How does Internal Captive Portal work in Aruba Instant ON?

Employee
Employee

How does Internal Captive Portal work in Aruba Instant ON?

  • When a Client Device connects to a Network, the device will start sending multiple traffic based on the Applications opened on that device.
  • The initial set of traffic triggered by the Client will identify if there is a Captive Portal Authentication configured on that wireless network.
  • Let us consider a Windows Client connecting to the Wi-Fi, configured with Internal Captive-Portal Authentication.

Internal config.JPGCaptive Portal Authentication

DNS request and Response.JPGDNS Request / Response to www.msftconnecttest.com

  • Once the Client Device gets the IP address of www.msftconnecttest.com through DNS resolution, it will initiate a TCP handshake to that IP address.

TCP to msft.JPGTCP Connection to www.msftconnecttest.com

  • According to the Client Device, it has established a TCP connection with www.msftconnecttest.com.
  • But in turn, the Aruba Instant On APs spoofs the TCP connections initiated by the Guest Clients and respond to those TCP connection requests, on behalf of www.msftconnecttest.com.
  • The above TCP connection is hence between the Guest Client and the AP.
  • Once the TCP connection is established, the Guest Client sends a HTTP Get, to get the webpage of www.msftconnecttest.com.

http get to msft.JPGHTTP Get request to www.msftconnecttest.com

302 Redirection.JPG302 Captive Portal redirection and TCP connection termination

  • The Guest Client then sends out a DNS request to resolve the IP address of URL received through 302 Redirection - http://captive-2019.aio.cloudauth.net/swarm.cgi
  • Since this URL belongs to the Aruba Instant On APs, the DNS servers will not have an IP address entry to the above mentioned URL.
  • The APs will hence spoof the DNS response from the DNS server and respond back to the Guest Client with the Internal IP address (172.31.98.1) of the AIO AP.

Captive Portal DNS Request and Response.JPGDNS Request and Response to resolve the IP address of http://captive-2019.aio.cloudauth.net/swarm.cgi

  • The Guest Client will initiate a TCP connection with the AP’s IP address 172.31.98.1 followed by HTTP Get.
  • The HTTP Get is for the Guest Client to fetch the Captive Portal Page hosted by the Aruba Instant On AP.

http get to CP page.jpgHTTP Get to fetch the Captive Portal Page hosted by the AP

  • The Aruba Instant ON AP will send the Captive Portal page to the Guest Client.
  • The complete TCP stream when the Guest Client gets the Captive Portal Page is as below.

Client gets Captive Portal Page.JPGHTTP stream when the Guest Client gets the Captive Portal page

  • Below is the Captive Portal page hosted on the test client.
  • The TCP connections is terminated by the client once it receives the Captive Portal Page.

10.JPGCaptive Portal page Hosted on the Guest Client by the AP

  • Once the Client Device clicks on Accept, the browser will send a HTTP Post, acknowledging the Captive Portal Authentication.
  • When the AP receives this HTTP Post, it authenticates the Guest Client and provides access to the Internet.

Post Auth.JPGHTTP stream when Guest Client clicks on Accept Button on the Captive Portal Page

  • Once the Authentication is complete, whenever the Guest Client contacts msftconnecttest.com, the AP will not spoof the TCP connection.
  • The Guest Client will hence not get a 302 redirect message from msftconnecttest.com, but will get a HTTP 200 Ok.
  • The Guest Client will then assume that there is no Captive Portal Authentication configured on the Wireless Network or the Captive Portal Authentication is successful.

Post Auth msft.JPGGuest Client checking for Captive Portal Login post Authentication

Regards,
Krishna Prasad
Labels (1)