ACLs for Steller AP1221

Topic

Hello guys,

I am going to tell about our problem. Our client have a Omnivista 2500 with 34 Stellar AP1221. I have configured two SSID, we have AP Groups, and I am seeing the AP in the dashboard. The client have a special requierments, for two SSID we need to join firts with PSK, and then open Captive Portal for browing Internet. However, If I dont login in the captive portal I should can to connect to internal server only.

I have configured it in WLC Aruba, however this is my firts time with AP Alcatel and I have tried but I cant solutions. I create a policy where accept to internal server however always open captive portal.

Any idea ?

Date
10.06.2020
answers
2
views
0
Author
Asked by security-col

Answers

ACL will not work when Captive portal is enabled as built-in ACLs kick in which are not allowed to modify.

Whitelist is the way to move forward. You can reach out to support to see if they can provide any other solution which can help.

 

Date
10.06.2020
Author
Asked by thanjavuru
Add Comment
Vote
Comments
OK. I understand. It will work if the internal servers hace FQDN. However I want too can to access in the network printer. In this case is neccesarry authenticate in the captive portal really? ACL should be work in the access role profile when you authenticate in the captive portal. I open a case with support for this case. Thanks
Normally Captive portal is used for Guest Access. without successful web authentication i do not see a need for printer in any use case for Guest. Why PSK before captive portal is to avoid attacks like exhausting DHCP leases etc.

Hi In SSID configuration , You can whitelist the Internal server FQDN as i did it for www.openrainbow.com as attached.

IP addresses and http/https suffixes are not allowed

 

 

Hope it helps

Date
10.06.2020
Author
Asked by thanjavuru
Add Comment
Vote
Comments
OK. I understand your solution however the client dont have FQDN for internal servers. I will try it but i dont know. I dont understand why ACL dont work? I attach the policy configurate. In this case I try to denegate access to that server. I dont sure if I good configure the ACL, I try of many ways and it dont block and it open captive portal for internal server. The flow of authentication should be: 1. Authentication in SSID with PSK 2. If PSK is correct open captive portal 3. If I want to access to internal servers I dont need to login in the captive portal, but if I access to Internet I need to login in the captive portal with username and password.