Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

iPad, CP and CPNA... help?

  • 1.  iPad, CP and CPNA... help?

    Posted Dec 05, 2012 10:34 AM

    Been reading about CPNA, which jumps up on detection of a CP to allow the user to log in so the device can verify connectivity by retrieving the "Success" page. Users are able to log in to the CP, but the "close button" doesn't work, I assume as it is appearing within the CPNA rather than the browser; consequently the connection is terminated.

    Connection to Apple therefore needs to be allowed without the need to log in to the CP, and therefore not invoke the CPNA? Once the iPad has then done this, it would then be possible to activate it, then open Safari and be presented with the CP?

     

    I've found this thread:

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Captive-Portal-Welcome-Page/m-p/31554/highlight/true#M2788

    But can't even find how to enable the DNS server on the GUI!

    Figuring it out.. slowly!!


    config t
    ip name-server 8.8.8.8
    ip domain-name <your company.com>
    ip domain-lookup
    netdestination apple
    name *.apple.com
    exit

    Can't seem to insert the last line

    name *.apple.com

     

     

     

    v5049

     

     



  • 2.  RE: iPad, CP and CPNA... help?

    Posted Dec 06, 2012 08:44 AM

    I've been able to get this working by opening up the test captive portal to essentially go anywhere.. as I wasn't having any joy trying to restrict it to the "apple" alias.. however, I don't think I've been able to configure this correctly, as it wouldn't accept the last line of code.

    Most places I look are wanting me to define an IP/subnet for the destination network, which I very much doubt I'm going to be able to find. I've gone onto the CLI to ping apple.com and it is resolving.... so this seems OK.. but it won't work unless I have the permit any/any at the top.. so something's not quite right somewhere...



  • 3.  RE: iPad, CP and CPNA... help?

    Posted Dec 12, 2012 07:48 AM

    Assumptions:

    • You're using a setup with Controller having the captive portal.
    • The client you connect to the wireless lands in the guest-logon (or equivalent) role and is given basic network access through the logon-control and captiveportal policies.
    • The client is assigned correct network info (ip/gateway/dns etc).

     

    This CLI command should then do it for you:

     

    conf t

    netdestination "apple.com"
    name apple.com
    !


    ip access-list session "ios-cnafix"
    alias "user" alias "apple.com" svc-http permit position 1 queue low
    !

     

    user-role "guest-logon"
    access-list session "ios-cnafix" position 1
    !

     

    Basics here are to

    • create the alias for the destination you want to open access for
    • add that alias to a (new) firewall policy
    • add that firewall policy to the logon role which your users land in once connected

    Another option I believe should give the same result would be the Walled Garden access (excerpt from 6.1UG, but should work the same in 5.x also):

     

    (host)(config)# conf t

    (host)(config)# netdestination "apple.com"
    (host)(config)#name apple.com

    (host)(config)#!

     

    (host) (config) #aaa authentication captive-portal default
    (host)(Captive Portal Authentication Profile "default")#white-list apple.com

    (host)(Captive Portal Authentication Profile "default")#!

     



  • 4.  RE: iPad, CP and CPNA... help?

    Posted Dec 12, 2012 10:11 AM

    Thanks for your assistance..

    Failing at the first hurdle again!

     

    conf t
    
    netdestination "apple.com"
    name apple.com

    "name" isn't a recognised command...

     

     (config) #netdestination "apple.com"
     (config-dest) #name
                                              ^
    % Invalid input detected at '^' marker.

     (config-dest) #?
    host                    Configure a single host
    invert                  Use all destinations EXCEPT this destination
    network                 Configure a subnet
    no                      Delete Command
    range                   Configure a range of IP addresses

    I carried on regardless.. and saw the config in the GUI.. which was the same as I'd tried before.. and the CNA still pops up. Domain lookup is enabled and I can ping apple.com.. so I know it's resolving from the box OK.

    We are using an upstream proxy server, but this info should be getting obtained from the wpad.dat file.. which is the first rule in the guest logon policy. I know the wpad file works, as when on "auto" and logged in, I can see connections going through the proxy server...

    For sanity testing.. I added an "any any permit" rule which worked... so I'm 99.9% sure it is an Aruba FW config issue... I've tried hosting the "success" page on the proxy/DNS server with a static DNS entry resolving apple.com to itself.. and successfully tested with the www.apple.com/library/test/success.html.. but still didn't work. I've tried an apple.com destination NAT to the proxy server, hoping to retrieve the "success" page this way.. but that didn't work either!
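
Added example, not part of any post in this thread: a blanket permit rule used for sanity testing in the pre-authentication role lets unauthenticated clients bypass the captive portal if it is left in place, so this Python check parses ArubaOS-style config text and reports such rules reachable from a given role. The sample config is constructed, the "sanity-test" policy name is hypothetical, and the parser assumes the indented layout of `show running-config` output.

```python
import re

# Constructed sample (not the poster's controller config), laid out like
# `show running-config` output with indented sub-commands. Policy and role
# names reuse those in the thread; "sanity-test" is hypothetical.
SAMPLE_CONFIG = '''\
netdestination "apple.com"
  name apple.com
!
ip access-list session "ios-cnafix"
  alias "user" alias "apple.com" svc-http permit position 1 queue low
!
ip access-list session "sanity-test"
  any any any permit
!
user-role "guest-logon"
  access-list session "sanity-test" position 1
  access-list session "ios-cnafix" position 2
!
'''

BLOCK_RE = re.compile(r'^(ip access-list session|user-role)\s+"?([^"\s]+)"?$')
ATTACH_RE = re.compile(r'^access-list session\s+"?([^"\s]+)"?')
OPEN_RE = re.compile(r'^(any|user)\s+any\s+any\s+permit\b')  # any destination, any service

def parse(config):
    """Return ({acl_name: [rules]}, {role_name: [sub-commands]})."""
    acls, roles, target = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            store = acls if m.group(1).startswith("ip") else roles
            target = store.setdefault(m.group(2), [])
        elif line == "!" or not raw[:1].isspace():
            target = None  # block ended, or an unrelated top-level command
        elif target is not None:
            target.append(line)
    return acls, roles

def open_preauth_rules(config, role):
    """List (acl, rule) pairs reachable from `role` that permit everything."""
    acls, roles = parse(config)
    attached = [m.group(1) for m in map(ATTACH_RE.match, roles.get(role, [])) if m]
    return [(a, r) for a in attached for r in acls.get(a, []) if OPEN_RE.match(r)]

if __name__ == "__main__":
    for acl, rule in open_preauth_rules(SAMPLE_CONFIG, "guest-logon"):
        print(f'guest-logon -> {acl}: "{rule}" leaves the pre-auth role open')
```

Predefined policies that are attached to the role but not defined in the supplied text are skipped rather than flagged.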