Enabling Captive Portal Enhancements

ArubaOS introduces the following enhancements in Captive Portal:

https://securelogin.example.com/cgi-bin/login?cmd=login&mac=00:24:d7:ed:84:14&ip=10.15.104.13&essid=example-test-tunnel&apname=ap135&apgroup=example&url=http%3A%2F%2Fwww%2Eespncricinfo%2Ecom%2F

The Captive Portal enhancements are available on Tunnel and Split-Tunnel forwarding modes.
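The redirect URL shown above carries client and AP details in its query string, and every one of those values reaches the external login server as untrusted input. The following is an added example, not ArubaOS or vendor code, of how such a server could parse and validate those parameters before using them; the character policy for essid/apname/apgroup and the acceptance of only cmd=login are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the redirect URL shown on this page.
SAMPLE = (
    "https://securelogin.example.com/cgi-bin/login?cmd=login"
    "&mac=00:24:d7:ed:84:14&ip=10.15.104.13&essid=example-test-tunnel"
    "&apname=ap135&apgroup=example"
    "&url=http%3A%2F%2Fwww%2Eespncricinfo%2Ecom%2F"
)

REQUIRED = ("cmd", "mac", "ip", "essid", "apname", "apgroup", "url")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)
# Assumed local policy for network names; adjust to your deployment.
NAME_RE = re.compile(r"[A-Za-z0-9._ -]{1,64}")


class RedirectError(ValueError):
    """Raised when a redirect query string fails validation."""


def parse_redirect(raw_url):
    """Return validated redirect parameters or raise RedirectError."""
    query = parse_qs(urlsplit(raw_url).query, keep_blank_values=True)
    params = {}
    for key in REQUIRED:
        values = query.get(key, [])
        if len(values) != 1:  # missing or duplicated parameter
            raise RedirectError(f"{key}: expected exactly one value")
        params[key] = values[0]
    if params["cmd"] != "login":  # assumption: only the value shown on the page
        raise RedirectError("cmd: unexpected value")
    if not MAC_RE.fullmatch(params["mac"]):
        raise RedirectError("mac: not a colon-separated MAC address")
    params["mac"] = params["mac"].lower()
    try:
        params["ip"] = str(ipaddress.ip_address(params["ip"]))
    except ValueError as exc:
        raise RedirectError("ip: not an IP address") from exc
    for key in ("essid", "apname", "apgroup"):
        if not NAME_RE.fullmatch(params[key]):
            raise RedirectError(f"{key}: unexpected characters or length")
    # The original destination is client-influenced: accept only http(s)
    # URLs with a host and no embedded credentials before redirecting to it.
    dest = urlsplit(params["url"])
    if dest.scheme not in ("http", "https") or not dest.hostname:
        raise RedirectError("url: not an absolute http(s) URL")
    if dest.username or dest.password:
        raise RedirectError("url: embedded credentials not allowed")
    return params


if __name__ == "__main__":
    print(parse_redirect(SAMPLE))
```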

The following section describes the various enhancements in Captive Portal:

Configuring the Redirect-URL

The following CLI commands configure the Captive Portal redirect URL:

(host) [md] (config) # aaa authentication captive-portal REDIRECT

(host) [md] (Captive Portal Authentication Profile "REDIRECT") #redirect-url <absolute-URL>

Example:

(host) [md] (config) # aaa authentication captive-portal REDIRECT

(host) [md] (Captive Portal Authentication Profile "REDIRECT") #redirect-url https://test-login.php

Configuring the Login URL

The following CLI commands configure a Captive Portal login URL of up to 2048 characters:

(host) [md] (config) # aaa authentication captive-portal LOGIN

(host) [md] (Captive Portal Authentication Profile "LOGIN")#login-page "https://clearpass-dev1.dev.arubademo.net/guest/aos8_self-reg.php?_browser=1"

You can configure the login URL with a "?" (question mark) character in it, provided the URL containing the question mark is enclosed in double quotes.

Defining Netdestination Descriptions

You can provide a description (up to 128 characters) for the netdestination using the CLI.

The following CLI commands provide a description for an IPv4 netdestination:

(host) [md] (config) #netdestination Local-Server

(host) [md] (config-dest) #description "This is a local server for IPv4 client registration"

The following CLI commands provide a description for an IPv6 netdestination:

(host) [md] (config) #netdestination6 Local-Server6

(host) [md] (config-dest) #description "This is a local server for IPv6 client registration"

The following CLI command displays the details of the specified IPv4 netdestination in the managed device:

(host) (config-dest)#show netdestination Local-Server

 

Name: Local-Server

Description: This is a local server for IPv4 client registration

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.1 yahoomail

2 name 0.0.0.2 mycorp

3 name 0.0.0.3 cricinfo

The following CLI command displays the details of the specified IPv6 netdestination in the managed device:

(host) (config-dest) #show netdestination Local-Server6

 

Name: Local-Server6

Description: This is a local server for IPv6 client registration

-------------------------------------------------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name ::9 yahoomail

2 name ::a mycorp

3 name ::b cricinfo

Configuring a Whitelist

You can now configure a whitelist in Captive Portal using the CLI.

This section describes the following topics:

Configuring the Netdestination for a Whitelist:

The following CLI commands configure a netdestination alias for the whitelist:

(host) [md] (config) #netdestination whitelist

(host) [md] (config-dest) #description guest_whitelist

(host) [md] (config-dest) #name mycorp

Associating a Whitelist to Captive Portal Profile

The following CLI commands associate a whitelist to the Captive Portal profile:

(host) [md] (config) #aaa authentication captive-portal CP_Profile

(host) [md] (Captive Portal Authentication Profile "CP_Profile") #white-list whitelist

Applying a Captive Portal Profile to a User-Role

The following CLI commands apply the Captive Portal profile to a user-role:

(host) [md] (config) # user-role guest_role

(host) [md] (config-submode) #access_list logon-control

(host) [md] (config-submode) #access_list captiveportal

(host) [md] (config-submode) #captive-portal CP_Profile

Verifying a Whitelist Configuration

The following CLI command verifies the whitelist alias in the managed device:

(host) (config) #show netdestination whitelist

 

whitelist Description: guest_whitelist

--------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.6 mycorp

Verifying a Captive Portal Profile Linked to a Whitelist

The following CLI command verifies the Captive Portal profile linked to the whitelist in the managed device:

(host) (config) #show aaa authentication captive-portal CP_Profile

 

Captive Portal Authentication Profile "CP_Profile"

-----------------------------------------------------------------

Parameter Value

--------- -----

Default Role guest

Default Guest Role guest

Server Group default

Redirect Pause 10 sec

User Login Enabled

Guest Login Disabled

Logout popup window Enabled

Use HTTP for authentication Disabled

Logon wait minimum wait 5 sec

Logon wait maximum wait 10 sec

logon wait CPU utilization threshold 60 %

Max Authentication failures 0

Show FQDN Disabled

Use CHAP (non-standard) Disabled

Login page /auth/index.html

Welcome page /auth/welcome.html

Show Welcome Page Yes

Add switch IP address in the redirection URL Disabled

Adding user vlan in redirection URL Disabled

Add a controller interface in the redirection URL N/A

Allow only one active user session Disabled

White List whitelist

Black List N/A

Show the acceptable use policy page Disabled

Redirect URL N/A

Verifying Dynamic ACLs for a Whitelist

The following CLI command verifies the dynamically created ACLs for the whitelist in the managed device:

(host) (config)#show rights guest_role

 

Derived Role = 'guest_role'

Up BW:No Limit Down BW:No Limit

L2TP Pool = default-l2tp-pool

PPTP Pool = default-pptp-pool

Periodic reauthentication: Disabled

ACL Number = 79/0

Max Sessions = 65535

Captive Portal profile = CP_Profile

 

access-list List

----------------

Position Name Location

-------- ---- --------

1 CP_Profile_list_operations

2 logon-control

3 captiveportal

CP_Profile_list_operations

-----------------------------------------

Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    whitelist    svc-http   permit                           Low                                                           4
2         user    whitelist    svc-https  permit                           Low                                                           4

logon-control

-------------

Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68    deny                             Low                                                           4
2         any     any          svc-icmp  permit                           Low                                                           4
3         any     any          svc-dns   permit                           Low                                                           4
4         any     any          svc-dhcp  permit                           Low                                                           4
5         any     any          svc-natt  permit                           Low                                                           4

captiveportal

-------------

Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

Verifying DNS Resolved IP Addresses for Whitelisted URLs

The following CLI command verifies the DNS resolved IP addresses for the whitelisted URLs in the managed device:

(host) #show firewall dns-names ap-name <AP-name>

Example:

(host)[md] #show firewall dns-names ap-name ap135

 

Firewall DNS names

------------------

Index Name Id Num-IP List

----- ---- -- ------ ----

0 bugzilla 10 1 0.0.0.0

1 cricinfo 9 0

2 yahoo 1 0

3 mycorp 6 1 1.1.1.1

Bypassing Captive Portal Landing Page

An increasing number of user sessions in the Captive Portal pre-authenticated role repeatedly request the Captive Portal login page from the managed devices. This impacts the number of browser-based user login requests handled per second by the managed devices, which eventually delays loading the Captive Portal page and logging in to Captive Portal. Most of the increased activity comes from non-browser-based applications running on smartphones and tablets.

Bypassing Captive Portal Landing Page is disabled by default; hence, the managed devices send a 200 OK status code message to the non-browser-based apps.

The following CLI commands enable Bypassing Captive Portal Landing Page on the managed devices. When doing so, non-browser apps continue to request the Captive Portal login page from the managed devices and receive a 302 Temporarily Moved status code in response. This increases the load on the httpd process of the managed devices.

(host) [md] (config) #web-server profile

(host) [md] (Web Server Configuration) #bypass-cp-landing-page

The landing page contains the meta-refresh tag to reload the page using real browser applications.

Captive Portal Authentication in Bridge Mode

Starting from ArubaOS 8.7.0.0, captive portal authentication is supported for VAPs in the bridge forwarding mode. This feature supports only external captive portal servers which generate XML API/RADIUS CoA to the controller. Only the following parameters of the aaa authentication captive-portal command are supported for APs in the bridge forwarding mode:

  • ap-mac-in-redirection-url
  • ip-addr-in-redirection-url
  • login-page
  • switchip-in-redirection-url
  • url-hash-key
  • user-vlan-in-redirection-url

The login-page should be configured with an absolute path, starting with http:// or https://. This feature is supported for wireless users on all Campus AP and Remote AP models in cluster and non-cluster topology. To support captive portal authentication in the bridge forwarding mode, you must enable the ageout-bridge-user parameter in the aaa profile command.
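The limits stated on this page (login URL of up to 2048 characters, double quotes around a URL containing "?", descriptions of up to 128 characters, and the bridge-mode parameter list and absolute login-page requirement) can be checked before a change is pushed. The following is an added example, not an ArubaOS tool: a small linter over command lines with or without the `(host) ... #` prompt, where the function name, the sample configuration and the set of top-level keywords it recognizes are assumptions.

```python
import re

# Parameters the page lists as supported in bridge forwarding mode.
BRIDGE_SUPPORTED = {
    "ap-mac-in-redirection-url", "ip-addr-in-redirection-url", "login-page",
    "switchip-in-redirection-url", "url-hash-key", "user-vlan-in-redirection-url",
}
# Assumed set of top-level commands that end the current sub-mode.
TOP_LEVEL = {"aaa", "netdestination", "netdestination6", "user-role", "web-server"}
PROMPT = re.compile(r"^\(host\).*?#\s*")  # strips "(host) [md] (...) #"

# Constructed sample configuration with deliberate mistakes.
SAMPLE_CONFIG = "\n".join([
    "aaa authentication captive-portal GUEST",
    "login-page https://portal.example.com/guest/login.php?_browser=1",
    "white-list whitelist",
    "netdestination Local-Server",
    'description "' + "x" * 129 + '"',
])


def lint(config_text, bridge_mode=False):
    """Return (line_number, message) findings for the rules on this page."""
    findings, context = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        cmd = PROMPT.sub("", raw.strip())
        if not cmd:
            continue
        keyword, _, arg = cmd.partition(" ")
        arg = arg.strip()
        if keyword in TOP_LEVEL:
            if cmd.startswith("aaa authentication captive-portal "):
                context = "cp"
            elif keyword.startswith("netdestination"):
                context = "dest"
            else:
                context = None
            continue
        if context == "dest" and keyword == "description":
            if len(arg.strip('"')) > 128:
                findings.append((lineno, "description exceeds 128 characters"))
        elif context == "cp":
            if bridge_mode and keyword not in BRIDGE_SUPPORTED:
                findings.append((lineno, f"{keyword}: not supported in bridge mode"))
            if keyword == "login-page":
                quoted = len(arg) >= 2 and arg[0] == arg[-1] == '"'
                url = arg[1:-1] if quoted else arg
                if len(url) > 2048:
                    findings.append((lineno, "login-page exceeds 2048 characters"))
                if "?" in url and not quoted:
                    findings.append((lineno, "login-page with '?' must be double-quoted"))
                if bridge_mode and not url.startswith(("http://", "https://")):
                    findings.append((lineno, "login-page must start with http:// or https://"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE_CONFIG, bridge_mode=True):
        print(f"line {lineno}: {message}")
```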