Wireless Access

Community,

 

I am trying to implement the captive portal/splash page on one of my SSIDs but am having a heck of time figuring out how to do it. I have an SSID (Virtual AP) called CDT-Green. The SSID is currently using WPA2 PSK with AES for its authentication. I would like users of this network to be redirected to the Captive Portal once they authenticate using the password. However, I am having trouble finding where to apply the captive portal profile to this SSID. I looked everywhere and cant find where to apply it. Could someone please give me a guide on how to apply captive portal profiles to an SSID? Any requirements I need to be aware of etc?

 

Thanks so much!

Hey, take a look at the below. You'll need to make sure that the Captive Portal is referenced in your initial role (logon) so that the re-direct occurs. Don't forget the client will also need a working DNS server as well fo the Captive Portal to be displayed!

 

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Captive_Portal.php

 

Or if you are using a later version :)

 

www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Content/ArubaFrameStyles/Captive_Portal/Captive_Portal.htm

Zalion,

 

Thank you for the links, those are helpfule. Two questions:

 

1) Does the SSID have to be set for no other forms of authentication for the redirect to work? Currently the SSID is set to use WPA2 PSK. I applied the default captive portal profile to the User Role but its not redirecting.

 

2) Do I need to have a valid server certificate applied on the WLC in order to use captive portal? 

 

Thanks.

Hey, 

 

1) You can use any kind of encryption with this whether it is Open/PSK etc. This merely encrypts the traffic between the client and the AP. What do your User Role look like (#show rights XXXX) ? Is it referenced in the AAA profile as the Initial Role?

 

2) Preferably you would need a valid server certificate. All Aruba controllers shipped with a certificate which was recently revoked by the CA. As a result of this the cert is not trusted by devices. For testing purposes you can also configure the Captive Portal to use HTTP (the credentials are not encrypted) just to confirm your configuration is correct.

Zalion,

 

Here is the output of some show commands that might help:

 

(wlan01.cedardoc.com) #show rights

RoleTable
---------
Name ACL Bandwidth ACL List Type
---- --- --------- -------- ----
CDTGreen_Role 84 Up: No Limit,Dn: No Limit global-sacl/,apprf-CDTGreen_Role-sacl/,CDTGreen_Policy/ User

 

(wlan01.cedardoc.com) # show ip access-list br

Access list table (4 - IPv4, 6 - IPv6)
--------------------------------------
Name Type Use Count Roles
---- ---- --------- -----
CDTGreen_Policy session(4) 1 CDTGreen_Role

 

ip access-list session CDTGreen_Policy
CDTGreen_Policy
---------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-dhcp permit Low 4
2 any any tcp 443 permit Low 4
3 any any tcp 80 permit Low 4
4 any any udp 53 permit Low 4

 

wlan virtual-ap "CDTGreen"
aaa-profile "CDTGreen_AAA"
ssid-profile "CDTGreen_SSID"
no vap-enable
vlan 1109
deny-inter-user-traffic

 

aaa profile "CDTGreen_AAA"
initial-role "CDTGreen_Role"
authentication-dot1x "dot1x_prof-ckz60"

 

user-role CDTGreen_Role
captive-portal "default"
access-list session global-sacl
access-list session apprf-CDTGreen_Role-sacl
access-list session CDTGreen_Policy

 

Your initial role (CDTGreen_Role) is missing the parts to re-direct to the Captive Portal. Chang your initial role to be "logon" and this will re-direct to Captive Portal (don't forget to assign your Captive Portal to the logon role).

 

 

Do you mean I need to change the "initial role" in the CDTGreen_AAA profile to be "logon"? or somehwere else? The only place I see to specify the captive portal profile is in the CDTGreen_Role role, and that is being referenced by the CDTGreen_AAA profile. Im very confused, sorry. Just too many profiles to keep track of in this WLC.

 

Thanks.

Hey, exactly that! Change initial-role in the AAA profile to be logon. Don’t forget to change the captive portal under the logon role like you did before

Sent from my iPhone

Zalion,

 

One more question. How do I tell the captive portal not to use the certificate (for testing purposes)? Thanks.

Zalion,

 

I think I see what youre saying now. The "captiveportal" policy was not added to the CDTGreen_Role user role so it wasnt redirecting. However, the "logon" user role does have the "captiveportal" policy. I went ahead and changed my inital role to "logon" and added the "default" captive portal profile to the "logon" role. But now im faced with a different issue. When I go to say www.yahoo.com, I believe the traffic is being redirected but the web page coming up is not the default "Aruba" captive portal web page. Chrome just kicks back saying my connection isnt private and I can see my controller certificate is being used. I cant get to any websites on the internet, im not sure where the redirect is getting stuck. Could it be a DNS issue where 8.8.8.8 cant resolve the controller IP?

 

Thanks.

Nevermind, it is redirecting as expected. Thanks for the help Zalion! 

That's great! Glad its all sorted now! 

Hey, to change to use HTTP, do the following:

 

(host)(config) #aaa authentication captive-portal XXXX
protocol-http

Zalion,

 

Thanks so much for your help. I think i can take it from here! 

Does your initial-role permit DNS permit DNS traffic? Is your client assigned a DNS server and are they able to resolve URL's to IP addresses?