8/17/2019 Mod10MBC Captive Portal 6.3 v1.3 http://slidepdf.com/reader/full/mod10mbc-captive-portal-63-v13 1/27 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved  Aruba Bootcamp – Captive Portal 10-1

Mod10MBC Captive Portal 6.3 v1.3


Aruba allows for a simple collapsed architecture that provides differentiated access based on user and device characteristics. This is the basis for a number of guest access features.

Guest access is often configured as a software option: no new hardware is required for basic guest access beyond the Aruba Mobility Controller and Access Points used for the internal WLAN.

In contrast to other vendors, where the LAN must be reconfigured to add a VLAN for guest access at every LAN switch where an AP is to be connected, Aruba's user-centric networks are added as an overlay on the existing wired LAN: traffic from Access Points is directed via secure tunnels directly to the Mobility Controller, where an integral stateful firewall maintains strict segregation between different traffic classes. Internal traffic is permitted to connect to the core LAN and corporate resources, while guest traffic travels through a secure tunnel to a Mobility Controller situated in the DMZ, and from there to the Internet. Captive Portal login screens and web forms for administration are served directly from the Mobility Controller.

For more sophisticated guest access solutions, Aruba's user-centric networks accommodate third-party applications for credit card processing, access code authorization and property management systems.


In this design, the Aruba controller provides DHCP on a separate network for guests and NATs them out of the controller into the corporate LAN. You must decide whether to allow access to your internal DNS or restrict guest users to external DNS only. In this model, the guest is likely to be allocated an address on a separate IP network from the rest of the company. That is configured through the VLAN and the DHCP server that allocates addresses for the guests. At that point one could NAT the address at the controller or, even better, use the NAT capability on the firewall in the picture.

There is more detail on this, and on how to set up the firewall policies, in the lab exercise.


The controller is typically the Layer 3 device when it acts as the default router for a nonroutable guest network. When a guest network is deployed in private IP space and is not routable from the general network, the mobility controller is normally configured to act as both the DHCP server and the NAT device for the guests.


The initial role in captive portal allows for DHCP. Therefore, the DHCP server has to be in the Virtual AP's broadcast domain (i.e., its VLAN).

Captive Portal, or its web login, begins by capturing an HTTP GET or, more precisely, "redirecting" the HTTP GET (for example, to www.yahoo.com) to the controller's internal web server.

Authentication is usually, but not necessarily, implemented with the Aruba controller's internal database.

Once the guest has been authenticated, the guest role and firewall policies decide the details of the guest's access to the network.


In the figure above, the dotted arrows show where a role or profile has been assigned or referenced.

Steps to configure captive portal:

1. Create a VLAN and assign an IP address.
2. Assign a DHCP pool.
3. Create appropriate firewall policies.
4. Create a pre-authentication role, guest-logon, and assign firewall policies.
5. Create a post-authentication role and assign firewall policies.
6. Create a server group and assign a server type.
7. Create an AAA profile and assign the pre-authentication role created in step 4 as the initial role.
8. Create a captive portal profile and assign the post-authentication role created in step 5 as the default role. Also assign the server group created in step 6.
9. Assign this captive portal profile to the pre-auth role created in step 4.
10. Create a new VAP profile in the AP group under WLAN -> Virtual AP, and assign the VLAN created in step 1.
11. Assign the AAA profile created in step 7.
12. Create a new SSID profile.


You can use the default guest-logon and guest roles or create customized roles as shown above.

You can also modify the default roles to suit your organization's requirements.

The captiveportal policy has a redirect statement that enables the display of the portal page:

Captiveportal
-------------
Priority  Source  Destination  Service    Action
--------  ------  -----------  ---------  ------------
1         user    controller   svc-https  dst-nat 8081
2         user    any          svc-http   dst-nat 8080
3         user    any          svc-https  dst-nat 8081
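
The configuration steps and the captiveportal redirect policy above form a reference chain (virtual AP -> AAA profile -> initial role -> captive portal profile -> default role and server group) that can be checked mechanically. The following Python audit is an added example, not part of the original course material; it runs over a constructed ArubaOS-style configuration in which every profile, role and VLAN name is an assumption.

```python
# Constructed ArubaOS-style configuration; every name and number is an assumption.
SAMPLE = """\
vlan 900
user-role guest-logon-custom
   captive-portal "guest-cp"
   access-list session captiveportal
user-role guest-custom
aaa server-group "guest-sg"
aaa authentication captive-portal "guest-cp"
   default-role guest-custom
   server-group "guest-sg"
aaa profile "guest-aaa"
   initial-role guest-logon-custom
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa"
   vlan 900
"""

def parse(text):
    """Map each top-level stanza header to its indented child lines."""
    stanzas, current = {}, None
    for line in text.replace('"', "").splitlines():
        if line[:1].isspace() and current:
            stanzas[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = line.strip()
            stanzas[current] = []
    return stanzas

def audit(text, vap):
    """Walk VAP -> AAA profile -> initial role -> portal profile; list what is broken."""
    s, problems = parse(text), []
    def refs(header, key):  # values of every "<key> <value>" child of a stanza
        return [c[len(key):].strip() for c in s.get(header, []) if c.startswith(key + " ")]
    def need(header, key, target):  # reference must be set and point at a defined stanza
        vals = refs(header, key)
        if vals and f"{target} {vals[0]}" in s:
            return vals[0]
        problems.append(f"{header}: {key} " + (f"'{vals[0]}' is not defined" if vals else "is not set"))
        return None
    need(f"wlan virtual-ap {vap}", "vlan", "vlan")                      # steps 1 and 10
    aaa = need(f"wlan virtual-ap {vap}", "aaa-profile", "aaa profile")  # step 11
    pre = aaa and need(f"aaa profile {aaa}", "initial-role", "user-role")  # step 7
    cp = pre and need(f"user-role {pre}", "captive-portal", "aaa authentication captive-portal")
    if pre and "captiveportal" not in refs(f"user-role {pre}", "access-list session"):
        problems.append(f"user-role {pre}: redirect policy 'captiveportal' not applied")
    if cp:  # step 8: post-authentication role and server group
        need(f"aaa authentication captive-portal {cp}", "default-role", "user-role")
        need(f"aaa authentication captive-portal {cp}", "server-group", "aaa server-group")
    return problems
```

An empty list from `audit(SAMPLE, "guest-vap")` means every reference resolves; a missing redirect policy or a mistyped role name is reported by stanza.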


Here we create a new AAA profile for the guest network.

The role created on the previous page is then applied in the AAA profile as the initial role.

This is the role a client gets when it connects to the guest SSID.


Captive portal profile options:

Redirect Pause: Time, in seconds, that the system remains on the initial welcome page before redirecting the user to the final web URL.

User Login: Enables Captive Portal with authentication of user credentials.

Guest Login: Enables Captive Portal logon without authentication.

Logout popup window: Enables a pop-up window with the Logout link so the user can log out after logon.

Max authentication failures: Maximum number of authentication failures before the user is blacklisted.

Login page: URL of the page that appears for the user logon.

Welcome page: URL of the page that appears after logon and before redirection to the web URL.

Allow only one active user session: Select this checkbox to allow only one active user session at a time. This feature is disabled by default.

Whitelist/Blacklist: Whitelist and blacklist of domain names.

Show the acceptable use policy page: Select this checkbox to display the acceptable use policy before the login page.


The captive portal profile created on the previous page is assigned to the pre-auth role created in User role.


Customize the captive portal page under Configuration -> Management -> Captive Portal.

Select the captive portal profile created before. Here you can add an acceptable use policy, change the page background, and add text to the login page.

You can also upload your own login pages by clicking the Upload tab next to the Customize tab.


Create a new guest-vap profile and assign the guest-aaa profile here.

The VAP needs a VLAN assigned to it; all users connecting to the guest SSID will be put in this VLAN.

When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial user role and user role, and a unique captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal.


Create a new guest-ssid profile where you specify the name of the network and the encryption type used.


The wizard procedure is similar to creating the Employee WLAN, which is explained in chapter 3.


The Guest Provisioning feature lets you manage guests who need access to your company's Aruba wireless network.

The account is used by a receptionist to create guest accounts.

This allows the receptionist to log in to the controller interface, create a guest user account and print a badge label for the newly created guest user.

All other controller management in the GUI is hidden from the guest provisioning user.

Configuring the Guest Provisioning user:

1. Navigate to the Configuration > Management > Administration page.

2. In the Management Users section, click Add.

3. In the User Name field, enter the name of the user you want to configure as a guest provisioning user.

4. In the Password and Confirm Password fields, enter the user's password and reconfirm it.

5. From the Role drop-down menu, select guest-provisioning.

6. Click Apply at the bottom of the page.


In the WebUI, you can customize the pop-up window that displays the guest account information. You may want to do this before the Guest Provisioning user creates guest accounts. Only an administrator can customize the guest access badge.

Aruba recommends using a logo or banner image that is 600 x 100 pixels (width x height). The WebUI does not apply the size restrictions when you upload an image file, but the image is resized to 600 x 100 pixels when it displays or is printed.

An administrator can customize the guest label printed by the receptionist.


Path: Configuration > Management > Guest Provisioning

The Guest Fields tab is used to specify the fields that a user wants to appear on the guest provisioning page. This feature is designed exclusively for the WebUI.

Depending on the attributes selected, the guest access user page will differ:


The Page Design tab lets the user specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page.

To design the Guest Provisioning page:

Enter the filename that contains the company banner in the Banner field, or click Browse to search for the filename.

Enter the label for the guest listing on the Guest Provisioning page.

Enter the hex value for the color of the text in the Text color field. The text in the header of the guest listing appears in this color.

Enter the hex value for the color of the background in the Background color field. This determines the color of the header of the guest listing.


The receptionist logs in to the controller interface using the designated user ID and password, and the account is restricted to only creating guest user accounts.

To create the new user, click the New button on the left side of the screen.

Enter the details and click the Create button.


show local-userdb-guest

Shows the local database user summary.

show local-userdb-guest verbose

Shows all the user fields.

This is the root administrator's path to manage the Internal-DB. The "Guest User Page" radio button brings up the same user administration menu as in "creating a new user". Also note that the guest user has an expiration time set.
