Enabling Captive Portal Enhancements

AOS-8 introduces the following enhancements in Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.:

https://securelogin.example.com/cgi-bin/login?cmd=login&mac=00:24:d7:ed:84:14&ip=10.15.104.13&essid=example-test-tunnel&apname=ap135&apgroup=example&url=http%3A%2F%2Fwww%2Eespncricinfo%2Ecom%2F

The Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. enhancements are available on the following forwarding modes as shown in the following table:

Table 1: Captive Portal Enhancements

APs

Tunnel

D-Tunnel

Split-Tunnel

Bridge

Campus AP Campus APs are used in private networks where APs connect over private links (LAN, WLAN, WAN or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on.

External /Internal Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

External /Internal Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

NA

External Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

Remote AP Remote APs extend corporate network to the users working from home or at temporary work sites. Remote APs are deplyed at branch office sites and are connected to the central network on a WAN link.

External /Internal Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

NA

External /Internal Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

External Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

The following section describes the various enhancements in Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.:

Configuring the Redirect-URL

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. redirect URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet.:

(host) [md] (config) # aaa authentication captive-portal REDIRECT

(host) [md] (Captive Portal Authentication Profile "REDIRECT") #redirect-url <absolute-URL>

Example:

(host) [md] (config) # aaa authentication captive-portal REDIRECT

(host) [md] (Captive Portal Authentication Profile "REDIRECT") #redirect-url https://test-login.php

Configuring the Login URL

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. up to 2048 characters:

(host) [md] (config) # aaa authentication captive-portal LOGIN

(host) [md] (Captive Portal Authentication Profile "LOGIN")#login-page "https://clearpass-dev1.dev.arubademo.net/guest/aos8_self-reg.php?_browser=1"

You can configure the login URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. with “?” (question mark) character in it provided the URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. containing the question mark is within the double quotes.

Defining Netdestination Descriptions

You can provide a description (up to 128 characters) for the netdestination using the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions..

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands provide description for an IPv4 netdestination:

(host) [md] (config) #netdestination Local-Server

(host) [md] (config-dest) #description “This is a local server for IPv4 client registration”

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands provide description for an IPv6 netdestination:

(host) [md] (config) #netdestination6 Local-Server6

(host) [md] (config-dest) #description “This is a local server for IPv6 client registration”

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command displays the details of the specified IPv4 netdestination in the managed device:

(host) (config-dest)#show netdestination Local-Server

 

Name: Local-Server

Description: This is a local server for IPv4 client registration

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.1 yahoomail

2 name 0.0.0.2 mycorp

3 name 0.0.0.3 cricinfo

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command displays the details of the specified IPv6 netdestination in the managed device:

(host) (config-dest) #show netdestination Local-Server6

 

Name: Local-Server6

Description: This is a local server for IPv6 client registration

-------------------------------------------------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name ::9 yahoomail

2 name ::a mycorp

3 name ::b cricinfo

Configuring a Allowlist

You can now configure a allowlist in Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. using the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions..

This section describes the following topics:

Configuring the Netdestination for a Allowlist:

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a netdestination alias for Allowlist:

(host) [md] (config) #netdestination allowlist

(host) [md] (config-dest) #description guest_allowlist

(host) [md] (config-dest) #name mycorp

Associating a Allowlist to Captive Portal Profile

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands associate an allowlist to the Captive profile:

(host) [md] (config) #aaa authentication captive-portal CP_Profile

(host) [md] (Captive Portal Authentication Profile "CP_Profile”) #allow-list allowlist

Applying a Captive Portal Profile to a User-Role

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands apply the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile to a user-role:

(host) [md] (config) # user-role guest_role

(host) [md] (config-submode) #access_list logon-control

(host) [md] (config-submode) #access_list captiveportal

(host) [md] (config-submode) #captive-portal CP_Profile

Verifying a Allowlist Configuration

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command verifies the allowlist alias in the managed device:

(host) (config) #show netdestination allowlist

 

allowlist Description: guest_allowlist

--------------------------------------

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 name 0.0.0.6 mycorp

Verifying a Captive Portal Profile Linked to a Allowlist

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command verifies the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile linked to the allowlist in the managed device:

(host) (config) #show aaa authentication captive-portal CP_Profile

 

Captive Portal Authentication Profile "CP_Profile"

