I need some help, please. Guest users have been reporting a "Web Authentication is Disabled" error after authenticating to the CP page. Although they get the error, they have successfully been put into the correct authenticated role, and if they ignore this message they can browse the net. I am not sure when this started, but it's a global issue.
Recent changes:
New SSL cert on all controllers for securelogins.fluor.com.
Captive portal ACL change: added two permit lines to the ACL for CPPM. Tried taking these out; had the same issue.
Changed AmigoPod to CPPM last night. I am not 100% sure, but I was told this issue predates that change.
I was told Aruba support did some tests with a test CP page and authentication role and everything worked. That leads me to believe I have a configuration error. BTW, this worked as-is for a year-plus on the same AOS.
Running AOS 6.1.3.7 on 70 controllers, all models. Same issue globally; able to reproduce.
aaa authentication captive-portal "amigopod"
   default-role "ShortTerm"   <<< one or two authenticated guest roles
   server-group "AmigoPods"
   login-page "https://guestaccess.fdnet.com/fluor_guestmanage_cert_login.php"

aaa server-group "AmigoPods"
   auth-server AmigoPod
   set role condition Filter-Id equals "ShortTerm" set-value ShortTerm   <<<< David added these years ago when we installed AmigoPod. I don't think they are needed now with CPPM, based on the new setup Steve did. Not sure.
   set role condition Filter-Id equals "LongTerm" set-value LongTerm   <<<< David added these years ago when we installed AmigoPod. I don't think they are needed now with CPPM, based on the new setup Steve did. Not sure.
!
ip access-list session captiveportal
   user alias mswitch svc-https dst-nat 8081
   user alias controller svc-https dst-nat 8081
   user alias CPPM svc-http permit   <<<< newer addition
   user alias CPPM svc-https permit   <<<< newer addition
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088

user-role Guest-Logon-AP   <<< unauthenticated initial role; no changes, worked for a year+
   captive-portal "amigopod"
   access-list session Guest-Logon-Policy
   access-list session Guest-Printing
   access-list session guest-pw-portal
   access-list session captiveportal

user-role LongTerm   <<< one or two authenticated guest roles
   access-list session Guest-Logon-Policy
   access-list session Guest-Printing
   access-list session guest-pw-portal
   access-list session cplogout
   access-list session deny_LLMNR_acl
   access-list session deny_mDNS_acl
   access-list session deny_SSDP_and_UPnP_acl
   access-list session deny_netbios_acl
   access-list session inside-exceptions
   access-list session Block-Inside-Networks-Policy
   access-list session Guest-Access-Policy

user-role ShortTerm   <<< one or two authenticated guest roles
   access-list session Guest-Logon-Policy
   access-list session Guest-Printing
   access-list session guest-pw-portal
   access-list session cplogout
   access-list session deny_LLMNR_acl
   access-list session deny_mDNS_acl
   access-list session deny_SSDP_and_UPnP_acl
   access-list session deny_netbios_acl
   access-list session inside-exceptions
   access-list session Block-Inside-Networks-Policy
   access-list session Guest-Access-Policy
(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #show user | include 08:70:45:ca:b5:ae
10.236.116.21 08:70:45:ca:b5:ae test@fc01.com LongTerm 00:01:24 Web FC01-TGUB12-AP01 Wireless IWL900/6c:f3:7f:3e:b6:00/g-HT AAA-Guest-Logon tunnel iPhone
(FLRFC01-Aruba01) #show rights LongTerm
Derived Role = 'LongTerm'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 89/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 Guest-Logon-Policy
2 Guest-Printing
3 guest-pw-portal
4 cplogout
5 deny_LLMNR_acl
6 deny_mDNS_acl
7 deny_SSDP_and_UPnP_acl
8 deny_netbios_acl
9 inside-exceptions
10 Block-Inside-Networks-Policy
11 Guest-Access-Policy
Guest-Logon-Policy
------------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         user                       any                        udp 68     deny          Low   4
2         user                       Fluor-Approved-Public-DNS  svc-dns    permit        Low   4
3         user                       mswitch                    svc-icmp   permit        Low   4
4         any                        guest-gateways             svc-dhcp   permit        Low   4
5         any                        255.255.255.255            svc-dhcp   permit        Low   4
6         any                        any                        svc-dhcp   deny          Low   4
Guest-Printing
--------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         guest-networks             guest-printers             any        permit        Low   4
2         guest-printers             guest-networks             any        permit        Low   4
guest-pw-portal
---------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         user                       amigopods                  svc-https  permit        Low   4
2         user                       amigopods                  svc-http   permit        Low   4
cplogout
--------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         user                       mswitch                    svc-https  dst-nat 8081  Low   4
2         user                       controller                 svc-https  dst-nat 8081  Low   4
deny_LLMNR_acl
--------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         any                        239.255.255.252            any        deny          Low   4
deny_mDNS_acl
-------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         any                        any                        udp 5353   deny          Low   4
deny_SSDP_and_UPnP_acl
----------------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         any                        239.255.255.250            any        deny          Low   4
2         any                        239.255.255.253            any        deny          Low   4
deny_netbios_acl
----------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         any                        any                        udp 137    deny          Low   4
2         any                        any                        udp 138    deny          Low   4
inside-exceptions
-----------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         user                       Fluor-Websense-Servers     tcp 15871  permit        Low   4
2         user                       mswitch                    svc-https  permit        Low   4
3         user                       10.25.2.38                 svc-http   permit        Low   4
4         user                       10.26.14.40                svc-http   permit        Low   4
5         user                       10.252.149.190             any        permit        Low   4
Block-Inside-Networks-Policy
----------------------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         user                       inside-networks            any        deny          Low   4
2         inside-networks            user                       any        deny          Low   4
Guest-Access-Policy
-------------------
Priority  Source                     Destination                Service    Action        Queue IPv4/6
--------  ------                     -----------                -------    ------        ----- ------
1         user                       any                        svc-http   permit        Low   4
2         user                       any                        svc-https  permit        Low   4
3         user                       any                        any        permit        Low   4
Expired Policies (due to time constraints) = 0
(FLRFC01-Aruba01) #
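As an added example that is not part of the original post and is not Aruba code, the script below is a small first-match evaluator over the session ACLs quoted in the post, so you can see which ACL and which rule a guest's packet hits in the pre-auth role versus the authenticated roles before you start pulling lines out of `captiveportal`. It assumes what is true of ArubaOS session ACLs as far as I know: a role's ACLs are walked in the order `show rights` lists them, the first matching rule wins, and anything unmatched falls to an implicit deny. Every alias address in it (mswitch, controller, CPPM, amigopods, inside-networks and so on) is a constructed placeholder, the client IP is the iPhone from the `show user` line, the three `svc-http-proxy` rules are left out because their port numbers are not on the page, and the multicast/NetBIOS deny ACLs are left out because they cannot match unicast web traffic. Note that the post's pre-auth path uses two different aliases, `amigopods` in `guest-pw-portal` and `CPPM` in `captiveportal`; the placeholders keep them distinct so the script shows which of the two lists actually matches.

```python
# Added example (not from the post or from Aruba): a first-match evaluator for
# the session ACLs quoted above. Assumes ArubaOS walks a role's ACLs in the
# order 'show rights' lists them, first match wins, implicit deny at the end.
# All alias addresses below are constructed placeholders, not the site's.
from ipaddress import ip_address, ip_network

ALIASES = {  # placeholder networks for the aliases used in the post
    "mswitch": "10.0.0.1/32", "controller": "10.236.116.1/32",
    "CPPM": "10.0.1.10/32", "amigopods": "10.0.1.20/32",  # two distinct aliases in the post
    "inside-networks": "10.0.0.0/8", "guest-networks": "10.236.0.0/16",
    "guest-printers": "10.236.200.0/24", "guest-gateways": "10.236.116.1/32",
    "Fluor-Approved-Public-DNS": "8.8.8.8/32", "Fluor-Websense-Servers": "10.0.2.0/24",
}
SERVICES = {  # service keywords -> (proto, dport); svc-dhcp simplified to udp/67
    "svc-http": ("tcp", 80), "svc-https": ("tcp", 443), "svc-dns": ("udp", 53),
    "svc-dhcp": ("udp", 67), "svc-icmp": ("icmp", None), "any": (None, None),
}

# (source, destination, service, action) in 'show rights' order. Omitted: the
# three svc-http-proxy dst-nat lines (ports not on the page) and the multicast/
# NetBIOS deny ACLs, which cannot match unicast web traffic.
ACLS = {
    "Guest-Logon-Policy": [
        ("user", "any", "udp 68", "deny"),
        ("user", "Fluor-Approved-Public-DNS", "svc-dns", "permit"),
        ("user", "mswitch", "svc-icmp", "permit"),
        ("any", "guest-gateways", "svc-dhcp", "permit"),
        ("any", "255.255.255.255", "svc-dhcp", "permit"),
        ("any", "any", "svc-dhcp", "deny")],
    "Guest-Printing": [
        ("guest-networks", "guest-printers", "any", "permit"),
        ("guest-printers", "guest-networks", "any", "permit")],
    "guest-pw-portal": [
        ("user", "amigopods", "svc-https", "permit"),
        ("user", "amigopods", "svc-http", "permit")],
    "captiveportal": [
        ("user", "mswitch", "svc-https", "dst-nat 8081"),
        ("user", "controller", "svc-https", "dst-nat 8081"),
        ("user", "CPPM", "svc-http", "permit"),
        ("user", "CPPM", "svc-https", "permit"),
        ("user", "any", "svc-http", "dst-nat 8080"),
        ("user", "any", "svc-https", "dst-nat 8081")],
    "cplogout": [
        ("user", "mswitch", "svc-https", "dst-nat 8081"),
        ("user", "controller", "svc-https", "dst-nat 8081")],
    "inside-exceptions": [
        ("user", "Fluor-Websense-Servers", "tcp 15871", "permit"),
        ("user", "mswitch", "svc-https", "permit"),
        ("user", "10.25.2.38", "svc-http", "permit"),
        ("user", "10.26.14.40", "svc-http", "permit"),
        ("user", "10.252.149.190", "any", "permit")],
    "Block-Inside-Networks-Policy": [
        ("user", "inside-networks", "any", "deny"),
        ("inside-networks", "user", "any", "deny")],
    "Guest-Access-Policy": [
        ("user", "any", "svc-http", "permit"),
        ("user", "any", "svc-https", "permit"),
        ("user", "any", "any", "permit")],
}
AUTHENTICATED = ["Guest-Logon-Policy", "Guest-Printing", "guest-pw-portal", "cplogout",
                 "inside-exceptions", "Block-Inside-Networks-Policy", "Guest-Access-Policy"]
ROLES = {
    "Guest-Logon-AP": ["Guest-Logon-Policy", "Guest-Printing", "guest-pw-portal", "captiveportal"],
    "LongTerm": AUTHENTICATED, "ShortTerm": AUTHENTICATED,
}

def _service(spec):
    """Resolve a keyword or a literal such as 'udp 68' / 'tcp 15871' to (proto, port)."""
    if spec in SERVICES:
        return SERVICES[spec]
    proto, port = spec.split()
    return proto, int(port)

def _endpoint_match(spec, addr, client_ip):
    """'user' is the client itself, 'any' matches all, else an alias or a literal host/net."""
    if spec == "any":
        return True
    if spec == "user":
        return addr == client_ip
    return ip_address(addr) in ip_network(ALIASES.get(spec, spec), strict=False)

def evaluate(role, client_ip, src, dst, proto, dport):
    """Return (acl, rule_number, action) of the first rule that matches, else the implicit deny."""
    for acl in ROLES[role]:
        for n, (s, d, svc, action) in enumerate(ACLS[acl], start=1):
            sproto, sport = _service(svc)
            if (_endpoint_match(s, src, client_ip) and _endpoint_match(d, dst, client_ip)
                    and sproto in (None, proto) and sport in (None, dport)):
                return acl, n, action
    return None, 0, "deny (implicit)"

if __name__ == "__main__":
    client = "10.236.116.21"  # the iPhone from the 'show user' line in the post
    for role, dst, port in [("Guest-Logon-AP", "203.0.113.10", 80), ("Guest-Logon-AP", "10.0.1.10", 443),
                            ("LongTerm", "10.236.116.1", 443), ("LongTerm", "10.25.2.38", 80)]:
        print(role, dst, port, "->", evaluate(role, client, client, dst, "tcp", port))
```

With the placeholders as written, a pre-auth HTTPS request to the CPPM placeholder matches `captiveportal` rule 4 (the newer `permit`) rather than anything in `guest-pw-portal`, because that ACL only lists the `amigopods` alias; and in the authenticated roles an HTTPS request to the controller placeholder matches `cplogout` rule 2 (`dst-nat 8081`) before `inside-exceptions` gets a look. To reason about the real site, replace the placeholder members with the alias contents from the controller (for example from `show netdestination`) and the actual addresses in the `show user` output; the script does nothing the controller's own rule ordering does not already do, it just makes that ordering visible.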