Chapter 12

Captive Portal

Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires action on the part of the user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.

You can also configure captive portal to allow clients to download the Aruba VPN dialer for Microsoft VPN clients if the VPN is to be terminated on the Aruba controller. For more information about the VPN dialer, see Chapter 14, “Virtual Private Networks”.

This chapter describes the following topics:

  • “Captive Portal Overview”

  • “Captive Portal in the Base ArubaOS”

  • “Captive Portal with the PEFNG License”

  • “Example Authentication with Captive Portal”

  • “Configuring Guest VLANs”

  • “Captive Portal Authentication”

  • “Optional Captive Portal Configurations”

  • “Personalizing the Captive Portal Page”

Captive Portal Overview

You can configure captive portal for guest users, where no authentication is required, or for registered users who must be authenticated against an external server or the controller’s internal database.

Note: While you can use captive portal to authenticate users, it does not provide for encryption of user data and should not be used in networks where data security is required. Captive portal is most often used for guest access, access to open systems (such as public hot spots), or as a way to connect to a VPN.

You can use captive portal for guest and registered users at the same time. The default captive portal web page provided with ArubaOS displays login prompts for both registered users and guests. (You can customize the default captive portal page, as described in “Personalizing the Captive Portal Page”.)

You can also load up to 16 different customized login pages into the controller. The login page displayed is based on the SSID to which the client associates.

Policy Enforcement Firewall Next Generation (PEFNG) License

You can use captive portal with or without the PEFNG license installed in the controller. The PEFNG license provides identity-based security to wired and wireless clients through user roles and firewall rules. You must purchase and install the PEFNG license on the controller to use identity-based security features.

There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Later sections in this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed.

Controller Server Certificate

The Aruba controller is designed to provide secure services through the use of digital certificates. A server certificate installed in the controller verifies the authenticity of the controller for captive portal.

Aruba controllers ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the controller, this demonstration certificate is used by default for all secure HTTP connections such as captive portal. This certificate is included primarily for the purposes of feature demonstration and convenience and is not intended for long-term use in production networks. Users in a production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the controller to submit to a CA. For information on how to generate a CSR and how to import the CA-signed certificate into the controller, see “Managing Certificates” in Chapter 29, “Management Access”.

Once you have imported a server certificate into the controller, you can select the certificate to be used with captive portal as described in the following sections.

To select a certificate for captive portal using the WebUI:

1.    Navigate to the Configuration > Management > General page.

2.    Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list.

3.    Click Apply.

To select a certificate for captive portal using the command-line interface, access the CLI in config mode and issue the following commands:

web-server
   captive-portal-cert <certificate>

To specify a different server certificate for captive portal with the CLI, use the no command to revert back to the default certificate before you specify the new certificate:

web-server
   captive-portal-cert ServerCert1
   no captive-portal-cert
   captive-portal-cert ServerCert2

Captive Portal in the Base ArubaOS

The base operating system (ArubaOS without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources.

When you create a captive portal profile in the base operating system, an implicit user role is automatically created with same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.

The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance.

What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks.

  • Create the Server Group name. In this example, the server group name is “cp-srv”.

If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information about configuring authentication servers and server groups, see Chapter 8, “Authentication Servers”.

  • Create Captive Portal Authentication Profile. In this example, the profile name is “c-portal”.

Create and configure an instance of the captive portal authentication profile. Creating the captive portal profile automatically creates an implicit user role and ACL with the same name. Creating the profile “c-portal” creates an implicit user role called “c-portal”. That user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal.

  • Create an AAA Profile. In this example, the profile name is “aaa_c-portal”.

Create and configure an instance of the AAA profile. For the initial role, enter the implicit user role that was created together with the captive portal authentication profile. The initial role in the profile “aaa_c-portal” must be set to “c-portal”.

  • Create SSID Profile. In this example, the profile name is “ssid_c-portal”.

Create and configure an instance of the SSID profile for the virtual AP.

  • Create a Virtual AP Profile. In this example, the profile name is “vp_c-portal”.

Create and configure an instance of the virtual AP profile which you apply to an AP group or AP name. Specify the AAA profile and the SSID profile you created in the previous tasks.

 

The following sections present the procedure for configuring the captive portal authentication profile, the AAA profile, and the virtual AP profile using the WebUI or the command line (CLI). Configuring the VLAN, the authentication servers, and the server groups is described elsewhere in this document.

In ArubaOS 2.5.2 and later 2.5.x releases, captive portal users in the base operating system are placed into the predefined cpbase initial user role before authentication. The cpbase role is not supported in ArubaOS 3.x. You need to create new captive portal profiles in the base operating system, as described in this section, which automatically generates the required policies and roles.

Configuring Captive Portal via the WebUI

1.    Navigate to the Configuration > Security > Authentication > L3 Authentication page. Select Captive Portal Authentication Profile.

a.    In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-portal), then click Add.

b.    Select the captive portal authentication profile you just created.

c.    You can enable user login and/or guest login, and configure other captive portal profile parameters as described in Table 61.

d.    Click Apply.

2.    To specify authentication servers, select Server Group under the captive portal authentication profile you just configured.

a.    Select the server group (for example, cp-srv) from the drop-down menu.

b.    Click Apply.

3.    Select the AAA Profiles tab.

a.    In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example, aaa_c-portal), then click Add.

b.    Select the AAA profile you just created.

c.    For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously.

The Initial Role must be exactly the same as the name of the captive portal authentication profile you created.

d.    Click Apply.

4.    Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

5.    Under Profiles, select Wireless LAN, then select Virtual AP.

6.    To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, vp_c-portal), then click Add.

a.    In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously created from the AAA Profile drop-down menu. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.

b.    From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.

c.    Enter the name for the SSID profile (for example, ssid_c-portal).

d.    Enter the Network Name for the SSID (for example, c-portal-ap).

e.    Click Apply in the pop-up window.

f.      At the bottom of the Profile Details page, click Apply.

7.    Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.

a.    Make sure Virtual AP enable is selected.

b.    For VLAN, select the VLAN to which users are assigned (for example, 20).

c.    Click Apply.

Configuring Captive Portal via the CLI

To configure captive portal in the base operating system via the command-line interface, access the CLI in config mode and issue the following commands:

aaa authentication captive-portal c-portal
   server-group cp-srv

aaa profile aaa_c-portal
   initial-role c-portal

wlan ssid-profile ssid_c-portal
   essid c-portal-ap

wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
   vlan 20

Captive Portal with the PEFNG License

The PEFNG license provides identity-based security for wired and wireless users. There are two user roles that are important for captive portal:

  • Default user role, which you specify in the captive portal authentication profile, is the role granted to clients upon captive portal authentication. This can be the predefined guest system role.

  • Initial user role, which you specify in the AAA profile, directs clients who associate to the SSID to captive portal whenever the user initiates a Web browser connection. This can be the predefined logon system role.

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance.

MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication.

The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module. Note that you must install the PEFNG license before proceeding (see Chapter 31, “Software Licenses”).

  • Configure the user role for a default user.

Create and configure user roles and policies for guest or registered captive portal users. (See Chapter 10, “Roles and Policies” for more information about configuring policies and user roles.)

  • Create a server group.

If you are configuring captive portal for registered users, configure the server(s) and create the server group. (See Chapter 8, “Authentication Servers” for more information about configuring authentication servers and server groups.)

If you are using the controller’s internal database for user authentication, use the predefined “Internal” server group. You need to configure entries in the internal database, as described in Chapter 8, “Authentication Servers”.

  • Create the captive portal authentication profile.

Create and configure an instance of the captive portal authentication profile. Specify the default user role for captive portal users.

  • Configure the initial user role.

Create and configure the initial user role for captive portal. You need to include the predefined captiveportal policy, which directs clients to the captive portal, in the initial user role configuration.

You also need to specify the captive portal authentication profile instance in the initial user role configuration. For example, if you are using the predefined logon system role for the initial role, you need to edit the role to specify the captive portal authentication profile instance.

  • Create the AAA Profile.

Create and configure an instance of the AAA profile. Specify the initial user role.

  • Create the SSID Profile “ssid_c-portal”.

Create and configure an instance of the SSID profile for the virtual AP.

  • Create the Virtual AP Profile “vp_c-portal”.

Create and configure an instance of the virtual AP profile that you apply to an AP group or AP name. Specify the AAA profile and the SSID profile you just created.

The following sections present the WebUI and Command Line (CLI) procedures for configuring the captive portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters within this document detail the configuration of the user roles and policies, authentication servers, and server groups.

Configuring Captive Portal via the WebUI

To configure captive portal with the PEFNG license via the WebUI:

1.    Navigate to the Configuration > Security > Authentication > L3 Authentication page.

2.    Select Captive Portal Authentication Profile.

a.    In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-portal), then click Add.

b.    Select the captive portal authentication profile you just created.

c.    Select the default role (for example, employee) for captive portal users.

d.    Enable guest login and/or user login, as well as other parameters (refer to Table 61).

e.    Click Apply.

3.    To specify the authentication servers, select Server Group under the captive portal authentication profile you just configured.

a.    Select the server group (for example, cp-srv) from the drop-down menu.

b.    Click Apply.

4.    Select the AAA Profiles tab.

a.    In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example, aaa_c-portal), then click Add.

b.    Set the Initial role to a role that you will configure with the captive portal authentication profile.

c.    Click Apply.

5.    Navigate to the Configuration > Security > Access Control page to configure the initial user role to use captive portal authentication.

a.    To edit the predefined logon role, select the System Roles tab, then click Edit for the logon role.

b.    To configure a new role, first configure policy rules in the Policies tab, then select the User Roles tab to add a new user role and assign policies.

c.    To specify the captive portal authentication profile, scroll down to the bottom of the page. Select the profile from the Captive Portal Profile drop-down menu, and click Change.

d.    Click Apply.

6.    Navigate to the Configuration > Wireless > AP Configuration page to configure the virtual AP profile.

7.    Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

8.    Under Profiles, select Wireless LAN, then select Virtual AP.

9.    Select NEW from the Add a profile drop-down menu to create a new virtual AP profile. Enter the name for the virtual AP profile (for example, vp_c-portal), then click Add.

a.    In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.

b.    From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.

c.    Enter the name for the SSID profile (for example, ssid_c-portal).

d.    Enter the Network Name for the SSID (for example, c-portal-ap).

e.    Click Apply in the pop-up window.

f.      At the bottom of the Profile Details page, click Apply.

10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.

a.    Make sure Virtual AP enable is selected.

b.    For VLAN, select the VLAN to which users are assigned (for example, 20).

c.    Click Apply.

Configuring Captive Portal via the CLI

To configure captive portal with the PEFNG license via the command-line interface, access the CLI in config mode and issue the following commands:

aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv

user-role logon
   captive-portal c-portal

aaa profile aaa_c-portal
   initial-role logon

wlan ssid-profile ssid_c-portal
   essid c-portal-ap

wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
   vlan 20

Example Authentication with Captive Portal

In the following example:

  • Guest clients associate to the guestnet SSID, which is an open wireless LAN. Guest clients are placed into VLAN 900 and assigned IP addresses by the controller’s internal DHCP server. The user has no access to network resources beyond DHCP and DNS until they open a web browser and log in with a guest account using captive portal.

  • Guest users are given a login and password from guest accounts created in the controller’s internal database. The temporary guest accounts are created and administered by the site receptionist.

  • Guest users must enter their assigned login and password into the captive portal login before they are given access to use web browsers (HTTP and HTTPS), POP3 email clients, and VPN clients (IPsec, PPTP, and L2TP) on the Internet and only during specified working hours. Guest users are prohibited from accessing internal networks and resources. All traffic to the Internet is source-NATed.

    This example assumes a Policy Enforcement Firewall Next Generation (PEFNG) license is installed in the controller.

In this example, you create two user roles:

  • guest-logon is a user role assigned to any client who associates to the guestnet SSID. Normally, any client that associates to an SSID will be placed into the logon system role. The guest-logon user role is more restrictive than the logon role.

  • auth-guest is a user role granted to clients who successfully authenticate via the captive portal.

Creating a Guest-logon User Role

The guest-logon user role consists of the following ordered policies:

  • captiveportal is a predefined policy that allows captive portal authentication.

  • guest-logon-access is a policy that you create with the following rules:

      • Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.

      • Allows ICMP exchanges between the user and the controller during business hours.

  • block-internal-access is a policy that you create that denies user access to the internal networks.

    The guest-logon user role configuration needs to include the name of the captive portal authentication profile instance. You can modify the user role configuration after you create the captive portal authentication profile instance.

Creating an Auth-guest User Role

The auth-guest user role consists of the following ordered policies:

  • cplogout is a predefined policy that allows captive portal logout.

  • guest-logon-access is a policy that you create with the following rules:

      • Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.

      • Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.

  • block-internal-access is a policy that you create that denies user access to the internal networks.

  • auth-guest-access is a policy that you create with the following rules:

      • Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.

      • Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.

      • Allows HTTP/S traffic from the user during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.

  • drop-and-log is a policy that you create that denies all traffic and logs the attempted network access.

Configuring Policies and Roles in the WebUI

Time Range

To create a time range via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > Time Ranges page to define the time range “working-hours”.

2.    Click Add.

a.    For Name, enter working-hours.

b.    For Type, select Periodic.

c.    Click Add.

d.    For Start Day, click Weekday.

e.    For Start Time, enter 07:30.

f.      For End Time, enter 17:00.

g.    Click Done.

3.    Click Apply.

To create the guest-logon-access policy via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > Policies page.

2.    Select Add to add the guest-logon-access policy.

3.    For Policy Name, enter guest-logon-access.

4.    For Policy Type, select IPv4 Session.

5.    Under Rules, select Add to add rules for the policy.

a.    Under Source, select user.

b.    Under Destination, select any.

c.    Under Service, select udp. Enter 68.

d.    Under Action, select drop.

e.    Click Add.

6.    Under Rules, click Add.

a.    Under Source, select any.

b.    Under Destination, select any.

c.    Under Service, select service. Select svc-dhcp.

d.    Under Action, select permit.

e.    Under Time Range, select working-hours.

f.      Click Add.

Aliases

The following steps define an alias representing the public DNS server addresses and use it in a rule of the guest-logon-access policy. Once defined, you can use the alias for other rules and policies.

1.    Navigate to the Configuration > Security > Access Control > Policies page.

2.    Select Add to add the guest-logon-access policy.

3.    For Policy Name, enter guest-logon-access.

4.    For Policy Type, select IPv4 Session.

5.    Under Rules, click Add.

a.    Under Source, select user.

b.    Under Destination, select alias.

c.    Under the alias selection, click New. For Destination Name, enter “Public DNS”. Click Add to add a rule. For Rule Type, select host. For IP Address, enter 64.151.103.120. Click Add. For Rule Type, select host. For IP Address, enter 216.87.84.209. Click Add. Click Apply. The alias “Public DNS” appears in the Destination menu.

d.    Under Destination, select Public DNS.

e.    Under Service, select svc-dns.

f.      Under Action, select src-nat.

g.    Under Time Range, select working-hours.

h.    Click Add.

6.    Click Apply.

Auth-Guest-Access Policy

To configure the auth-guest-access policy via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > Policies page.

2.    Select Add to add the auth-guest-access policy.

3.    For Policy Name, enter auth-guest-access.

4.    For Policy Type, select IPv4 Session.

5.    Under Rules, select Add to add rules for the policy.

a.    Under Source, select user.

b.    Under Destination, select any.

c.    Under Service, select udp. Enter 68.

d.    Under Action, select drop.

e.    Click Add.

6.    Under Rules, click Add.

a.    Under Source, select any.

b.    Under Destination, select any.

c.    Under Service, select service. Select svc-dhcp.

d.    Under Action, select permit.

e.    Under Time Range, select working-hours.

f.      Click Add.

7.    Under Rules, click Add.

a.    Under Source, select user.

b.    Under Destination, select alias. Select Public DNS from the drop-down menu.

c.    Under Service, select service. Select svc-dns.

d.    Under Action, select src-nat.

e.    Under Time Range, select working-hours.

f.      Click Add.

8.    Under Rules, click Add.

a.    Under Source, select user.

b.    Under Destination, select any.

c.    Under Service, select service. Select svc-http.

d.    Under Action, select src-nat.

e.    Under Time Range, select working-hours.

f.      Click Add.

9.    Under Rules, click Add.

a.    Under Source, select user.

b.    Under Destination, select any.

c.    Under Service, select service. Select svc-https.

d.    Under Action, select src-nat.

e.    Under Time Range, select working-hours.

f.      Click Add.

10. Click Apply.

Block-Internal-Access Policy

To create the block-internal-access policy via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > Policies page.

2.    Select Add to add the block-internal-access policy.

3.    For Policy Name, enter block-internal-access.

4.    For Policy Type, select IPv4 Session.

5.    Under Rules, select Add to add rules for the policy.

a.    Under Source, select user.

b.    Under Destination, select alias.

The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies.

c.    Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0. Click Add to add the network range. Repeat these steps to add the network ranges 172.16.0.0 255.255.0.0 and 192.168.0.0 255.255.0.0. Click Apply. The alias “Internal Network” appears in the Destination menu.

d.    Under Destination, select Internal Network.

e.    Under Service, select any.

f.      Under Action, select drop.

g.    Click Add.

6.    Click Apply.

Drop-and-Log Policy

To create the drop-and-log policy via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > Policies page.

2.    Select Add to add the drop-and-log policy.

3.    For Policy Name, enter drop-and-log.

4.    For Policy Type, select IPv4 Session.

5.    Under Rules, select Add to add rules for the policy.

a.    Under Source, select user.

b.    Under Destination, select any.

c.    Under Service, select any.

d.    Under Action, select drop.

e.    Select Log.

f.      Click Add.

6.    Click Apply.

Guest-logon Role

To create the guest-logon role via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > User Roles page.

2.    Click Add.

3.    For Role Name, enter guest-logon.

4.    Under Firewall Policies, click Add.

5.    For Choose from Configured Policies, select captiveportal from the drop-down menu.

6.    Click Done.

7.    Under Firewall Policies, click Add.

8.    For Choose from Configured Policies, select guest-logon-access from the drop-down menu.

9.    Click Done.

10. Under Firewall Policies, click Add.

11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.

12. Click Done.

13. Click Apply.

Auth-Guest Role

To create the auth-guest role via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > User Roles page.

2.    Click Add.

3.    For Role Name, enter auth-guest.

4.    Under Firewall Policies, click Add.

5.    For Choose from Configured Policies, select cplogout from the drop-down menu.

6.    Click Done.

7.    Under Firewall Policies, click Add.

8.    For Choose from Configured Policies, select guest-logon-access from the drop-down menu.

9.    Click Done.

10. Under Firewall Policies, click Add.

11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.

12. Click Done.

13. Under Firewall Policies, click Add.

14. For Choose from Configured Policies, select auth-guest-access from the drop-down menu.

15. Click Done.

16. Under Firewall Policies, click Add.

17. For Choose from Configured Policies, select drop-and-log from the drop-down menu.

18. Click Done.

19. Click Apply.

Configuring Policies and Roles in the CLI

Time Range

To create a time range via the command-line interface, access the CLI in config mode and issue the following commands:

time-range working-hours periodic
   weekday 07:30 to 17:00

Aliases

To create aliases via the command-line interface, access the CLI in config mode and issue the following commands:

netdestination "Internal Network"
   network 10.0.0.0 255.0.0.0
   network 172.16.0.0 255.255.0.0
   network 192.168.0.0 255.255.0.0

netdestination "Public DNS"
   host 64.151.103.120
   host 216.87.84.209

Guest-Logon-Access Policy

To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

ip access-list session guest-logon-access
   user any udp 68 deny
   any any svc-dhcp permit time-range working-hours
   user alias "Public DNS" svc-dns src-nat time-range working-hours

Auth-Guest-Access Policy

To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

ip access-list session auth-guest-access
   user any udp 68 deny
   any any svc-dhcp permit time-range working-hours
   user alias "Public DNS" svc-dns src-nat time-range working-hours
   user any svc-http src-nat time-range working-hours
   user any svc-https src-nat time-range working-hours

Block-Internal-Access Policy

To create a block-internal-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

ip access-list session block-internal-access
   user alias "Internal Network" any deny

Drop-and-Log Policy

To create a drop-and-log policy via the command-line interface, access the CLI in config mode and issue the following commands:

ip access-list session drop-and-log
   user any any deny log

Guest-Logon Role

To create a guest-logon role via the command-line interface, access the CLI in config mode and issue the following commands:

user-role guest-logon
   session-acl captiveportal position 1
   session-acl guest-logon-access position 2
   session-acl block-internal-access position 3

Auth-Guest Role

To create an auth-guest role via the command-line interface, access the CLI in config mode and issue the following commands:

user-role auth-guest
   session-acl cplogout position 1
   session-acl guest-logon-access position 2
   session-acl block-internal-access position 3
   session-acl auth-guest-access position 4
   session-acl drop-and-log position 5
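The policy order in the auth-guest role matters: block-internal-access sits before auth-guest-access, so HTTP to an internal address is dropped even though HTTP is otherwise permitted. The following Python model, added here as an example and not ArubaOS code, replays the aliases, time range and session ACLs defined above against constructed traffic samples. It assumes that a role's session ACLs are evaluated in position order with the first match deciding, that a service matches on protocol and destination port, that a source of "user" means traffic sent by the client, and that unmatched traffic is implicitly denied; the predefined cplogout policy is omitted because it only handles captive portal logout traffic.

```python
"""Model of first-match evaluation for the auth-guest role in this chapter (added example).

Assumptions: session ACLs are checked in position order and the first match decides;
a service matches on protocol and destination port; source "user" means traffic sent
by the client; unmatched traffic is implicitly denied. cplogout is not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# netdestination aliases as defined in the chapter's CLI section
ALIASES = {
    "Public DNS": [ip_network("64.151.103.120/32"), ip_network("216.87.84.209/32")],
    "Internal Network": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/16"), ip_network("192.168.0.0/16")],
}
# service -> (protocol or None for any, low port, high port); assumed port mappings
SERVICES = {
    "udp 68": ("udp", 68, 68),      # a client sending to port 68 is acting as a DHCP server
    "svc-dhcp": ("udp", 67, 68),
    "svc-dns": ("udp", 53, 53),
    "svc-http": ("tcp", 80, 80),
    "svc-https": ("tcp", 443, 443),
    "any": (None, 0, 65535),
}

def in_working_hours(when: datetime) -> bool:
    """time-range working-hours periodic: weekday 07:30 to 17:00."""
    return when.weekday() < 5 and time(7, 30) <= when.time() < time(17, 0)

@dataclass
class Rule:
    src: str                        # "user" or "any"
    dst: str                        # "any" or an alias name
    service: str
    action: str                     # permit | deny | src-nat
    time_range: Optional[str] = None  # only "working-hours" exists in this example
    log: bool = False

@dataclass
class Packet:
    proto: str
    dst_ip: str
    dst_port: int
    when: datetime
    from_user: bool = True          # False models traffic sent towards the client

# ip access-list session definitions from the chapter, rules in listed order
POLICIES = {
    "guest-logon-access": [
        Rule("user", "any", "udp 68", "deny"),
        Rule("any", "any", "svc-dhcp", "permit", "working-hours"),
        Rule("user", "Public DNS", "svc-dns", "src-nat", "working-hours"),
    ],
    "block-internal-access": [Rule("user", "Internal Network", "any", "deny")],
    "auth-guest-access": [
        Rule("user", "any", "udp 68", "deny"),
        Rule("any", "any", "svc-dhcp", "permit", "working-hours"),
        Rule("user", "Public DNS", "svc-dns", "src-nat", "working-hours"),
        Rule("user", "any", "svc-http", "src-nat", "working-hours"),
        Rule("user", "any", "svc-https", "src-nat", "working-hours"),
    ],
    "drop-and-log": [Rule("user", "any", "any", "deny", log=True)],
}
# user-role auth-guest, session-acl positions 2 to 5 (cplogout at position 1 omitted)
AUTH_GUEST_ROLE = ["guest-logon-access", "block-internal-access", "auth-guest-access", "drop-and-log"]

# constructed timestamps: Wednesday 10:00, Wednesday 18:00, Saturday 10:00
WEEKDAY_10 = datetime(2024, 6, 12, 10, 0)
WEEKDAY_18 = datetime(2024, 6, 12, 18, 0)
SATURDAY_10 = datetime(2024, 6, 15, 10, 0)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src == "user" and not pkt.from_user:
        return False
    if rule.dst != "any" and not any(ip_address(pkt.dst_ip) in n for n in ALIASES[rule.dst]):
        return False
    proto, lo, hi = SERVICES[rule.service]
    if proto is not None and (proto != pkt.proto or not lo <= pkt.dst_port <= hi):
        return False
    return rule.time_range is None or in_working_hours(pkt.when)

def evaluate(role, pkt: Packet):
    """Return (action, policy, logged) of the first matching rule, else the implicit deny."""
    for policy in role:
        for rule in POLICIES[policy]:
            if rule_matches(rule, pkt):
                return rule.action, policy, rule.log
    return "deny", "implicit", False

if __name__ == "__main__":
    samples = [
        ("client answers DHCP (spoofed server)", Packet("udp", "192.168.200.55", 68, WEEKDAY_10)),
        ("controller DHCP offer to client", Packet("udp", "192.168.200.55", 68, WEEKDAY_10, False)),
        ("DNS to internal resolver", Packet("udp", "10.1.1.53", 53, WEEKDAY_10)),
        ("HTTPS to Internet, after hours", Packet("tcp", "93.184.216.34", 443, WEEKDAY_18)),
    ]
    for label, pkt in samples:
        print(f"{label:40} -> {evaluate(AUTH_GUEST_ROLE, pkt)}")
```

Swapping the positions of block-internal-access and auth-guest-access in AUTH_GUEST_ROLE makes the internal DNS sample return src-nat instead of deny, which is the misordering the role definition above is meant to prevent.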

Configuring Guest VLANs

Guests using the WLAN are assigned to VLAN 900 and are given IP addresses via DHCP from the controller.

In the WebUI

1.    Navigate to the Configuration > Network > VLANs page.

a.    Click Add.

b.    For VLAN ID, enter 900.

c.    Click Apply.

2.    Navigate to the Configuration > Network > IP > IP Interfaces page.

a.    Click Edit for VLAN 900.

b.    For IP Address, enter 192.168.200.20.

c.    For Net Mask, enter 255.255.255.0.

d.    Click Apply.

3.    Click the DHCP Server tab.

a.    Select Enable DHCP Server.

b.    Click Add under Pool Configuration.

c.    For Pool Name, enter guestpool.

d.    For Default Router, enter 192.168.200.20.

e.    For DNS Server, enter 64.151.103.120.

f.    For Lease, enter 4 hours.

g.    For Network, enter 192.168.200.0. For Netmask, enter 255.255.255.0.

h.    Click Done.

4.    Click Apply.

In the CLI

vlan 900
interface vlan 900
   ip address 192.168.200.20 255.255.255.0
ip dhcp pool "guestpool"
   default-router 192.168.200.20
   dns-server 64.151.103.120
   lease 0 4 0
   network 192.168.200.0 255.255.255.0

Captive Portal Authentication

In this section, you create an instance of the captive portal authentication profile and the AAA profile. For the captive portal authentication profile, you specify the previously-created auth-guest user role as the default user role for authenticated captive portal clients, and the authentication server group ("Internal").

To configure captive portal authentication via the WebUI:

1.    Navigate to the Configuration > Security > Authentication > L3 Authentication page. In the Profiles list, select Captive Portal Authentication Profile.

a.    In the Captive Portal Authentication Profile Instance list, enter guestnet for the name of the profile, then click Add.

b.    Select the captive portal authentication profile you just created.

c.    For Default Role, select auth-guest.

d.    Select User Login.

e.    Deselect (uncheck) Guest Login.

f.      Click Apply.

2.    Select Server Group under the guestnet captive portal authentication profile you just created.

a.    Select internal from the Server Group drop-down menu.

b.    Click Apply.

To configure captive portal authentication via the command-line interface, access the CLI in config mode and issue the following commands:

aaa authentication captive-portal guestnet
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal

Modifying the Initial User Role

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. Therefore, you need to modify the guest-logon user role configuration to include the guestnet captive portal authentication profile.

To modify the guest-logon role via the WebUI:

1.    Navigate to the Configuration > Security > Access Control > User Roles page.

2.    Select Edit for the guest-logon role.

3.    Scroll down to the bottom of the page.

4.    Select the captive portal authentication profile you just created from the Captive Portal Profile drop-down menu, and click Change.

5.    Click Apply.

To modify the guest-logon role via the command-line interface, access the CLI in config mode and issue the following commands:

user-role guest-logon
   captive-portal guestnet

Configuring the AAA Profile

In this section, you configure the guestnet AAA profile, which specifies the previously-created guest-logon role as the initial role for clients who associate to the WLAN.

To configure the AAA profile via the WebUI:

1.    Navigate to the Configuration > Security > Authentication > AAA Profiles page.

2.    In the AAA Profiles Summary, click Add to add a new profile. Enter guestnet for the name of the profile, then click Add.

3.    For Initial role, select guest-logon.

4.    Click Apply.

To configure the AAA profile via the command-line interface, access the CLI in config mode and issue the following commands:

aaa profile guestnet
   initial-role guest-logon

Configuring the WLAN

In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet.

To configure the guest WLAN via the WebUI:

1.    Navigate to the Configuration > Wireless > AP Configuration page.

2.    Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

3.    To configure the virtual AP profile, navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

4.    Under Profiles, select Wireless LAN, then select Virtual AP.

5.    To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, guestnet), and click Add.

a.    In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.

b.    From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.

c.    Enter the name for the SSID profile (for example, guestnet).

d.    Enter the Network Name for the SSID (for example, guestnet).

e.    For Network Authentication, select None.

f.    For Encryption, select Open.

g.    Click Apply in the pop-up window.

h.    At the bottom of the Profile Details page, click Apply.

6.    Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.

a.    Make sure Virtual AP enable is selected.

b.    For VLAN, select the ID of the VLAN in which captive portal users are placed (for example, VLAN 900).

c.    Click Apply.

To configure the guest WLAN via the command-line interface, access the CLI in config mode and issue the following commands:

wlan ssid-profile guestnet
   essid guestnet
   opmode opensystem

aaa profile guestnet
   initial-role guest-logon

wlan virtual-ap guestnet
   vlan 900
   aaa-profile guestnet
   ssid-profile guestnet

User Account Administration

Temporary user accounts are created in the internal database on the controller. You can create a user role which will allow a receptionist to create temporary user accounts. Guests can use the accounts to log into a captive portal login page to gain Internet access.

See “Creating Guest Accounts” for more information about configuring guest provisioning users and administering guest accounts.

Captive Portal Configuration Parameters

Table 61 describes configuration parameters on the WebUI Captive Portal Authentication profile page.

In the CLI, you configure these options with the aaa authentication captive-portal commands.

Table 61 Captive Portal Authentication Profile Parameters

| Parameter | Description |
|---|---|
| Default role | Role assigned to the Captive Portal user upon login. When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role. The Policy Enforcement Firewall Next Generation (PEFNG) license must be installed. Default: guest |
| Redirect Pause | Time, in seconds, that the system remains on the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link. Default: 10 seconds |
| User Login | Enables Captive Portal with authentication of user credentials. Default: enabled |
| Guest Login | Enables Captive Portal logon without authentication. Default: disabled |
| Logout popup window | Enables a pop-up window with the Logout link for the user to log out after logon. If this is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads. Default: enabled |
| Use HTTP for authentication | Use the HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captiveportal policy to allow HTTP traffic. Default: disabled (HTTPS is used) |
| Logon wait minimum wait | Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. Default: 5 seconds |
| Logon wait maximum wait | Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. Default: 10 seconds |
| Logon wait CPU utilization threshold | CPU utilization percentage above which the Logon wait interval is applied when presenting the user with the logon page. Default: 60% |
| Max authentication failures | Maximum number of authentication failures before the user is blacklisted. Default: 0 |
| Show FQDN | Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. Default: disabled |
| Use CHAP | Use the CHAP protocol. You should not use this option unless instructed to do so by an Aruba representative. Default: PAP |
| Sygate-on-demand-agent | Enables client remediation with Sygate-on-demand-agent (SODA). Default: disabled |
| Login page | URL of the page that appears for the user logon. This can be set to any URL. Default: /auth/index.html |
| Welcome page | URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL. Default: /auth/welcome.html |
| Show Welcome Page | Enables the display of the welcome page. If this option is disabled, redirection to the web URL happens immediately after logon. Default: enabled |
| Proxy Server Configuration | Configures the IP address and port number for the proxy server. NOTE: This option is only available in the base operating system. Default: N/A |
| Add a controller interface in redirection URL | Enter the IP address of a controller interface to add that IP address to the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL. |
| Allow only one active user session | Select this checkbox to allow only one active user session at a time. This feature is disabled by default. |
| Show the acceptable use policy page | Select this checkbox to display the acceptable use policy before the login page. |

Optional Captive Portal Configurations

The following are optional captive portal configurations:

  • “Per-SSID Captive Portal Page”

  • “Changing the Protocol to HTTP”

  • “Proxy Server Redirect”

  • “Redirecting Clients on Different VLANs”

  • “Web Client Configuration with Proxy Script”

Per-SSID Captive Portal Page

You can upload custom login pages for captive portal into the controller through the WebUI (refer to Appendix E, “Internal Captive Portal”). The SSID to which the client associates determines the captive portal login page displayed.

You specify the captive portal login page in the captive portal authentication profile, along with other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. (In the case of captive portal in the base operating system, the initial user role is automatically created when you create the captive portal authentication profile instance.) You then specify the initial user role for captive portal in the AAA profile for the WLAN.

When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial user role and user role, and captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal. For example, if you want to have different captive portal login pages for the engineering, business and faculty departments, you need to create and configure according to Table 62.

Table 62 Captive Portal Login Pages

| Entity | Engineering | Business | Faculty |
|---|---|---|---|
| Captive portal login page | /auth/eng-login.html | /auth/bus-login.html | /auth/fac-login.html |
| Captive portal user role | eng-user | bus-user | fac-user |
| Captive portal authentication profile | eng-cp (specify /auth/eng-login.html and eng-user) | bus-cp (specify /auth/bus-login.html and bus-user) | fac-cp (specify /auth/fac-login.html and fac-user) |
| Initial user role | eng-logon (specify the eng-cp profile) | bus-logon (specify the bus-cp profile) | fac-logon (specify the fac-cp profile) |
| AAA profile | eng-aaa (specify the eng-logon user role) | bus-aaa (specify the bus-logon user role) | fac-aaa (specify the fac-logon user role) |
| SSID profile | eng-ssid | bus-ssid | fac-ssid |
| Virtual AP profile | eng-vap | bus-vap | fac-vap |

Changing the Protocol to HTTP

By default, the HTTPS protocol is used on redirection to the Captive Portal page. If you need to use HTTP instead, you need to do the following:

  • Modify the captive portal authentication profile to enable the HTTP protocol.

  • For captive portal with role-based access only: modify the captiveportal policy to permit HTTP traffic instead of HTTPS traffic.

In the base operating system, the implicit ACL captive-portal-profile is automatically modified.

To change the protocol to HTTP via the WebUI:

1.    Edit the captive portal authentication profile by navigating to the Configuration > Security > Authentication > L3 Authentication page.

a.    Enable (select) “Use HTTP for authentication”.

b.    Click Apply.

2.    (For captive portal with role-based access only) Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page.

a.    Delete the rule for “user mswitch svc-https dst-nat”.

b.    Add a new rule with the following values and move this rule to the top of the rules list:

  • source is user

  • destination is the mswitch alias

  • service is svc-http

  • action is dst-nat

c.    Click Apply.

To change the protocol to HTTP via the command-line interface, access the CLI in config mode and issue the following commands:

aaa authentication captive-portal <profile>
   protocol-http

(For captive portal with role-based access only)

ip access-list session captiveportal
   no user alias mswitch svc-https dst-nat
   user alias mswitch svc-http dst-nat
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081

Proxy Server Redirect

You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the proxy server’s IP address and TCP port. When the user opens a Web browser, the HTTP/S connection request must be redirected from the proxy server to the captive portal on the controller.

To configure captive portal to work with a proxy server:

  • (For captive portal with base operating system) Modify the captive portal authentication profile to specify the proxy server’s IP address and TCP port.

  • (For captive portal with role-based access) Modify the captiveportal policy to have traffic for the proxy server’s port destination NATed to port 8088 on the controller.

The base operating system automatically modifies the implicit ACL captive-portal-profile.

The following sections describe how to use the WebUI and CLI to configure the captive portal with a proxy server.

note

When HTTPS traffic is redirected from a proxy server to the controller, the user’s browser will display a warning that the subject name on the certificate does not match the hostname to which the user is connecting.

To redirect proxy server traffic using the WebUI:

1.    For captive portal with the Aruba base operating system, edit the captive portal authentication profile by navigating to the Configuration > Security > Authentication > L3 Authentication page.

a.    For Proxy Server, enter the IP address and port for the proxy server.

b.    Click Apply.

2.    For captive portal with role-based access, edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page.

3.    Add a new rule with the following values:

a.    Source is user

b.    Destination is any

c.    Service is TCP

d.    Port is the TCP port on the proxy server

e.    Action is dst-nat

f.    IP address is the IP address of the proxy port

g.    Port is the port on the proxy server

4.    Click Add to add the rule. Use the up arrows to move this rule just below the rule that allows HTTP(S) traffic.

5.    Click Apply.


To redirect proxy server traffic via the command-line interface, access the CLI in config mode and issue the following commands.

For captive portal with the Aruba base operating system:

aaa authentication captive-portal <profile>
   proxy host <ipaddr> port <port>

For captive portal with role-based access:

ip access-list session captiveportal
   user alias mswitch svc-https permit
   user any tcp <port> dst-nat 8088
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081

Redirecting Clients on Different VLANs

You can redirect wireless clients that are on different VLANs (from the controller’s IP address) to the captive portal on the controller. To do this:

1.    Specify the redirect address for the captive portal.

2.    For captive portal with the PEFNG license only, you need to modify the captiveportal policy that is assigned to the user. To do this:

a.    Create a network destination alias to the controller interface.

b.    Modify the rule set to allow HTTPS to the new alias instead of the mswitch alias.

note

In the base operating system, the implicit ACL captive-portal-profile is automatically modified.

This example shows how to use the command-line interface to create a network destination called cp-redirect and use that in the captiveportal policy:

ip cp-redirect-address <ipaddr>

For captive portal with PEFNG license:

netdestination cp-redirect <ipaddr>

ip access-list session captiveportal
   user alias cp-redirect svc-https permit
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081

Web Client Configuration with Proxy Script

If the web client proxy configuration is distributed through a proxy script (a .pac file), you need to configure the captiveportal policy to allow the client to download the file. Note that in order to modify the captiveportal policy, you must have the PEFNG license installed in the controller.

To allow clients to download proxy script via the WebUI:

1.    Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page.

2.    Add a new rule with the following values:

  • Source is user

  • Destination is host

  • Host IP is the IP address of the proxy server

  • Service is svc-https or svc-http

  • Action is permit

3.    Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination NAT.

4.    Click Apply.

To allow clients to download the proxy script via the command-line interface, access the CLI in config mode and issue the following commands:

ip access-list session captiveportal
   user alias mswitch svc-https permit
   user any tcp <port> dst-nat 8088
   user host <ipaddr> svc-https permit
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
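The ordering constraints in the last two sections (the proxy-port rule just below the HTTP(S) permit, and the proxy-script host permit above the rules that perform destination NAT) follow from the session ACL being evaluated top-down with the first matching rule winning. The following added example, which is not ArubaOS or Aruba code, models that evaluation in Python and flags a host permit that a preceding "any" rule for the same service would swallow; the proxy host 10.20.30.40, the proxy port 3128 and the mswitch member address are constructed values.

```python
"""Added example, not ArubaOS code: a toy first-match model of a session
ACL. It shows why the permit for the proxy-script host must sit above the
'dst-nat 8080/8081' rules in the captiveportal policy. Sample values are
constructed: proxy host 10.20.30.40, proxy port 3128, mswitch 192.168.200.20.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Service aliases used on the page, mapped to (protocol, port).
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    dest: str     # "any", "alias NAME" or "host A.B.C.D"
    service: str  # "svc-http", "svc-https" or "tcp PORT"
    action: str   # "permit" or "dst-nat PORT"


def parse_rule(line: str) -> Rule:
    """Parse one 'user <dest> <service> <action>' line of the policy."""
    tok = line.split()
    if tok[0] != "user":
        raise ValueError("only 'user ...' rules are modelled: " + line)
    i = 1
    if tok[i] in ("alias", "host"):
        dest, i = f"{tok[i]} {tok[i + 1]}", i + 2
    else:
        dest, i = tok[i], i + 1
    if tok[i] in ("tcp", "udp"):
        service, i = f"{tok[i]} {tok[i + 1]}", i + 2
    else:
        service, i = tok[i], i + 1
    return Rule(dest, service, " ".join(tok[i:]))


def service_of(service: str) -> Tuple[str, int]:
    """Resolve a service alias or 'tcp PORT' to (protocol, port)."""
    if service in SERVICES:
        return SERVICES[service]
    proto, port = service.split()
    return proto, int(port)


def dest_matches(dest: str, ip: str, aliases: Dict[str, Set[str]]) -> bool:
    """True if the rule's destination covers the flow's destination IP."""
    if dest == "any":
        return True
    kind, name = dest.split()
    return ip == name if kind == "host" else ip in aliases.get(name, set())


def first_match(policy: List[str], dst_ip: str, proto: str, port: int,
                aliases: Dict[str, Set[str]]) -> Optional[str]:
    """Action for a client flow; rules are tried top-down, first hit wins."""
    for rule in map(parse_rule, policy):
        if dest_matches(rule.dest, dst_ip, aliases) and \
                service_of(rule.service) == (proto, port):
            return rule.action
    return None


def shadowed_rules(policy: List[str]) -> List[str]:
    """Host/alias rules that can never fire because an earlier 'any' rule for
    the same service precedes them; each one marks a misordered policy."""
    seen_any, dead = set(), []
    for line in policy:
        rule = parse_rule(line)
        if rule.dest == "any":
            seen_any.add(service_of(rule.service))
        elif service_of(rule.service) in seen_any:
            dead.append(line)
    return dead


# Constructed sample: the page's captiveportal policy with the proxy-script
# host permit above the dst-nat rules, and the same rules misordered.
ALIASES = {"mswitch": {"192.168.200.20"}}
GOOD_POLICY = [
    "user alias mswitch svc-https permit",
    "user any tcp 3128 dst-nat 8088",
    "user host 10.20.30.40 svc-https permit",
    "user any svc-http dst-nat 8080",
    "user any svc-https dst-nat 8081",
]
BAD_POLICY = GOOD_POLICY[:2] + GOOD_POLICY[3:] + [GOOD_POLICY[2]]
```

With the misordered policy, a client fetching the .pac file over HTTPS is redirected to port 8081 on the controller instead of reaching the proxy, and shadowed_rules reports the dead permit.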

Personalizing the Captive Portal Page

The following can be personalized on the default captive portal page:

  • Captive portal background

  • Page text

  • Acceptable Use Policy

The background image and text should be visible to users with a browser window on a 1024 by 768 pixel screen. The background should not clash if viewed on a much larger monitor. A good option is to have the background image at 800 by 600 pixels, and set the background color to be compatible. The maximum image size for the background can be around 960 by 720 pixels, as long as the image can be cropped at the bottom and right edges. Leave space on the left side for the login box.

You can create your own web pages and install them in the controller for use with captive portal. See Appendix E, “Internal Captive Portal”.

1.    Navigate to the Configuration > Management > Captive Portal > Customize Login Page page.

You can choose one of three page designs. To select an existing design, click the first or the second page design present.


2.    To customize the page background:

a.    Select the YOUR CUSTOM BACKGROUND page.

b.    Under Additional options, enter the location of the JPEG image in the Upload your own custom background field.

c.    Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh.

d.    To view the page background changes, click Submit at the bottom of the page and then click the View Captive Portal link. The User Agreement Policy page appears and displays the Captive Portal page as it will be seen by users.


3.    To customize the captive portal background text:

a.    Enter the text that needs to be displayed in the Page Text (in HTML format) message box.

b.    To view the background text changes, click Submit at the bottom of the page and then click the View Captive Portal link. The User Agreement Policy page appears.

c.    Click Accept. This displays the Captive Portal page as it will be seen by users.

4.    To customize the text under the Acceptable Use Policy:

a.    Enter the policy information in the Policy Text text box. Use this only in the case of guest logon.

b.    To view the use policy information changes, click Submit at the bottom of the page and then click the View Captive Portal link. The User Agreement Policy page appears. The text you entered appears in the Acceptable Use Policy text box.

c.    Click Accept. This displays the Captive Portal page as it will be seen by users.
