Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive portal vs VPN

  • 1.  Captive portal vs VPN

    Posted Mar 03, 2011 03:34 PM
    Hi,

    I have a guest access using Captive portal.

    Everything seems to work, web, pop, imap, etc... but there is one problem, I can't get users to connect to their VPN (in that case "Contivity VPN client" from Nortel).

    I'm 99 % sure the problem is the Captive portal because if I use another method of authentication (like wpa) then everything works.

    Are there any ports that are blocked with captive portal ?

    Or do you have another idea ?

    thanks
    sorry for my english


  • 2.  RE: Captive portal vs VPN

    Posted Mar 03, 2011 08:15 PM
    Which role is the Captive Portal user in ? Is it Guest ? If yes, then
    that explains what you are seeing. The default Guest role does not
    allow VPN. Every installation I do, I add VPN to the guest role ;)

    If it's not guest, which role ?


  • 3.  RE: Captive portal vs VPN

    Posted Mar 03, 2011 08:51 PM

    Which role is the Captive Portal user in ? Is it Guest ? If yes, then
    that explains what you are seeing. The default Guest role does not
    allow VPN. Every installation I do, I add VPN to the guest role ;)

    If it's not guest, which role ?




    yes it's guest

    I'm sorry, I'm really new at aruba products...

    what is the easiest way to add vpn to this role ??

    aruba controller 500

    thanks


  • 4.  RE: Captive portal vs VPN

    Posted Mar 03, 2011 10:36 PM
    No worries. Here is the configuration I typically leverage when I am
    doing installations and also provide to folks I work with in my area to
    make their installs go efficiently.

    Step #1 - The policy, apply from the command line of the controller,
    under the config t mode

    !
    ip access-list session VPN-Clients
    user any svc-l2tp permit
    user any svc-esp permit
    user any svc-ike permit
    user any tcp 17 permit
    user any udp 51 permit
    user any udp 4500 permit
    user any tcp 10000 10001 permit
    user any udp 10000 10001 permit
    user any svc-pptp permit
    user any svc-gre permit
    !

    Step #2 -- Associate the new policy with the guest account as follows
    (also from command line)

    !
    user-role guest
    access-list session VPN-Clients
    !

    Step #3 -- Your users, in the guest role, should now have full VPN
    capabilities, regardless of the device or client they are using
    (Nortel(R.I.P.) included) :)

    JF


  • 6.  RE: Captive portal vs VPN

    Posted Mar 07, 2011 10:13 AM
    Thank you very much

    that just did the trick !

    thanks again !


  • 7.  RE: Captive portal vs VPN

    Posted Mar 07, 2011 10:32 AM
    Glad it worked out!

    You have happy guests now :)


  • 8.  RE: Captive portal vs VPN

    Posted Mar 07, 2011 02:14 PM

    Glad it worked out!

    You have happy guests now :)




    yes they are !

    As you seem to know the product well, instead of using internal database for the Captive portal users/passwords, I suppose it's possible to use a radius server ?

    question 2 : do you know if there is a way to automatically open browser on the captive portal when a user connects to the network ?

    edit : ok I found the place in the web interface for the first question.


  • 9.  RE: Captive portal vs VPN

    EMPLOYEE
    Posted Jun 07, 2011 09:19 AM
    Hi,

    It is the user that opens the browser which then redirects to the Captive Portal page.

    You can configure it to direct to a specific page after they have entered their credentials by adding it to the Captive portal config:

    aaa authentication captive-portal "Guest"
    welcome-page http://someaddress.com


    Hope this helps


  • 10.  RE: Captive portal vs VPN

    EMPLOYEE
    Posted Jun 07, 2011 11:13 AM

    Hi,

    It is the user that opens the browser which then redirects to the Captive Portal page.




    For typical desktop operating systems that is correct. Many of the smart phone operating systems will attempt to ping via http an Internet connected resource upon successful network association in order to see if they have Internet connectivity. Apple iOS for instance will try to ping apple.com, and if necessary will auto-launch a browser to complete the captive portal authentication.

    Still, the action is initiated by the client (user or device), not by the wireless infrastructure.


  • 11.  RE: Captive portal vs VPN

    Posted Nov 17, 2011 04:09 PM

    JF - I was just checking your ACL and these two entries:

    user any tcp 17 permit
    user any udp 51 permit

    What are these?  I think with UDP 51 you were going for AH, which is IP protocol 51.  Not sure what you were going for with tcp 17 though.

    For AH, you want:

    user any 51 permit


  • 12.  RE: Captive portal vs VPN

    Posted Nov 19, 2011 10:28 PM

    Hi Mike,

    Thanks for the note.  Good eyes :)

    My policy (as-is) is working at many a site... but adapting it on the 51 will work as well (your config is a superset of my own for that port).  Thanks for the feedback.

    As for TCP port 17... that is a fun one! It's for Nortel Contivity VPN client (blast from the past...but still alive in the wild). It brings up a pop-up message called message of the day / quote of the day. If the port is blocked the client will refuse to complete the VPN transaction.

    JF
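
An added example, not part of any post in this thread: a small Python check that expands the session ACL rules from post 4 into IP protocol and port matches, showing that `user any udp 51 permit` matches UDP port 51 rather than AH, while `user any 51 permit` from post 11 matches AH. The `svc-*` mappings are assumed to be the ArubaOS default netservice definitions (a controller can redefine them), and the function names are illustrative.

```python
import re

# Assumed ArubaOS default netservice aliases: (IP protocol, port_lo, port_hi).
SVC = {"svc-l2tp": (17, 1701, 1701), "svc-ike": (17, 500, 500),
       "svc-pptp": (6, 1723, 1723), "svc-esp": (50, None, None),
       "svc-gre": (47, None, None)}
L4 = {"tcp": 6, "udp": 17}
PROTO_NAMES = {47: "GRE", 50: "ESP", 51: "AH"}  # easy to mistype as a port

def expand(acl_text):
    """Return (ip_proto, port_lo, port_hi, source_line) per permit rule."""
    rules = []
    for line in acl_text.splitlines():
        m = re.fullmatch(r"\s*user any (.+) permit\s*", line)
        if not m:
            continue  # skip "!", "ip access-list ..." and blank lines
        tok = m.group(1).split()
        if tok[0] in SVC:
            match = SVC[tok[0]]
        elif tok[0] in L4:
            lo = int(tok[1])
            match = (L4[tok[0]], lo, int(tok[2]) if len(tok) > 2 else lo)
        else:
            match = (int(tok[0]), None, None)  # bare IP protocol number
        rules.append(match + (line.strip(),))
    return rules

def permits(rules, ip_proto, port=None):
    """True if a rule matches the IP protocol (and port, for TCP/UDP rules)."""
    return any(p == ip_proto and (lo is None or
               (port is not None and lo <= port <= hi))
               for p, lo, hi, _ in rules)

def suspects(rules):
    """TCP/UDP rules whose single port equals a VPN IP protocol number."""
    return [(src, PROTO_NAMES[lo]) for p, lo, hi, src in rules
            if p in (6, 17) and lo == hi and lo in PROTO_NAMES]

# The rules from post 4 of the thread, then the same set with post 11's change.
POSTED = "\n".join(f"user any {s} permit" for s in (
    "svc-l2tp", "svc-esp", "svc-ike", "tcp 17", "udp 51", "udp 4500",
    "tcp 10000 10001", "udp 10000 10001", "svc-pptp", "svc-gre"))
FIXED = POSTED.replace("udp 51", "51")

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("fixed", FIXED)):
        r = expand(acl)
        print(name, "AH permitted:", permits(r, 51), "suspects:", suspects(r))
```

The same check can be pointed at any guest-role policy before it is applied, to confirm that each permit line opens the protocol it was meant to and nothing else.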