Configuring Captive Portal Authentication Profiles

In this section, you create an instance of the captive portal authentication profile and the AAA profile. For the captive portal authentication profile, you specify the previously-created auth-guest user role as the default user role for authenticated captive portal clients and the authentication server group (“Internal”).

To configure captive portal authentication via the WebUI:

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. In the Profiles list, select Captive Portal Authentication Profile.
a. In the Captive Portal Authentication Profile Instance list, enter guestnet for the name of the profile, then click Add.
b. Select the captive portal authentication profile you just created.
c. For Default Role, select auth-guest.
d. Select User Login.
e. Deselect (uncheck) Guest Login.
f. Click Apply.
2. Select Server Group under the guestnet captive portal authentication profile you just created.
a. Select internal from the Server Group drop-down menu.
b. Click Apply.

To configure captive portal authentication via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #aaa authentication captive-portal guestnet
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal

Modifying the Initial User Role

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. Therefore, you need to modify the guest-logon user role configuration to include the guestnet captive portal authentication profile.

To modify the guest-logon role via the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Select Edit for the guest-logon role.
3. Scroll down to the bottom of the page.
4. Select the captive portal authentication profile you just created from the Captive Portal Profile drop-down menu, and click Change.
5. Click Apply.

To modify the guest-logon role via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #user-role guest-logon
   captive-portal guestnet

Configuring the AAA Profile

In this section, you configure the guestnet AAA profile, which specifies the previously-created guest-logon role as the initial role for clients who associate to the WLAN.

To configure the AAA profile via the WebUI:

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. In the AAA Profiles Summary, click Add to add a new profile. Enter guestnet for the name of the profile, then click Add.
3. For Initial role, select guest-logon.
4. Click Apply.

To configure the AAA profile via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #aaa profile guestnet
   initial-role guest-logon

Configuring the WLAN

In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet.

To configure the guest WLAN via the WebUI:

1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
3. Under Profiles, select Wireless LAN, then select Virtual AP.
4. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, guestnet), and click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.
c. Enter the name for the SSID profile (for example, guestnet).
d. Enter the Network Name for the SSID (for example, guestnet).
e. For Network Authentication, select None.
f. For Encryption, select Open.
g. Click Apply in the pop-up window.
h. At the bottom of the Profile Details page, click Apply.
5. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Make sure Virtual AP enable is selected.
b. For VLAN, select the ID of the VLAN in which captive portal users are placed (for example, VLAN 900).
c. Click Apply.

To configure the guest WLAN via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #wlan ssid-profile guestnet
   essid guestnet
   opmode opensystem

(host)(config) #aaa profile guestnet
   initial-role guest-logon

(host)(config) #wlan virtual-ap guestnet
   vlan 900
   aaa-profile guestnet
   ssid-profile guestnet
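The sections above configure the guest captive portal one object at a time. The following block is an added example, assembled from those sections rather than copied from the original page: it issues the same commands in the order the objects must exist (each profile is created before the object that references it), assigns the virtual AP to an AP group, and verifies every object with show commands. The auth-guest and guest-logon user roles are assumed to exist already, as the page states; the AP group name default is an assumption and should be replaced with the group that serves the guest APs.

```text
(host)(config) #aaa authentication captive-portal guestnet
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal
   !
(host)(config) #user-role guest-logon
   captive-portal guestnet
   !
(host)(config) #aaa profile guestnet
   initial-role guest-logon
   !
(host)(config) #wlan ssid-profile guestnet
   essid guestnet
   opmode opensystem
   !
(host)(config) #wlan virtual-ap guestnet
   vlan 900
   aaa-profile guestnet
   ssid-profile guestnet
   !
(host)(config) #ap-group default
   virtual-ap guestnet
   !
(host) #show aaa authentication captive-portal guestnet
(host) #show rights guest-logon
(host) #show aaa profile guestnet
(host) #show wlan ssid-profile guestnet
(host) #show wlan virtual-ap guestnet
```

The show commands are worth running before clients are allowed onto the SSID: a guest-logon role that does not list the guestnet captive portal profile, or an AAA profile whose initial role is not guest-logon, leaves clients without a redirect to the login page rather than producing an error at configuration time. Because the SSID is open and unencrypted, everything a guest sends before and after login crosses the air in clear text unless the application itself uses TLS; the captive portal login page is served over HTTPS by default for exactly this reason (see Use HTTP for authentication in Table 1).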

Managing User Accounts

Temporary user accounts are created in the internal database on the controller. You can create a user role which will allow a receptionist to create temporary user accounts. Guests can use the accounts to log into a captive portal login page to gain Internet access.

See Creating Guest Accounts for more information about configuring guest provisioning users and administering guest accounts.

Configuring Captive Portal Configuration Parameters

Table 1 describes configuration parameters on the WebUI Captive Portal Authentication profile page.

In the CLI, you configure these options with the aaa authentication captive-portal commands.

Table 1: Captive Portal Authentication Profile Parameters

Parameter

Description

Black List

Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains destinations that an unauthenticated guest (a client still in the initial role) cannot access.

Default Guest Role

Role assigned to guest.

Default: guest

Default Role

Role assigned to the Captive Portal user upon login. When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.

Default: guest

Show Welcome Page

Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, users are redirected to the web URL immediately after they log in.

Default: Enabled

Guest Login

Enables Captive Portal logon without authentication.

Default: Disabled

Login Page

URL of the page that appears for the user logon. This can be set to any URL. If you point it at an external captive portal server, that server must be reachable from the initial (pre-authentication) role, for example by adding it to the white list.

Default: /auth/index.html

Logon wait maximum wait

Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.

Default: 10 seconds

Logon wait CPU utilization threshold

CPU utilization percentage above which the Logon wait interval is applied when presenting the user with the logon page.

Default: 60%

Logon wait minimum wait

Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.

Default: 5 seconds

Logout popup window

Enables a pop-up window with the Logout link for the user to log out after logon. If this is disabled, the user remains logged in until the user idle timeout period has elapsed or the station reloads.

Default: Enabled

Max Authentication failures

Maximum number of authentication failures before the user is blacklisted. With the default of 0, repeated failures never trigger blacklisting, so a client can keep guessing guest credentials against the server group; set a nonzero value on a guest network that authenticates against the internal database.

Default: 0

Use HTTP for authentication

Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic. Note that with HTTP the login page, and the credentials the user types into it, travel in clear text over an open SSID; leave this disabled unless you have a specific reason to accept that.

Default: disabled (HTTPS is used)

Redirect Pause

Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.

Default: 10 seconds

server group

Name of the group of servers used to authenticate Captive Portal users.

Show FQDN

Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.

Default: Disabled

Show Acceptable Use Policy Page

Show the acceptable use policy page before the logon page.

Default: Disabled

Allow only one active user session

Allows only one active user session at a time.

Default: Disabled

Add switch IP address in redirection URL

Sends the controller’s IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL.

Default: Disabled

Use CHAP (non-standard)

Use CHAP protocol. You should not use this option unless instructed to do so by an Aruba representative.

Default: Disabled

User Logon

Enables Captive Portal with authentication of user credentials.

Default: Enabled

User VLAN in Redirection URL

Sends the user’s VLAN ID in the redirection URL when external captive portal servers are used.

Default: Disabled

Welcome Page

URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.

Default: /auth/welcome.html

White List

Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains destinations that a guest can access before authenticating (for example, an external captive portal server or a hotel web site); all other destinations remain blocked until the captive portal login succeeds.

White List

To add a netdestination to the captive portal whitelist, enter the destination host or subnet, then click Add. The netdestination will be added to the whitelist. To remove a netdestination from the whitelist, select it in the whitelist field, then click Delete.

If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist.

This parameter requires the Public Access license.

Black List

To add a netdestination to the captive portal blacklist, enter the destination host or subnet, then click Add. The netdestination will be added to the blacklist. To remove a netdestination from the blacklist, select it in the blacklist field, then click Delete.

If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.

User idle timeout

The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
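The parameters in Table 1 that most affect the security of a guest network are the white list, the HTTP option, the authentication failure limit, the single-session option and the idle timeout. The following block is an added example, not part of the original page, that applies them to the guestnet profile from the CLI. The netdestination name cp-allowed and its host address 203.0.113.10 are assumptions (a documentation address standing in for an external captive portal or landing server); the failure limit and idle timeout values are example choices, not defaults.

```text
(host)(config) #netdestination cp-allowed
   host 203.0.113.10
   !
(host)(config) #aaa authentication captive-portal guestnet
   white-list cp-allowed
   no protocol-http
   max-authentication-failures 5
   single-session
   user-idle-timeout 600
   no guest-logon
   !
(host) #show netdestination cp-allowed
(host) #show aaa authentication captive-portal guestnet
```

The white list is the only way an unauthenticated client in the guest-logon role reaches anything other than the controller's own login page, so keep it to the hosts the portal flow actually needs. no protocol-http keeps the login exchange on HTTPS (the default, made explicit here so it survives a later edit), max-authentication-failures 5 blacklists a client after five bad logins instead of never, single-session stops one set of guest credentials being shared across several devices, and user-idle-timeout 600 (a multiple of 30 within the 30-15300 range) returns an abandoned session to the initial role after ten minutes instead of the global AAA timer. no guest-logon repeats the page's choice to require real credentials rather than click-through access.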