Authentication in Guest Web Login Using OnGuard Native Dissolvable Agent

This section describes how to enable application authentication in Guest Web Login pages while using the OnGuard Native Dissolvable Agent to also identify the username.

The Dissolvable Agent, by default, does not perform end-user authentication.

The OnGuard Dissolvable Agent can be supported on VPN interfaces when:

The same username is used to identify the client in both RADIUS VPN authentication and application authentication.

The Pre-Auth Check is configured using one of the following values (refer to Table 1 for details):

App Authentication

Local

RADIUS

Single Sign On

Creating a Guest Web Login Page for Native Dissolvable Agent

To create a Guest Web Login page for Native Dissolvable Agent:

1. Log in to Policy Manager Guest, then navigate to Configuration > Pages > Web Logins. The Web Logins page opens.

2. Click the Create a new web login page link. The Guest Web Login Editor opens. For details about the fields and settings available through the Web Login Editor, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help.

Figure 1  Guest Web Login Editor

3. Specify the Web Login Editor parameters as described in the following table:

For details about all the settings available in the Web Login Editor, see the "Creating and Editing Web Login Page" section in the Policy Manager 6.10 Guest User Guide.

Table 1: Web Login Editor Properties for Native Dissolvable Agent Page

Field

Action/Description

General Properties

Name

(Required) Enter the name for the page.

Page Name

Enter the page name identifier that will appear in the URL—for example, "/guest/page_name.php".

The Page Name must consist of letters, numbers, underscore ( _ ), or dash ( - ).

Description

Enter additional information or comments about the page.

Vendor Settings

(Required) Specifies vendor-specific settings for network configuration. This drop-down list includes a list of vendors you can select from and a list of Other settings. Select Aruba.

Login Method

Specifies how the user's network login should be handled. Select Policy Initiated—An enforcement policy will control a change of authorization.

This option should be selected if you are using OnGuard health checks.

Address

(Required) Enter the IP address or hostname of the vendor's product.

Secure Login

Specifies the security option to use for the Web login process. Options include:

Use vendor default

Secure login using HTTPS

Send cleartext passwords over HTTP

Allowed Dynamic

Enter the IP addresses and networks that will be allowed.

Denied Dynamic

Enter the IP addresses and networks that will be denied.

Dynamic Address

For multi-controller deployments, select this option to have the address to which credentials are submitted determined dynamically rather than taken from the fixed Address field. When enabled, the Allowed Dynamic and Denied Dynamic fields are added to the form.

Page Redirect

Security Hash

Specifies the level of checking to apply to URL parameters passed to the Web Login page.

Select Do not check—login will always be permitted. With this setting the URL parameters are not validated, so rely on the Network Login Access settings (Allowed Access and Denied Access) to restrict where logins may come from.

Login Form

Authentication

Specifies the authentication requirement method to use.

Select Credentials — Require a username and password.

Prevent CNA

If selected, this option bypasses the Apple Captive Network Assistant (CNA), the pop-up browser shown when joining a network that has a captive portal.

Click this check box to enable the Prevent CNA option.

Custom Form

If selected, indicates you will provide a custom login form. You must supply your own HTML login form for the header and footer HTML areas.

Custom Labels

If selected, this option enables altering the default labels and error messages. When enabled, this option adds the Pre-Auth Error field to the form.

Pre-Auth Error

Customized label text to display if username and password lookup fails. Leave blank to use the default (Invalid username or password).

Pre-Auth Check

Specifies how the username and password should be checked before authentication.

Select App Authentication – check using Aruba Application Authentication.

When App Authentication is not enabled, Native Dissolvable Agent uses the MAC address as the username.

When App Authentication is enabled (with Health Check also enabled), Native Dissolvable Agent sends the username specified in the App Authentication option in the WebAuth request instead of the MAC address.

If Pre-Auth Check has one of the following values, Native Dissolvable Agent sends the username specified in App Authentication:

App Authentication: Check using Aruba Application Authentication.

Local: Match a local account.

RADIUS: Check using a RADIUS request.

Single Sign On: Enable Single Sign-On for this web login.
When this option is selected, guests are redirected to the Identity Provider (IdP) configured in Policy Manager, where they authenticate. They are then redirected back to Policy Manager, which verifies that the login was successful and uses the same credentials to continue the actual Web login flow. (To enable SSO support, go to Policy Manager > Configuration > Identity > Single Sign-On.)

Terms

Select this check box to require the user to mark a check box to accept a Terms and Conditions agreement.

Default Destination


Default URL

(Required) Specify the default URL for the redirect page.

For external domains, this must include the http:// prefix.

Override Destination

Select this check box to force the default destination for all clients, overriding any default value already set on the client.

Login Page

For descriptions and details about the Login Page options, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help > Table 4: Web Login Editor, Login Page Parameters.

Advertising Services

Advertising

The Enable Advertising Services content check box lets you selectively enable Advertising Services for each Web Login page on which you want to display advertising.

Cloud Identity

Options in the Cloud Identity area let you present guests with various cloud identity or social network login options.

For descriptions and details about the Cloud Identity options, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help > Table 5: Web Login Editor Form, Cloud Identity Area: Enabling Cloud Identity or Social Network Logins and Table 6: Web Login Editor Form, Cloud Identity Area, Authentication Providers.

Multi-Factor Authentication

Options in the Multi-Factor Authentication area let you require a secondary factor when authenticating. When the guest enters their username to log in, they are sent a code which they must successfully retrieve and enter to complete the login.

For descriptions and details about the Multi-Factor Authentication options, refer to the "Creating and Editing Web Login Pages" section in the Policy Manager Guest Online Help > Table 7: Web Logins Editor, Multi-Factor Authentication.

Network Login Access

Allowed Access

Specify the IP addresses and networks from which logins will be allowed. (IPv4 and IPv6 are both supported.)

Denied Access

Specify the IP addresses and networks from which logins will be denied. (IPv4 and IPv6 are both supported.)

Deny Behavior

(Required) Specify the response shown to the user if their login request is denied. Options in this drop-down list include:

Send HTTP 404 Not Found status

Show Access Denied page

Show a blank page
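The Allowed Access, Denied Access and Deny Behavior settings above amount to a source-address filter in front of the login form. The following Python is an added example written for this page, not Policy Manager Guest code, showing how such a filter evaluates IPv4 and IPv6 entries. The sample lists are constructed, and three points the page does not state are assumptions marked in the code: a Denied Access match wins over an Allowed Access match, an empty Allowed Access list means allow from anywhere, and the two "Show ... page" behaviors are served with HTTP 200.

```python
import ipaddress

# Constructed example entries in the form of the Allowed Access / Denied
# Access fields (one IPv4 or IPv6 address or network per line); not from
# the page.
ALLOWED_ACCESS = """
10.20.0.0/16
2001:db8:10::/48
"""
DENIED_ACCESS = """
10.20.99.0/24
2001:db8:10:bad::/64
"""


def parse_networks(text):
    """Turn one-entry-per-line text into ip_network objects.

    A bare address such as 10.20.1.7 becomes a /32 (or /128); a network
    written with host bits set is accepted (strict=False)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


ALLOWED_NETS = parse_networks(ALLOWED_ACCESS)
DENIED_NETS = parse_networks(DENIED_ACCESS)


def in_any(ip, nets):
    # The version check avoids comparing a v4 address against a v6 network.
    return any(ip.version == net.version and ip in net for net in nets)


def login_allowed(client_ip, allowed=ALLOWED_NETS, denied=DENIED_NETS):
    """Decide whether a login from client_ip may proceed.

    Assumptions not stated on the page: a Denied Access match takes
    precedence over an Allowed Access match, an empty Allowed Access list
    means "allow from anywhere", and an unparsable client address is
    treated as denied (fail closed)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if in_any(ip, denied):
        return False
    if not allowed:
        return True
    return in_any(ip, allowed)


def deny_response(deny_behavior):
    """Map the Deny Behavior setting to the (status, body) the guest receives.

    The page names the three options but gives no status code for the two
    page variants; serving them with 200 is an assumption here."""
    responses = {
        "Send HTTP 404 Not Found status": (404, ""),
        "Show Access Denied page": (200, "Access Denied"),
        "Show a blank page": (200, ""),
    }
    return responses[deny_behavior]


def handle_login(client_ip, deny_behavior="Show Access Denied page"):
    """Return (status, body) for a login attempt from client_ip."""
    if login_allowed(client_ip):
        return (200, "login form")
    return deny_response(deny_behavior)


if __name__ == "__main__":
    for ip in ("10.20.1.5", "10.20.99.7", "2001:db8:10::1", "192.0.2.1"):
        print(ip, handle_login(ip, "Send HTTP 404 Not Found status"))
```

Note that 10.20.99.7 is inside the allowed 10.20.0.0/16 but also inside the denied 10.20.99.0/24, which is exactly the case where the precedence assumption matters; confirm the real precedence in the Policy Manager Guest Online Help before relying on overlapping entries.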

Post-Authentication

Health Check

Select this check box to require the guest to pass a health check before they can access the network. The health check is done automatically through the OnGuard Dissolvable Agent.

Header HTML: Enter the HTML content to display above the health check text. The default content is shown, and can be modified. You can also use the drop-down list to add images or other content items.

Footer HTML: Enter the HTML content to display below the health check text. The default content is shown, and can be modified. You can also use the drop-down list to add images or other content items.

Update Endpoint

To have the endpoint's attributes updated with other details from the user account, enable (select) the Mark the user's MAC address as a known endpoint check box.

Specify the list of name-value pairs to pass as custom attributes. Follow the format user_field | Endpoint Attribute. Examples are shown in this text box.
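To make the "user_field | Endpoint Attribute" format concrete, here is an added Python example (written for this page, not Policy Manager Guest code) that parses such a list and produces the endpoint update the Update Endpoint section describes. The mapping text and the guest account are constructed. Two details the page does not state are assumptions marked in the code: the endpoint is keyed on the MAC as 12 lowercase hex digits, and account fields that are missing or empty are skipped rather than written as empty attributes.

```python
import re

# Constructed example of the Update Endpoint text box contents, in the
# page's "user_field | Endpoint Attribute" format; not from the page.
UPDATE_ENDPOINT_TEXT = """
# user_field | Endpoint Attribute
email | Email
sponsor_name | Sponsor
visitor_company | Company
"""

# Constructed guest account record, not real data.
GUEST_ACCOUNT = {
    "username": "jdoe@example.com",
    "email": "jdoe@example.com",
    "sponsor_name": "asmith",
    "visitor_company": "",
}


def parse_mapping(text):
    """Parse the name-value pairs into (user_field, endpoint_attribute) tuples.

    A line without exactly one '|' is rejected rather than silently dropped,
    because a typo here would otherwise leave endpoint attributes unset
    without any sign of it."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(
                f"line {lineno}: expected 'user_field | Endpoint Attribute', got {raw!r}"
            )
        pairs.append((parts[0], parts[1]))
    return pairs


def normalize_mac(mac):
    """Canonical MAC form: 12 lowercase hex digits, no separators.

    Assumption: the endpoint record is keyed on this form; the page does not
    say how the MAC is stored."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_endpoint_update(mac, account, mapping, mark_known=True):
    """Produce the endpoint update described under Update Endpoint.

    mark_known mirrors the "Mark the user's MAC address as a known endpoint"
    check box; when it is off the status is left untouched (None).
    Account fields that are absent or empty are skipped (assumption)."""
    attributes = {}
    for user_field, endpoint_attr in mapping:
        value = account.get(user_field)
        if value:
            attributes[endpoint_attr] = value
    return {
        "mac": normalize_mac(mac),
        "status": "Known" if mark_known else None,
        "attributes": attributes,
    }


if __name__ == "__main__":
    mapping = parse_mapping(UPDATE_ENDPOINT_TEXT)
    print(build_endpoint_update("00:11:22:AA:BB:CC", GUEST_ACCOUNT, mapping))
```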

4. Click Save Changes. You return to the Web Logins page, where the name of the new page is now displayed.

Figure 2  New Guest Web Login Page Added

Creating a RADIUS Service in Policy Manager for VPN Authentication

To create a RADIUS service in Policy Manager for VPN authentication:

1. In Policy Manager, navigate to Configuration > Services. The Services page opens.

2. Click Add. The Add Services dialog opens.

3. From the Type drop-down, select RADIUS Enforcement (Generic). The RADIUS Enforcement (Generic) service configuration dialog opens:

Figure 3  Add RADIUS Enforcement (Generic) Service Configuration Dialog

4. Proceed to configure the RADIUS Enforcement service to match the service settings displayed in Figure 4. For details on configuring RADIUS Enforcement (Generic) services, refer to RADIUS Enforcement (Generic) Service.

Figure 4  Summary of the RADIUS Enforcement Service

5. Specify the RADIUS Enforcement (Generic) service parameters as described in the table below.

Table 2: Aruba RADIUS Enforcement (Generic) Service Parameters

Parameter

Action/Description

Service

Name

Enter the name of the service.

Description

Provide additional information that helps to identify the service.

Type

Select RADIUS Enforcement (Generic).

Status

Enabled

Monitor Mode

Disabled

More Options

Not required.

Authentications

Authentication Methods

Specify the following authentication methods:

EAP-MSCHAPv2

MSCHAPv2

EAP-PEAP

Add additional authentication methods as needed for this service.

Authentication Sources

Select the following authentication sources:

[Local User Repository] [Local SQL DB]

[Guest User Repository] [Local SQL DB]

NOTE: You can also add Active Directory (AD) as an authentication source.

Strip Username Rules

Not required.

Service Certificate

Not required.

Roles

Role Mapping Policy

Not required.

Enforcement

Use Cached Results

Select this check box to use cached roles and posture attributes from previous sessions.

Enforcement Policy

Select [Sample Allow Access Policy].

6. Click Save.

Configuring the Guest Access - Web Login Service Template

In this web login service, you associate the Guest Web Login page for Native Dissolvable Agent created earlier (see Creating a Guest Web Login Page for Native Dissolvable Agent above) with the Guest Access - Web Login service.

To configure the Guest Access - Web Login service:

1. Navigate to Configuration > Service Templates & Wizards. The list of Policy Manager Service Templates and Wizards opens.

2. Select Guest Access - Web Login. The Guest Access Web Login service template opens:

Figure 5  Guest Access- Web Login Service Template

3. In the Name Prefix field, enter the prefix. This prefix is added to the names of the service and enforcement policy created from the Guest Access - Web Login template.

4. Click Next. The Service Rule dialog opens.

Figure 6  Guest Access - Web Login Service Rule Configuration

5. Select the Guest Access Restrictions tab to specify the days of the week that guest users are allowed network access.

6. Click Add Service. You return to the Services page. The following message is displayed:

Added 1 Enforcement Policies

Added 1 Service(s)

Configuring a Web-Based Health Check Only Service

To create a Web-Based Health Check Only service:

1. Navigate to Configuration > Services, then click the Add link. The Add Services dialog opens.

2. From the Type drop-down, select Web-based Health Check Only. The Web-based Health Check Only service configuration dialog opens:

Figure 7  Web-based Check Only Service > Service Tab

3. Proceed to configure the Web-based Health Check Only service to match the service settings displayed in Figure 8.

Figure 8  Summary of Web-based Health Check Only Service

4. Specify the Web-based Health Check Only service parameters as described in the following table.

Table 3: Web-based Check Only Service Parameters

Parameter

Action/Description

Service

Name

Enter the name of the service.

Description

Provide additional information that helps to identify the service.

Type

Select Web-based Health Check Only.

Status

Enabled

Monitor Mode

Disabled

More Options

Click the check box for Posture Compliance.

The Posture tab is added.

Service Rule

Type

Select Host.

Name

Select CheckType.

Operator

Select MATCHES_ALL.

Value

Select Health.

Roles

Role Mapping Policy

Not required.

Posture

Posture Policies

Select Posture_Compliance.

Default Posture Token

HEALTHY

Remediate End-Hosts

Disabled

Remediation URL

N/A

Enforcement

Use Cached Results

Disabled

Enforcement Policy

Select [RADIUS_CoA_Terminate Session].

5. Click Save.

For details on configuring a Web-based Health Only service, refer to Web-based Health Check Only Service.

Enabling the VPN Interface

To enable the VPN interface in the set of managed interfaces:

1. Navigate to Administration > Agents and Software Updates > OnGuard Settings. The OnGuard Settings page opens.

Figure 9  Enabling the VPN Managed Interface

2. In the Native Dissolvable Agent Customization > Managed Interfaces section, check (enable) the VPN check box. (The Wired and Wireless interfaces are enabled by default.)

3. Click Save.

Access Tracker Requests Reflect Credentials

As shown in Figure 10, the Policy Manager Access Tracker shows that the credentials configured in the RADIUS Enforcement service are the same credentials used in the Guest Web Login and the WebAuth service.

Figure 10  Access Tracker Information

The RADIUS request is obtained when the client connects to the VPN.

The application authentication request is obtained when the user logs in to the Guest Web Login page.

The WebAuth request is obtained after the health checks have been performed.
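The three requests above are only useful as a single identity trail if all of them carry the same username; when App Authentication is not in effect, the page's Pre-Auth Check section says the WebAuth request carries the MAC address instead. The following Python is an added example for this page (not Policy Manager code) that encodes that rule and checks constructed Access Tracker-style records for the mismatch. The record format, the field names and the "no WebAuth request when Health Check is off" case are assumptions marked in the code.

```python
import re

# Constructed records loosely modelled on Access Tracker columns
# (source, username, service, status); not real Policy Manager output.
CONSISTENT_SESSION = """
RADIUS      | jdoe | VPN RADIUS Enforcement      | ACCEPT
APPLICATION | jdoe | Guest Web Login             | ACCEPT
WEBAUTH     | jdoe | Web-based Health Check Only | ACCEPT
"""

# The same flow with App Authentication not in effect: the WebAuth
# request carries the MAC address instead of the username.
MAC_SESSION = """
RADIUS      | jdoe              | VPN RADIUS Enforcement      | ACCEPT
APPLICATION | jdoe              | Guest Web Login             | ACCEPT
WEBAUTH     | 00:11:22:aa:bb:cc | Web-based Health Check Only | ACCEPT
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)

# The four Pre-Auth Check values the page lists as sending the username.
PRE_AUTH_VALUES_SENDING_USERNAME = {"App Authentication", "Local", "RADIUS", "Single Sign On"}


def is_mac_address(value):
    return bool(MAC_RE.match(value.strip()))


def expected_webauth_identity(pre_auth_check, health_check):
    """What the WebAuth request's username should be, per the page's rule.

    Returns "username" when Pre-Auth Check is one of the four listed values
    and Health Check is on, "mac" when Pre-Auth Check is not set, and None
    when Health Check is off (the WebAuth request follows the health check,
    so treating that as "no request" is an assumption)."""
    if not health_check:
        return None
    if pre_auth_check in PRE_AUTH_VALUES_SENDING_USERNAME:
        return "username"
    return "mac"


def parse_records(text):
    """Parse the constructed 'source | username | service | status' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, username, service, status = [f.strip() for f in line.split("|")]
        records.append(
            {"source": source, "username": username, "service": service, "status": status}
        )
    return records


def correlate(text):
    """Check that the VPN RADIUS, application and WebAuth requests agree.

    Returns (ok, problems). A MAC in the WebAuth username is reported
    separately because it is the page's symptom of App Authentication
    (Pre-Auth Check) not being in effect."""
    by_source = {r["source"]: r for r in parse_records(text)}
    problems = []
    for src in ("RADIUS", "APPLICATION", "WEBAUTH"):
        if src not in by_source:
            problems.append(f"no {src} request seen")
    if problems:
        return False, problems
    webauth_user = by_source["WEBAUTH"]["username"]
    if is_mac_address(webauth_user):
        problems.append(
            f"WEBAUTH used MAC {webauth_user} as username: App Authentication not in effect"
        )
    names = {src: by_source[src]["username"].lower() for src in by_source}
    if len(set(names.values())) != 1:
        problems.append(
            "username differs across requests: "
            + ", ".join(f"{s}={u}" for s, u in names.items())
        )
    return (not problems), problems


if __name__ == "__main__":
    print(expected_webauth_identity("App Authentication", True))
    print(correlate(CONSISTENT_SESSION))
    print(correlate(MAC_SESSION))
```

Run against MAC_SESSION the check reports both the MAC-as-username symptom and the resulting username mismatch, which is what an operator would see in Access Tracker if the Pre-Auth Check value were left unset on the Web Login page.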