-----------------------------------------------------------------

Parameter Value

--------- -----

Default Role guest

Default Guest Role guest

Server Group default

Redirect Pause 10 sec

User Login Enabled

Guest Login Disabled

Logout popup window Enabled

Use HTTP for authentication Disabled

Logon wait minimum wait 5 sec

Logon wait maximum wait 10 sec

logon wait CPU utilization threshold 60 %

Max Authentication failures 0

Show FQDN Disabled

Use CHAP (non-standard) Disabled

Login page /auth/index.html

Welcome page /auth/welcome.html

Show Welcome Page Yes

Add switch IP address in the redirection URL Disabled

Adding user vlan in redirection URL Disabled

Add a controller interface in the redirection URL N/A

Allow only one active user session Disabled

Allow List allowlist

Deny List N/A

Show the acceptable use policy page Disabled

Redirect URL N/A

Verifying Dynamic ACLs for a Allowlist

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command verifies the dynamically created ACLs Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. for the allowlist in the managed device:

(host) (config)#show rights guest_role

 

Derived Role = 'guest_role'

Up BW:No Limit Down BW:No Limit

L2TP Pool = default-l2tp-pool

PPTP Pool = default-pptp-pool

Periodic reauthentication: Disabled

ACL Number = 79/0

Max Sessions = 65535

Captive Portal profile = CP_Profile

 

access-list List

----------------

Position Name Location

-------- ---- --------

1 CP_Profile_list_operations

2 logon-control

3 captiveportal

CP_Profile_list_operations

-----------------------------------------

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P denylist Mirror DisScan ClassifyMedia IPv4/6

-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------

1 user allowlist svc-http permit Low 4

2 user allowlist svc-https permit Low 4

logon-control

-------------

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P denylist Mirror DisScan ClassifyMedia IPv4/6

-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------

1 user any udp 68 deny Low 4

2 any any svc-icmp permit Low 4

3 any any svc-dns permit Low 4

4 any any svc-dhcp permit Low 4

5 any any svc-natt permit Low 4

captiveportal

-------------

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P denylist Mirror DisScan ClassifyMedia IPv4/6

-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------

1 user controller svc-https dst-nat 8081 Low 4

2 user any svc-http dst-nat 8080 Low 4

3 user any svc-https dst-nat 8081 Low 4

4 user any svc-http-proxy1 dst-nat 8088 Low 4

5 user any svc-http-proxy2 dst-nat 8088 Low 4

6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0

Verifying DNS Resolved IP Addresses for Allowlisted URLs

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command verifies the DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. resolved IP addresses for the allowlisted URLs Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. in the managed device:

(host) #show firewall dns-names ap-name <AP-name>

Example:

(host)[md] #show firewall dns-names ap-name ap135

 

Firewall DNS names

------------------

Index Name Id Num-IP List

----- ---- -- ------ ----

0 bugzilla 10 1 0.0.0.0

1 cricinfo 9 0

2 yahoo 1 0

3 mycorp 6 1 1.1.1.1

Viewing a Downloaded CP Profile

This command shows the downloaded Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profiles. Issue this command to display the entire downloaded Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile list, including profile status and the number of references to each profile. Include a profile name to display detailed configuration information for that profile:

(host) (config)#show aaa authentication downloaded-cp-profiles

 

Captive Portal Authentication Profile "cp2-d8941734"

------------------------------------------------

Parameter Value

--------- -----

Default Role authenticated

Default Guest Role guest

Server Group cppm-rad-2

Redirect Pause 10 sec

User Login Enabled

Guest Login Disabled

Logout popup window Enabled

Use HTTP for authentication Disabled

Logon wait minimum wait 5 sec

Logon wait maximum wait 10 sec

logon wait CPU utilization threshold 60 %

Max Authentication failures 0

Show FQDN Disabled

Authentication Protocol PAP

Login page /auth/index.html

Welcome page /auth/welcome.html

Show Welcome Page Yes

Add switch IP address in the redirection URL Disabled

Adding user vlan in redirection URL Disabled

Add a controller interface in the redirection URL N/A

Allow only one active user session Disabled

Allow List N/A

Deny List N/A

Show the acceptable use policy page Disabled

User idle timeout -1

Redirect URL N/A

Bypass Apple Captive Network Assistant Disabled

URL Hash Key ********

 

Total Downloaded CP profiles: 1

Bypassing Captive Portal Landing Page

An increasing number of user sessions in Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. pre-authenticated role, repeatedly request the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login page from the managed devices. This impacts the number of browser-based user login requests handled per second by the managed devices. This eventually delays the loading of the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. page and logging into Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.. Most of the increased activities are from non-browser based applications running on smart phones and tablets.

