ip, dns from dhcp server. So i don't think i have problem with that role ;(

Ok, so you're trying to do 802.1X authentication and then captive portal authentication?

That's not a recommended setup. Why do you want to authenticate your users twice?

Hi James,

My target is captive portal authentication using user on Clearpass (I've already created an "Open"SSID) . I think that my controller need to point to Clearpass via one of method to perform captive portal, so i'm trying to do with both 802.1x and Mac auth .

Am i right or wrong ? If i wrong, could you please explain to me clearly and let me know an example about what i need?

Many thanks for help.

---

wrote:
Ok, so you're trying to do 802.1X authentication and then captive portal authentication?

That's not a recommended setup. Why do you want to authenticate your users twice?

---

 

You need a number of things:

1.  Your client needs to be able to resolve DNS

2.  Your guest VLAN on the controller needs an ip address

3.  you need a command "ip cp-redirect-address <ip of vlan on guest network>" on the controller

4.  You need a AAA profile that has an initial role that has the Captive Portal ACL.

5.  The ACL in the role in step 4 needs a line that permits all traffic to the ip address of the ClearPass server

6.  The intial role in step 4 should have a Captive Portal Profile configured.

7.  The Captive Portal authentication profile in step 6 should have the URL of the ClearPass server login page in the "Login Page" parameter as "http://clearpass server login page URL" or "https://<clearpass server login page URL"

 

Here is how it should work:

 

1.  Client gets an ip address, dns server and dhcp server.  The client ends up in the "inital role" for the AAA profile that has the Captive Portal ACL.

2.  Client Opens browser, resolves DNS, and attempts to open a http or https page.

3.  The controller sees that the client is in a role that has the captive portal acl and looks to see what Captive Portal authentication profile is attached to that role.

4.  The Controller redirects the client's browser to the http or https URL in the "login page" parameter in the Captive Portal authentication profile.

 

I skipped some detail, but check everything to make sure it is in place.  The initial role is indeed used to put the user in a role that has the Captive Portal ACL to redirect the user's traffic to bring up the Captive Portal page.  In other authentication methods, the initial role is where the user ends up, after failure, but in Captive Portal it is used to deliver the Captive Portal ACL to the user.

Hi Colin,
Thanks for your response, could you please clarify more about these thing?
1. Your client needs to be able to resolve DNS (Does my client needs DNS as the Controller's ip address ?)
2. Your guest VLAN on the controller needs an ip address (That mean my controller need an ip address even though the gateway of Guest VLAN is placed on the Core Switch?)

 

I'm very appreciate for your help

1.  No.  The client can use any DNS server.

2.  Correct.  The VLAN of the guest network needs an ip address on the controller.

Hi Colin,

I've already configured as your comments above, but it still not work, please see them in attachments. Captive portal still not pop-up

1.  Your client needs to be able to resolve DNS.  Done: 

2.  Your guest VLAN on the controller needs an ip address . Done 

3.  you need a command "ip cp-redirect-address <ip of vlan on guest network>" on the controller . Done :My clearpass ip is 172.23.3.168

4.  You need a AAA profile that has an initial role that has the Captive Portal ACL. Done

5.The ACL in the role in step 4 needs a line that permits all traffic to the ip address of the ClearPass server . Done: i have a line that permits any traffic

6.The intial role in step 4 should have a Captive Portal Profile configured. Done

7.The Captive Portal authentication profile in step 6 should have the URL of the ClearPass server login page in the "Login Page" parameter as "http://clearpass server login page URL" or "https://<clearpass server login page URL" .Done

#3, the ip address needs  to be the ip address of the VLAN on the controller, NOT clearpass..

Hi Colin,

I've already change IP to Controller's ip but captive portal still not pop-up 

Is there any way to test Captive Portal on Controller's command ?

In your CaptivePortal-ACL, remove the line allowing all traffic.

user - any - any - allow

---

@jrwhiteheadwrote:
In your CaptivePortal-ACL, remove the line allowing all traffic.

user - any - any - allow

---

Hi James,

I've used this line to make sure that there is nothing is blocked :)

---

@petpkcuiwrote:

---

@jrwhiteheadwrote:
In your CaptivePortal-ACL, remove the line allowing all traffic.

user - any - any - allow

---

Hi James,

I've used this line to make sure that there is nothing is blocked :)

---

In your Guest_Logon role, there's a default firewall policy called captiveportal. This firewall policy is used for captive portal redirection.

 

As you have a firewall policy above this named CaptivePortal-ACL with a rule "user any any allow" nothing will hit the captive portal firewall policy mentioned above and therefore users will not get redirected.

 

Just try remove the "user any any allow" rule from that policy.

 

---

@jrwhiteheadwrote:
In your CaptivePortal-ACL, remove the line allowing all traffic.

user - any - any - allow

---

Hi James and Colin,

Many thanks for help :) 

I've already resolved this issue . As James mention above :) i need remove the line allowing all traffic to force client get captive portal authen :)

---

@petpkcui wrote:

Hi Colin,

I've already change IP to Controller's ip but captive portal still not pop-up 

Is there any way to test Captive Portal on Controller's command ?

---

No, there is not a way, to do that. 

 

 

Please consult the document here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10345

Thanks Colin :)

I've already referred this guide and your recomments to configured what had showed you. But i don't know how to troubleshoot it :) Maybe i need TAC case and hope it will  help :D

Yes, tac would be the best thing.