Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring Wireless Networks for Guest Users on IAPs
The captive portal solution for an IAP cluster consists of the following:
- The captive portal web login page hosted by an internal or external server.
- The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. authentication or user authentication against internal database of the AP.
- The SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. broadcast by the IAP.
The IAP administrators can create a wired or WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. through HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection., the captive portal webpage prompts the user to authenticate with a user name and password.
Splash Page Profiles
IAPs support the following types of splash page profiles:
- —When is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
- —When is enabled, a guest user has to accept the terms and conditions to access the Internet.
—Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:- —Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
- —Select this splash page to use the cloud guest profile configured through the tab.
Creating a Wireless Network Profile for Guest Users
To create an SSID for guest users, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under
A list of APs is displayed in the
view.
, click > . - Click the
The tabs to configure the APs are displayed.
icon. - Click the
The WLANs details page is displayed. For more information on Wireless Details page, see Viewing the Wireless SSIDs Table.
tab. - In the
The Create a New Network pane is displayed.
page, click . - Under Name (SSID) text-box. , enter a network name in the
- If configuring a wireless guest profile, set the required WLAN configuration parameters described in Table 1.
- Click Next.
- Under , select any of the following options for :
Parameter |
Description |
---|---|
|
When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet Subnet is the logical division of an IP network. and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify any of the following options in :
|
|
When this option is selected, specify any of the following options in :
For more information, see Configuring VLAN Assignment Rule. |
Configuring an Internal Captive Portal Splash Page Profile
To configure an internal captive portal profile, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under
A list of APs is displayed in the
view.
, click > . - Click the
The tabs to configure the APs are displayed.
icon. - Click the
The WLANs details page is displayed.
tab. - In the table, select a guest SSID, and then click the edit icon.
- Under
Table 2: Internal Captive Portal Configuration Parameters
Parameter
Description
Select
from the drop-down list.Select
or from the drop-down list.Under
, when is clicked, use the editor to specify text and colors for the initial page that is displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type ( or ) for which you are customizing the splash page design.Complete the following steps to customize the splash page design.
- Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters. —To change the policy text, click the second square in the splash page, enter the required text in the
- —Enter a title for the banner.
- —Specify a background color for the header.
- Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters. —To change the welcome text, click the first square box in the splash page, enter the required text in the
- —To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- —To redirect users to another URL, specify a URL in .
- —To upload a custom logo, click to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click .
To preview the captive portal page, click
.To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the
and fields.Select the required authentication server option from the drop-down list. Select an authentication server from the list if an external servers are already configured or to add a new server, click Configuring External Authentication Servers for IAPs.
. For information on configuring external servers, seeCreate and manage users in the captive portal network. Only registered users of type Guest will be able to access this network.
By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
- —Specify an encryption and authentication key.
- —Specify a passphrase format.
- —Enter a passphrase.
- —Retype the passphrase to confirm.
Select
or from the drop-down list.Specify the IP address of the Captive Portal proxy server.
Specify the port number of the Captive Portal proxy server.
Configure the following parameters:
- MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address based authentication for and security levels, turn on the toggle switch. —To enable
- —To add another server for authentication, configure another authentication server.
- Configuring DHCP Server for Assigning IP Addresses to IAP Clients. —Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see
To use an internal server, select Users to add the users.
and add the clients that are required to authenticate with the internal RADIUS Server. ClickTo add a new server, click Configuring External Authentication Servers for IAPs.
. For information on configuring external servers, seeSpecify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.
Select an accounting mode for posting accounting information at the specified
. When the accounting mode is set to , the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to , the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.If you are configuring a wireless network profile, turn on the
toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.Sets a value for the maximum allowed authentication failures. Enforces WLAN SSID on IAP clients. When DHCP is enforced:
- A layer-2 user entry is created when a client associates with an IAP.
- The client DHCP state and IP address are tracked.
- When the client obtains an IP address from DHCP, the DHCP state changes to complete.
- If the DHCP state is complete, a layer-3 user entry is created.
- When a client roams between the IAPs, the DHCP state and the client IP address is synchronized with the new IAP.
Enable this option to allow transition from WPA3 to WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. and vice versa. The WPA3 Transition appears only when WPA3 is selected in the for , , and level.
