ACLs for Steller AP1221

Hello guys,

I am going to tell you about our problem. Our client has an OmniVista 2500 with 34 Stellar AP1221. I have configured two SSIDs, we have AP Groups, and I am seeing the APs in the dashboard. The client has a special requirement: for two SSIDs we need to join first with PSK, and then open the Captive Portal for browsing the Internet. However, if I don't log in to the captive portal I should be able to connect to internal servers only.

I have configured this on an Aruba WLC; however, this is my first time with Alcatel APs and I have tried but I can't find a solution. I created a policy that accepts the internal server, however it always opens the captive portal.

Any idea?

Hi, in the SSID configuration you can whitelist the internal server FQDN, as I did for www.openrainbow.com as attached.

IP addresses and http/https suffixes are not allowed


Hope it helps


OK. I understand your solution, however the client doesn't have FQDNs for the internal servers. I will try it but I don't know.

I don't understand why the ACL doesn't work. I attach the configured policy. In this case I try to deny access to that server. I'm not sure if I configured the ACL correctly; I tried many ways and it doesn't block, and it opens the captive portal for the internal server.

The flow of authentication should be:

  1. Authentication on the SSID with PSK
  2. If the PSK is correct, open the captive portal
  3. If I want to access the internal servers I don't need to log in to the captive portal, but if I access the Internet I need to log in to the captive portal with username and password.

ACLs will not work when the Captive portal is enabled, as built-in ACLs kick in which are not allowed to be modified.

Whitelist is the way to move forward. You can reach out to support to see if they can provide any other solution which can help.


OK. I understand. It will work if the internal servers have FQDNs. However, I also want to be able to access the network printer. In this case, is it really necessary to authenticate in the captive portal?

ACLs should work in the access role profile when you authenticate in the captive portal. I opened a case with support for this. Thanks

Normally the Captive portal is used for Guest Access. Without successful web authentication I do not see a need for a printer in any use case for Guest.

The reason for PSK before the captive portal is to avoid attacks like exhausting DHCP leases, etc.