8 Posts
0
53073
March 6th, 2012 07:00
Captive Portal and Vlans
Hi, I've been trying to figure this out for ages, and I fix one part then more problems are added.
I'm trying to create a guest network on the switch that is separated from the main network. I did this with VLANs and ACLs, no problem. The guests and the LAN were routed through the same internet connection. Vlan 10.
Then I added captive portal to the switch port... captive portal doesn't support VLANs. It works half the time. Redirects some but fails because of the VLAN most likely.
So I removed the guest VLAN and put captive portal on the switch port, no VLAN... can't get this to work at all.
What is the best way to do this, if there is any way to do it?


Raptorz2
8 Posts
1
March 14th, 2012 09:00
That is where newly authenticated clients are taken. Say you wanted to take all guests to your company's homepage. These clients are not being authenticated at all. Don't worry about it, I've given up and we will use a different switch for the guests.
DELL-Willy M
802 Posts
0
March 6th, 2012 09:00
Is the issue with using Captive Portal and Vlan? Or are you not able to get Captive Portal to work at all?
Have you looked through the User Guide for instructions on setting up Captive Portal? Can you provide what switch you are using for the setup? Here is a 62xx User Guide that has the setup information for Captive Portal starting on page 195.
support.dell.com/.../ucg_en.pdf
Are you setting up a Remote RADIUS server for authentication or just the internal switch?
Raptorz2
8 Posts
0
March 6th, 2012 10:00
The issue is using captive portal and VLANs. I set up captive portal and it is working; however, none of the clients get redirected, they can just access the internet no problem. However, I know it's working because when I navigate to the IP address of the switch on the VLAN I get the web portal. I'm using a PowerConnect 6248.
Raptorz2
8 Posts
0
March 6th, 2012 10:00
Also, it is set up for local authentication.
Raptorz2
8 Posts
0
March 6th, 2012 11:00
Yes, he was having the same problem I am having, because captive portal is supposed to redirect you to the IP address of the switch so that you can authenticate. However, if you are using VLANs then the switch has no IP address, or if it does then it cannot be accessed by the users because it is not in a VLAN. I'm more looking for a way to use captive portal without VLANs than expecting this to work now. The problem I have is that my internet connection is in a VLAN because it is used by the LAN clients.
DELL-Willy M
802 Posts
0
March 6th, 2012 11:00
In order to communicate between the different VLANs you will need to enable routing on the switch, changing the functional level of the switch from Layer 2 to Layer 3. Here is another post that you might find helpful.
http://en.community.dell.com/support-forums/network-switches/f/866/t/19439444.aspx
VLAN-based Routing
VLAN Routing - If routing is to be enabled for the VLAN, IP addresses are assigned to VLAN interfaces. VLAN routing interfaces are used to populate the routing table (at least one interface has to be up and active). This IP address usually serves as the hosts’ default gateway and all ports in the VLAN use the VLAN routing interface to “get out”. Also, the MAC Destination Address of an inbound unicast packet is that of the internal bridge-router interface.
Sample config:
console(config)# ip routing
console(config)# interface vlan 100
console(config-if-vlan100)# ip address 172.16.100.1 /24
console(config-if-vlan100)# routing
console(config-if-vlan100)# exit
console# show ip interface
Management Interface:
IP Address..................................... 192.168.2.1
Subnet Mask.................................... 255.255.255.0
Default Gateway................................ 0.0.0.0
Burned In MAC Address.......................... 00FC.E390.0000
Network Configuration Protocol Current......... None
Management VLAN ID............................. 1
Routing Interfaces:
                                           Netdir   Multi
Interface  IP Address      IP Mask         Bcast    CastFwd
---------- --------------- --------------- -------- --------
vlan 100   172.16.100.1    255.255.255.0   Disable  Disable
DELL-Willy M
802 Posts
1
March 6th, 2012 11:00
I pulled up this Post from last year on the same subject. He is saying that Captive Portal is using the subnet of the switch and is not able to customize the IP. Is this the same behavior that you are seeing on your switch?
I do not see any documentation on how or if that is possible. I will reach out and see what further information I can find.
en.community.dell.com/.../19965012.aspx
Raptorz2
8 Posts
0
March 6th, 2012 12:00
Yes, I know. I set those up and the VLANs work correctly. It's captive portal that fails to redirect the HTTP traffic to the VLAN IP where the client is connected.
Raptorz2
8 Posts
0
March 6th, 2012 12:00
!Current Configuration:
!System Description "PowerConnect 6248, 3.3.2.3, VxWorks 6.5"
!System Software Version 3.3.2.3
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 10,20,30,40,100,200
vlan routing 10 1
vlan routing 20 2
vlan routing 30 3
vlan routing 40 4
vlan routing 100 5
vlan routing 200 6
exit
ip telnet server disable
hostname "demoname"
stack
member 1 2
member 2 2
member 3 2
exit
ip address none
ip domain-name demoname
ip name-server 192.168.100.2
access-list Guest permit tcp 192.168.30.0 0.0.0.255 eq 67 192.168.100.2 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list Guest permit ip any any
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list Servers deny ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list Servers permit ip any any
access-list InternalAccessPoints permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list InternalAccessPoints permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list InternalAccessPoints permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list InternalAccessPoints permit ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list InternalAccessPoints permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list InternalAccessPoints deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list InternalAccessPoints permit ip any any
access-list Miscellaneous permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list Miscellaneous permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list Miscellaneous permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list Miscellaneous permit ip 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list Miscellaneous permit ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list Miscellaneous deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list Miscellaneous permit ip any any
access-list Clients permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list Clients permit ip 192.168.200.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list Clients permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list Clients permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list Clients permit ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list Clients deny ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list Clients permit ip any any
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip helper-address 192.168.100.2 dhcp
interface vlan 10
name "InternetGateway"
routing
ip address 192.168.10.1 255.255.255.0
exit
interface vlan 20
name "AccessPointsInternal"
routing
ip address 192.168.20.1 255.255.255.0
ip access-group InternalAccessPoints in 1
exit
interface vlan 30
name "GuestNetwork"
routing
ip address 192.168.30.1 255.255.255.0
ip access-group Guest in 1
exit
interface vlan 40
name "Miscellaneous"
routing
ip address 192.168.40.1 255.255.255.0
ip access-group Miscellaneous in 1
exit
interface vlan 100
name "Servers"
routing
ip address 192.168.100.1 255.255.255.0
ip access-group Servers in 1
exit
interface vlan 200
name "Client"
routing
ip address 192.168.200.1 255.255.255.0
ip access-group Clients in 1
exit
username "demoname" password demopassword level 15 encrypted
ip ssh server
captive-portal
enable
configuration 1
verification local
session-timeout 28800
interface 1/g6
separator-color "#CC0000"
background-color "#FFFFFF"
foreground-color "#FFFFFF"
exit
user 1 name "Guest"
user 1 password encrypted 0a51d780be1a0240b8cc7c69fe0479dbf07644e1094b25fb43ebe2fa72f649e42ad9711bf5c33f9a7eb88efd8b9945347b264e0c52b3a47db05f886caae9f42b
user 1 group 1
exit
dhcp l2relay
dhcp l2relay vlan 20,30,40,100,200
!
interface ethernet 1/g1
description 'InternetGateway'
spanning-tree portfast
switchport access vlan 10
exit
!
interface ethernet 1/g2
description 'InternetGateway'
spanning-tree portfast
switchport access vlan 10
exit
!
interface ethernet 1/g3
description 'AccessPointsInternal'
spanning-tree portfast
switchport access vlan 20
exit
!
interface ethernet 1/g4
description 'AccessPointsInternal'
spanning-tree portfast
switchport access vlan 20
exit
!
interface ethernet 1/g5
description 'GuestNetwork'
spanning-tree portfast
switchport access vlan 30
exit
!
interface ethernet 1/g6
description 'GuestNetwork'
spanning-tree portfast
switchport access vlan 30
exit
!
interface ethernet 1/g7
description 'Miscellaneous'
spanning-tree portfast
switchport access vlan 40
exit
!
interface ethernet 1/g8
description 'Miscellaneous'
spanning-tree portfast
switchport access vlan 40
exit
!
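An added example, not part of the original post or of Dell's tooling: a small first-match evaluator run over `ip` rules copied from the Guest and Servers access lists in the configuration above, which also lists rules that an earlier rule already covers. The function names, the choice of lines, and the implicit deny at the end of each list are assumptions of this example.

```python
import ipaddress

# Copied from the posted config: Guest ip rules (its tcp/port rule is left out) and three Servers rules.
CONFIG = """\
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list Guest deny ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list Guest permit ip any any
access-list Servers permit ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list Servers deny ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list Servers permit ip any any
"""

def _net(tokens):
    """Pop one 'any' or 'addr wildcard' operand from the front of tokens."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = tokens.pop(0), tokens.pop(0)
    # ipaddress accepts a contiguous wildcard (host) mask after the slash
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'ip' rules."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[3:4] == ["ip"]:
            ops = t[4:]
            src = _net(ops)
            dst = _net(ops)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def verdict(rules, src, dst):
    """First matching rule wins; no match falls to an implicit deny (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in rules:
        if s in sn and d in dn:
            return action
    return "deny"

def shadowed(rules):
    """Indices of rules that an earlier rule fully covers, so they never match."""
    return [j for j, (_, sj, dj) in enumerate(rules)
            if any(sj.subnet_of(si) and dj.subnet_of(di) for _, si, di in rules[:j])]

ACLS = parse(CONFIG)
```

On these lines the Guest list denies 192.168.30.x to the internal subnets and permits everything else, while the Servers `deny` toward 192.168.30.0 sits behind an identical `permit` and is never reached. A single-host wildcard of 0.0.0.0 would need special handling, since `ipaddress` reads it as a /0 netmask.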
DELL-Willy M
802 Posts
1
March 6th, 2012 18:00
Are you having the same response with the access lists removed from the switch? You may not be able to test the config that way. Is it the ACL that is blocking, or is it an issue with captive portal and the VLAN?
Raptorz2
8 Posts
0
March 7th, 2012 04:00
Captive portal and VLAN. It works the same with or without the ACLs.
DELL-Willy M
802 Posts
0
March 13th, 2012 10:00
Spent some time researching. Couple things we need to address for solution.
1. Want to make you aware that only 1/g6 of the 2 interfaces on the guestnetwork Vlan 30 are configured for captive portal. If this is intended that is fine. Just wanting to make sure we are not testing on interface 1/g5 and expecting it to respond.
2. We need to get the redirect enabled for Captive Configuration 1.
captive-portal
enable
configuration 1
redirect
redirect-url xxxxxxxx
interface xxx
Or
The CP Configuration page contains the following fields:
• Configuration Name — If multiple CP configurations exist on the system, select the CP configuration to view or configure. Use the Add button to add a new CP configuration to the switch.
• Captive Portal — Use this field to enable or disable the selected CP configuration.
• Protocol Mode — Choose whether to use HTTP or HTTPS as the protocol for the portal to use during the verification process.
– HTTP — Does not use encryption during verification.
– HTTPS — Uses the Secure Sockets Layer (SSL), which requires a certificate to provide encryption. The certificate is presented to the user at connection time.
• Verification Mode — Select the mode for the CP to use to verify clients:
– Guest — The user does not need to be authenticated by a database.
– Local — The switch uses a local database to authenticate users.
– RADIUS — The switch uses a database on a remote RADIUS server to authenticate users.
NOTE: To configure authorized users on the local or remote RADIUS database, see "Local User" on page 203.
• Enable Redirect Mode — Select this option to specify that the CP should redirect the newly authenticated client to the configured URL. If this option is clear, the user sees the welcome page after a successful verification.
• Redirect URL — Specify the URL to which the newly authenticated client is redirected if the URL Redirect Mode is enabled.
Once you have made the changes please run the commands below and post them for proper verification.
show captive-portal
show captive-portal configuration (client/status/ for config id>
show captive-portal status
show captive-portal user
Thanks,
Let us know how this responds