How does External Captive Portal work in Aruba Instant On?

KB Description :

 The flow of External Captive Portal in Aruba Instant ON is very similar to the Internal Captive Portal flow.

  • The AP spoofs the Guest Client traffic and responds with the Captive Portal Page.
  • The only difference here is that the Captive Portal Page is hosted on an external Web Server.
  • It is possible to use various types of Authentication methods such as Username/Password, Acknowledge Method, Self-Registration, Multi-Factor Authentication etc.
  • The Complete flow of External Captive Portal with Username/Password Authentication when a guest client connects to the wireless SSID is explained below.

 Pre-requisites:

  • Aruba Instant ON AP
  • Web Server (To host the Captive Portal Page)
  • Radius Server (To authenticate the Guest Clients with the credentials they post)

Configuration on AP:

 Let us again consider a Windows Client connecting to the Wi-Fi configured with External Captive Portal Authentication.

  • Once the Windows Client connects to the Wi-Fi, it initiates a DNS request to www.msftconnecttest.com.
  • Similarly, iOS and Android devices have their own FQDN to check the existence of Captive-Portal Authentication in the Wireless Network.
  • Check the below posts for more details.
    • Android gstatic:
    • Apple CNA:

msftconnecttest.png

  • Once the Client Device gets the IP address of www.msftconnecttest.com through DNS resolution, it will initiate a TCP handshake to that IP address.
  • According to the Client Device, it has established a TCP connection with www.msftconnecttest.com.
  • But in turn, the Aruba Instant On APs spoof the TCP connections initiated by the Guest Clients and respond to those TCP connection requests, on behalf of www.msftconnecttest.com.
  • The above TCP connection is hence between the Guest Client and the AP.
  • Once the TCP connection is established, the Guest Client sends an HTTP GET to get the webpage of www.msftconnecttest.com.

captive portal rediection.png

  • When the AP receives this HTTP GET message, the AP redirects the Client Device to the External Captive Portal Web Server through a 302 redirect based on the configuration.
  • In our example, the Captive Portal Page is hosted on the Server - 10.27.140.22 and the URL for the page is - /guest/AIO_test.php, hence the Client will be redirected to the URL : https://10.27.140.22:443/guest/AIO_test.php?
  • The AP redirects the clients to use the HTTPS protocol when requesting the Captive Portal Page from the CPPM server.
  • Once the client receives the redirection URL, it terminates the TCP connection established with www.msftconnecttest.com.

Splash page request.png

  • Since the IP address of the Web Server is configured on the AP, the Guest Clients will not send any DNS requests to find the Web Server’s IP address.
  • If the Server’s FQDN is provided as the Server URL in the AP, then the Clients must resolve the FQDN of the server to an IP address through DNS.
  • The Guest Client will initiate an HTTPS connection with the Web Server and request the Web Page.
  • Since the protocol used is HTTPS, the traffic between the Guest Client and the Web Server is encrypted.
  • Below is the HTTPS stream when the Guest client communicates with the Web Server.

External server communication.png

  • Below is the Captive Portal page hosted on the test client.
  • The TCP connection is terminated by the client once it receives the Captive Portal Page.

splash page.png

  • The Guest Client has to enter a Username and Password in the above text box.
  • When clicking on Log In, the clients will post the Username and Password as an HTTP POST to the CPPM Server.
  • The CPPM server will in turn request the Client to post the credentials to the Aruba Instant ON AP.
  • The AP will convert this HTTP post into a Radius request and forward the same to the CPPM server for authentication.

Radius Request.png

  • If the AP gets Access-Accept from the CPPM server, the AP will provide Internet access to the Client.
  • If the AP gets Access-Reject from the CPPM server or if the Authentication times out (Due to Server Unreachability), the Clients will not get Internet Access.

 

  • Once the Authentication is complete, whenever the Guest Client contacts www.msftconnecttest.com, the AP will not spoof the TCP connection.
  • The Guest Client will hence not get a 302 redirect message from www.msftconnecttest.com, but will get an HTTP 200 OK.
  • The Guest Client will then assume that there is no Captive Portal Authentication configured on the Wireless Network or the Captive Portal Authentication is successful.

Access Accept.png

 

Regards,
Swaathi Ramaswamy
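
The probe-and-redirect behaviour described in the post above, as an added example that is not part of the original post or of Aruba's code: a parser that classifies the answer to the connectivity probe as pre-authentication (302 to the portal) or post-authentication (200), and reports whether the portal URL uses HTTPS and whether it needs a DNS lookup. The sample responses and the hostname `portal.example.net` are constructed; only the 10.27.140.22 URL comes from the post.

```python
# Added example: how a client's captive-portal check reads the probe response.
# All sample responses below are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_probe(raw: bytes):
    """Classify the answer to the probe sent to www.msftconnecttest.com."""
    status, headers = parse_response(raw)
    if status == 200:
        # Post-authentication: the AP no longer answers for the probe host.
        return {"state": "open"}
    if status == 302 and "location" in headers:
        url = urlsplit(headers["location"])
        host = url.hostname or ""
        try:
            ipaddress.ip_address(host)
            needs_dns = False   # portal configured as an IP literal
        except ValueError:
            needs_dns = True    # FQDN: the client must resolve it first
        return {
            "state": "captive",
            "portal_host": host,
            "https": url.scheme == "https",  # False: login page fetched in clear
            "needs_dns": needs_dns,
        }
    return {"state": "unknown"}

def redirect(location: str) -> bytes:
    """Build a constructed 302 response carrying the given Location."""
    return ("HTTP/1.1 302 Found\r\nLocation: %s\r\n"
            "Content-Length: 0\r\n\r\n" % location).encode("ascii")

PRE_AUTH_IP = redirect("https://10.27.140.22:443/guest/AIO_test.php?")
PRE_AUTH_FQDN = redirect("https://portal.example.net/guest/AIO_test.php")
PRE_AUTH_HTTP = redirect("http://10.27.140.22/guest/AIO_test.php")
POST_AUTH = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for sample in (PRE_AUTH_IP, PRE_AUTH_FQDN, PRE_AUTH_HTTP, POST_AUTH):
        print(classify_probe(sample))
```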
2 Replies

Re: How does External Captive Portal work in Aruba Instant On?

Hello,

I have tried to integrate my Home AIO with a CPPM but I am stuck on the Web Logon page setup to get it working.

Which address/name should be configured on the Guest CPPM Logon page to send the Post after the Web authentication
(by default "securelogin.arubanetworks.com"). On controller or IAP this must match the certificate installed but on AIO ??

I have the Logon page on my test PC but after I send the credentials (which are validated OK by CPPM) I never get access
because the post sent by my browser is never intercepted by the Instant On APs.

Kind regards

Christian Chautems

ACCP


Re: How does External Captive Portal work in Aruba Instant On?

Hello,

Forget about my previous post, it was obvious !!

Just connect to the AIO AP with SSL (to the diag page) and get the name of the certificate which is:

captive-2019.aio.cloudauth.net

And it works

Regards

Christian Chautems