Wireless Access

Hello experts,

I have this error message when i try to go to the internet in my guest SSID.

This is just a wpa2-aes with PSK and guest portal...
Did I make something wrong? Is it something related to the AAA profile ? I really do not understand ...

Thank you,
AL

Hey, you need to assign a Captive Portal Profile to the initial role in the AAA profile!

Even if I don't use a guest portal? Why?
The goal for the guest users is just to connect, put the PSK and be connected .

AL

What's the role being assigned to your users? Is it logon? This will automatically redirect to the Captive Portal. If you have no Captive Portal assigned to the logon role you will see the Web auth error.

Try changing the user role to authenticated or similar.

Sent from my iPhone

I do not really know what are the different roles... I am new in the Aruba wireless
Why is it mandatory to create a captive portal?
For me I need to create a virtual ap / wlan profile only... why do I have create an aaa profile if an aaa server is not used ?

AL

Hey, every single user on an Aruba wireless network will be assigned a user role. A user role can be a set of firewall rules, VLAN's, attributes and so on.

 

The behaviour you are describing is when a template Guest network has been deployed and inovles a Captive Portal despite not being required in your enivroment.

 

The AAA profile is for authenitcation, so despite no AAA server being used, you are still using psk to authenticate to the BSSID.

 

 I suspect that your clients are being assigned the "logon" role as detailed in the AAA profile. See below for an example

 

Lab620) #show aaa profile weebox-PSK-aaa_prof

AAA Profile "weebox-PSK-aaa_prof"
---------------------------------
Parameter                           Value
---------                           -----
Initial role                        logon

 

Can you run the following commands. This will identify the user role assigned to the end user and also the firewall rules applied to this user. 

 

show user-table | include XXXX (MAC of your client)

 The above will show the user role assigned to your user

show rights XXXX (where XXX is the user role

The above will show the user role and firewall rules assigned to the user.

 

Post the output here for us to review.

 

I don't have a hand on the controler in the moment but I have the backup of the config :

 

wlan virtual-ap "GRB-Corporate"

aaa-profile "default-dot1x-psk"

ssid-profile "GRB-Corporate"

vlan 102

!

wlan ssid-profile "GRB-Corporate"

essid "Private"

opmode wpa2-psk-aes

wpa-passphrase 8043f628c7f645f211fd399e7fa34b336c9d43c11aff9fd1

!

Do I have to create something like:

 

aaa profile "GRB-AAA-Profile"

initial-role "guest-logon"

enforce-dhcp

 

?

 

AL

Hey, are previously mentioned (assuming you haven't modified the defaults) the role being assigned to your users will be the logon role, which  will re-direct users to a Captive Portal (which hasn't been configured).

You can see this in the initial role of the AAA profile

 

 

(Lab) #show aaa profile default-dot1x-psk

AAA Profile "default-dot1x-psk" (Predefined (editable))
-------------------------------------------------------
Parameter                           Value
---------                           -----
Initial role                        logon

See the re-direct (dst-nat) in the logon role (see captiveportal acl)

 

 

 

(Lab) #show rights logon


Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session  
2         logon-control     session  
3         captiveportal     session  
4         vpnlogon          session  
5         v6-logon-control  session  
6         captiveportal6    session  

Try the following changes instead

 

 

aaa profile "GRB-AAA-Profile"
initial-role "authenticated"
!
wlan virtual-ap "GRB-Corporate"
aaa-profile "GRB-AAA-Profile"
!

However for complete thoroughness it would be recommended to paste the full configuration output.

 

Hello guys,

 

Authenticated user-role solved the issue.

 

But is this profile applied once the user is authenticated, or before ?

 

The role will be applied once they have authenticated. There is no pre/post authentication has such on a PSK VAP.

Thank you Zalion :)