Configuration of AP 561 for captive portal.

Similar Messages

• How can I change the re-direct URL on the WebKit for Captive Portals?

  Hi,
  I have a guest network at the office that is configured with a captive portal for authentication. My MBP detects that it is behind a Captive Portal when the HTTP WISPr request fails and launches the WebKit (ie. the CNA) as designed and displays the login page. When the login is successful, the Captive Portal displays a success and the WebKit then proceeds to re-direct the browser to http://www.apple.com
  Of late, Apple's homepage has become graphic rich and more often than not, loading the page without caching (since the webkit does not cache the webpage loaded) loading Apple's homepage on the guest network takes over 30-90 seconds depending on the traffic on the network. The OS does not allow me to use the network till the page on the webkit has successfully loaded and the "Done" button appears on the webkit and this often becomes irritating.
  Is there a method to change the redirect URL to something less resource hungry like http://www.google.com or a less graphic rich Apple page (like http://www.apple.com/library/test/success.html)?
  I understand that there is a method to disable Captive Portal Handling, ie.
  sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -boolean false
  However, I don't want to disable Captive Portal Handling in the OS as I don't believe Apps that require internet access will handle the lack of the internet well.
  Any hints would be appreciated.
  Cheers!

  Hey again,
  I did have a look at it and the Settings.plist file isn't very helpful for the issue I have.
  The file defines the probes and exceptions. So you have the default probe WISPr URL in there (http://www.apple.com/library/test/success.html) and the exceptions for specific SSIDs, as an example, attwifi is in the exception list and uses an alternate probe WISPr URL (http://attwifi.apple.com/library/test/success.html). The configuration does not have parameters that would be used by the CNA for the redirect to http://www.apple.com after a succesful Captive Portal login.
  Give it a shot on your laptop, get to a random public wifi like ATT Wifi/Starbucks/Guest Wifi's at office spaces/Boingo etc. and after the successful login, your CNA Webkit will re-direct to http://www.apple.com and the "Done" button won't appear till the page has completely loaded and stays as "Cancel" till the page is loaded.

• How to permit Google play store access for captive portal guest users?

  Introduction : There could be occasions when we need to permit Google play store access for guest users, A common example could be a hotel environment where unauthenticated users are allowed to access the hotel website and directed to Google play store to download their Apps.
  Environment : This article applies to all controller models and AOS versions 6.1.3.x and higher.
  Configuration Steps :
  The Google Play app store (play.google.com) is a cloud service, and the addresses it uses may change regularly. This presents a challenge to permit access to those ranges. The current solution is to permit these addresses that are known to be used by the Android Marketplace, as shown here:
  .ggpht.com
  android.clients.google.com
  play.google.com
  The configuration is about creating an alias with the above URL’s and a firewall policy where you can permit traffic to the alias.
  Step 1: Create an Alias
  (Aruba3200XM) #configure t
  (Aruba3200XM) (config) #netdestination Google-Play
  (Aruba3200XM) (config-dest) #name android.clients.google.com
  (Aruba3200XM) (config-dest) #name *.ggpht.com
  (Aruba3200XM) (config-dest) #name play.google.com  
   Step 2: Create the session-based access list.
  (Aruba3200XM) (config) #ip access-list session google-play
  (Aruba3200XM) (config-sess-google-play)#user alias Google-Play any permit
  Step 3: Assign the session-based access list to the guest captive portal pre-auth user role.
  (Aruba3200XM) (config) #user-role guest-logon
  (Aruba3200XM) (config-role) #session-acl google-play position 3
  Verification :
  (Aruba3200XM) #show netdestination
  Name: Google-Play
  Position  Type  IP addr   Mask-Len/Range
  1         name  0.0.0.1   android.clients.google.com
  2         name  0.0.0.2   *.ggpht.com
  3         name  0.0.0.3   play.google.com
  (Aruba3200) #show rights guest-logon
  Derived Role = 'guest-logon'
   Up BW:No Limit   Down BW:No Limit
   L2TP Pool = default-l2tp-pool
   PPTP Pool = default-pptp-pool
   Periodic reauthentication: Disabled
   ACL Number = 6/0
   Max Sessions = 65535
   Captive Portal profile = default
  access-list List
  Position  Name              Type     Location
  1         ra-guard          session
  2         logon-control     session
  3         google-play       session
  4         captiveportal     session
  5         v6-logon-control  session
  6         captiveportal6    session
  google-play
  Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
  1         user    Google-Play  any      permit                           Low                                                           4
  Troubleshooting :
  Make sure ip name-server, ip domain-name and ip domain lookup are configured on the controller.
  Also you must have a PEFNG license to configure or view a destination.

  Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris

• Captive Portal with two or more WAP321

  Hello,
  I plan to use the WAP321 as a WLAN Hotspot. But I need more than one AP. What is the Design for this?
  Do I need to configure every WAP321 with the captive portal and the user need to re-login every time they roam to another WAP321?
  Or can I redirect all WAP321 AP to one captive portal?
  Thank for your support.
  Christian

  Nicola,
  It may be too late, but with the new version1.0.2.3 software you can create a cluster of up to 8 WAP321's in order to share one configuration.  The feature is called Single Point.   Here is a paper on the feature
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12237/ps12249/brochure_c02-717568.pdf

• Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

  Requirement:
  How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
  What is Airwatch MDM?
  Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
  Solution:
  Why we need to allow access to Airwatch MDM?
  The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet. So that the network administrator could manage the guest devices through Airwatch Management tool. This can be achieved by CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
  Configuration:
  Below is the configuration
  Configuration steps:
  1. Create the following netdestinations
  netdestination Airwatch
    name *.awagent.com
    name *.awmdm.com
    name air-watch.com
  netdestination Google-Play
    name android.clients.google.com
    name .ggpht.com
    name gstatic.com
    name accounts.google.com
    name clients1.google.com
    name clients2.google.com
    name clients3.google.com
    name clients4.google.com
    name i.ytimg.com
    name google-analytics.com
    name .1e100.net
    name android.l.google.com
    name mtalk.google.com
    name clients.l.google.com
    name googleapis.com
    name gvt1.com
  netdestination BlackBerry
    name *.blackberry.com
  2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
  ip access-list session Airwatch_Access
    any   alias Airwatch svc-http  permit
    any   alias Airwatch svc-https  permit
  ip access-list session Google-Play-Store
                 any   alias Google-Play any permit
  ip access-list session BlackBerry-Access
                 any   alias BlackBerry any permit
  3. Now map the session ACLs to captive-portal pre-authentication Role as follows
  user-role Guest-Pre-Auth-Role
   access-list session Airwatch_Access
   access-list session Google-Play-Store
   access-list session BlackBerry-Access
   access-list session logon-control
   access-list session captiveportal
  4. Now whitelist the list of domain names in the Captive Portal profle
  aaa authentication captive-portal Airwatch-Captive-Portal-Profile
  white-list Airwatch
  white-list Google-Play                                                                                ------------>Netdestinations where you defined the Domains.
  white-list BlackBerry
  Verification
  Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go the Google Play-Store or BlackBerry Appworld to download the Airwatch MDM and register to Airwatch Management Server.

  Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris

• Auto pop-up for wispr in any captive portal won't work anymore

  Hi all,
  I really like the captive portal function. I am often at Starbucks, and I like the easy way to accept the user agreement.
  But, since some weeks, the auto pop-up to see the captive portal won't show ... neither Starbucks nor somewhere else!
  At Starbucks ....
  1. I tried to delete the btopenzone WiFi (the provider for Starbucks free WiFi) but nothing changed.
  2. I tried to set up another networking zone, won't help either.
  3. I searched the web, but all I could see is, that there is not really a way to disable it (but changing the website in plist somewhere).... 
  4. I  tried to find a way to just disable or enable it... but was not lucky
  Hope anyone can help me, cause I really like the feature.
  Thanks...
  Michael.

  Hi DelBaero,
  So, it sounds like push notifications are working intermittently. Take a look at the article linked below, not only does it give insight into how notifications work, it also provides some troubleshooting tips that should help.
  iOS: Understanding notifications
  http://support.apple.com/kb/ht3576
  Troubleshooting notifications
  Push notifications require an active Wi-Fi or cellular connection.
  Note: Notifications use Wi-Fi only when a cellular connection is unavailable. Firewalls and proxy servers may affect your ability to receive notifications. For more information, see Unable to use Apple Push Notification service (APNs).
  If you're not receiving notifications for a specific app, try these steps:
  Verify that the app supports notifications.
  After installing an app or restoring a backup to a different iOS device, open the app to begin receiving notifications. If the app requires entering or logging in to an account, you will need to do this before receiving notifications.
  Check Settings > Notification Center to ensure that the app is configured for notifications. If notifications do not appear in the Notification Center, verify that the Notification Center setting for the app is enabled.
  -Jason

• Want to delete all the mails in the mail box configured for BPM Portal

  Hi All,
  Do you have idea to perform this activity.
  I want to delete all the mails in the Dev mail box configured for BPM Portal.
  Server and mailbox details as given below :
  Mail a/c = Y00123
  Mail server = sap.mail.com
  Thanks, Sanjay

  http://java.sun.com/developer/onlineTraining/JavaMail/contents.html
  http://www.jguru.com/faq/view.jsp?EID=17035
  if you know the password of the account, i think you can also access the mail using mail client, like you use outlook to deal with your company mail daily.

