Authentication in Guest Web Login Using OnGuard Native Dissolvable Agent
This section describes how to enable application authentication in Guest Web Login pages while using the OnGuard Native Dissolvable Agent to also identify the username.
The Dissolvable Agent, by default, does not perform end-user authentication.
The OnGuard Dissolvable Agent can be supported on VPN interfaces when:
- The same username is used to identify the client in both RADIUS VPN authentication and application authentication.
- The Pre-Auth Check is configured with one of the following values (refer to Table 1 for details): App Authentication, Local, or Single Sign On.
Creating a Guest Web Login Page for Native Dissolvable Agent
To create a Guest Web Login page for Native Dissolvable Agent:
1. Log in to Policy Manager Guest, then navigate to the list of Web Login pages.
2. Click the link to create a new Web Login page. The Web Login Editor opens. For details about the fields and settings available through the Web Login Editor, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help.
Figure 1 Guest Web Login Editor
3. Specify the parameters as described in the following table:
For details about all the settings available in the Web Login Editor, see the "Creating and Editing Web Login Pages" section in the Policy Manager 6.10 Guest User Guide.

Field | Action/Description
---|---
Name | (Required) Enter the name for the page.
Page Name | Enter the page name that will appear in the URL, for example "/guest/page_name.php". The Page Name must consist of letters, numbers, underscore ( _ ), or dash ( - ).
Description | Enter additional information or comments about the page.
Vendor Settings | (Required) Specifies vendor-specific settings for network configuration. This drop-down list includes the vendors you can select from and a list of additional settings. Select the required entry.
 | Specifies how the user's network login should be handled. Select the option intended for use with OnGuard health checks.
Address | (Required) Enter the IP address or hostname of the vendor's product.
Secure Login | Specifies the security option to use for the Web login process. Options include: Use vendor default; Secure login using HTTPS; Send cleartext passwords over HTTP. Sending cleartext passwords over HTTP exposes guest credentials to anyone on the path between the client and the portal; use HTTPS unless a vendor constraint prevents it.
Dynamic Address | For multi-controller deployments, select this option to allow the address to which credentials are submitted to be supplied dynamically. When enabled, the Allowed Dynamic and Denied Dynamic fields are added to the form.
Allowed Dynamic | Enter the IP addresses and networks that will be allowed.
Denied Dynamic | Enter the IP addresses and networks that will be denied.
 | Specifies the level of checking to apply to URL parameters passed to the Web Login page. Select the required level.
Authentication | Specifies the authentication requirement to use. Select the required option.
 | Select this check box to bypass the Apple Captive Network Assistant (CNA). The CNA is the pop-up browser shown when joining a network that has a captive portal (a web page on which users authenticate and sign in before connecting to a public-access network).
Custom Form | If selected, indicates that you will provide a custom login form. You must supply your own HTML login form in the header and footer HTML areas.
Custom Labels | If selected, enables altering the default labels and error messages. When enabled, additional label fields are added to the form.
Pre-Auth Error | Customized label text to display if the username and password lookup fails. Leave blank to use the default (Invalid username or password).
Pre-Auth Check | Specifies how the username and password are checked before authentication. Select one of the values listed in the VPN conditions at the start of this section. By default, the Native Dissolvable Agent uses the MAC address as the username in the WebAuth request; when the relevant options are enabled, it instead sends the username determined by the Pre-Auth Check. If Pre-Auth Check has one of the following values, the agent sends that username: App Authentication: Check using Aruba Application Authentication. Local: Match a local account. RADIUS: Check using a RADIUS request. Single Sign On: Enable Single Sign-On for this web login.
Terms | Select this check box to require the user to mark a check box to accept a Terms and Conditions agreement.
 | (Required) Specify the default URL for the redirect page. For external domains, this must include the scheme prefix.
Override Destination | Select this check box to force the default destination for all clients, overriding any default value already set on the client.
Login Page options | For descriptions and details of the Login Page options, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help, Table 4: Web Login Editor, Login Page Parameters.
Advertising | Select this check box to enable Advertising Services for each Web Login page on which you want to display advertising.
Cloud Identity | Options in this area let you present guests with various cloud identity or social network login options. For descriptions and details, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help, Table 5: Web Login Editor Form, Cloud Identity Area: Enabling Cloud Identity or Social Network Logins, and Table 6: Web Login Editor Form, Cloud Identity Area, Authentication Providers.
Multi-Factor Authentication | Options in this area let you require a secondary factor when authenticating. When the guest enters their username to log in, they are sent a code which they must retrieve and enter to complete the login. For descriptions and details, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help, Table 7: Web Logins Editor, Multi-Factor Authentication.
Allowed Access | Specify the IP addresses and networks from which logins will be allowed. (IPv4 and IPv6 are both supported.)
Denied Access | Specify the IP addresses and networks from which logins will be denied. (IPv4 and IPv6 are both supported.)
Deny Behavior | (Required) Specify the response shown to the user if their login request is denied. Options in this drop-down list include: Send HTTP 404 Not Found status; Show Access Denied page; Show a blank page.
Health Check | Select this check box to require the guest to pass a health check before they can access the network. The health check is done automatically through the OnGuard Dissolvable Agent. Header HTML: Enter the HTML content to display above the health check text. The default content is shown and can be modified; you can also use the drop-down list to add images or other content items. Footer HTML: Enter the HTML content to display below the health check text. The default content is shown and can be modified; you can also use the drop-down list to add images or other content items.
Update Endpoint | Select this check box to update the endpoint's attributes with details from the user account. Specify the list of name-value pairs to pass as custom attributes, in the format shown by the examples in the text box.
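The Allowed Access, Denied Access and Deny Behavior settings together form a client-address filter in front of the login form. The following is an added example, not ClearPass Guest code, that reproduces that filter in Python for mixed IPv4 and IPv6 lists. Three points are assumptions of the example rather than documented behavior: a match in the deny list takes precedence over the allow list, an empty allow list permits every address, and the Access Denied page is served with HTTP 403 (only the 404 status is stated on the page).

```python
"""Client-address filter for a Web Login page, modelled on the Allowed
Access / Denied Access / Deny Behavior settings.

Added example, not ClearPass Guest code.  Assumptions (not taken from the
page): a deny-list match wins over an allow-list match, an empty allow list
permits every address, and the Access Denied page is served with HTTP 403.
"""
import ipaddress

# Deny Behavior options from the page, mapped to an (HTTP status, body)
# pair.  404 is stated on the page; 403 for the Access Denied page and 200
# for the blank page are assumptions of this example.
DENY_BEHAVIORS = {
    "Send HTTP 404 Not Found status": (404, "Not Found"),
    "Show Access Denied page": (403, "Access Denied"),
    "Show a blank page": (200, ""),
}


def parse_networks(entries):
    """Turn a list of address/network strings into ip_network objects.

    Single addresses ("10.0.0.5", "2001:db8::1") become /32 or /128
    networks; host bits in a prefix are tolerated (strict=False).  Blank
    entries are skipped so the lists can be pasted in one per line.
    """
    nets = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_login_allowed(client_ip, allowed, denied):
    """Apply the Denied Access list first, then the Allowed Access list."""
    ip = ipaddress.ip_address(client_ip)
    # ip_network.__contains__ returns False for a mismatched address family,
    # so mixed IPv4/IPv6 lists are safe to scan in one pass.
    if any(ip in net for net in parse_networks(denied)):
        return False
    allow_nets = parse_networks(allowed)
    if not allow_nets:          # assumption: no allow list means allow all
        return True
    return any(ip in net for net in allow_nets)


def login_response(client_ip, allowed, denied, deny_behavior):
    """Return the (status, body) the page would send to this client."""
    if is_login_allowed(client_ip, allowed, denied):
        return (200, "login form")
    return DENY_BEHAVIORS[deny_behavior]


# Constructed sample lists: a VPN pool and a lab IPv6 prefix are allowed,
# one quarantine subnet inside the VPN pool is denied.
ALLOWED = ["10.0.0.0/8", "2001:db8:1::/48", ""]
DENIED = ["10.0.99.0/24"]

if __name__ == "__main__":
    for client in ("10.1.2.3", "10.0.99.7", "2001:db8:1::42", "192.0.2.9"):
        print(client, login_response(client, ALLOWED, DENIED,
                                     "Show Access Denied page"))
```

Because the deny list is evaluated first, a quarantine subnet carved out of an otherwise allowed VPN pool is blocked even though it also matches the allow entry; if your deployment expects the opposite precedence, swap the two checks.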
4. Save the page. You return to the list of Web Login pages, where the name of the new page is now displayed.
Figure 2 New Guest Web Login Page Added
Creating a RADIUS Service in Policy Manager for VPN Authentication
To create a RADIUS service in Policy Manager for VPN authentication:
1. In Policy Manager, navigate to Configuration > Services. The Services page opens.
2. Click the link to add a service. The add-service dialog opens.
3. From the Type drop-down, select RADIUS Enforcement (Generic). The service configuration dialog opens:
Figure 3 Add RADIUS Enforcement (Generic) Service Configuration Dialog
4. Configure the RADIUS Enforcement service to match the service settings displayed in Figure 4. For details on configuring RADIUS Enforcement (Generic) services, refer to RADIUS Enforcement (Generic) Service.
Figure 4 Summary of the RADIUS Enforcement Service
5. Specify the RADIUS Enforcement (Generic) service parameters as described in the table below.
Parameter | Action/Description
---|---
Name | Enter the name of the service.
Description | Provide additional information that helps to identify the service.
Type | Select RADIUS Enforcement (Generic).
Status | Enabled
Monitor Mode | Disabled
More Options | Not required.
Authentication Methods | Specify MSCHAPV2. Add additional authentication methods as needed for this service.
Authentication Sources | Select the authentication sources for the service. You can also add Active Directory (AD) as an authentication source; MSCHAPv2 against AD requires the Policy Manager server to be joined to the domain.
Strip Username Rules | Not required.
Service Certificate | Not required.
Role Mapping Policy | Not required.
User Cached Results | Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy | Select the enforcement policy for this service.
6. Save the service.
Configuring the Guest Access - Web Login Service Template
In this web login service, you associate the Guest Web Login page for Native Dissolvable Agent created earlier (see Creating a Guest Web Login Page for Native Dissolvable Agent above) with the service.
To configure the Guest Access - Web Login service:
1. Navigate to Configuration > Service Templates & Wizards. The list of Policy Manager Service Templates and Wizards opens.
2. Select Guest Access - Web Login. The service template opens:
Figure 5 Guest Access- Web Login Service Template
3. In the prefix field, enter a prefix. This prefix is added to the names of the services created from the Guest Access - Web Login template.
4. Click Next. The service rule configuration dialog opens.
Figure 6 Guest Access - Web Login Service Rule Configuration
5. Select the tab that specifies the days of the week on which guest users are allowed network access.
6. Save the template. You return to the Service Templates and Wizards page. The following message is displayed:
Added 1 Enforcement Policies
Added 1 Service(s)
Configuring a Web-Based Health Check Only Service
To create a Web-Based Health Check Only service:
1. Navigate to Configuration > Services, then click the link to add a service. The add-service dialog opens.
2. From the Type drop-down, select Web-based Health Check Only. The service configuration dialog opens:
Figure 7 Web-based Check Only Service > Service Tab
3. Configure the Web-based Health Check Only service to match the service settings displayed in Figure 8.
Figure 8 Summary of Web-based Health Check Only Service
4. Specify the Web-based Health Check Only service parameters as described in the following table.
Parameter | Action/Description
---|---
Name | Enter the name of the service.
Description | Provide additional information that helps to identify the service.
Type | Select Web-based Health Check Only.
Status | Enabled
Monitor Mode | Disabled
More Options | Select the check box that enables posture checking. The Posture tab is added.
Service rule | Type, Name and Operator: select the values required for this rule. Value: select Health.
Role Mapping Policy | Not required.
Posture Policies | Select the posture policy to apply.
Default Posture Token | 
Remediate End-Hosts | Disabled
Remediation URL | N/A
User Cached Results | Disabled
Enforcement Policy | Select the enforcement policy for this service.
5. Click Save.
For details on configuring a Web-based Health Check Only service, refer to Web-based Health Check Only Service.
Enabling the VPN Interface
To enable the VPN interface in the set of managed interfaces:
1. Navigate to the Policy Manager page on which the managed interfaces are configured.
Figure 9 Enabling the VPN Managed Interface
2. In the managed interfaces section, select the VPN check box. (Two other interfaces are enabled by default.)
3. Save the change.
Access Tracker Requests Reflect Credentials
As shown in Figure 10, the Policy Manager Access Tracker shows that the credentials configured in the RADIUS Enforcement service are the same credentials used in the Guest Web Login and the WebAuth service.
Figure 10 Access Tracker Information
- The RADIUS request is recorded when the client connects to the VPN.
- The application authentication is recorded when the user logs in through the Guest Web Login page.
- The WebAuth request is recorded after the health checks have been performed.
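The VPN conditions at the start of this section and the Access Tracker view above both rest on one property: a client is identified by the same username in its RADIUS (VPN), Application (Guest Web Login) and WebAuth (OnGuard health check) requests. The following is an added example, not ClearPass code, that checks that property over exported Access Tracker rows and flags the two ways it typically fails: the WebAuth username is the client's MAC address (the Pre-Auth Check username was not carried through), or the VPN login used a differently qualified name. The row layout and the field names "type", "username" and "host_mac" are assumptions of the example, and the sample rows are constructed.

```python
"""Cross-check that one client is identified by the same username in its
RADIUS (VPN), Application (Guest Web Login) and WebAuth (OnGuard health
check) requests, the condition under which the Dissolvable Agent works
over VPN.

Added example, not ClearPass code.  The record layout below is a
constructed approximation of Access Tracker rows; the field names
("type", "username", "host_mac") are assumptions of this example.
"""
import re
from collections import defaultdict

# Request types expected for every client, in the order they occur.
REQUIRED_TYPES = ("RADIUS", "Application", "WEBAUTH")

# 12 hex digits with optional ':' or '-' separators.  Heuristic: a username
# of this shape almost certainly means the agent fell back to the MAC
# address instead of the Pre-Auth Check username.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample rows (not real Access Tracker output).
SAMPLE_RECORDS = [
    # client 1: consistent username through all three requests
    {"type": "RADIUS",      "username": "jsmith", "host_mac": "00:11:22:33:44:55"},
    {"type": "Application", "username": "jsmith", "host_mac": "00:11:22:33:44:55"},
    {"type": "WEBAUTH",     "username": "jsmith", "host_mac": "00:11:22:33:44:55"},
    # client 2: WebAuth carried the MAC address instead of the username
    {"type": "RADIUS",      "username": "alee", "host_mac": "aa:bb:cc:dd:ee:ff"},
    {"type": "Application", "username": "alee", "host_mac": "aa:bb:cc:dd:ee:ff"},
    {"type": "WEBAUTH",     "username": "aabbccddeeff", "host_mac": "aa:bb:cc:dd:ee:ff"},
    # client 3: VPN login used a domain-qualified name, web login did not,
    # and no WEBAUTH row exists because the health check never completed
    {"type": "RADIUS",      "username": "CORP\\bkim", "host_mac": "de:ad:be:ef:00:01"},
    {"type": "Application", "username": "bkim", "host_mac": "de:ad:be:ef:00:01"},
]


def looks_like_mac(username):
    """True when the username has the shape of a MAC address."""
    return MAC_RE.match(username) is not None


def correlate(records):
    """Group rows by client MAC and return {host_mac: [problem, ...]}.

    An empty problem list means the RADIUS, Application and WebAuth
    usernames all agree and every request type was seen.
    """
    per_host = defaultdict(lambda: defaultdict(set))
    for row in records:
        per_host[row["host_mac"]][row["type"]].add(row["username"])

    report = {}
    for mac, by_type in per_host.items():
        problems = []
        for rtype in REQUIRED_TYPES:
            if rtype not in by_type:
                problems.append(f"missing {rtype} request")
        for user in by_type.get("WEBAUTH", ()):
            if looks_like_mac(user):
                problems.append(
                    "WEBAUTH username is a MAC address; the web login "
                    "username was not carried into the health-check request")
        names = set().union(*by_type.values())
        if len(names) > 1:
            problems.append("username differs across request types: "
                            + ", ".join(sorted(names)))
        report[mac] = problems
    return report


if __name__ == "__main__":
    for mac, problems in correlate(SAMPLE_RECORDS).items():
        print(mac, "OK" if not problems else problems)
```

Run against a real export, a client whose only finding is the MAC-address username points at the Pre-Auth Check and related Web Login options; a "differs" finding with a domain-qualified RADIUS name points at the VPN side (or at a Strip Username Rule that is not applied consistently).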