8/17/2019 Mod10MBC Captive Portal 6.3 v1.3
http://slidepdf.com/reader/full/mod10mbc-captive-portal-63-v13 1/27
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Aruba Bootcamp – Captive Portal
Aruba allows for a simple collapsed architecture that provides differentiated access based on user and device characteristics. This is the basis for a number of guest access features.
Guest access is often configured as a software option: no new hardware is required for basic guest access beyond the Aruba Mobility Controller and Access Points used for the internal WLAN.
In contrast to other vendors, where the LAN must be reconfigured to add a VLAN for guest access at every LAN switch where an AP is to be connected, Aruba’s user-centric networks are added as an overlay on the existing wired LAN: traffic from Access Points is directed via secure tunnels directly to the Mobility Controller, where an integral stateful firewall maintains strict segregation between different traffic classes. Internal traffic is permitted to connect to the core LAN and corporate resources, while guest traffic travels through a secure tunnel to a Mobility Controller situated in the DMZ, and from there to the Internet. Captive Portal login screens and web forms for administration are served directly from the Mobility Controller.
For more sophisticated guest access solutions, Aruba’s user-centric networks accommodate third-party applications for credit card processing, access code authorization and property management systems.
In this design, the Aruba controller will provide DHCP on a separate network for guests and NAT them out of the controller into the corporate LAN. You must decide if you wish to allow access to your internal DNS or restrict the guest users to using only external DNS. In this model, as far as addressing goes, it’s likely that the guest would be allocated an address on a different IP network from the rest of the company. That would be configured per the VLAN and DHCP server that allocates addresses for the guests. At that point one could NAT the address at the controller or, even better, use the NAT capability on the firewall in the picture.
There is more detail on this and on how to set up the firewall policies in the Lab exercise.
The controller is typically the Layer 3 device when it acts as the default router for a non-routable guest network. When a guest network is deployed in private IP space and is not routable from the general network, the mobility controller is normally configured to act as both the DHCP server and NAT device for the guests.
The initial role in captive portal allows for DHCP. Therefore, the DHCP server has to be in the Virtual AP’s broadcast domain (i.e. its VLAN).
Captive Portal, or its web login, begins by capturing an HTTP GET, or more precisely “redirecting” the HTTP GET for a site such as www.yahoo.com to the controller’s internal web server.
Authentication is usually, but not necessarily, implemented with the Aruba controller’s internal database.
Once the guest has been authenticated, the guest role and firewall policies decide the details of the guest’s access to the network.
In the figure above, the dotted arrows show where a role or profile has been assigned or referenced.
Steps to configure captive portal:
1. Create a VLAN and assign an IP address.
2. Assign a DHCP pool.
3. Create appropriate firewall policies.
4. Create a pre-authentication role, guest-logon, and assign firewall policies.
5. Create a post-authentication role and assign firewall policies.
6. Create a server group and assign a server type.
7. Create an AAA profile and assign the pre-authentication role created in step 4 as the initial role.
8. Create a captive portal profile and assign the post-authentication role created in step 5 as the default role. Also assign the server group created in step 6.
9. Assign this captive portal profile to the pre-auth role created in step 4.
10. Create a new VAP profile in the AP group under WLAN > Virtual AP, and assign the VLAN created in step 1.
11. Assign the AAA profile created in step 7.
12. Create a new SSID profile.
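The steps above build a chain of references (virtual AP to AAA profile to initial role to captive portal profile to default role and server group). The following check of that chain is an added example, not Aruba's code; the dictionary layout and every object name in it (guest-vap, guest-cp and so on) are constructed for illustration.

```python
# Constructed model of the objects the steps create; every name is hypothetical.
CONFIG = {
    "vlans": {900},
    "server_groups": {"guest-sg"},
    "ssid_profiles": {"guest-ssid"},
    "roles": {"guest-logon-custom": {"captive_portal": "guest-cp"},
              "guest-custom": {"captive_portal": None}},
    "cp_profiles": {"guest-cp": {"default_role": "guest-custom",
                                 "server_group": "guest-sg"}},
    "aaa_profiles": {"guest-aaa": {"initial_role": "guest-logon-custom"}},
    "virtual_aps": {"guest-vap": {"vlan": 900, "aaa_profile": "guest-aaa",
                                  "ssid_profile": "guest-ssid"}},
}


def check_guest_chain(cfg, vap_name):
    """Follow VAP -> AAA profile -> initial role -> captive portal profile."""
    vap = cfg["virtual_aps"].get(vap_name)
    if vap is None:
        return [f"virtual AP {vap_name} is not defined"]
    problems = []
    if vap.get("vlan") not in cfg["vlans"]:
        problems.append("VAP VLAN does not exist")
    if vap.get("ssid_profile") not in cfg["ssid_profiles"]:
        problems.append("VAP has no valid SSID profile")
    aaa = cfg["aaa_profiles"].get(vap.get("aaa_profile"))
    if aaa is None:
        return problems + ["VAP has no valid AAA profile"]
    pre_role = aaa.get("initial_role")
    if pre_role not in cfg["roles"]:
        return problems + ["initial role is not defined"]
    cp = cfg["cp_profiles"].get(cfg["roles"][pre_role].get("captive_portal"))
    if cp is None:
        # Without this link, unauthenticated clients are never sent to the portal.
        return problems + ["initial role has no captive portal profile"]
    post_role = cp.get("default_role")
    if post_role not in cfg["roles"]:
        problems.append("default (post-auth) role is not defined")
    elif post_role == pre_role:
        problems.append("post-auth role is the same as the pre-auth role")
    if cp.get("server_group") not in cfg["server_groups"]:
        problems.append("server group is not defined")
    return problems


if __name__ == "__main__":
    print(check_guest_chain(CONFIG, "guest-vap") or "chain is complete")
```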
You can use the default guest-logon and guest roles or create customized roles as shown above.
You can also modify the default roles to suit your organization’s requirements.
The captiveportal policy has a redirect statement which enables the display of the portal page.
Captiveportal
-------------
Priority  Source  Destination  Service    Action
--------  ------  -----------  -------    ------
1         user    controller   svc-https  dst-nat 8081
2         user    any          svc-http   dst-nat 8080
3         user    any          svc-https  dst-nat 8081
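How the three dst-nat rules of this policy act on an unauthenticated client's traffic, evaluated in first-match order. This is an added example, not Aruba's code: the controller address, the sample flows, the one-port-per-service simplification and the DNS permit rule are assumptions; the DHCP permit reflects the statement that the initial role allows DHCP.

```python
# Service aliases reduced to one (protocol, port) each for this sketch.
SERVICES = {
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}
CONTROLLER_IP = "192.0.2.1"  # constructed address

# Pre-authentication role as an ordered list: (destination, service, action, nat_port).
PRE_AUTH_RULES = [
    ("any", "svc-dhcp", "permit", None),           # initial role allows DHCP
    ("any", "svc-dns", "permit", None),            # assumption: DNS allowed before login
    ("controller", "svc-https", "dst-nat", 8081),  # captiveportal, first rule
    ("any", "svc-http", "dst-nat", 8080),          # captiveportal, second rule
    ("any", "svc-https", "dst-nat", 8081),         # captiveportal, third rule
]


def evaluate(dst_ip, proto, port, rules=PRE_AUTH_RULES):
    """Return (action, effective_dst_ip, effective_port) using first-match order."""
    for dest, service, action, nat_port in rules:
        if dest == "controller" and dst_ip != CONTROLLER_IP:
            continue
        if SERVICES[service] != (proto, port):
            continue
        if action == "dst-nat":
            # Rewritten to the controller's internal web server.
            return ("dst-nat", CONTROLLER_IP, nat_port)
        return ("permit", dst_ip, port)
    return ("deny", None, None)  # nothing matched: dropped


def pre_auth_exposure(flows, rules=PRE_AUTH_RULES):
    """List flows that pass through unmodified before login."""
    return [f for f in flows if evaluate(*f, rules=rules)[0] == "permit"]


if __name__ == "__main__":
    # Constructed flows from an unauthenticated guest.
    flows = [("198.51.100.7", "tcp", 80), ("198.51.100.7", "tcp", 443),
             ("203.0.113.53", "udp", 53), ("198.51.100.7", "tcp", 22)]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
    print("permitted before login:", pre_auth_exposure(flows))
```

Running `pre_auth_exposure` over the services a guest VLAN can reach is a quick way to review what the pre-authentication role lets through before any credentials are presented.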
Here we create a new AAA profile for the guest network.
The role created on the previous page is then applied in the AAA profile as the initial role.
This is the role a client gets when it connects to the guest SSID.
Captive portal profile options
Redirect Pause: Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL.
User Login: Enables Captive Portal with authentication of user credentials.
Guest Login: Enables Captive Portal logon without authentication.
Logout popup window: Enables a pop-up window with the Logout link for the user to log out after logon.
Max authentication failures: Maximum number of authentication failures before the user is blacklisted.
Login page: URL of the page that appears for the user logon.
Welcome page: URL of the page that appears after logon and before redirection to the web URL.
Allow only one active user session: Select this checkbox to allow only one active user session at a time. This feature is disabled by default.
Whitelist/Blacklist: Whitelist and blacklist of domain names.
Show the acceptable use policy page: Select this checkbox to display the acceptable use policy before the login page.
The captive portal profile created on the previous page is assigned to the pre-auth role created in User role.
Customize the captive portal page under Configuration > Management > Captive Portal.
Refer to the captive portal profile created before. Here you can add an acceptable use policy, change the page background, and add text to the login page.
You can also upload your own login pages by clicking on the Upload tab next to the Customize tab.
Create a new guest-vap profile and assign the guest-aaa profile here.
The VAP needs a VLAN assigned to it; all the users connecting to the guest SSID will be put in this VLAN.
When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial user role and user role, and a unique captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal.
Create a new guest-ssid profile where you specify the name of the network and the encryption type used.
The wizard procedure is similar to creating the Employee WLAN, which is explained in chapter 3.
The Guest Provisioning feature lets you manage guests who need access to your company’s Aruba wireless network.
The account is used by a receptionist to create guest accounts.
This allows the receptionist to log in to the controller interface, create a guest user account and print a badge label for the newly created guest user.
All other controller management in the GUI will be hidden from the guest provisioning user.
Configuring the Guest Provisioning user:
1. Navigate to the Configuration > Management > Administration page.
2. In the Management Users section, click Add.
3. In the User Name field, enter the name of the user who you want to configure as a guest provisioning user.
4. In the Password and Confirm Password fields, enter the user’s password and reconfirm it.
5. From the Role drop-down menu, select guest-provisioning.
6. Click Apply at the bottom of the page.
In the WebUI, you can customize the pop-up window that displays the guest account information. You may want to do this before the Guest Provisioning user creates guest accounts. Only an administrator can customize the guest access badge.
Aruba recommends using a logo or banner image that is 600 x 100 pixels (width x height). The WebUI does not apply the size restrictions when you upload an image file, but the image is resized to 600 x 100 pixels when it displays or is printed.
An administrator can customize the guest label printed by the receptionist.
Path: Configuration > Management > Guest Provisioning
The Guest field tab is used to specify the fields that should appear on the guest provisioning page. This feature is exclusively designed for the WebUI.
Depending on the attributes selected, the guest access user page will differ:
The Page Design tab lets the user specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page.
To design the Guest Provisioning page:
Enter the filename which contains the company banner in the Banner field. Or, click Browse to search for the filename.
Enter the label for the guest listing on the Guest Provisioning page.
Enter the hex value for the color of the text in the Text color field. The text in the header of the guest listing appears in this color.
Enter the hex value for the color of the background in the Background color field. This determines the color of the header of the guest listing.
The receptionist logs in to the controller interface using the designated user ID and password, and the account is restricted to only creating guest user accounts.
To create the new user, click the New button on the left side of the screen.
Enter the details and click the Create button.
show local-userdb-guest
will show the local database user summary
show local-userdb-guest verbose
will show all the user fields
This is the root administrator’s path to manage the Internal-DB. The “Guest User Page” radio button brings up the same user administration menu as in “creating a new user”. Also note that the guest user has an expiration time set.