• Configuration of ESS and MSS in Portal for HCM

  Hello Friend's,
          This is suresh calling for clarifications and doubts in HCM...   see i'm new to portal, but my requirement is to configure ESS and MSS for HCM... i dont know actually wat needs to be done and the way of approach... these are the doubts,
  1. Basic steps for Portal Configuration
  2.  I need some docs for configuring ESS and MSS...
  3.   a) After configuring ESS and MSS, wat needs to be done.. suppose my client is asking for Leave Request in ESS, whether    i  need to create that application in webdynpro java or webdynpro abap in backend and i've to call that application in portal throgh iview...
       b) or by doing the configuration of ESS, by default i will get all the aplications(e,g, Leave Request, Travel Managemetn ....) from that package and it will display in iview...
  I dont know basic steps .... plz help me ... Thanks i advance...........!

  Ok. Here are the answers:
  1. Basic steps for Portal Configuration
     > Download ESS/MSS Business Package, it has two parts Business Package for ERP 2005 (Contains iviews, Roles etc) and XSS 5.0 or 6.0 depending upon the version of the ECC.
    > Make sure that you have SAP_HR and EA_HR component installed on your ECC box.
    > Also make sure that there is no compatibility mismatch between version of SAP_HR, EA_HR and XSS.
    > Configure the JCo Destinations, create required system definition and establish SSO between ECC and Portal.
    > Assign the role to the users
  > After doing these steps you can see the SAP provided iviews etc working PROVIDED configuration on HR side are already done.  (This is just to get initial configuration work)
  2. I need some docs for configuring ESS and MSS...
  > Provided by Bala above
  3. a) After configuring ESS and MSS, wat needs to be done.. suppose my client is asking for Leave Request in ESS, whether i need to create that application in webdynpro java or webdynpro abap in backend and i've to call that application in portal throgh iview...
  > Look for that application in WebDynpro (identify the component from iView properties) and show it to the client.
  If they are Ok with the basic things then fine else they need to specify the kind of customisation they want in this component
  Options available if we need to modify the components
  >>Copy the component in your namespace and do the modification using NWDINWDS
  >>If some field need to be disabled, you can do the same using Self service administration.
  b) or by doing the configuration of ESS, by default i will get all the aplications(e,g, Leave Request, Travel Managemetn ....) from that package and it will display in iview...
  Hope this helps. ...

• LDAP configuration for HR Portal in dual stack EHP4 - Best Practice

  Hi Experts,
             Hello Experts,
  We are trying to use the JAVA Stack of ECC server for HR Portal i.e Dual Stack and have applied EHP4 package for ESS/MSS Appraisal. When we are trying to configure the LDAP ADS datasource through portal , we are not able to do it since ABAP datasorce file is available by default.This we are doing for HR(ESS/MSS) Portal.This is for access to the object data stored in the Active Directory.
  We have already checked note 718383.
  Also, for the scenatrio ,LDAP <-> ABAP <-> J2EE
  We have already checked sap help doc.here:
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/e6/0bfa3823e5d841e10000000a11402f/frameset.htm
  What should now be the best practice to follow for configuration ? Should we go for separate Portal server or is it possible to use Java Stack of ECC server for configuration ?
  Also, LDAP <-> ABAP <-> J2EE scenario please suggest if it a best practice and we can follow the same .What are the limitations , risks and issues ? Please suggest if this has been implemented and running well in any live project .
  Are the suggestions applicable for load balanced production servers as well?
  Thanks,
  Rakesh

  Hi,
  the UME datasource must remain ABAP but you can sync the users between ABAP and LDAP using the LDAP connector:
  http://help.sap.com/saphelp_nw70ehp2/helpdata/en/48/74040175bb501ae10000000a42189b/frameset.htm
  Regards,
  Jozsef

• Captive Portal for Guest wireless using a Cisco ASA 5510 or just 1231 Autonomous AP's

  Our environment consists of about 7 Cisco 1231 Access Points.  We have multiple SSID's including a Guest SSID for internet only access.  All Ap's are in autonomous mode.  We have a Cisco ASA5510 at the internet perimeter.  I would like to use what we have in house to setup a way in which all Guest Wirelsss users will be re-directed to a Captive Portal (Splash Page where there are given a custom warning page that instructs them about our Internet Accepted Usage Policy.  Can I do anything with the ASA to dish out a page like this.  I know that I can turn on an AAA rule on the ASA and force those users to have to authenticate when going to the internet but the Prompt page can't be customized too much.  I can add some text but it gets mixed in with all the other default text.
  I am not seeing a way to do URL redirection inside of the 1231 AP's themselves.  I know that a controller environment would help me out but looking to find a solution with what equipment the I already have in place.
  Any ideas??