Appends the SSID name to the called station ID. Select this option to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
To exclude uplink(s), expand
, and turn on the toggle switch for the uplink type(s). For example, , , and .Enable the following fast roaming features as per your requirement:
- 802.11k 802.11k is an IEEE standard that enables APs and client devices to discover the best available radio resources for seamless BSS transition in a WLAN. roaming. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other. —Turn on the toggle switch to enable
- 802.11v 802.11v is an IEEE standard that allows client devices to exchange information about the network topology and RF environment. This information is used for assigning best available radio resources for the client devices to provide seamless connectivity. based BSS Basic Service Set. A BSS is a set of interconnected stations that can communicate with each other. BSS can be an independent BSS or infrastructure BSS. An independent BSS is an ad hoc network that does not include APs, whereas the infrastructure BSS consists of an AP and all its associated clients. transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam. —Turn on the toggle switch to enable
- RRM Quiet IE—Turn off the toggle switch to disable Quiet IE and disable transmission of the 802.11k Quiet IE information elements. When you enable RRM Quiet IE, the AP will advertise in beacon and probe responses the Quiet IE, that is used to silence the channel for measurement purposes. When an AP uses Quiet IE to schedule a quiet interval, stations will not transmit on that channel during the quiet interval.
tab, in the , select and configure the following parameters: - Click .
Configuring an External Captive Portal Splash Page Profile
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles and associate these profiles with an SSID or a wired profile. You can configure up to eight external captive portal profiles.
When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.
To configure an external captive portal profile, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under
A list of APs is displayed in the
view.
, click > . - Click the
The tabs to configure the APs are displayed.
icon. - Click the
The WLANs details page is displayed.
tab. - In the table, select a guest SSID, and then click the edit icon.
- Under tab, in the , select .
- Select the type as .
- Select a Captive Portal Profile. To add a new profile, click and configure the following parameters:
- Click .
- Configure the following External Captive Portal configuration Parameters:
Parameter |
Description |
---|---|
|
—Sets a primary authentication server.
|
|
Create and manage users in the captive portal network. Only registered users of type Guest will be able to access this network. |
|
By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
|
|
Select or from the drop-down list. |
|
|
|
Specify the IP address of the Captive Portal proxy server. |
|
Specify the port number of the Captive Portal proxy server. |
|
Configure the following parameters:
To use an internal server, select Users to add the users. and add the clients that are required to authenticate with the internal RADIUS Server. ClickTo add a new server, click Configuring External Authentication Servers for IAPs. . For information on configuring external servers, see |
|
Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. |
|
Set the toggle button to enable, to configure client IP address as calling station ID. |
|
Select one of the following options:
The detail can be configured even if the is set to disabled. |
|
Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. |
|
Select an accounting mode for posting accounting information at the specified . When the accounting mode is set to , the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to , the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only. |
|
If you are configuring a wireless network profile, turn on the toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only. |
|
If you are configuring a wireless network profile, turn on the toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only. |
|
If you are configuring a wireless network profile, turn on the toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only. |
|
If you are configuring a wireless network profile, turn on the toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only. |
|
If you are configuring a wireless network profile, turn on the toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only. |
|
Turn on the toggle switch to enable to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled. |
Walled Garden |
|
Walled Garden > |
To exclude uplink(s), expand , and turn on the toggle switch for the uplink type(s). For example, , , and . |
Walled Garden > |
Enable the following fast roaming features as per your requirement:
|
- Click .
Configuring a Cloud Guest Splash Page Profile
To create a cloud guest network profile, see Configuring a Guest Splash Page Profile
Associating a Cloud Guest Splash Page Profile to a Guest SSID
To use the Cloud Guest splash page profile for the guest SSID, ensure that the Cloud Guest splash Page profile is configured through the
app.To associate a Cloud Guest splash page profile to a guest SSID, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under
A list of APs is displayed in the
view.
, click > . - Click the
The tabs to configure the APs are displayed.
icon. - Click the
The WLANs details page is displayed.
tab. - Under tab, in the table, select a guest SSID and click the edit icon.
- Click the tab.
- Under tab, in the , select .