Bypassing Captive Portal Landing Page is disabled by default, hence the managed devices send 200 OK status code message to the non-browser based apps Short form for application. It generally refers to the application that is downloaded and used on mobile devices..

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands enable Bypassing Captive Portal Landing Page from the managed devices. When doing so, non-browser apps Short form for application. It generally refers to the application that is downloaded and used on mobile devices. continue to request Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login page from the managed devices and they are responded with 302 Temporarily Moved status code. This increases the load of the httpd process of the managed devices.

(host) [md] (config) #web-server profile

(host) [md] (Web Server Configuration) #bypass-cp-landing-page

The landing page contains the meta-refresh tag to reload the page using real browser applications.

Captive Portal Authentication in Bridge Mode

Starting from AOS-8.7.0.0, captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication is supported for VAPs in the bridge forwarding mode. This feature supports only external captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. servers which generate XML Extensible Markup Language. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software./Radius CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. to the controller Only the following parameters of the aaa authentication captive-portal command will be supported for APs in the bridge forwarding mode:

  • ap-mac-in-redirection-url
  • ip-addr-in-redirection-url
  • login-page
  • switchip-in-redirection-url
  • url-hash-key
  • user-vlan-in-redirection-url

The login-page should be configured with an absolute path, starting with http:// or https://. This feature is supported for wireless users on all Campus AP and Remote AP models in cluster and non-cluster topology. To support captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication in the bridge forwarding mode, it is required to enable the ageout-bridge-user parameter in the aaa profile command.

Starting from AOS-8.8.0.0, the following configurations available on controllers are applied to APs automatically when a virtual AP is created with captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication in bridge forwarding mode:

The following procedure configures the web server profile on the APs:

  1. Before configuring the web server profile, you must import the server certificate to the controller through the following steps:
    1. In the Managed Network node hierarchy, navigate to the Configuration > System > Certificates tab.
    2. Click + in the Import Certificates section.
    3. Enter the name of the server certificate in the Certificate name text-box.
    4. Click the Browse button in the Certificate filename text-box to add the certificate file.
    5. Enter a passphrase in the Optional passphrase text box and re-type the passphrase.
    6. Select a certificate format from the Certificate format drop-down list.

      You can import certificates of format PEM and PKCS12.

    7. Select ServerCert from the Certificate type drop-down list.
    8. Click Submit.

      The certificate is listed in the Import Certificates section.

  2. Configure the web server profile on the APs through the following steps:
    1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
    2. In the All Profiles list, expand the Other Profiles menu, then select Web Server Configuration.

      The Web Server Configuration window is displayed.

    3. In the enable/disable cipher suite field, select specific ciphers from the supported list of ciphers, all the ciphers or the default setting. Selecting All enables all the ciphers in the supported list and selecting default enables the following GCM ciphers: ECDHE-ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-AES256-GCM-SHA384, ECDHE-ECDSA Elliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-AES128-GCM-SHA256, ECDHE-RSA Rivest, Shamir, Adleman. RSA is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet.-AES256-GCM-SHA384 and ECDHE-RSA Rivest, Shamir, Adleman. RSA is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet.-AES128-GCM-SHA256.

      A minimum of one cipher must be configured in the cipher suite.

      When the option All is enabled in the FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode, the ciphers AES256-SHA256, AES128-SHA256, AES256-SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. and AES128-SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. are not supported.

    4. In the SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet./TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. Protocol Config field, select one or more of the following check boxes:
      • tlsv1
      • tlsv1_1
      • tlsv1_2

      You must select the default value tlsv1_2 for the SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet./TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. Protocol Config field to establish the most secure HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. connection.

    5. Select the name of the imported certificate from the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. Certificate drop-down list.

    6. Click Submit.
    7. Click Pending Changes.
    8. In the Pending Changes window, select the checkbox and click Deploy changes.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure web server profile on APs:

(host) [mynode] (config) #web-server profile (host) (mynode) (Web Server Configuration) #cipher-suite <cipher(s)>

(host) (mynode) (Web Server Configuration) #ssl-protocol tlsv1.2 (host) (mynode) (Web Server Configuration) #captive-portal-cert <captive-portal-cert>