Configuring Captive Portal in the Base Operating System

The base operating system (ArubaOS without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources.

When you create a captive portal profile in the base operating system, an implicit user role is automatically created in the stand-alone controller with the same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.

In a Mobility Master-managed device topology, Mobility Master does not have the configuration related to the PEFNG license; therefore, the role is not created on the Mobility Master.

Following are the tasks for configuring captive portal in the base ArubaOS:

  1. Create the Server Group name. In this example, the server group name is cp-srv.

    If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information about configuring authentication servers and server groups, see Authentication Servers.

  2. Create a Captive Portal Authentication Profile. In this example, the profile name is c-portal.

    Create and configure an instance of the captive portal authentication profile. Creating the captive portal profile automatically creates an implicit user role and ACL with the same name. Creating the c-portal profile creates an implicit user role called c-portal. That user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal.

  3. Create an AAA Profile. In this example, the profile name is aaa_c-portal.

    Create and configure an instance of the AAA profile. For the initial role, enter the implicit user role that was created. The initial role in the profile aaa_c-portal must be set to c-portal.

  4. Create an SSID Profile. In this example, the profile name is ssid_c-portal.

    Create and configure an instance of the virtual AP profile which you apply to an AP group or AP name. Specify the AAA profile created.

  5. Create a Virtual AP Profile. In this example, the profile name is vp_c-portal.

    Create and configure an instance of the SSID profile for the virtual AP.

The following sections present the procedure for configuring the captive portal authentication profile, the AAA profile, and the virtual AP profile using the WebUI or the CLI. Configuring the VLAN and authentication servers and server groups are described elsewhere in this document.

The following procedure describes how to configure captive portal in the base operating system:

  1. Log in to the Mobility Master.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > L3 Authentication tab. Select Captive Portal Authentication.
    1. Click + in Captive Portal Authentication Profile: New Profile, enter a Profile Name (for example, c-portal).
    2. You can enable user login and guest login, and configure other captive portal profile parameters as described in Configuring Captive Portal Authentication Profiles.
    3. Click Submit.
  3. To specify authentication servers, select Server Group under the captive portal authentication profile you just configured.
    1. Select the server group (for example, cp-srv) from the drop-down list.
    2. Click Submit.
  4. Select the AAA Profiles tab.
    1. Expand AAA Profiles, click + in AAA Profile: New Profile to add a new profile. Enter a Profile Name (for example, aaa_c-portal), then click Submit.
    2. Select the AAA profile you just created.
    3. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously for the stand-alone controller.
    4. Click Submit.
  5. Navigate to the Configuration > System > Profiles tab and under Profiles, select Wireless LAN, then select Virtual AP.
  6. To create a new virtual AP profile, click + in Virtual AP profile: New Profile.
  7. Enter the name for the virtual AP profile (for example, vp_c-portal). Make sure Virtual AP enable is selected.
  8. For VLAN, enter the ID of the VLAN in which captive portal users are placed (for example, VLAN 20). Click Submit.
    1. In the Profile Details entry for the new virtual AP profile (guestnet), select the AAA profile you previously configured from the AAA Profile drop-down list and click Submit.
    2. In the Profile Details entry for the new virtual AP profile (guestnet), select the SSID profile and select an SSID profile from the SSID profile drop-down list.
    3. Enter the name for the ESSID profile (for example, essid_c-portal).
    4. For Encryption, select opensystem.
    5. At the bottom of the Profile Details page, click Submit.
  9. Navigate to the Configuration > AP Groups page.
  10. Select an AP Group and click the WLANs tab in the AP group window.
  11. Click + under the WLANs tab and select the newly created virtual AP profile (guestnet) from the Virtual-ap drop-down list.
  12. Click Submit.
  13. Click Pending Changes.
  14. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure captive portal in the base operating system:

```
(host) [md] (config) #aaa authentication captive-portal c-portal
    server-group cp-srv
(host) [md] (config) #aaa profile aaa_c-portal
    initial-role c-portal
(host) [md] (config) #wlan ssid-profile ssid_c-portal
    essid c-portal-ap
(host) [md] (config) #wlan virtual-ap vp_c-portal
    aaa-profile aaa_c-portal
    ssid-profile ssid_c-portal
    vlan 20
```
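Because the base operating system gives full network access unless the AAA profile's initial role is the implicit captive portal role, it is worth checking the reference chain in a saved configuration. The following is an added example, not part of the Aruba documentation: a small offline checker whose function names (`parse`, `audit`) and sample text are assumptions built only from the commands shown above.

```python
import re

# Constructed sample: the commands from this page with the CLI prompt removed.
SAMPLE_CONFIG = """\
aaa authentication captive-portal c-portal
    server-group cp-srv
aaa profile aaa_c-portal
    initial-role c-portal
wlan ssid-profile ssid_c-portal
    essid c-portal-ap
wlan virtual-ap vp_c-portal
    aaa-profile aaa_c-portal
    ssid-profile ssid_c-portal
    vlan 20
"""

# Profile-opening commands used on this page, mapped to a short kind label.
HEADERS = {"aaa authentication captive-portal": "cp", "aaa profile": "aaa",
           "wlan ssid-profile": "ssid", "wlan virtual-ap": "vap"}
# Strips a leading "(host) [md] (config) #" style prompt if one is present.
PROMPT = re.compile(r"^\(.*?\)\s*(\[.*?\])?\s*\(config\)\s*#")

def parse(text):
    """Return {kind: {profile_name: {setting: value}}} from config text."""
    profiles = {kind: {} for kind in HEADERS.values()}
    current = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if not line:
            continue
        for header, kind in HEADERS.items():
            if line.startswith(header + " "):
                current = profiles[kind].setdefault(line[len(header):].strip(), {})
                break
        else:  # not a profile header: a setting inside the current profile
            if current is not None:
                key, _, value = line.partition(" ")
                current[key] = value.strip()
    return profiles

def audit(text):
    """List broken links in the chain virtual AP -> AAA profile -> implicit role."""
    p, findings = parse(text), []
    for name, aaa in p["aaa"].items():
        # The implicit role exists only under the captive portal profile's name.
        if aaa.get("initial-role") not in p["cp"]:
            findings.append(f"aaa profile {name}: initial-role is not a captive portal profile")
    for name, vap in p["vap"].items():
        if vap.get("aaa-profile") not in p["aaa"]:
            findings.append(f"virtual-ap {name}: aaa-profile missing or undefined")
        if vap.get("ssid-profile") not in p["ssid"]:
            findings.append(f"virtual-ap {name}: ssid-profile missing or undefined")
        if not vap.get("vlan"):
            findings.append(f"virtual-ap {name}: no vlan set")
    return findings
```

`audit(SAMPLE_CONFIG)` returns an empty list for the configuration on this page; changing `initial-role` to any name other than the captive portal profile produces a finding for `aaa_c-portal`.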

Related Topics

Configuring Captive Portal with a PEFNG License

Sample Authentication with Captive Portal

Configuring Captive Portal Authentication Profiles