Chapter 12
Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires action on the part of the user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
You can also configure captive portal to allow clients to download the Aruba VPN dialer for Microsoft VPN clients if the VPN is to be terminated on the Aruba controller. For more information about the VPN dialer, see Chapter 14, “Virtual Private Networks”.
This chapter describes the following topics:
You can configure captive portal for guest users, where no authentication is required, or for registered users who must be authenticated against an external server or the controller’s internal database.
|
While you can use captive portal to authenticate users, it does not provide for encryption of user data and should not be used in networks where data security is required. Captive portal is most often used for guest access, access to open systems (such as public hot spots), or as a way to connect to a VPN. |
You can use captive portal for guest and registered users at the same time. The default captive portal web page provided with ArubaOS displays login prompts for both registered users and guests. (You can customize the default captive portal page, as described in “Personalizing the Captive Portal Page”.)
You can also load up to 16 different customized login pages into the controller. The login page displayed is based on the SSID to which the client associates.
Policy Enforcement Firewall Next Generation (PEFNG) License
You can use captive portal with or without the PEFNG license installed in the controller. The PEFNG license provides identity-based security to wired and wireless clients through user roles and firewall rules. You must purchase and install the PEFNG license on the controller to use identity-based security features.
There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Later sections in this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed.
The Aruba controller is designed to provide secure services through the use of digital certificates. A server certificate installed in the controller verifies the authenticity of the controller for captive portal.
Aruba controllers ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the controller, this demonstration certificate is used by default for all secure HTTP connections such as captive portal. This certificate is included primarily for the purposes of feature demonstration and convenience and is not intended for long-term use in production networks. Users in a production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the controller to submit to a CA. For information on how to generate a CSR and how to import the CA-signed certificate into the controller, see “Managing Certificates” in Chapter 29, “Management Access”.
Once you have imported a server certificate into the controller, you can select the certificate to be used with captive portal as described in the following sections.
To select a certificate for captive portal using the WebUI:
1. Navigate to the Configuration > Management > General page.
2. Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list.
3. Click Apply.
To select a certificate for captive portal using the command-line interface, access the CLI in config mode and issue the following commands:
web-server
captive-portal-cert <certificate>
To specify a different server certificate for captive portal with the CLI, use the no command to revert back to the default certificate before you specify the new certificate:
web-server
captive-portal-cert ServerCert1
no captive-portal-cert
captive-portal-cert ServerCert2
Captive Portal in the Base ArubaOS
The base operating system (ArubaOS without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources.
When you create a captive portal profile in the base operating system, an implicit user role is automatically created with same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.
What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks.
Create the Server Group name. In this example, the server group name is “cp-srv”.
Create SSID Profile. In this example, the profile name is “ssid_c-portal”.
Create a Virtual AP Profile. In this example, the profile name is “vp_c-portal”.
The following sections present the procedure for configuring the captive portal authentication profile, the AAA profile, and the virtual AP profile using the WebUI or the command line (CLI). Configuring the VLAN and authentication servers and server groups are described elsewhere in this document.
|
In ArubaOS 2.5.2 and later 2.5.x releases, captive portal users in the base operating system are placed into the predefined cpbase initial user role before authentication. The cpbase role is not supported in ArubaOS 3.x. You need to create new captive portal profiles in the base operating system, as described in this section, which automatically generates the required policies and roles. |
Configuring Captive Portal via the WebUI
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. Select Captive Portal Authentication Profile.
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-portal), then click Add.
b. Select the captive portal authentication profile you just created.
c. You can enable user login and/or guest login, and configure other captive portal profile parameters as described in Table 61.
d. Click Apply.
2. To specify authentication servers, select Server Group under the captive portal authentication profile you just configured.
a. Select the server group (for example, cp-srv) from the drop-down menu.
b. Click Apply.
3. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example, aaa_c-portal), then click Add.
b. Select the AAA profile you just created.
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously.
|
The Initial Role must be exactly the same as the name of the captive portal authentication profile you created. |
d. Click Apply.
4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
5. Under Profiles, select Wireless LAN, then select Virtual AP.
6. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, vp_c-portal), then click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously created from the AAA Profile drop-down menu. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.
c. Enter the name for the SSID profile (for example, ssid_c-portal).
d. Enter the Network Name for the SSID (for example, c-portal-ap).
e. Click Apply in the pop-up window.
f. At the bottom of the Profile Details page, click Apply.
7. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select the VLAN to which users are assigned (for example, 20).
c. Click Apply.
Configuring Captive Portal via the CLI
To configure captive portal in the base operating system via the command-line interface, access the CLI in config mode and issue the following commands:
aaa authentication captive-portal c-portal
server-group cp-srv
aaa profile aaa_c-portal
initial-role c-portal
wlan ssid-profile ssid_c-portal
essid c-portal-ap
wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal
vlan 20
Captive Portal with the PEFNG License
The PEFNG license provides identity-based security for wired and wireless users. There are two user roles that are important for captive portal:
Default user role, which you specify in the captive portal authentication profile, is the role granted to clients upon captive portal authentication. This can be the predefined guest system role.
Initial user role, which you specify in the AAA profile, directs clients who associate to the SSID to captive portal whenever the user initiates a Web browser connection. This can be the predefined logon system role.
|
MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication. |
The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module. Note that you must install the PEFNG license before proceeding (see Chapter 31, “Software Licenses”).
Configure the user role for a default user.
Create a server group.
|
If you are using the controller’s internal database for user authentication, use the predefined “Internal” server group. You need to configure entries in the internal database, as described in Chapter 8, “Authentication Servers”. |
Create the captive portal authentication profile.
Configure the initial user role.
Create the AAA Profile.
Create the SSID Profile “ssid_c-portal”.
Create the Virtual AP Profile “vp_c-portal”.
The following sections present the WebUI and Command Line (CLI) procedures for configuring the captive portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters within this document detail the configuration of the user roles and policies, authentication servers, and server groups.
Configuring Captive Portal via the WebUI
To configure captive portal with PEFNG license via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. Select Captive Portal Authentication Profile.
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-portal), then click Add.
b. Select the captive portal authentication profile you just created.
c. Select the default role (for example, employee) for captive portal users.
d. Enable guest login and/or user login, as well as other parameters (refer to Table 61).
e. Click Apply.
3. To specify the authentication servers, select Server Group under the captive portal authentication profile you just configured.
a. Select the server group (for example, cp-srv) from the drop-down menu.
b. Click Apply.
4. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example, aaa_c-portal), then click Add.
b. Set the Initial role to a role that you will configure with the captive portal authentication profile.
c. Click Apply.
5. Navigate to the Configuration > Security > Access Control page to configure the initial user role to use captive portal authentication.
a. To edit the predefined logon role, select the System Roles tab, then click Edit for the logon role.
b. To configure a new role, first configure policy rules in the Policies tab, then select the User Roles tab to add a new user role and assign policies.
c. To specify the captive portal authentication profile, scroll down to the bottom of the page. Select the profile from the Captive Portal Profile drop-down menu, and click Change.
d. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page to configure the virtual AP profile.
7. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
8. Under Profiles, select Wireless LAN, then select Virtual AP.
9. Select NEW from the Add a profile drop-down menu to create a new virtual AP profile. Enter the name for the virtual AP profile (for example, vp_c-portal), then click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.
c. Enter the name for the SSID profile (for example, ssid_c-portal).
d. Enter the Network Name for the SSID (for example, c-portal-ap).
e. Click Apply in the pop-up window.
f. At the bottom of the Profile Details page, click Apply.
10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select the VLAN to which users are assigned (for example, 20).
c. Click Apply.
Configuring Captive Portal via the CLI
To configure captive portal with the PEFNG license via the command-line interface, access the CLI in config mode and issue the following commands:
aaa authentication captive-portal c-portal
default-role employee
server-group cp-srv
user-role logon
captive-portal c-portal
aaa profile aaa_c-portal
initial-role logon
wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 20
wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal
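The CLI procedures for the base operating system and for the PEFNG license above wire four objects together (captive portal profile, initial role, AAA profile, virtual AP), and a mismatch in any one of them silently leaves clients without a portal. The following added example (not ArubaOS code or Aruba-provided tooling) reads a config in the indented block syntax of this chapter and checks that wiring; the sample configs, the set of predefined role names and the check logic are this example's own assumptions.

```python
"""Consistency check for the captive portal wiring in an ArubaOS-style
CLI configuration (added illustration, not ArubaOS code). Reads the
indented block syntax of this chapter: a top-level command names a
profile or role; the lines indented beneath it are its sub-commands."""
from collections import defaultdict

# System roles this chapter names as predefined on the controller.
PREDEFINED_ROLES = {"guest", "logon"}


def parse_config(text):
    """Return {(block_kind, name): {subcommand: [arg_list, ...]}}, e.g.
    "aaa profile aaa_c-portal" is keyed ("aaa profile", "aaa_c-portal")."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if raw[0] not in " \t":                 # unindented: opens a new block
            current = (" ".join(words[:-1]), words[-1])
            blocks[current] = defaultdict(list)
        elif current is None:
            raise ValueError(f"sub-command outside any block: {raw.strip()}")
        else:                                   # indented: belongs to current block
            blocks[current][words[0]].append(words[1:])
    return blocks


def check_captive_portal(blocks):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    cp_profiles = {n for k, n in blocks if k == "aaa authentication captive-portal"}
    user_roles = {n for k, n in blocks if k == "user-role"}
    aaa_profiles = {n for k, n in blocks if k == "aaa profile"}

    def first_arg(block, sub):
        args = blocks[block].get(sub)           # list of arg lists, or None
        return args[0][0] if args and args[0] else None

    # 1. The default-role granted after authentication must exist.
    for cp in cp_profiles:
        role = first_arg(("aaa authentication captive-portal", cp), "default-role")
        if role and role not in user_roles | PREDEFINED_ROLES:
            findings.append(f"captive-portal {cp}: default-role {role} is not defined")

    # 2. The AAA profile's initial role must steer clients to a captive portal:
    #    with PEFNG, a user-role carrying "captive-portal <profile>"; in the
    #    base OS, the implicit role whose name equals the captive portal profile.
    for aaa in aaa_profiles:
        role = first_arg(("aaa profile", aaa), "initial-role")
        if role is None:
            findings.append(f"aaa profile {aaa}: no initial-role configured")
        elif role in user_roles:
            cp = first_arg(("user-role", role), "captive-portal")
            if cp is None:
                findings.append(f"user-role {role} (initial role of aaa profile {aaa}) "
                                "does not reference a captive-portal profile")
            elif cp not in cp_profiles:
                findings.append(f"user-role {role}: captive-portal {cp} is not defined")
        elif role not in cp_profiles:
            findings.append(f"aaa profile {aaa}: initial-role {role} is neither a "
                            "configured user-role nor a captive-portal profile name")
    return findings


# Constructed sample configurations mirroring this chapter's two procedures.
PEFNG_CONFIG = """\
aaa authentication captive-portal c-portal
  default-role employee
  server-group cp-srv
user-role employee
user-role logon
  captive-portal c-portal
aaa profile aaa_c-portal
  initial-role logon
"""
BASE_CONFIG = """\
aaa authentication captive-portal c-portal
  server-group cp-srv
aaa profile aaa_c-portal
  initial-role c-portal
"""

if __name__ == "__main__":
    for label, cfg in (("PEFNG", PEFNG_CONFIG), ("base OS", BASE_CONFIG)):
        print(label, check_captive_portal(parse_config(cfg)) or "OK")
```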
Example Authentication with Captive Portal
Guest clients associate to the guestnet SSID which is an open wireless LAN. Guest clients are placed into VLAN 900 and assigned IP addresses by the controller’s internal DHCP server. The user has no access to network resources beyond DHCP and DNS until they open a web browser and log in with a guest account using captive portal.
Guest users are given a login and password from guest accounts created in the controller’s internal database. The temporary guest accounts are created and administered by the site receptionist.
Guest users must enter their assigned login and password into the captive portal login before they are given access to use web browsers (HTTP and HTTPS), POP3 email clients, and VPN clients (IPsec, PPTP, and L2TP) on the Internet and only during specified working hours. Guest users are prohibited from accessing internal networks and resources. All traffic to the Internet is source-NATed.
|
This example assumes a Policy Enforcement Firewall Next Generation (PEFNG) license is installed in the controller. |
In this example, you create two user roles:
guest-logon is a user role assigned to any client who associates to the guestnet SSID. Normally, any client that associates to an SSID will be placed into the logon system role. The guest-logon user role is more restrictive than the logon role.
auth-guest is a user role granted to clients who successfully authenticate via the captive portal.
Creating a Guest-logon User Role
The guest-logon user role consists of the following ordered policies:
captiveportal is a predefined policy that allows captive portal authentication.
guest-logon-access is a policy that you create with the following rules:
Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
Allows ICMP exchanges between the user and the controller during business hours.
block-internal-access is a policy that you create that denies user access to the internal networks.
|
The guest-logon user role configuration needs to include the name of the captive portal authentication profile instance. You can modify the user role configuration after you create the captive portal authentication profile instance. |
Creating an Auth-guest User Role
The auth-guest user role consists of the following ordered policies:
cplogout is a predefined policy that allows captive portal logout.
guest-logon-access is a policy that you create with the following rules:
Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.
block-internal-access is a policy that you create that denies user access to the internal networks.
auth-guest-access is a policy that you create with the following rules:
Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.
Allows HTTP/S traffic from the user during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.
drop-and-log is a policy that you create that denies all traffic and logs the attempted network access.
Configuring Policies and Roles in the WebUI
To create a time range via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Time Ranges page to define the time range “working-hours”.
2. Click Add.
a. For Name, enter working-hours.
b. For Type, select Periodic.
c. Click Add.
d. For Start Day, click Weekday.
e. For Start Time, enter 07:30.
f. For End Time, enter 17:00.
g. Click Done.
3. Click Apply.
To create the guest-logon-access policy via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the guest-logon-access policy.
3. For Policy Name, enter guest-logon-access.
4. For Policy Type, select IPv4 Session.
5. Under Rules, select Add to add rules for the policy.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select udp. Enter 68.
d. Under Action, select drop.
e. Click Add.
6. Under Rules, click Add.
a. Under Source, select any.
b. Under Destination, select any.
c. Under Service, select service. Select svc-dhcp.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
The following step defines an alias representing the public DNS server addresses. Once defined, you can use the alias for other rules and policies.
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the guest-logon-access policy.
3. For Policy Name, enter guest-logon-access.
4. For Policy Type, select IPv4 Session.
5. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias.
c. Under the alias selection, click New. For Destination Name, enter “Public DNS”. Click Add to add a rule. For Rule Type, select host. For IP Address, enter 64.151.103.120. Click Add. For Rule Type, select host. For IP Address, enter 216.87.84.209. Click Add. Click Apply. The alias “Public DNS” appears in the Destination menu.
d. Under Destination, select Public DNS.
e. Under Service, select svc-dns.
f. Under Action, select src-nat.
g. Under Time Range, select working-hours.
h. Click Add.
6. Click Apply.
To configure the auth-guest-access policy via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the auth-guest-access policy.
3. For Policy Name, enter auth-guest-access.
4. For Policy Type, select IPv4 Session.
5. Under Rules, select Add to add rules for the policy.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select udp. Enter 68.
d. Under Action, select drop.
e. Click Add.
6. Under Rules, click Add.
a. Under Source, select any.
b. Under Destination, select any.
c. Under Service, select service. Select svc-dhcp.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
7. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias. Select Public DNS from the drop-down menu.
c. Under Service, select service. Select svc-dns.
d. Under Action, select src-nat.
e. Under Time Range, select working-hours.
f. Click Add.
8. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. Select svc-http.
d. Under Action, select src-nat.
e. Under Time Range, select working-hours.
f. Click Add.
9. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. Select svc-https.
d. Under Action, select src-nat.
e. Under Time Range, select working-hours.
f. Click Add.
10. Click Apply.
To create the block-internal-access policy via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the block-internal-access policy.
3. For Policy Name, enter block-internal-access.
4. For Policy Type, select IPv4 Session.
5. Under Rules, select Add to add rules for the policy.
a. Under Source, select user.
b. Under Destination, select alias.
|
The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies. |
c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0. Click Add to add the network range. Repeat these steps to add the network ranges 172.16.0.0 255.255.0.0 and 192.168.0.0 255.255.0.0. Click Apply. The alias “Internal Network” appears in the Destination menu.
d. Under Destination, select Internal Network.
e. Under Service, select any.
f. Under Action, select drop.
g. Click Add.
6. Click Apply.
To create the drop-and-log policy via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the drop-and-log policy.
3. For Policy Name, enter drop-and-log.
4. For Policy Type, select IPv4 Session.
5. Under Rules, select Add to add rules for the policy.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select any.
d. Under Action, select drop.
e. Select Log.
f. Click Add.
6. Click Apply.
To create the guest-logon role via the WebUI:
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click Add.
3. For Role Name, enter guest-logon.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select captiveportal from the drop-down menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.
12. Click Done.
13. Click Apply.
To create the auth-guest role via the WebUI:
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click Add.
3. For Role Name, enter auth-guest.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select cplogout from the drop-down menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.
12. Click Done.
13. Under Firewall Policies, click Add.
14. For Choose from Configured Policies, select auth-guest-access from the drop-down menu.
15. Click Done.
16. Under Firewall Policies, click Add.
17. For Choose from Configured Policies, select drop-and-log from the drop-down menu.
18. Click Done.
19. Click Apply.
Configuring Policies and Roles in the CLI
To create a time range via the command-line interface, access the CLI in config mode and issue the following commands:
time-range working-hours periodic
weekday 07:30 to 17:00
To create aliases via the command-line interface, access the CLI in config mode and issue the following commands:
netdestination "Internal Network"
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
network 192.168.0.0 255.255.0.0
netdestination "Public DNS"
host 64.151.103.120
host 216.87.84.209
To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue the following commands:
ip access-list session guest-logon-access
user any udp 68 deny
any any svc-dhcp permit time-range working-hours
user alias "Public DNS" svc-dns src-nat time-range working-hours
To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue the following commands:
ip access-list session auth-guest-access
user any udp 68 deny
any any svc-dhcp permit time-range working-hours
user alias "Public DNS" svc-dns src-nat time-range working-hours
user any svc-http src-nat time-range working-hours
user any svc-https src-nat time-range working-hours
To create a block-internal-access policy via the command-line interface, access the CLI in config mode and issue the following commands:
ip access-list session block-internal-access
user alias "Internal Network" any deny
To create a drop-and-log policy via the command-line interface, access the CLI in config mode and issue the following commands:
ip access-list session drop-and-log
user any any deny log
To create a guest-logon-role via the command-line interface, access the CLI in config mode and issue the following commands:
user-role guest-logon
session-acl captiveportal position 1
session-acl guest-logon-access position 2
session-acl block-internal-access position 3
To create an auth-guest role via the command-line interface, access the CLI in config mode and issue the following commands:
user-role auth-guest
session-acl cplogout position 1
session-acl guest-logon-access position 2
session-acl block-internal-access position 3
session-acl auth-guest-access position 4
session-acl drop-and-log position 5
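Because a role's session ACLs are evaluated in position order, where block-internal-access sits relative to auth-guest-access decides what an authenticated guest can reach. The following added example (not ArubaOS code) models the guest-logon and auth-guest roles exactly as listed in this section and reports which policy decides a given flow. It assumes the svc-* port mappings shown, an implicit deny after a role's last ACL, and empty rule sets for the predefined captiveportal and cplogout policies, whose rules this chapter does not list; the timestamps and destination addresses in the usage are constructed.

```python
"""Evaluate a flow against the ordered session ACLs of the guest-logon and
auth-guest roles defined in this chapter (added illustration, not ArubaOS
code). Assumptions: the svc-* port mappings below, an implicit deny after a
role's last ACL, and empty rule sets for captiveportal and cplogout."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# netdestination aliases from the chapter
ALIASES = {
    "Internal Network": [ipaddress.ip_network(n) for n in
                         ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16")],
    "Public DNS": [ipaddress.ip_network(h) for h in
                   ("64.151.103.120/32", "216.87.84.209/32")],
}
# Assumed protocol/port mappings for the predefined services used here.
SERVICES = {
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
    "svc-http": ("tcp", {80}),
    "svc-https": ("tcp", {443}),
}


def working_hours(when):
    """time-range working-hours: periodic, weekday 07:30 to 17:00."""
    return when.weekday() < 5 and time(7, 30) <= when.time() <= time(17, 0)


@dataclass
class Rule:
    src: str                   # "user" (the client itself) or "any"
    dst: str                   # "any" or an alias name
    service: object            # "any", a "svc-*" name, or a (proto, port) tuple
    action: str                # "permit", "src-nat" or "deny"
    time_range: bool = False   # True: only matches during working-hours
    log: bool = False


@dataclass
class Flow:
    from_user: bool            # True when the client is the source of the packet
    dst: str
    proto: str
    dport: int
    when: datetime


def matches(rule, flow):
    if rule.src == "user" and not flow.from_user:
        return False
    if rule.dst != "any" and not any(ipaddress.ip_address(flow.dst) in net
                                     for net in ALIASES[rule.dst]):
        return False
    if rule.service != "any":
        if isinstance(rule.service, str):
            proto, ports = SERVICES[rule.service]
        else:
            proto, ports = rule.service[0], {rule.service[1]}
        if flow.proto != proto or flow.dport not in ports:
            return False
    return not rule.time_range or working_hours(flow.when)


POLICIES = {
    "captiveportal": [],   # predefined; rules not listed in this chapter
    "cplogout": [],        # predefined; rules not listed in this chapter
    "guest-logon-access": [
        Rule("user", "any", ("udp", 68), "deny"),   # client must not answer DHCP
        Rule("any", "any", "svc-dhcp", "permit", time_range=True),
        Rule("user", "Public DNS", "svc-dns", "src-nat", time_range=True),
    ],
    "auth-guest-access": [
        Rule("user", "any", ("udp", 68), "deny"),
        Rule("any", "any", "svc-dhcp", "permit", time_range=True),
        Rule("user", "Public DNS", "svc-dns", "src-nat", time_range=True),
        Rule("user", "any", "svc-http", "src-nat", time_range=True),
        Rule("user", "any", "svc-https", "src-nat", time_range=True),
    ],
    "block-internal-access": [Rule("user", "Internal Network", "any", "deny")],
    "drop-and-log": [Rule("user", "any", "any", "deny", log=True)],
}
# Policies in the order each role applies them (session-acl ... position N).
ROLES = {
    "guest-logon": ["captiveportal", "guest-logon-access", "block-internal-access"],
    "auth-guest": ["cplogout", "guest-logon-access", "block-internal-access",
                   "auth-guest-access", "drop-and-log"],
}


def evaluate(role, flow):
    """Return (action, policy, logged) for the first matching rule, or the
    implicit deny when no rule in the role's ACL list matches."""
    for policy in ROLES[role]:
        for rule in POLICIES[policy]:
            if matches(rule, flow):
                return rule.action, policy, rule.log
    return "deny", None, False


if __name__ == "__main__":
    tue_10 = datetime(2024, 1, 9, 10, 0)   # constructed timestamp, a Tuesday
    print(evaluate("auth-guest", Flow(True, "93.184.216.34", "tcp", 443, tue_10)))
    print(evaluate("auth-guest", Flow(True, "10.1.2.3", "tcp", 443, tue_10)))
```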
Guests using the WLAN are assigned to VLAN 900 and are given IP addresses via DHCP from the controller.
1. Navigate to the Configuration > Network > VLANs page.
a. Click Add.
b. For VLAN ID, enter 900.
c. Click Apply.
2. Navigate to the Configuration > Network > IP > IP Interfaces page.
a. Click Edit for VLAN 900.
b. For IP Address, enter 192.168.200.20.
c. For Net Mask, enter 255.255.255.0.
d. Click Apply.
3. Click the DHCP Server tab.
a. Select Enable DHCP Server.
b. Click Add under Pool Configuration.
c. For Pool Name, enter guestpool.
d. For Default Router, enter 192.168.200.20.
e. For DNS Server, enter 64.151.103.120.
f. For Lease, enter 4 hours.
g. For Network, enter 192.168.200.0. For Netmask, enter 255.255.255.0.
h. Click Done.
4. Click Apply.
To configure the guest VLAN and DHCP pool via the command-line interface, access the CLI in config mode and issue the following commands:
vlan 900
interface vlan 900
ip address 192.168.200.20 255.255.255.0
ip dhcp pool "guestpool"
default-router 192.168.200.20
dns-server 64.151.103.120
lease 0 4 0
network 192.168.200.0 255.255.255.0
In this section, you create an instance of the captive portal authentication profile and the AAA profile. For the captive portal authentication profile, you specify the previously-created auth-guest user role as the default user role for authenticated captive portal clients and the authentication server group (“Internal”).
To configure captive portal authentication via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. In the Profiles list, select Captive Portal Authentication Profile.
a. In the Captive Portal Authentication Profile Instance list, enter guestnet for the name of the profile, then click Add.
b. Select the captive portal authentication profile you just created.
c. For Default Role, select auth-guest.
d. Select User Login.
e. Deselect (uncheck) Guest Login.
f. Click Apply.
2. Select Server Group under the guestnet captive portal authentication profile you just created.
a. Select internal from the Server Group drop-down menu.
b. Click Apply.
To configure captive portal authentication via the command-line interface, access the CLI in config mode and issue the following commands:
aaa authentication captive-portal guestnet
default-role auth-guest
user-logon
no guest-logon
server-group internal
Modifying the Initial User Role
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. Therefore, you need to modify the guest-logon user role configuration to include the guestnet captive portal authentication profile.
To modify the guest-logon role via the WebUI:
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Select Edit for the guest-logon role.
3. Scroll down to the bottom of the page.
4. Select the captive portal authentication profile you just created from the Captive Portal Profile drop-down menu, and click Change.
5. Click Apply.
To modify the guest-logon role via the command-line interface, access the CLI in config mode and issue the following commands:
user-role guest-logon
captive-portal guestnet
In this section, you configure the guestnet AAA profile, which specifies the previously-created guest-logon role as the initial role for clients who associate to the WLAN.
To configure the AAA profile via the WebUI:
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. In the AAA Profiles Summary, click Add to add a new profile. Enter guestnet for the name of the profile, then click Add.
3. For Initial role, select guest-logon.
4. Click Apply.
To configure the AAA profile via the command-line interface, access the CLI in config mode and issue the following commands:
aaa profile guestnet
initial-role guest-logon
In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet.
To configure the guest WLAN via the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. To configure the virtual AP profile, navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
4. Under Profiles, select Wireless LAN, then select Virtual AP.
5. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, guestnet), and click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.
c. Enter the name for the SSID profile (for example, guestnet).
d. Enter the Network Name for the SSID (for example, guestnet).
e. For Network Authentication, select None.
f. For Encryption, select Open.
g. Click Apply in the pop-up window.
h. At the bottom of the Profile Details page, click Apply.
6. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select the ID of the VLAN in which captive portal users are placed (for example, VLAN 900).
c. Click Apply.
To configure the guest WLAN via the command-line interface, access the CLI in config mode and issue the following commands:
wlan ssid-profile guestnet
   essid guestnet
   opmode opensystem
aaa profile guestnet
   initial-role guest-logon
wlan virtual-ap guestnet
   vlan 900
   aaa-profile guestnet
   ssid-profile guestnet
Temporary user accounts are created in the internal database on the controller. You can create a user role which will allow a receptionist to create temporary user accounts. Guests can use the accounts to log into a captive portal login page to gain Internet access.
See “Creating Guest Accounts” for more information about configuring guest provisioning users and administering guest accounts.
Captive Portal Configuration Parameters
Table 61 describes configuration parameters on the WebUI Captive Portal Authentication profile page.
Note: In the CLI, you configure these options with the aaa authentication captive-portal commands.
Optional Captive Portal Configurations
The following are optional captive portal configurations:
You can upload custom login pages for captive portal into the controller through the WebUI (refer to Appendix E, “Internal Captive Portal”). The SSID to which the client associates determines the captive portal login page displayed.
You specify the captive portal login page in the captive portal authentication profile, along with other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. (In the case of captive portal in the base operating system, the initial user role is automatically created when you create the captive portal authentication profile instance.) You then specify the initial user role for captive portal in the AAA profile for the WLAN.
When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial user role, user role, captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal. For example, if you want to have different captive portal login pages for the engineering, business and faculty departments, you need to create and configure the profiles listed in Table 62.
By default, the HTTPS protocol is used on redirection to the Captive Portal page. If you need to use HTTP instead, you need to do the following:
Modify the captive portal authentication profile to enable the HTTP protocol.
For captive portal with role-based access only—Modify the captiveportal policy to permit HTTP traffic instead of HTTPS traffic.
In the base operating system, the implicit ACL captive-portal-profile is automatically modified.
To change the protocol to HTTP via the WebUI:
1. Edit the captive portal authentication profile by navigating to the Configuration > Security > Authentication > L3 Authentication page.
a. Enable (select) “Use HTTP for authentication”.
b. Click Apply.
2. (For captive portal with role-based access only) Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page.
a. Delete the rule for “user mswitch svc-https dst-nat”.
b. Add a new rule with the following values and move this rule to the top of the rules list:
source is user
destination is the mswitch alias
service is svc-http
action is dst-nat
c. Click Apply.
To change the protocol to HTTP via the command-line interface, access the CLI in config mode and issue the following commands:
aaa authentication captive-portal <profile>
   protocol-http
(For captive portal with role-based access only)
ip access-list session captiveportal
   no user alias mswitch svc-https dst-nat
   user alias mswitch svc-http dst-nat
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the proxy server’s IP address and TCP port. When the user opens a Web browser, the HTTP/S connection request must be redirected from the proxy server to the captive portal on the controller.
To configure captive portal to work with a proxy server:
(For captive portal with base operating system) Modify the captive portal authentication profile to specify the proxy server’s IP address and TCP port.
(For captive portal with role-based access) Modify the captiveportal policy to have traffic for the proxy server’s port destination NATed to port 8088 on the controller.
The base operating system automatically modifies the implicit ACL captive-portal-profile.
The following sections describe how to use the WebUI and CLI to configure the captive portal with a proxy server.
Note: When HTTPS traffic is redirected from a proxy server to the controller, the user’s browser will display a warning that the subject name on the certificate does not match the hostname to which the user is connecting.
To redirect proxy server traffic using the WebUI:
1. For captive portal with Aruba base operating system, edit the captive portal authentication profile by navigating to the Configuration > Security > Authentication > L3 Authentication page.
a. For Proxy Server, enter the IP address and port for the proxy server.
b. Click Apply.
2. For captive portal with role-based access, edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page.
3. Add a new rule with the following values:
a. Source is user
b. Destination is any
c. Service is TCP
d. Port is the TCP port on the proxy server
e. Action is dst-nat
f. IP address is the IP address of the proxy port
g. Port is the port on the proxy server
4. Click Add to add the rule. Use the up arrows to move this rule just below the rule that allows HTTP(S) traffic.
5. Click Apply.
To redirect proxy server traffic via the command-line interface, access the CLI in config mode and issue the following commands.
For captive portal with Aruba base operating system:
aaa authentication captive-portal <profile>
   proxy host <ipaddr> port <port>
For captive portal with role-based access:
ip access-list session captiveportal
   user alias mswitch svc-https permit
   user any tcp <port> dst-nat 8088
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
Redirecting Clients on Different VLANs
You can redirect wireless clients that are on different VLANs (from the controller’s IP address) to the captive portal on the controller. To do this:
1. Specify the redirect address for the captive portal.
2. For captive portal with the PEFNG license only, you need to modify the captiveportal policy that is assigned to the user. To do this:
a. Create a network destination alias to the controller interface.
b. Modify the rule set to allow HTTPS to the new alias instead of the mswitch alias.
Note: In the base operating system, the implicit ACL captive-portal-profile is automatically modified.
This example shows how to use the command-line interface to create a network destination called cp-redirect and use that in the captiveportal policy:
ip cp-redirect-address <ipaddr>
For captive portal with PEFNG license:
netdestination cp-redirect
   host <ipaddr>
ip access-list session captiveportal
   user alias cp-redirect svc-https permit
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
Web Client Configuration with Proxy Script
If the web client proxy configuration is distributed through a proxy script (a .pac file), you need to configure the captiveportal policy to allow the client to download the file. Note that in order to modify the captiveportal policy, you must have the PEFNG license installed in the controller.
To allow clients to download proxy script via the WebUI:
1. Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page.
2. Add a new rule with the following values:
Source is user
Destination is host
Host IP is the IP address of the proxy server
Service is svc-https or svc-http
Action is permit
3. Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination NAT.
4. Click Apply.
To allow clients to download proxy script via the command-line interface, access the CLI in config mode and issue the following commands:
ip access-list session captiveportal
   user alias mswitch svc-https permit
   user any tcp <port> dst-nat 8088
   user host <ipaddr> svc-https permit
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
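The proxy-server and proxy-script procedures above both hinge on rule position in the captiveportal session ACL: the first matching rule decides what happens to a packet. The following added example (not from the ArubaOS guide) models that first-match evaluation in Python for the rules shown in the CLI listing; the controller and proxy addresses, the proxy listening port (3128) and the first-match assumption are all constructed here for illustration.

```python
# Added example (not Aruba code): a simplified first-match model of the
# captiveportal session ACL, showing why the .pac permit rule must sit above
# the destination-NAT rules. Addresses and the proxy port are constructed.
from dataclasses import dataclass
from typing import List, Optional

MSWITCH = "10.1.1.1"   # constructed controller IP (the "mswitch" alias)
PROXY = "10.1.1.50"    # constructed proxy server IP
PROXY_PORT = 3128      # assumed proxy listening port (the <port> in the CLI)
ALIASES = {"mswitch": {MSWITCH}}

@dataclass
class Rule:
    dst: str                        # "any", "alias:<name>" or "host:<ip>"
    port: int                       # TCP port the service matches (svc-http=80, svc-https=443)
    action: str                     # "permit" or "dst-nat"
    nat_port: Optional[int] = None  # controller port a dst-nat rule redirects to

def matches(rule: Rule, dst_ip: str, dst_port: int) -> bool:
    if rule.port != dst_port:
        return False
    if rule.dst == "any":
        return True
    kind, _, value = rule.dst.partition(":")
    return dst_ip in ALIASES[value] if kind == "alias" else dst_ip == value

def evaluate(policy: List[Rule], dst_ip: str, dst_port: int) -> str:
    """Disposition of the first matching rule; unmatched traffic is implicitly denied."""
    for rule in policy:
        if matches(rule, dst_ip, dst_port):
            if rule.action == "permit":
                return "permit"
            return f"dst-nat {MSWITCH}:{rule.nat_port}"
    return "deny"

def captiveportal_policy(pac_rule_above_nat: bool) -> List[Rule]:
    """Rules from the guide's CLI listing, with the .pac permit rule either in
    its documented position (True) or misplaced at the bottom (False)."""
    pac_permit = Rule(f"host:{PROXY}", 443, "permit")  # user host <ipaddr> svc-https permit
    rules = [
        Rule("alias:mswitch", 443, "permit"),          # user alias mswitch svc-https permit
        Rule("any", PROXY_PORT, "dst-nat", 8088),      # user any tcp <port> dst-nat 8088
        pac_permit,
        Rule("any", 80, "dst-nat", 8080),              # user any svc-http dst-nat 8080
        Rule("any", 443, "dst-nat", 8081),             # user any svc-https dst-nat 8081
    ]
    if not pac_rule_above_nat:
        rules.remove(pac_permit)
        rules.append(pac_permit)   # now shadowed by "user any svc-https dst-nat 8081"
    return rules
```

With the permit rule misordered, the client's HTTPS fetch of the .pac file from the proxy is caught by the svc-https dst-nat rule and redirected to the controller instead of reaching the proxy.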
Personalizing the Captive Portal Page
The following can be personalized on the default captive portal page:
Captive portal background
Page text
Acceptable Use Policy
The background image and text should be visible to users with a browser window on a 1024 by 768 pixel screen. The background should not clash if viewed on a much larger monitor. A good option is to have the background image at 800 by 600 pixels, and set the background color to be compatible. The maximum image size for the background can be around 960 by 720 pixels, as long as the image can be cropped at the bottom and right edges. Leave space on the left side for the login box.
You can create your own web pages and install them in the controller for use with captive portal. See Appendix E, “Internal Captive Portal”.
1. Navigate to the Configuration > Management > Captive Portal > Customize Login Page page.
2. To customize the page background:
a. Select the YOUR CUSTOM BACKGROUND page.
b. Under Additional options, enter the location of the JPEG image in the Upload your own custom background field.
c. Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh.
d. To view the page background changes, click Submit at the bottom of the page and then click the View Captive Portal link. The User Agreement Policy page appears and displays the Captive Portal page as it will be seen by users.
3. To customize the captive portal background text:
a. Enter the text that needs to be displayed in the Page Text (in HTML format) message box.
b. To view the background text changes, click Submit at the bottom of the page and then click the View Captive Portal link. The User Agreement Policy page appears.
c. Click Accept. This displays the Captive Portal page as it will be seen by users.
4. To customize the text under the Acceptable Use Policy:
a. Enter the policy information in the Policy Text text box. Use this only in the case of guest logon.
b. To view the use policy information changes, click Submit at the bottom of the page and then click the View Captive Portal link. The User Agreement Policy page appears. The text you entered appears in the Acceptable Use Policy text box.
c. Click Accept. This displays the Captive Portal page as it will be seen by users.