  Hi,
  AFAIK.  using Autonomous.. there is no way we can do that..
  Regards
  Surendra

• Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

  Hi All,
  I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
  This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
  "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
  Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail.
  Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
  Any advice would be appreciated, just let me know what extra details to post if needed.
  Many thanks,
  Josh Campbell

  Hi Joshua,
  The below information could be located at
  www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
  False Captive Portal Detection
  AnyConnect can falsely assume it is in a captive portal in the following situations.
  •If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
  To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
  •If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
  If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic  to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely  blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
  There is also a bug filed for this. Just for your reference,
  CSCud17825 - Anyconnect captive portal
  Regards,
  Srikanth K S.

• WAP321 - Captive portal in 2 different VLAN

  Hi,
  I have a Wap321 installed in my network.  IP: 192.168.0.36 - VLAN 1
  If I'm in the local area network, I do not have any problem to use the wireless.
  I just added a guest VLAN for people who need Internet connection without LAN access. So I setup a second SSID and tag it with vlan 50. I can access to Internet.  But If I want active the captive portal, I'm unable to access to it because the adress is in the VLAN 1 (or 192.168.0.36).
  How I can setup my Wap321 to have the captive portal in the VLAN 50, not in the VLAN 1?
  Thank you               
  Alex

  Hello Alexandre,
  If you have a router upstream, please make sure that you have enabled inter-vlan routing in there. Also, on the WAP321, please configure the router's VLAN 1 IP address as the default gateway. With these settings, you should be able to use Captive Portal for both VLAN 1 and VLAN 50.
  Hope this helps.
  Regards,
  Nagaraja

• Setting UP Captive Portal ON 5508 WLC

  Dear All,
  I do know that captive portal could be setup on cisco 5508, such that internet users could login as follows:
  Username, password , login duration  etc.
  however i would like to know whether the above configuration would work with just 5508 and MS Active directory.or do we need any other device to achieve this.
  secondly can we upload a customised login web page from which users can login and gain access to the internet ?
  Jude.

  1. i would like to know whether the above configuration would work with just 5508 and MS Active directory
  Yes, you would need to configure an LDAP server on the WLC pointed to your MS AD, binding properly.  Then, make sure your L3 authentication priority is configured to query LDAP first.  This works pretty well in a L3 web-auth scenario, but is limited when using LOCAL EAP
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
  2. can we upload a customised login web page from which users can login and gain access to the internet ?
  Yes; start by downloading the webauth_bundle.zip for your respective release/platform. 
  http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1049404

• ISE Wired captive portal

  I've a new ISE Integration, I've implemented captive portal for wireless and wired guests, for Wireless all is working perfect
  For Wired I can see that ISE put the url captive on the interface of the switch but from the laptop of windows machine, I'm unable to see the link on browser, please advice

  In the same document you have
  Wired NAD Interaction for Central WebAuth
  If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
  The Central WebAuth triggered by a MAB failure flow follows these steps:
  1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
  2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
  3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
  4. The client machine connects and the NAD initiates a MAB request.
  5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
  The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
  https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
  6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
  7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
  8. The gateway URL value with action CWA redirects to the guest portal login page.
  9. The client enters the username and password and submits the login form.
  10. The guest action server authenticates the user credentials provided.
  11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
  12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
  Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
  13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
  14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and perform posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
  15. If the client machine is non-complaint, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
  16. Once the client machine is compliant, ensure you have an Authorization policy configured with conditions "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions), From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

• Captive Portal Help

  Hello All,
  working with the RV180W and a Ubuntu server I have established a FreeRADIUS server and have it setup for PEAP authentication based on a users file with NTLM encrypted passwords.  This is working pretty well, however I have one problem.  My certificates are self-signed and windows freaks out over it (all mobile OS's, OSX, and Linux work fine).  I'm trying to investigate other options and right now I'm curious, is there any way for the RV180W to use a captive portal setup that isn't the one built in? or is there any way to have the users be authenticated against the radius server I already have rather than setting them up on the router?  I'm open to other suggestions, but I'm trying to avoid paying for certs (I know they aren't incredibly expensive but this is mostly for home use/development/learning) so paying for certs aren't worth it and wanted to see if this was an option.  I will also accept the option of hosting a wireless network that is open but only goes to a page to download an XML & batch file which can be run to add the wireless network to the system (I have this working from USB atm, but trying to develop self-serve options)
  Thanks in advance... P.S. very happy with this router so far! its great!

  Hi Lucas,
  I was looking for a solution with my colleagues from the Support Center, but I am afraid the answer of what you ask is no - you can only use the internal database of the router, when using the Captive portal.
  Can you use a Captive portal that isnt' the build in? Theoretically yes, if the users in the LAN has as gateway a machine with a captive portal, which will make the radius authentication and only after that will forward the trafic to RV180 and inet.. Unfortunately I cant offer you a practical configuration on this.
  If meanwhile you find another solution, please chare it with us
  Regards,
  Kremena