- Select from the drop-down list.
- Select the splash page profile name from the list.
- Configure the following parameters:
- Click
When you clone an existing group, the unshared splash page profile in the existing group is not cloned to the new group. In the existing group, if an unshared splash page is associated with a guest network, then the splash page value is empty in the guest network of the new group.
.
Configuring ACLs for Guest User Access
To configure access rules for a guest network, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under
A list of APs is displayed in the
view.
, click > . - Click the
The tabs to configure the APs are displayed.
icon. - Click the
The WLANs details page is displayed.
tab. - Under tab, in the table, select a guest SSID and click the edit icon.
- Click the tab.
- Under
- Unrestricted—Select this to set unrestricted access to the network.
- Network Based—Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
- Click and select appropriate options for , , , , and fields.
- Click Save.
- Role Based—Select Role Based to enable access based on user roles.
, select any of the following types of access control:
For role-based access control, complete the following steps:
- To create a user role:
- Click in pane.
- Enter a name for the new role and click .
- To create access rules for a specific user role:
- Click in , and select appropriate options for , , , , and fields.
- Click Save.
- To create a role assignment rule:
- Under , click . The pane is displayed.
- Select appropriate options in , , , and fields.
- Click .
- To assign pre-authentication role, select the check box and select a pre-authentication role from the drop-down list. Enforce Mac Auth Only Role
-
Turn on the Enforce MAC Auth Only Role toggle switch, when MAC authentication is enabled for captive portal. After successful MAC authentication, the MAC Auth Only role is assigned to the client.
- Click .
Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication enabled. You can configure rules to provide access to an external captive portal, internal captive portal, so that some of the clients using this SSID can derive the captive portal role.
The following conditions apply to the 802.1X and captive portal authentication configuration:
- If captive portal settings are not configured for a user role, the captive portal settings configured for an SSID are applied to the client's profile.
- If captive portal settings are not configured for a SSID, the captive portal settings configured for a user role are applied to the client's profile.
- If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are applied to the profile of the client.
To create a captive portal role for the
and splash page types:- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under
A list of APs is displayed in the
view.
, click > . - Click the
The tabs to configure the APs are displayed.
icon. - Click the
The WLANs details page is displayed.
tab. - Under tab, in the table, select a guest SSID and click the edit icon.
- Click the tab.
- Under Access rules, select Role Based.
- Click in .
- In the
Table 6: Access Rule Configuration Parameters
Data Pane Item
Description
Select
from the drop-down list.Select a splash page type from the drop-down list.
If
is selected as drop-down list, complete the following steps:- —Enter a title for the banner. To preview the page with the new banner title, click splash page.
- —Specify a background color for the header.
- Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters. —To change the welcome text, click the first square box in the splash page, enter the required text in the
- Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters. —To change the policy text, click the second square in the splash page, enter the required text in the
- —To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- —To redirect users to another URL, specify a URL in .
- —To upload a custom logo, click to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click .
To preview the captive portal page, click
.If
is selected as drop-down list, complete the following steps:- —Select a profile from the drop-down list.
To create a profile, click the
icon and enter the following information in the window.- —Enter a name for the profile.
- Authentication Text (to specify the authentication text to returned by the external server after a successful user authentication). —From the drop-down list, select either (to enable user authentication against a RADIUS server) or
- —Enter the IP address or the hostname of the external splash page server.
- —Enter the URL for the external splash page server.
- —Enter the port number for communicating with the external splash page server.
- —This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. From the drop-down list, select to prevent clients from using the network, or to allow the guest clients to access Internet when the external captive portal server is not available.
- —Turn on the toggle switch to offload the server.
- —Turn on the toggle switch to prevent frame overlay.
- —Turn on the toggle switch to use the virtual controller IP address as a redirect URL.
- —Indicates the authentication text returned by the external server after a successful user authentication.
- —Specify a redirect URL to redirect the users to another URL.
To edit a profile, click the edit icon and modify the parameters in the
window.
window, specify the following parameters. - Click . The enforce captive portal rule is created and listed as an access rule.
- Click .
The client can connect to this SSID after authenticating with user name and password. After the user logs in successfully, the captive portal role is assigned to the client.