Aruba Bootcamp – Captive Portal
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Aruba allows for a simple collapsed architecture that provides differentiated access based on user and device characteristics. This is the basis for a number of guest access features. Guest access is often configured as a software option: no new hardware is required for basic guest access beyond the Aruba Mobility Controller and Access Points used for the internal WLAN. In contrast to other vendors, where the LAN must be reconfigured to add a VLAN for guest access at every LAN switch where an AP is to be connected, Aruba’s user-centric networks are added as an overlay on the existing wired LAN: traffic from Access Points is directed via secure tunnels directly to the Mobility Controller, where an integral stateful firewall maintains strict segregation between different traffic classes. Internal traffic is permitted to connect to the core LAN and corporate resources, while guest traffic travels through a secure tunnel to a Mobility Controller situated in the DMZ, and from there to the Internet. Captive Portal login screens and web forms for administration are served directly from the Mobility Controller. For more sophisticated guest access solutions, Aruba’s user-centric networks accommodate third-party applications for credit card processing, access code authorization and property management systems.
In this design, the Aruba controller provides DHCP on a separate network for guests and NATs them out of the controller into the corporate LAN. You must decide whether to allow access to your internal DNS or restrict guest users to external DNS only. In this model, as far as addressing goes, the guest would likely be allocated an address on a separate IP network from the rest of the company. That is configured per the VLAN and the DHCP server that allocates addresses for the guests. At that point one could NAT the address at the controller or, even better, use the NAT capability of the firewall in the picture. There is more detail on this, and on how to set up the firewall policies, in the Lab exercise.
In this example, security is more obvious and understood. It also necessitates a separate link for guests. Using a dedicated WAN connection provides more security in that it’s physically isolated from other network users. It also affords easier support and troubleshooting.
The controller is typically the Layer 3 device when it exists as the default router for a nonroutable guest network. When a guest network is deployed in private IP space and is not routable from the general network, the mobility controller is normally configured to act as both the DHCP server and the NAT device for the guests.
The initial role in captive portal allows DHCP. Therefore, the DHCP server has to be in the Virtual AP's broadcast domain (i.e., its VLAN). The Captive Portal web login begins by capturing an HTTP GET or, more precisely, "redirecting" an HTTP GET, such as one for www.yahoo.com, to the controller's internal web server. Authentication is usually, but not necessarily, implemented with the Aruba controller's internal database. Once the guest has been authenticated, the guest role and firewall policies decide the details of the guest's access to the network.
In the figure above, the dotted arrows show where a role or profile has been assigned or referenced.
Steps to configure captive portal:
1. Create a VLAN and assign an IP address.
2. Assign a DHCP pool.
3. Create appropriate firewall policies.
4. Create a pre-authentication role, guest-logon, and assign firewall policies.
5. Create a post-authentication role and assign firewall policies.
6. Create a server group and assign a server type.
7. Create an aaa profile and assign the pre-authentication role created in step 4 as the initial role.
8. Create a captive portal profile and assign the post-authentication role created in step 5 as the default role. Also assign the server group created in step 6.
9. Assign this captive portal profile to the pre-auth role created in step 4.
10. Create a new vap profile in the AP group under WLAN -> virtual AP, and assign the VLAN created in step 1.
11. Assign the aaa profile created in step 7.
12. Create a new SSID profile.
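
The steps above build a chain of references (virtual AP to aaa profile to initial role to captive portal profile to default role and server group), and a single missing link leaves guests stuck before login. The following is an added example, not part of the original course material and not ArubaOS syntax: it walks that chain over a constructed object model in which every object name (guest-vlan, guest-cp, guest-servers and so on) is hypothetical.

```python
# Added example: constructed object model, not ArubaOS syntax.
# Every object name below is hypothetical.
GOOD = {
    "vlans": {"guest-vlan": {"dhcp_pool": "guest-pool"}},
    "dhcp_pools": {"guest-pool"},
    "policies": {"captiveportal", "guest-access"},
    "roles": {
        "guest-logon": {"policies": ["captiveportal"], "cp_profile": "guest-cp"},
        "guest": {"policies": ["guest-access"], "cp_profile": None},
    },
    "server_groups": {"guest-servers"},
    "cp_profiles": {"guest-cp": {"default_role": "guest",
                                 "server_group": "guest-servers"}},
    "aaa_profiles": {"guest-aaa": {"initial_role": "guest-logon"}},
    "ssid_profiles": {"guest-ssid"},
    "vaps": {"guest-vap": {"vlan": "guest-vlan", "aaa_profile": "guest-aaa",
                           "ssid_profile": "guest-ssid"}},
}

def check_vap(cfg, name):
    """Walk the references behind one virtual AP; return the broken links."""
    bad = []
    vap = cfg["vaps"][name]
    vlan = cfg["vlans"].get(vap["vlan"])
    if vlan is None:
        bad.append("step 1: VLAN not defined")
    elif vlan["dhcp_pool"] not in cfg["dhcp_pools"]:
        bad.append("step 2: no DHCP pool for the VLAN")
    if vap["ssid_profile"] not in cfg["ssid_profiles"]:
        bad.append("step 12: SSID profile not defined")
    aaa = cfg["aaa_profiles"].get(vap["aaa_profile"])
    if aaa is None:
        return bad + ["step 11: AAA profile not defined"]
    pre = cfg["roles"].get(aaa["initial_role"])
    if pre is None:
        return bad + ["step 7: initial role not defined"]
    bad += [f"step 3: policy {p} not defined"
            for p in pre["policies"] if p not in cfg["policies"]]
    cp = cfg["cp_profiles"].get(pre["cp_profile"])
    if cp is None:
        return bad + ["step 9: initial role has no captive portal profile"]
    if cp["default_role"] not in cfg["roles"]:
        bad.append("step 8: default role not defined")
    elif cp["default_role"] == aaa["initial_role"]:
        bad.append("step 8: default role is the pre-authentication role")
    if cp["server_group"] not in cfg["server_groups"]:
        bad.append("step 8: server group not defined")
    return bad
```
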
You can use the default guest-logon and guest roles or create customized roles as shown above. You can also modify the default roles to suit your organization's requirements.
The captiveportal policy has a redirect statement that enables the display of the portal page:

Captiveportal
-------------
Priority  Source  Destination  Service    Action
--------  ------  -----------  -------    ------
1         user    controller   svc-https  dst-nat 8081
2         user    any          svc-http   dst-nat 8080
3         user    any          svc-https  dst-nat 8081
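
To see what a guest can reach before and after login, the following added example (not from the original course material, and not ArubaOS code) evaluates flows first-match against the three captiveportal rules above and then against a post-authentication role. The controller address, the DNS permit in the initial role, the service port definitions and the web-only contents of the guest role are assumptions made for the illustration.

```python
# Added example: constructed model of role-based, first-match policy.
SERVICES = {                      # service alias -> (protocol, ports)
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
    "svc-http": ("tcp", {80}),
    "svc-https": ("tcp", {443}),
}
CONTROLLER = "192.168.50.1"       # constructed controller address

ROLES = {
    # Pre-authentication role: DHCP as the page states, DNS as an assumption,
    # then the three captiveportal rules in priority order.
    "guest-logon": [
        ("any", "svc-dhcp", "permit"),
        ("any", "svc-dns", "permit"),
        ("controller", "svc-https", "dst-nat 8081"),
        ("any", "svc-http", "dst-nat 8080"),
        ("any", "svc-https", "dst-nat 8081"),
    ],
    # Post-authentication role: an assumed web-only guest policy.
    "guest": [
        ("any", "svc-dhcp", "permit"),
        ("any", "svc-dns", "permit"),
        ("any", "svc-http", "permit"),
        ("any", "svc-https", "permit"),
    ],
}

def evaluate(role, dst, proto, port):
    """First matching rule wins; traffic that matches nothing is denied."""
    for rule_dst, service, action in ROLES[role]:
        svc_proto, ports = SERVICES[service]
        dst_ok = rule_dst == "any" or dst == CONTROLLER
        if dst_ok and proto == svc_proto and port in ports:
            return action
    return "deny"

class Client:
    """A guest station: starts in the initial role, moves on after login."""

    def __init__(self):
        self.role = "guest-logon"

    def send(self, dst, proto, port):
        return evaluate(self.role, dst, proto, port)

    def portal_login_ok(self):
        self.role = "guest"       # the captive portal profile's default role
```

Before login, web traffic to any destination is translated to the controller's portal ports and everything else except DHCP and DNS is dropped; after login, the same flows are judged by the post-authentication role instead.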
Here we create a new aaa profile for the guest network.
The role created on the previous page is then applied in the aaa profile as the Initial role. This is the role a client gets when it connects to the guest SSID.
Captive portal profile options:
Redirect Pause: Time, in seconds, that the system remains on the initial welcome page before redirecting the user to the final web URL.
User Login: Enables Captive Portal with authentication of user credentials.
Guest Login: Enables Captive Portal logon without authentication.
Logout popup window: Enables a pop-up window with the Logout link for the user to log out after logon.
Max authentication failures: Maximum number of authentication failures before the user is blacklisted.
Login page: URL of the page that appears for the user logon.
Welcome page: URL of the page that appears after logon and before redirection to the web URL.
Allow only one active user session: Select this checkbox to allow only one active user session at a time. This feature is disabled by default.
Whitelist/Blacklist: Whitelist and blacklist of domain names.
Show the acceptable use policy page: Select this checkbox to display the acceptable use policy before the login page.
The captive portal profile created on the previous page is assigned to the pre-auth role created in User role
Customize the captive portal page under Configuration -> Management -> Captive Portal.
Referring to the captive portal profile created before, here you can add an acceptable use policy, change the page background, and add text to the login page. You can also upload your own login pages by clicking on the Upload tab next to the Customize tab.
Create a new guest-vap profile and assign the guest-aaa profile here.
The VAP needs a VLAN assigned to it; all the users connecting to the guest SSID will be put in this VLAN. When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial user role and user role, captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal.
Create a new guest-ssid profile where you specify the name of the network and encryption type used.
The wizard procedure is similar to creating the Employee WLAN, which is explained in chapter 3.
The Guest Provisioning feature lets you manage guests who need access to your company’s Aruba wireless network. The guest provisioning account is used by a receptionist to create guest accounts. This allows the receptionist to log in to the controller interface, create a guest user account and print a badge label for the newly created guest user. All other controller management in the GUI will be hidden from the guest provisioning user.
Configuring the Guest Provisioning user:
1. Navigate to the Configuration > Management > Administration page.
2. In the Management Users section, click Add.
3. In the User Name field, enter the name of the user who you want to configure as a guest provisioning user.
4. In the Password and Confirm Password fields, enter the user’s password and reconfirm it.
5. From the Role drop-down menu, select guest-provisioning.
6. Click Apply at the bottom of the page.
In the WebUI, you can customize the pop-up window that displays the guest account information. You may want to do this before the Guest Provisioning user creates guest accounts. Only an administrator can customize the guest access badge. Aruba recommends using a logo or banner image that is 600 x 100 pixels (width x height). The WebUI does not apply the size restrictions when you upload an image file, but the image is resized to 600 x 100 pixels when it displays or is printed. An administrator can customize the guest label printed by the receptionist.
Path: Configuration > Management > Guest Provisioning
The Guest field tab is used to specify the fields that the user wants to appear on the guest provisioning page. This feature is exclusively designed for the WebUI. Depending on the attributes selected, the guest access user page will differ:
The Page Design tab lets the user specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page. To design the Guest Provisioning page:
1. Enter the filename which contains the company banner in the Banner field. Or, click Browse to search for the filename.
2. Enter the label for the guest listing on the Guest Provisioning page.
3. Enter the hex value for the color of the text in the Text color field. The text in the header of the guest listing appears in this color.
4. Enter the hex value for the color of the background in the Background color field. This determines the color of the header of the guest listing.
When a guest user is created, an email with the account details can be sent to the guest and the sponsor. During account creation, the email can be sent to both guest and sponsor by configuring the Send Email Automatically option. Once the guest has been created, the email can be sent by clicking the Send Email button or with a CLI command. This requires the following configuration:
Configuration specifying the SMTP server IP address and port
Email template generated by the WebUI
The SMTP server is configured by navigating to Configuration -> Management -> SMTP.
The receptionist logs in to the controller interface using the designated user ID and password, and the account is restricted to creating guest user accounts only. To create the new user, click the New button on the left side of the screen. Enter the details and click the Create button.
show local-userdb-guest will show the local database user summary.
show local-userdb-guest verbose will show all the user fields.
This is the root administrator’s path to manage the Internal-DB. The “Guest User Page” radio button brings up the same user administration menu as in “creating a new user”. Also note that the guest user has an expiration time set.