Chapter 2: Captive Portal Authentication

Captive portals are the simplest form of authentication for users. This section introduces the concepts behind the authentication and compares and contrasts Amigopod with the ArubaOS portal.
Captive Portal Overview
Captive portal allows a wireless client to authenticate using a web-based portal page. Captive portals are typically used in wireless hotspots or for hotel in-room Internet access. After a user associates to the wireless network, their device is assigned an IP address. The user must start a web browser and pass an authentication check before access to the network is granted. An example page is shown in Figure 1.
Figure 1 Amigopod captive portal page
Captive portal authentication is the simplest form of authentication to use, and it requires no software installation or configuration on the client. The guest SSID is typically open and does not use any form of encryption. The portal usually asks for limited information, such as a username and password, and that credential exchange is protected using standard SSL encryption.
However, portal authentication does not provide any form of encryption beyond the authentication process. To ensure privacy of client data, some form of link-layer encryption (such as WPA-PSK or WPA2-PSK) or higher-level VPN (such as IPsec or SSL) should be used when sensitive data will be sent over the wireless network.
ArubaOS or Amigopod for Visitor Management
ArubaOS supports two methods of guest access: using just the mobility controller or using the mobility controller plus Amigopod. ArubaOS supports basic guest management and captive portal functionality, with guest access limited to a single master-local cluster. Aruba Amigopod extends the standard ArubaOS captive portal functionality by providing many advanced features, including:
Although ArubaOS supports internal and external captive portal functionality, this guide focuses on external captive portal functionality. The internal captive portal dictates the use of the internal login page on the controller itself. The login page is very basic and does not allow for the extensive customization that is possible with the Amigopod Web Logins feature.
Amigopod provides the Skin plugin technology where the presentation of the UI is separated from the mechanics of the underlying application. This separation allows Aruba to supply end users with a branded skin for all Amigopod interaction (both visitor and administrators) for a nominal fee at the time of purchase. Users can also customize the skin themselves with the requisite skills. ArubaOS now allows for fully customized captive portal pages to be uploaded to the controller. However, this process requires a significant amount of web design and JavaScript experience to produce a professional result.
The integration of Amigopod with the mobility controller also leverages the ability of ArubaOS to define and reference external RADIUS servers for the authentication and accounting of visitor accounts. In the standalone Aruba guest-provisioning solution, the local database in each controller stores user credentials, which limits the solution to the scope of the local deployment. With the introduction of Amigopod, all visitor accounts are created, authenticated, and accounted for on the Amigopod internal RADIUS server.
Captive Portal Authentication Workflow
Figure 2 shows the phases that a guest user passes through during captive portal authentication. In the Aruba system, the mobility controller acts as the network access server (NAS) and Amigopod acts as the RADIUS server.
Figure 2 Workflow for captive portal authentication
1.
2. The guest user opens a browser. Based on the configured home page or requested web page, the initial HTTP traffic is intercepted by the Aruba controller and redirected to the Amigopod web login page defined in the captive portal profile.
3. The guest user enters their user credentials on the Amigopod web login page. Amigopod performs any preauthorization checks that are required and displays the login message to the guest user.
4. The login message instructs the guest user's browser to submit the user credentials directly to the Aruba controller as an HTTPS POST for authentication processing.
5. When the Aruba controller receives the user credentials, it creates a corresponding RADIUS session and sends an Access-Request message to the defined Amigopod RADIUS server.
6. Amigopod processes the Access-Request message by referring to its local database and, optionally, any configured proxy authentication servers. Any defined authorization rules are processed at this point.
7. Based on the results of the authentication and authorization processing, Amigopod responds with either an Access-Accept or an Access-Reject message. If the authentication is successful, the Access-Accept message contains one or more RADIUS attributes that define the context of the guest user session. These attributes can include, but are not limited to, the session duration of the guest login and the Aruba controller user role that defines the PEF policies and bandwidth contracts applied to the session. When the Aruba controller receives the Access-Accept message, it changes the role of the guest user session and the device is permitted access to the network.
8. If RADIUS accounting has been configured correctly on the Aruba controller, an Accounting-Start packet is sent to Amigopod, which marks the beginning of the session statistics for the guest user.
9. Based on the default interval of 600 seconds, the Aruba controller provides updates to these session statistics by sending Interim Accounting update messages to Amigopod.
10. Based on the Session-Timeout received in the original Access-Accept packet from Amigopod, the Aruba controller counts down the remaining time that is valid for the current guest user session. When the time has expired, the controller terminates the session.
11. When the session ends (Session-Timeout, Idle-Timeout, User Logout, Admin Disconnect), the controller sends a RADIUS Accounting-Stop message to close the session within the Amigopod accounting database. This stop message includes the final update of the session statistics.
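As an added illustration of steps 7 and 10 (not code from the guide or from Aruba), the following builds and parses the Access-Accept attributes that define the guest session context: the standard Session-Timeout attribute and the controller user role carried as a Vendor-Specific Attribute. Aruba's IANA enterprise number (14823) and the Aruba-User-Role sub-type (1) are assumed from the public Aruba RADIUS dictionary, and the role name "guest" is a constructed sample value.

```python
import struct
# RFC 2865 attribute types; the Aruba VSA codes are assumed from the public Aruba dictionary
SESSION_TIMEOUT = 27
VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823  # Aruba's IANA enterprise number (assumed, not on the page)
ARUBA_USER_ROLE = 1      # Aruba-User-Role sub-attribute (assumed, not on the page)

def encode_attr(attr_type, value):
    """One RADIUS attribute in Type-Length-Value form; length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Wrap a vendor sub-attribute inside a Vendor-Specific (26) attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def build_access_accept_attrs(session_timeout, role):
    """Attributes the RADIUS server puts in Access-Accept to define the guest session."""
    return (encode_attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
            + encode_vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode()))

def parse_attrs(data):
    """Walk the attribute list; a VSA is returned as (26, vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")  # reject zero-length/truncated TLVs
        value = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = struct.unpack("!BB", value[4:6])
            out.append((t, vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append((t, value))
        i += length
    return out

def session_context(attrs):
    """What the NAS (the controller) applies from Access-Accept: user role and Session-Timeout."""
    ctx = {"role": None, "session_timeout": None}
    for a in parse_attrs(attrs):
        if a[0] == SESSION_TIMEOUT:
            ctx["session_timeout"] = struct.unpack("!I", a[1])[0]
        elif a[0] == VENDOR_SPECIFIC and a[1:3] == (ARUBA_VENDOR_ID, ARUBA_USER_ROLE):
            ctx["role"] = a[3].decode()
    return ctx
```

The parser rejects malformed attribute lengths rather than silently skipping them, which is the check a NAS needs before it trusts an attribute list to change a session's role.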