Configuring Captive Portal in the Base Operating System

The base operating system (ArubaOS without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources.

When you create a captive portal profile in the base operating system, an implicit user role with the same name as the captive portal profile is automatically created in the stand-alone controller and in the Master Controller Mode. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.

In a Mobility Master-managed device topology, Mobility Master does not have the configuration related to the PEFNG license; therefore, the role is not created on the Mobility Master.

The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the “default” ap-group: Configuration > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance.

What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks.

1. Create the Server Group name. In this example, the server group name is “cp-srv”.

If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information about configuring authentication servers and server groups, see Authentication Servers.

2. Create Captive Portal Authentication Profile. In this example, the profile name is “c-portal”.

Create and configure an instance of the captive portal authentication profile. Creating the captive portal profile automatically creates an implicit user role and ACL with the same name. Creating the profile “c-portal” creates an implicit user role called “c-portal”. That user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal.

3. Create an AAA Profile. In this example, the profile name is “aaa_c-portal”.

Create and configure an instance of the AAA profile. For the initial role, enter the implicit user role that was created in step . The initial role in the profile “aaa_c-portal” must be set to “c-portal”.

4. Create SSID Profile. In this example, the profile name is “ssid_c-portal”.

Create and configure an instance of the virtual AP profile which you apply to an AP group or AP name. Specify the AAA profile you created in step .

5. Create a Virtual AP Profile. In this example, the profile name is “vp_c-portal”.

Create and configure an instance of the SSID profile for the virtual AP.

The following sections present the procedure for configuring the captive portal authentication profile, the AAA profile, and the virtual AP profile using the WebUI or the CLI. Configuration of the VLAN, authentication servers, and server groups is described elsewhere in this document.

In the WebUI

1. Log in to the Mobility Master.
2. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > L3 Authentication page. Select the Captive Portal Authentication profile.
a. Click + to create a new Captive Portal Authentication Profile, enter the name of the profile (for example, c-portal), then click Submit.
b. Select the captive portal authentication profile you just created.
c. You can enable user login and guest login, and configure other captive portal profile parameters as described in Table 1.
d. Click Submit.
3. To specify authentication servers, select Server Group under the captive portal authentication profile you just configured.
a. Select the server group (for example, cp-srv) from the drop-down list.
b. Click Submit.
4. Select the AAA Profiles tab.
a. In the AAA Profiles, click + to add a new profile. Enter the name of the profile (for example, aaa_c-portal), then click Add.
b. Select the AAA profile you just created.
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously for stand-alone controller and Master Controller Mode.

The Initial Role must be exactly the same as the name of the captive portal authentication profile you created.

d. Click Submit.
5. Under Profiles, select Wireless LAN, then select Virtual AP.
6. To create a new virtual AP profile, click + from the Virtual AP profile: New Profile pane. Enter the name for the virtual AP profile (for example, vp_c-portal), and click Save.
a. In the Profile Details entry for the new virtual AP profile (guestnet), select the AAA profile you previously configured from the AAA Profile drop-down list and click Save.
b. From the SSID profile drop-down list, select NEW.
c. Enter the name for the SSID profile (for example, ssid_c-portal).
d. Enter the Network Name for the SSID (for example, c-portal-ap).
e. For Network Authentication, select None.
f. For Encryption, select Open.
g. At the bottom of the Profile Details page, click Save.
7. Navigate to the Configuration > AP Groups page.
8. Select an AP Group and click the WLANs tab in the AP group window.
9. Click + under the WLANs tab and select the newly created virtual AP profile (guestnet) from the Virtual-ap drop-down list.
10. Click on the new virtual AP name in the Profiles list.
a. Click the General accordion and make sure Virtual AP enable is selected.
b. For VLAN, select the ID of the VLAN in which captive portal users are placed (for example, VLAN 20).
c. Click Submit.
11. Click Pending Changes.
12. In the Pending Changes window, select the check box and click Deploy changes.

In the CLI

To configure captive portal in the base operating system via the command-line interface, access the CLI in config mode and issue the following commands:

(host) [md] (config) #aaa authentication captive-portal c-portal
   server-group cp-srv
(host) [md] (config) #aaa profile aaa_c-portal
   initial-role c-portal
(host) [md] (config) #wlan ssid-profile ssid_c-portal
   essid c-portal-ap
(host) [md] (config) #wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
   vlan 20
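
The profiles above only work as a chain: the virtual AP names an AAA profile, and that AAA profile's initial role must exactly match the captive portal profile name. The following check is an added example, not part of the ArubaOS documentation or tooling; it assumes the input text holds only the four profile types configured on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the CLI commands from this page, prompts included.
SAMPLE_CONFIG = """\
(host) [md] (config) #aaa authentication captive-portal c-portal
server-group cp-srv
(host) [md] (config) #aaa profile aaa_c-portal
initial-role c-portal
(host) [md] (config) #wlan ssid-profile ssid_c-portal
essid c-portal-ap
(host) [md] (config) #wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal
vlan 20
"""
PROMPT = re.compile(r"^\s*\([^)]*\)\s*\[[^\]]*\]\s*\([^)]*\)\s*#\s*")
HEADERS = {"aaa authentication captive-portal": "cp", "aaa profile": "aaa",
           "wlan ssid-profile": "ssid", "wlan virtual-ap": "vap"}

def parse(config):
    """Group settings under their profile: {kind: {name: {setting: value}}}."""
    profiles, current = {kind: {} for kind in HEADERS.values()}, None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw).strip()
        prefix = next((h for h in HEADERS if line.startswith(h + " ")), None)
        if prefix:  # a new profile stanza begins
            name = line[len(prefix):].strip().strip('"')
            current = profiles[HEADERS[prefix]].setdefault(name, {})
        elif line and current is not None:  # a setting inside the stanza
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return profiles

def audit(config):
    """Findings for broken virtual AP -> AAA -> captive portal links (exact names)."""
    p, findings = parse(config), []
    for vap, s in p["vap"].items():
        if s.get("ssid-profile") not in p["ssid"]:
            findings.append(f"{vap}: ssid-profile {s.get('ssid-profile')!r} is not defined")
        aaa = p["aaa"].get(s.get("aaa-profile"))
        if aaa is None:
            findings.append(f"{vap}: aaa-profile {s.get('aaa-profile')!r} is not defined")
        elif aaa.get("initial-role") not in p["cp"]:
            findings.append(f"{s['aaa-profile']}: initial-role {aaa.get('initial-role')!r} "
                            "matches no captive portal profile")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "reference chain is consistent")
```

The comparison is case-sensitive, so an initial role of C-Portal is reported against a profile named c-portal.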