Captiveportal-login Could Not Be Found Aruba Not Authing
Responsive Captive Portal for Aruba Wi-Fi – updated for iOS CNA
Some time back (over 2 years in fact, wow time flies) I wrote a post on how to upload a more mobile-friendly Captive Portal page to your Aruba controller for mobile devices connecting to your Wi-Fi.
That's served us well at the college and definitely made the system more user friendly. However over the summer I've been doing some re-configuration on the network and during testing found an issue that's cropped up somewhere along the way of iOS updates that's forced me to make some changes.
For those simply wanting the TL;DR version, check out my OneDrive Public folder for the new page download 😉
Something has changed…
Whilst working on a redirect page for SSL inspection I noticed that the Captive Portal login screen wasn't appearing on the iPad I was using for testing running the latest iOS 10.3.
To be certain it wasn't a global issue I tried on my other devices; an HTC 10 Android device as my primary phone, Nokia Lumia as work phone and a ThinkPad running Windows 10 but all of those behaved as expected with the portal loading up automatically.
Wanting to get the setup working correctly across all platforms I started researching and via the Aruba forums tried a few suggestions:
- upgrade to latest ArubaOS release (handy as we needed to do this anyway)
- ensure Captive Portal is set to display over HTTPS
- ensure the HTTPS certificate is signed by a Trusted Root CA (good practice anyway)
- ensure the device can't reach the Apple CNA domains, which appear not to be officially documented anywhere but people have made their own lists, although it's hard to know how much the domains change.
Back to basics
Yet none of this made any difference, CNA still refused to appear. I raised a ticket with our support partner and their initial suggestion was to create a new CP profile and on it revert back to the default Aruba login page.
Trying this out restored CNA functionality, which was a step forward as it then pointed to something in the portal page template that iOS didn't like.
After getting this breakthrough I must've made a different variation on my forum searches as it then returned a very useful thread that seemed to be discussing an almost identical issue
Ref: http://community.arubanetworks.com/t5/Wireless-Access/AOS-6-5-2-0-Captive-Portal-auto-prompt-not-working-on-iOS/td-p/295405
Imagine my surprise to discover that the user "mom" aka Matthias was using my original blog post and responsive portal too (!) He had meticulously tested the page, stripping elements out until finding that removing some chunks restored the CNA behaviour.
So it seems Apple have got more fussy (some may say stringent?) about what content is allowed in a login page and something was being blocked.
Looking back at my original page it does have a fair bit of JavaScript embedded in it for the smooth page scrolling effect, custom error handling etc. which would prove difficult to strip down and retain the same functionality. With that in mind I made the decision to try and rebuild a similar-looking page with a simpler boilerplate design.
Skeleton delivers
I soon found exactly what I needed in the form of the Skeleton framework. A beautifully simple yet effective template that's still responsive across all devices but only 200 lines of CSS!
Ref: http://getskeleton.com/
It didn't take long to put the Aruba login form into the page template and tweak some of the core styling to match what I had before by reusing certain CSS elements from the old page. I also used a few elements from the demo page http://getskeleton.com/examples/landing/
A few features from the old login page were left out to keep the new template at its efficient best:
- custom error message handling: removed the JS code for this entirely, page reloads if login fails but without the customisable error messages
- clickable sections in the header: users would need to scroll the page manually instead to read the information and AUP sections
- auto smooth scrolling: auto scroll to middle of the page no longer required in light of point 2 above
- embedded fonts: removed any references to additional fonts just in case they were being blocked
I uploaded the new page and its supporting files (only 2 small CSS files plus a new logo image) and tried to log in again… success!
With more time I could go back and slowly start adding elements back to see exactly what causes issues, my betting would be on the JavaScript but while everything is working I don't want to mess with it now. If anyone reading fancies a challenge and finds the offending element let me know in the comments 🙂
And here's a sample of the new pages in action, along with our new colour schemes so we can easily tell which network people are trying to connect to. I'm using 2 separate auth sources for the different networks (internal DB for one and NPS-based RADIUS for the other) hence why we keep separate SSIDs and CP Profiles for them both.
After login the controller now redirects to a Welcome page, which also uses the Skeleton framework with some additional styling. I can be a bit more flexible here as the portal is already open:
Here's one I made earlier
For those who just want to get up and running ASAP I've provided a packaged-up sample version of the page in my OneDrive Public folder named SAMPLE CNA Skeleton.zip
It's tested working on the following:
- iOS 10.3.1
- Android Nougat
- Windows Mobile 8.1
- Windows 10 Creators Update
To change the page colours find and replace the following:
- page background #27AE60
- button hover colour #EF8A17
Styling tips:
- to make your own matching colour schemes check out something like https://coolors.co
- edit logo.png for one of your choosing
- change the text (I recommend using Notepad++ for editing) and away you go!
- any other CSS tweaks will either be in the page body CSS or via the (neatly labelled) skeleton.css
Save yourself from insanity: Aruba Captive Portal RADIUS Accounting
I've been meaning to post this one for a while but got there in the end! Recently we changed our content filtering provider and one of the aims of the new system was to ensure tighter integration between the Wi-Fi controller and filter for authentication \ identification of users.
We particularly needed the framed-ip-address attribute as that's used to tie a device to a user on our particular filtering product. In theory the setup sounds fairly straightforward:
- set up Windows Network Policy Server to handle RADIUS authentication
- set up RADIUS authentication profile against a new Wi-Fi SSID
- set up RADIUS accounting on the wireless controller
- set up RADIUS accounting on the filtering server
Initially all went well and we were able to authenticate users smoothly onto the Wi-Fi network via the existing captive portal… but (and isn't there always a but!) we saw nothing on the filtering server, just an empty void of white space where user account activity should've been 😦
Initial troubleshooting steps
So I checked the simple things first…
- Check RADIUS Interim Accounting option is enabled on the AAA profile
- Check if shared secret is too complex \ typo when entering it into various config pages
- Ensure accounting server options in Windows NPS are configured correctly
- Confirm configuration of accounting server details on Wi-Fi controller
- Ensure ports for accounting information are set as they should be
Everything checked out correctly and authentication still worked fine despite me trying to break it, which made accounting failing even more strange. With that in mind it was time to move onto some more in-depth troubleshooting.
Delving deeper
Next step was to try and see if any accounting traffic was actually being sent so trusty Wireshark was spooled up to watch traffic for anything on port 1813. We saw plenty on 1812 for authentication but consistently nothing on 1813. At one stage I was beginning to wonder if the NPS server had something to do with it but replies to my posts to TechNet forums suggested otherwise.
A case was then opened with Aruba support which involved upgrading the controller to latest firmware 6.4.2.12 before further troubleshooting could be performed. A few useful commands came out of this process, which should be run before upgrading to ensure the controller has enough resources to run the upgrade:
- show memory
- show storage
As an aside the upgrade did give us a nice new(er) feature called AppRF that basically brings application-level monitoring to the Aruba UI. It saves going through the firewall to find the same information and allows us to see at-a-glance where the bandwidth is going on the wireless network and to which user(s):
image credit: Aruba Networks
The update also made packet captures on the controller a bit simpler, which further proved our theory that no accounting traffic was being sent as the controller itself didn't log anything on 1813 in its direct captures. However despite the upgrade we were still no closer to resolving the accounting issue.
The breakthrough
After escalating through various levels of Aruba support and product management one of the technical team finally found our issue, which turned out to be a deceptively simple fix. It's a sneaky little setting squirrelled away named Captive Portal Check for Accounting
The setting in question lives inside the Misc. Configuration section of Security > User Roles.
You need to edit the settings of the role that is assigned as the 802.1X User Default Role for the AAA Profile associated with your RADIUS-enabled VAP (what a sentence that is!)
Basically untick that box and everything starts working…
By default the Captive Portal Check for Accounting box is ticked and therefore accounting won't work if the user has authenticated via a captive portal. The Aruba documentation has this to say about it:
The check-for-accounting parameter is introduced in ArubaOS 6.3.1.7. If disabled, RADIUS accounting is done for an authenticated users irrespective of the captive-portal profile in the role of an authenticated user. If enabled, accounting is not done as long as the user's role has a captive portal profile on it. Accounting will start when Auth/XML-Add/CoA changes the role of an authenticated user to a role which doesn't have captive portal profile. This parameter is enabled by default.
As soon as the box was cleared accounting information came flooding in and I was pleasantly surprised to see how quick the interim updates were also processed, as some vendors' interpretations of the RADIUS accounting standards aren't quite so amiable from what I read during my research.
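As an added example (not code from the original post or from Aruba): a small Node.js decoder for the UDP payload of a captured Accounting-Request on port 1813. It reports whether Framed-IP-Address is present and whether the authenticator matches the shared secret, the two things the filter integration above depends on. The username, address and secret are constructed sample values.

```javascript
const crypto = require("crypto");

// RADIUS layout (RFC 2865/2866): code(1) id(1) length(2) authenticator(16),
// then attributes encoded as type(1) length(1) value(length - 2).
const ACCOUNTING_REQUEST = 4;
const STATUS = { 1: "Start", 2: "Stop", 3: "Interim-Update" };

// RFC 2866: Accounting-Request authenticator = MD5 over the packet with the
// authenticator field set to 16 zero octets, followed by the shared secret.
function authenticator(packet, secret) {
  const copy = Buffer.from(packet);
  copy.fill(0, 4, 20);
  return crypto.createHash("md5").update(copy).update(secret).digest();
}

// Returns the decoded fields; secretOk === false points at a secret mismatch.
function parseAccounting(buf, secret) {
  if (buf.length < 20) throw new Error("shorter than a RADIUS header");
  const length = buf.readUInt16BE(2);
  if (length < 20 || length > buf.length) throw new Error("bad length field");
  if (buf[0] !== ACCOUNTING_REQUEST) throw new Error("not an Accounting-Request");
  const pkt = buf.subarray(0, length);
  const sent = pkt.subarray(4, 20);
  const out = { userName: null, framedIp: null, status: null,
    secretOk: crypto.timingSafeEqual(sent, authenticator(pkt, secret)) };
  for (let off = 20; off < length; ) {
    const alen = off + 2 <= length ? pkt[off + 1] : 0;
    if (alen < 2 || off + alen > length) throw new Error("bad attribute length");
    const type = pkt[off];
    const val = pkt.subarray(off + 2, off + alen);
    if (type === 1) out.userName = val.toString("utf8"); // User-Name
    else if (type === 8 && alen === 6) out.framedIp = [...val].join("."); // Framed-IP-Address
    else if (type === 40 && alen === 6) out.status = STATUS[val.readUInt32BE(0)] || "Other";
    off += alen;
  }
  return out;
}

// Constructed sample: builds an Interim-Update the way a NAS would, so the
// parser can be exercised offline. Username, IP and secret are made up.
function samplePacket(secret, withIp) {
  const attr = (t, v) => Buffer.concat([Buffer.from([t, v.length + 2]), v]);
  const attrs = [attr(1, Buffer.from("jsmith")), attr(40, Buffer.from([0, 0, 0, 3]))];
  if (withIp) attrs.push(attr(8, Buffer.from([10, 20, 30, 40])));
  const pkt = Buffer.concat([Buffer.alloc(20), ...attrs]);
  pkt[0] = ACCOUNTING_REQUEST;
  pkt[1] = 7; // identifier
  pkt.writeUInt16BE(pkt.length, 2);
  authenticator(pkt, secret).copy(pkt, 4);
  return pkt;
}
```

A packet that decodes with `framedIp: null` explains a filter that receives accounting records but cannot tie a device to a user.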
Was certainly a voyage of discovery to get to the solution but we have gained a few new features along the way and I've also become well acquainted with the ArubaOS CLI for troubleshooting purposes, so the process has added some valuable knowledge too 🙂
Responsive captive portal login page for Aruba wireless
Note: for an updated version of the login page which works on all current OS with Wi-Fi assist please visit the link below:
https://gshaw0.wordpress.com/2017/09/03/responsive-captive-portal-for-aruba-wi-fi-updated-for-ios-cna/
During the course of the year we've ramped up the number of APs on our campus Wi-Fi network in order to increase take-up of BYOD and provide blanket coverage across all sites. We've been using the standard out-the-box Aruba login screen for authentication but have had feedback that it isn't the easiest thing to use on mobile devices (particularly phones).
Fuelled by a large coffee and an equally large chocolate dessert at lunch I decided to get creative and have a go at improving the login experience.
Aruba controller options
The default Aruba page is functional but is showing its age now; the controller allows you to change the background image and text but that's about it unless you go for something more custom, as confirmed on one of the posts in the Aruba forums
Ref: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Captive-Portal-not-resizing-to-fit-mible-device-screen/td-p/83968
In the controller options there's an option to upload a custom login page, along with supporting files (referred to as Content in the Aruba interface). However it's not easy to manage the additional files once they've been uploaded, which is a bit of a pain.
The Aruba manual linked below shows where to go in the web interface to customise the portal, just make sure you select the correct authentication profile for the SSID you want to edit!
Ref: http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/12922/2/customize-captive-portal.pdf
Responsive themes & styling
Fortunately one of the replies about using a custom page got me thinking and initially I looked to use the Verti template as suggested. Initial attempts to strip it down didn't quite look right so I had a search for something simpler. Before long I'd found exactly what I wanted with the Grayscale Bootstrap theme
The beauty of this theme is in the simplicity of it, everything on one page and just a couple of images to tweak (along with the usual colour changing in CSS). Adding the Aruba code for the login form was fairly trivial, along with some tweaks to the CSS to increase the height of the fields so they're easier to hit on a touch device.
For the background I used the very handy advanced search tools on Google Images to find a subtle background. A cropped version of this image from the Colorado Clouds blog did the trick nicely, along with the usual Photoshop layer-mask trick to fade out to a solid colour for the rest of the page.
very handy options in Google Image Search
To reduce the number of supporting files that need to be uploaded to the Aruba controller I tried to embed as much as possible into the login page HTML file. JavaScript and CSS were copied into the code rather than referenced as files and images were encoded into base64 strings, a trick I've used a few times in the past with HTAs.
My previous favourite base64 converter website seems to have been taken down so I'm now using http://www.base64-image.de instead.
Advisory text
A nice feature of the Grayscale template is the way the page is split into sections with shortcuts in the top menu bar. It made sense to put the AUP text in one of them rather than how it was displayed previously (in a slightly clumsy pop-up window).
To split the terms of use away from the intro text in the section I used a centered, 80% width div and styled <hr> tag which seem to work together pretty well on both desktop and mobile views.
Custom error handling
The Aruba manual lists a small JavaScript that's meant to handle any errors returned by the controller (e.g. failed login) and display it on the page. Unfortunately it didn't seem to work when inserted into the new template whichever way we tried. My colleague Arturas Taleikis noticed that the controller adds a variable to the end of the login page URL and suggested that we create our own error handler instead.
We used the script from http://stackoverflow.com/questions/814613/how-to-read-get-data-from-a-url-using-javascript to read the error being returned then a short if statement to write a message in our chosen location above the login form.
The advantage to reading the errors this way was that we're now able to customise and CSS style the message shown to the user. Contrary to the Aruba documentation I've seen 3 possible messages so far (Aruba only mention one); 2 of them dealing with failed login due to invalid credentials and one for authentication server timeout.
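One way to write such a handler, as an added example rather than the script from the original page: the URL value is treated as untrusted input, matched against an allow-list of known errors and written with textContent so nothing from the link is ever rendered as markup. The parameter name errmsg, the element id login-error and the error strings are assumptions made for illustration; check what your controller actually appends.

```javascript
// Assumption: the controller appends the error as a query parameter named
// "errmsg"; confirm against the URL your controller really produces.
const ERROR_PARAM = "errmsg";

// Constructed sample patterns, not Aruba's documented wording: two
// credential failures and one server timeout, as described in the post.
const CREDENTIALS = "Username or password incorrect, please try again.";
const KNOWN_ERRORS = [
  { match: /authentication failed/i, text: CREDENTIALS },
  { match: /invalid (user|credential)/i, text: CREDENTIALS },
  { match: /time(d)? ?out/i, text: "Login service is busy, please wait a moment and retry." },
];
const FALLBACK = "Login failed, please try again or contact IT support.";

// Returns the message to display, or null when the URL carries no error.
function loginErrorMessage(search) {
  const raw = new URLSearchParams(search).get(ERROR_PARAM);
  if (raw === null || raw.trim() === "") return null;
  // Anyone can craft a link with their own value here, so the raw string is
  // only matched against the allow-list and never echoed into the page.
  const hit = KNOWN_ERRORS.find((e) => e.match.test(raw));
  return hit ? hit.text : FALLBACK;
}

// Writes the message into a placeholder element above the login form.
function showLoginError(doc, search) {
  const msg = loginErrorMessage(search);
  const box = doc.getElementById("login-error"); // hypothetical element id
  if (!box || msg === null) return false;
  box.textContent = msg; // textContent: the browser parses no markup
  box.hidden = false;
  return true;
}

// Runs only in a browser; under Node the functions can be called directly.
if (typeof document !== "undefined") {
  showLoginError(document, window.location.search);
}
```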
Web server maximum concurrent clients
After enabling the new login page we noticed that the Aruba controller was struggling to load the page after users connected to the SSID. Rebooting the controller didn't help, although the first user to load the captive portal after the restart was able to log in at normal speed.
A bit of investigation revealed a setting on the controller that limits the maximum number of concurrent connections to the internal web server used to provide the captive portal and ours was set to the default of 25. It seems that this was sufficient for the standard login form but soon gets overwhelmed with a more complex page (total size of the page plus supporting files is still under 1MB though).
Ref: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Captive-Portal-slow-timeout/td-p/73934
Ref: http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/ControllerBasedWLANs/article-id/147
To change the setting follow the information in the links above, or to save you time here's the steps in abbreviated form 😉
- log into your Aruba controller's Instant CLI using PuTTY or similar SSH client
- enter the panel enable password and enter the commands that follow
- configure terminal
- web-server
- web-max-clients 100
The change applies immediately. Use the commands below to check that it's applied as expected and also keep an eye on your CPU and memory stats, as the more concurrent sessions you allow the more resource gets used on the controller.
Note the web-max-clients setting goes from 25-320 (may vary depending on your controller). In our case with ~500 active Wi-Fi users (last time we looked) a web-max-clients setting of 100 seems to be working well but this will likely vary dependent on your usage patterns.
- show web-server
- show cpuload
- show memory
Login page screenshots
The screenshots below show the login page on both phone and tablet \ desktop views, the bootstrap responsive element doing a great job as the page resizes 🙂
mobile phone view
desktop view (tablet is similar but uses the top menu from the phone style)
Source: https://gshaw0.wordpress.com/tag/captive-portal/
Posted by: batesmurets1992.blogspot.com