Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba 2540 Captive Portal Redirect not working

  • 1.  Aruba 2540 Captive Portal Redirect not working

    MVP
    Posted May 09, 2023 04:01 AM

    Hi everybody,

    I've set up a wired mac-based service with a redirect to a self-registration page for guests. When a guest client connects to the switch, I can see that the correct profile is assigned. But when I try to open a page in the browser I get the following error:

    The connection for this site is not secure. www.google.de uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH; Unsupported protocol; The client and server don't support a common SSL protocol version or cipher suite.

    I've installed an SSL and a CaptivePortal certificate on the switch.

    Any ideas?

    Kind regards
    Matthias



  • 2.  RE: Aruba 2540 Captive Portal Redirect not working

    Posted May 09, 2023 01:00 PM

    Are you able to browse directly to the CPPM Guest Page URL? 



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: Aruba 2540 Captive Portal Redirect not working

    MVP
    Posted May 09, 2023 05:24 PM
    Yes, if I try to connect to the CaptivePortal everything works fine.

    I had hoped the behavior would be nearly the same as with the wireless environment.
    If the guest client connects to the guest wifi, a browser automatically opens and the client gets redirected to the self-registration page.

    Sent from Outlook for iOS





  • 4.  RE: Aruba 2540 Captive Portal Redirect not working

    Posted May 09, 2023 06:27 PM

    Do you mind posting a scrubbed copy of your switch config? 



    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ------------------------------



  • 5.  RE: Aruba 2540 Captive Portal Redirect not working

    MVP
    Posted May 10, 2023 05:22 AM

    Switch Config:

    ; JL357A Configuration Editor; Created on release #YC.16.11.0010
    ; Ver #14:67.44.38.04.99.03.b3.b8.ef.74.61.fc.68.f3.8c.fc.e3.ff.37.2f:73

    hostname "HNEVGM040CP"
    module 1 type jl357a
    mirror-port 45
    console idle-timeout 300
    console idle-timeout serial-usb 300
    aruba-central disable
    no rest-interface
    include-credentials
    password operator user-name "operator" XXX
    password manager user-name "manager" XXX
    password minimum-length 8
    radius-server host X.X.X.X key "KEY"
    radius-server host X.X.X.X dyn-authorization
    radius-server host X.X.X.X time-window 0
    timesync ntp
    ntp unicast
    ntp server X.X.X.X iburst
    ntp enable
    no telnet-server
    time daylight-time-rule western-europe
    time timezone 60
    web-management ssl
    ip default-gateway 10.251.2.1
    ip dns server-address priority 1 X.X.X.X
    ip dns server-address priority 2 X.X.X.X
    ip ssh filetransfer
    ip source-interface radius vlan 65
    ip client-tracker trusted
    interface 1
       name "01/01"
       exit
    .
    .
    .

    interface 52
       name "NOT USED"
       exit
       
    snmp-server community "public" unrestricted
    snmp-server contact "oc.it@opitz-consulting.com" location "Holding OC.IT"
    snmpv3 engineid "00:00:00:0b:00:00:08:f1:ea:50:d1:00"
    aaa accounting update periodic 3
    aaa accounting commands stop-only radius
    aaa accounting exec start-stop radius
    aaa accounting network start-stop radius
    aaa accounting system stop-only radius
    aaa authentication login privilege-mode
    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authentication ssh login radius local
    aaa authentication ssh enable radius local
    aaa authentication port-access eap-radius
    aaa authentication captive-portal enable
    aaa port-access authenticator 2-10,12-14,16-30,32,34,36-42,44-48
    aaa port-access authenticator 1 client-limit 3
    .
    .
    .
    aaa port-access authenticator 48 client-limit 3
    aaa port-access authenticator active
    aaa port-access mac-based 2-10,12-14,16-30,32,34,36-42,44-48
    aaa port-access mac-based 1 addr-limit 2
    .
    .
    .
    aaa port-access mac-based 48 addr-limit 2
    vlan 1
       name "DEFAULT_VLAN"
       no untagged 1-48
       untagged 49-52
       no ip address
       exit
    .
    .
    .

    vlan 55
       name "OC-GM-User-Gast"
       untagged 2-10,12-14,16-30,32,34,36-42,44-48
       tagged 49-52
       no ip address
       exit
    .
    .
    .
    vlan 65
       name "OC-GM-ClearPass-Profiling"
       tagged 49-52
       ip address 10.251.2.40 255.255.255.0
       ip helper-address X.X.X.X
       exit
    primary-vlan 250
    spanning-tree
    no tftp client
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    no dhcp tr69-acs-url

    CPPM Profile:




  • 6.  RE: Aruba 2540 Captive Portal Redirect not working

    Posted May 10, 2023 11:04 AM

    If you run:
    show crypto pki local-certificate 

    do you see a cert listed with the usage "CaptivePortal"



    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ------------------------------



  • 7.  RE: Aruba 2540 Captive Portal Redirect not working

    MVP
    Posted May 10, 2023 11:31 AM

    Yes, I've installed a cert for Web and one for Captive Portal:

     

    show crypto pki local-certificate

       Name                 Usage         Expiration     Parent / Profile
       -------------------- ------------- -------------- --------------------
       IDEVID_CERT          IDEVID        2031/01/26     IDEVID_INTER_1
       IDEVID_INTER_1       IDEVID        2031/01/26     IDEVID_INTER_2
       IDEVID_INTER_2       IDEVID        2031/01/26     IDEVID_ROOT
       SSL                  Web           2025/04/02     SSL
       CPPM                 CaptivePortal 2025/04/02     CPPM
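    Reply 6 asks whether a certificate with usage "CaptivePortal" is listed, and the table above answers it by eye. The small check below, an added example and not HPE Aruba tooling, parses that same table (embedded as sample input) and reports for each required usage whether a certificate is present, expiring within 30 days, expired or missing. It assumes the column layout shown above and takes the reference date in the switch's own YYYY/MM/DD format.

```python
"""Parse the ArubaOS-Switch 'show crypto pki local-certificate' table and confirm
that the certificate usages a captive portal needs (Web and CaptivePortal) are
present and not expired. Added example, not HPE Aruba tooling; the column layout
is assumed to be the one shown in the thread."""
import re
from datetime import date

# The table from the thread, embedded here so the check runs offline.
SAMPLE_OUTPUT = """\
   Name                 Usage         Expiration     Parent / Profile
   -------------------- ------------- -------------- --------------------
   IDEVID_CERT          IDEVID        2031/01/26     IDEVID_INTER_1
   IDEVID_INTER_1       IDEVID        2031/01/26     IDEVID_INTER_2
   IDEVID_INTER_2       IDEVID        2031/01/26     IDEVID_ROOT
   SSL                  Web           2025/04/02     SSL
   CPPM                 CaptivePortal 2025/04/02     CPPM
"""

# One data row: name, usage, YYYY/MM/DD expiry, parent/profile.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d{4}/\d{2}/\d{2})\s+(\S+)\s*$")


def _parse_date(text):
    """Switch date format YYYY/MM/DD -> datetime.date."""
    y, m, d = (int(part) for part in text.split("/"))
    return date(y, m, d)


def parse_local_certificates(output):
    """Return a list of dicts, one per certificate row. The header and the
    separator line have no date column, so ROW_RE skips them."""
    certs = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, usage, expires, parent = m.groups()
            certs.append({"name": name, "usage": usage,
                          "expires": _parse_date(expires), "parent": parent})
    return certs


def check_usages(certs, today, required=("Web", "CaptivePortal"), warn_days=30):
    """Map each required usage to 'ok', 'expiring', 'expired' or 'missing'.
    `today` is given in the switch's own YYYY/MM/DD format."""
    now = _parse_date(today)
    status = {}
    for usage in required:
        rows = [c for c in certs if c["usage"] == usage]
        if not rows:
            status[usage] = "missing"
            continue
        # If several certs share a usage, the one expiring soonest sets the status.
        days_left = min((c["expires"] - now).days for c in rows)
        if days_left < 0:
            status[usage] = "expired"
        elif days_left <= warn_days:
            status[usage] = "expiring"
        else:
            status[usage] = "ok"
    return status


if __name__ == "__main__":
    found = parse_local_certificates(SAMPLE_OUTPUT)
    for usage, state in check_usages(found, "2023/05/10").items():
        print(f"{usage:14s} {state}")
```

    Run against the thread's table with the posting date as reference, both usages come back "ok"; the same check run in March 2025 would flag both the Web and the CaptivePortal certificate as expiring, which is the kind of silent failure that later turns into exactly the browser errors described in the first post.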

     






  • 8.  RE: Aruba 2540 Captive Portal Redirect not working

    Posted May 11, 2023 12:08 PM

    It is hard to say exactly what's going on here without digging into a log session.
    Here are a couple of steps I would take for troubleshooting.

     1. Configure an L3/SVI on the Guest VLAN used in the initial Role.
     2. Configure the initial CP Role and associated auth locally on the switch. [see snippet below]
     3. Double check - aaa authentication mac-based chap-radius server-group

    class ipv4 class-dhcp
      10 match udp any any eq 67

    class ipv4 class-dns
      10 match udp any any eq 53

    class ipv4 cppm-captive-portal
      10 match tcp any 172.21.0.200 eq 443
      20 match tcp any 172.21.0.201 eq 443
      30 match tcp any 172.21.0.202 eq 443

    class ipv4 web-traffic
      10 match tcp any any eq 80
      20 match tcp any any eq 443

    policy user guest-captive-portal
      10 class ipv4 cppm-captive-portal
      20 class ipv4 class-dhcp
      30 class ipv4 class-dns
      40 class ipv4 web-traffic action redirect captive-portal

    aaa authentication mac-based chap-radius server-group "lab1-cppm"
    aaa authentication captive-portal profile lab1-captive url https://aaa.lab.arubalabs.com/guest/LabGuest.php
    aaa authentication captive-portal enable

    aaa authorization user-role name guest-captive
     captive-portal-profile lab1-captive
     policy guest-captive-portal
     reauth-period 180
     vlan-id 10






    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ------------------------------



  • 9.  RE: Aruba 2540 Captive Portal Redirect not working

    EMPLOYEE
    Posted May 12, 2023 04:48 AM

    Remove line 20 from:

    class ipv4 web-traffic
      10 match tcp any any eq 80
      20 match tcp any any eq 443

    Because with this configuration you are redirecting HTTPS traffic, which is not possible.

    Also, it's not possible to redirect www.google.de (or other Google domains, and many other domains) as these use HSTS, which forces the browser to use HTTP, which can't be redirected and will give you the warnings/errors. Seems expected with this configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Aruba 2540 Captive Portal Redirect not working

    MVP
    Posted Jun 06, 2023 04:52 AM

    Hello Herman,

    Am I right that there is no problem with my configuration, if it's not possible to redirect many domains?

    And what would be a recommendation? How could I get the clients redirected to the self registration page. It is not very user friendly to type in the self registration page URL... 




  • 11.  RE: Aruba 2540 Captive Portal Redirect not working

    EMPLOYEE
    Posted Jun 30, 2023 10:30 AM

    If you just redirect HTTP traffic (port 80) and drop/deny all port 443, most clients will try to reach a specific website over HTTP to detect if there is a captive portal, and show the well-known popup for guest login. Via that HTTP redirect you can redirect to the login page. Redirection on port 443 has never worked well, and results in certificate errors, and sites with certificate pinning or HSTS don't allow users to be redirected at all. Without explaining all the details, just don't redirect HTTPS traffic as it does not work, but has some bad side-effects like the certificate errors that confuse end-users. 



    ------------------------------
    Herman Robers
    ------------------------------
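    Replies 9 and 11 come down to one policy change: keep the port-80 redirect so the client's HTTP connectivity probe lands on the portal, and deny port 443 instead of redirecting it. The following model is an added example and not HPE Aruba code. It parses the `class ipv4` / `policy user` lines from reply 8 (with DHCP on 67 and DNS on 53) and a corrected variant, evaluates a few guest flows against each the way the switch does (first matching policy entry wins), and labels what the guest's browser would see. Assumptions: unmatched flows are treated as permitted, the class names `http-traffic` and `https-traffic` and the `action deny` entry in the corrected policy are mine, the verdict strings are my own labels rather than switch output, and 203.0.113.10 is a constructed destination address.

```python
"""Model of how an ArubaOS-Switch user-role policy classifies a guest's flows,
written to show why redirecting port 443 produces certificate errors while
redirecting only port 80 triggers the OS captive-portal popup. Added example,
not HPE Aruba code: the parser covers only the 'class ipv4' / 'policy user'
lines used in this thread, unmatched flows are assumed permitted, and the
verdict strings are labels of this model, not switch output."""
import re

# Reply 8's policy: entry 40 redirects both port 80 and port 443.
ORIGINAL_POLICY = """\
class ipv4 class-dhcp
  10 match udp any any eq 67
class ipv4 class-dns
  10 match udp any any eq 53
class ipv4 cppm-captive-portal
  10 match tcp any 172.21.0.200 eq 443
class ipv4 web-traffic
  10 match tcp any any eq 80
  20 match tcp any any eq 443
policy user guest-captive-portal
  10 class ipv4 cppm-captive-portal
  20 class ipv4 class-dhcp
  30 class ipv4 class-dns
  40 class ipv4 web-traffic action redirect captive-portal
"""

# Reply 11 applied: redirect port 80 only, deny port 443. The class names
# http-traffic / https-traffic and the 'action deny' entry are assumptions.
CORRECTED_POLICY = """\
class ipv4 class-dhcp
  10 match udp any any eq 67
class ipv4 class-dns
  10 match udp any any eq 53
class ipv4 cppm-captive-portal
  10 match tcp any 172.21.0.200 eq 443
class ipv4 http-traffic
  10 match tcp any any eq 80
class ipv4 https-traffic
  10 match tcp any any eq 443
policy user guest-captive-portal
  10 class ipv4 cppm-captive-portal
  20 class ipv4 class-dhcp
  30 class ipv4 class-dns
  40 class ipv4 http-traffic action redirect captive-portal
  50 class ipv4 https-traffic action deny
"""

# '<seq> match <proto> <src> <dst> eq <port>'; src/dst are 'any', an IP, or 'host <ip>'.
MATCH_RE = re.compile(
    r"^\s*\d+\s+match\s+(tcp|udp)\s+(?:host\s+)?(\S+)\s+(?:host\s+)?(\S+)\s+eq\s+(\d+)\s*$")
# '<seq> class ipv4 <name> [action <...>]'; no action means permit.
ENTRY_RE = re.compile(r"^\s*\d+\s+class\s+ipv4\s+(\S+)(?:\s+action\s+(.+?))?\s*$")

HTTPS_VERDICT = {
    "redirect captive-portal": "TLS intercepted: browser shows a certificate/protocol error",
    "deny": "connection dropped: no page and no certificate error",
    "permit": "reaches the internet without authentication",
}


def parse_config(cfg):
    """Return (classes, policy): classes maps a class name to its
    (proto, dst, port) rules; policy is the ordered list of (class, action)."""
    classes, policy, current = {}, [], None
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["class", "ipv4"]:
            current = words[2]
            classes[current] = []
            continue
        if words[:2] == ["policy", "user"]:
            current = None
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            proto, _src, dst, port = m.groups()
            classes[current].append((proto, dst, int(port)))
            continue
        m = ENTRY_RE.match(line)
        if m:
            policy.append((m.group(1), m.group(2) or "permit"))
    return classes, policy


def classify(classes, policy, proto, dst_ip, dst_port):
    """First policy entry whose class matches the flow decides its action.
    Flows matching nothing are treated as permitted (model assumption)."""
    for class_name, action in policy:
        for r_proto, r_dst, r_port in classes[class_name]:
            if r_proto == proto and r_port == dst_port and r_dst in ("any", dst_ip):
                return action
    return "permit"


def client_experience(classes, policy):
    """What a guest sees for the flows that matter: the OS's HTTP connectivity
    probe, an HTTPS request to an HSTS site, and the portal itself."""
    probe = classify(classes, policy, "tcp", "203.0.113.10", 80)    # constructed IP
    https = classify(classes, policy, "tcp", "203.0.113.10", 443)
    portal = classify(classes, policy, "tcp", "172.21.0.200", 443)
    return {
        "http_probe": ("captive-portal popup: probe redirected to the portal"
                       if probe == "redirect captive-portal" else f"no popup: probe {probe}"),
        "https_hsts_site": HTTPS_VERDICT.get(https, https),
        "portal_https": portal,
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(label, client_experience(*parse_config(cfg)))
```

    Under the original policy the HTTPS flow to the HSTS site is classified "redirect captive-portal", which is the interception that produces the ERR_SSL_VERSION_OR_CIPHER_MISMATCH from the first post; under the corrected policy it is denied outright while the HTTP probe is still redirected, so the operating system's captive-portal popup is what brings the guest to the self-registration page. Direct HTTPS to the ClearPass address stays permitted in both, because entry 10 is evaluated before the web-traffic entries.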