
Re: MSM760 Staff HTML web page AD authentication on iPad

 
michelle79
Advisor

MSM760 Staff HTML web page AD authentication on iPad

Hi all, we have an MSM760 running software version 5.5.2.1-01-10012 and I am trying to get HTML authentication to work so that staff log in to the network via a webpage that would automatically pop up when they connect to the VSC.

 

I have ticked the HTML based user logins option, both local (for testing) and remote AD, but not getting a login page when I connect to the VSC from my iPad. It just lets me in without authenticating! Is there a trick to this? I am a bit confused about using the LAN port for HTML authentication as most of the doco I've read discusses the internet port and guest access but I only want to use this VSC for private staff access so the guest setup seems irrelevant.

 

On another note, I'm setting this VSC up primarily so that staff can self-serve and enroll their mobile devices on our new AirWatch server. I figure if the connection details are handed to them on a platter then the support they require from us is reduced. If anyone has any better suggestions or has ideas on how to fix this then please let me know. I would be most appreciative.

 

Cheers,

 

Michelle

 

 

11 REPLIES 11
Fredrik Lönnman
Honored Contributor

Re: MSM760 Staff HTML web page AD authentication on iPad

Is the VSC configured with Use Controller for: Authentication and Access control?

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

yuuls_01
New Member

Re: MSM760 Staff HTML web page AD authentication on iPad

Hi all,

I have the same problem when the VSC authenticates via the web portal on the LAN. I enabled the two options but it is still giving me an error.

Please, can you guide me?

michelle79
Advisor

Re: MSM760 Staff HTML web page AD authentication on iPad

I wish it were that easy Fredrik. Both those options have to be ticked in order for the HTML authentication options to be visible, so yes, the VSC does have them enabled. I have attached a screen dump of all the settings just to make sure my settings are ok.

 

Any other ideas? Is it supposed to be easy to configure? Some docs seem convoluted but others seem very straightforward. I wish I could see where I was going wrong... very frustrating!

Fredrik Lönnman
Honored Contributor

Re: MSM760 Staff HTML web page AD authentication on iPad

So the VSC settings look about right, although I don't see any DHCP server settings on the bottom of the page. How are you getting an IP address in the VSC? It's not that well documented, but for the HTML auth page to work the controller has to be both DNS and default GW and route all the traffic.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

fernando_
Occasional Visitor

Re: MSM760 Staff HTML web page AD authentication on iPad

Hi Fredrik,

 

I have the same problem as michelle79.

The configuration of the VSC is the same.

I should mention that the DNS and default GW are obtained from the network that is designed for guests who share the network DHCP.

The guest VLAN is different from the VLAN where the MSM760 is connected.

I hope you can help me because I have spent several days on this and the manuals are not very clear.

michelle79
Advisor

Re: MSM760 Staff HTML web page AD authentication on iPad

Hmmmm ok... So the DNS and GW settings would be applied to all VSCs configured? Not really ideal. But perhaps I can just mimic our corporate settings... Unless you have a better way to achieve the wifi hotspot scenario I need? I preferred to use HTML authentication because users are forced to change passwords regularly and the current wifi uses 802.1x which stops working on most smartphones after their password changes.

 

Thanks for all your input Fredrik! Much appreciated.

 

Michelle

Fredrik Lönnman
Honored Contributor

Re: MSM760 Staff HTML web page AD authentication on iPad

Hi,

 

For the captive portal redirection to work the controller HAS to function as the DNS server for the clients. Common for all my installations is that the controller is configured as DHCP server, DNS and default gw for the guest VSCs. All guests get tunneled to the controller, the controller is their default gw, and they follow the controller's internal routing via its default gateway, which points out the Internet port.


Depending how your infrastructure looks 'beyond' the Internet port you could fix the return traffic with either a static route or NAT on the Internet port. The main thing is that the controller has to handle the routing for the whole guest net.

 

Example:

Guest VSC configured as DHCP server in network 10.10.10.0/24, default gw and DNS 10.10.10.1 (the controller will bind whatever IP you configure as the defGW and DNS in the VSC DHCP configurations <- this is not really obvious in the docs). The Internet port is connected via a VLAN directly to a firewall for guest access, the transport IP subnet is say 192.168.1.0/24, the firewall has .1 and the controller has .2. Default GW in the controller should be set to 192.168.1.1 and the firewall should have a static route pointing out that 10.10.10.0/24 resides at 192.168.1.2 (for the return traffic TO the guest).

 

Since the controller is acting more like a DNS proxy, it has to have valid DNS settings internally to be able to serve it to the guests also.

 

Makes sense? :)

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S
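
The addressing layout from the example in the post above, written as an offline check (an added example, not part of the original post and not HP tooling). It compares a client's DHCP lease and the routing plan against the 10.10.10.0/24 and 192.168.1.0/24 values given in the post; the dict keys, finding codes and the sample client addresses are assumptions constructed for this illustration.

```python
import ipaddress as ipa

# Values taken from the example in the post above.
PLAN = {
    "guest_net": "10.10.10.0/24",           # VSC DHCP scope
    "controller_guest_ip": "10.10.10.1",    # bound as default GW and DNS for the VSC
    "transport_net": "192.168.1.0/24",      # Internet port <-> firewall
    "controller_transport_ip": "192.168.1.2",
    "controller_default_gw": "192.168.1.1",  # the firewall
    "firewall_routes": {"10.10.10.0/24": "192.168.1.2"},  # prefix -> next hop
}

# Constructed client leases (hypothetical addresses).
GOOD_LEASE = {"ip": "10.10.10.57", "gateway": "10.10.10.1", "dns": ["10.10.10.1"]}
# Lease handed out by a separate network DHCP server, so the client never
# sends DNS or routed traffic through the controller.
BAD_LEASE = {"ip": "172.16.20.40", "gateway": "172.16.20.1", "dns": ["172.16.20.1"]}


def check_portal_plan(plan, lease):
    """Return finding codes; an empty list means the lease and plan match the layout."""
    guest = ipa.ip_network(plan["guest_net"])
    transport = ipa.ip_network(plan["transport_net"])
    ctrl_guest = ipa.ip_address(plan["controller_guest_ip"])
    ctrl_transport = ipa.ip_address(plan["controller_transport_ip"])
    findings = []
    if ctrl_guest not in guest:
        findings.append("controller-not-in-guest-net")
    if ipa.ip_address(lease["ip"]) not in guest:
        findings.append("client-outside-guest-net")
    # If the client routes or resolves names elsewhere, the controller never
    # sees the traffic it would redirect to the login page.
    if ipa.ip_address(lease["gateway"]) != ctrl_guest:
        findings.append("gateway-not-controller")
    if [ipa.ip_address(d) for d in lease["dns"]] != [ctrl_guest]:
        findings.append("dns-not-controller")
    gw = ipa.ip_address(plan["controller_default_gw"])
    if gw not in transport or gw == ctrl_transport:
        findings.append("controller-default-gw-invalid")
    # Return traffic: the firewall needs a route covering the guest net via the controller.
    has_return = any(
        guest.subnet_of(ipa.ip_network(prefix)) and ipa.ip_address(hop) == ctrl_transport
        for prefix, hop in plan["firewall_routes"].items()
    )
    if not has_return:
        findings.append("no-return-route")
    return findings
```
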

tschaps
Valued Contributor

Re: MSM760 Staff HTML web page AD authentication on iPad

"The DHCP server feature is not supported when controller teaming is active."

 

You don't run into that problem, or you ignore the message? Or you never have any teamed installations, perhaps? I'd like to use the built-in DHCP server for the guest network, but that help notice says otherwise.

 

*grumble*

Fredrik Lönnman
Honored Contributor

Re: MSM760 Staff HTML web page AD authentication on iPad


@tschaps wrote:

"The DHCP server feature is not supported when controller teaming is active."

 

You don't run into that problem, or you ignore the message? Or you never have any teamed installations, perhaps? I'd like to use the built-in DHCP server for the guest network, but that help notice says otherwise.

 

*grumble*


 

Yeah right, forgot about that one. When using teaming you have to use an external DHCP server and the built-in DHCP relay function, but you still have to use the controller as defgw, DNS etc.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S