Captive Portal Authentication (ArubaOS 3x)
I’ve been figuring out how to configure the ‘Captive Portal’ authentication feature of Aruba’s Wireless Controller. Aruba’s configuration guide turned out to be very outdated on this topic: they have a configuration guide available for ArubaOS 2x but not for version 3x.
In this article I will explain how to configure secure guest access by presenting a ‘Captive Portal’ when users log on to the wireless network. This is only a very basic configuration example of the diagram shown below:
Please note: in my example I’ve used an Aruba 3200 Mobility Controller running ArubaOS 3.1 with an AP 65; some configuration steps may differ for your controller.
Required licenses:
- ArubaOS 3x: Comes standard with all Aruba Mobility Controllers.
- Policy Enforcement Firewall module (PEF): Required to define user roles, firewall ACL policies and rule derivation rules.
Configure base system:
For the base configuration, log in to the Mobility Controller over the serial (console) connection and not through the Graphical User Interface (GUI), to avoid disruptions. All remaining configuration will be done via the GUI.
1. When you first connect to the Aruba Mobility Controller an initial setup dialog is displayed; I completed the initial setup with the following settings:
- System name: Aruba-master
- VLAN 1 interface IP Address: 192.168.0.1
- VLAN 1 interface subnet mask: 255.255.255.0
- IP Default Gateway: 192.168.0.254
- Switch role: Master
- Country Code: NL
- Time Zone: PST-8:0
2. The next step is to configure the loopback interface, which is required for communication with the Access Points (APs), and a VLAN for wireless guest access. First I’ll configure the loopback interface as shown below:
(Aruba-master) #configure terminal
(Aruba-master) (config) #interface loopback
(Aruba-master) (config-loop)# ip address 192.168.0.2
3. Next I’m creating a new VLAN for wireless guest access; in my example VLAN 100 is created for guest usage as shown below:
(Aruba-master) (config) #vlan 100
(Aruba-master) (config) #interface vlan 100
(Aruba-master) (config-subinf) #ip address 192.168.100.1 255.255.255.0
4. In my example Ethernet port 0 is dedicated to the internal network (192.168.0.0/24) and Ethernet port 1 to the guest network (192.168.100.0/24), as shown below. Note that only the internal port is marked ‘trusted’; the guest port stays untrusted so the controller’s firewall keeps enforcing the role-based policies on guest traffic.
(Aruba-master) (config) #interface gigabitethernet 1/0
(Aruba-master) (config-if) #description Internal_Network
(Aruba-master) (config-if) #switchport access vlan 1
(Aruba-master) (config-if) #trusted
(Aruba-master) (config) #interface gigabitethernet 1/1
(Aruba-master) (config-if) #description Guest_Network
(Aruba-master) (config-if) #switchport access vlan 100
5. Next we need to configure the redirection address for the captive portal; in my example this is the IP address of the VLAN 100 interface (guest network), as shown below:
(Aruba-master) (config) #ip cp-redirect-address 192.168.100.1
6. Now that the base configuration is complete, save it and reboot your Aruba Mobility Controller for the changes to take effect, as shown below:
(Aruba-master) (config) #exit
(Aruba-master) #write memory
(Aruba-master) #reload
Do you really want to reset the system (y/n): y
System will now restart!
Configuring secure guest access:
Now I’m going to configure secure guest access by configuring a ‘Captive Guest Portal’. I will use the Graphical User Interface (GUI) for the following configuration steps.
1. First I’m going to configure the DHCP pool for the wireless guest users; you can also use a dedicated DHCP server (e.g. Microsoft). From the Configuration tab go to ‘Network>IP’ as shown below:
2. You’ll see several tabs regarding the IP configuration of the Mobility Controller; choose ‘DHCP Server’ and then add a new ‘Pool Configuration’ as shown below:
3. Enable DHCP by ticking the ‘Enable DHCP Server’ checkbox and apply your configuration.
4. Now that the IP configuration is complete we need to configure the wireless profiles; from the Configuration tab go to ‘Advanced Services>All Profiles’ as shown below:
5. Expand ‘Wireless LAN’ and choose the ‘SSID Profile’ submenu as shown below:
6. There’s already a default SSID profile present, but best practice is to manually add a new SSID profile as shown below:
7. Edit the new SSID profile settings: choose an ‘SSID Network Name’ for your guest network and make sure the 802.11 security settings are set to ‘None’ for authentication and ‘Open’ for encryption, as shown below:
8. Now that we have an SSID profile for guest access, the next step is to create an AAA profile; go to the ‘AAA Profile’ submenu as shown below:
9. There are several default AAA profiles available; create a new profile as shown below:
10. Edit the new AAA profile settings and make sure the ‘Initial role’ is set to ‘guest-logon’, as shown below:
11. The next step is to configure a ‘Virtual AP Profile’, available as a submenu of the ‘Wireless LAN’ menu, as shown below:
12. There’s a default profile available, but it’s best to create a new profile manually as shown below:
13. Select the VLAN you’ve created for guest access, in my example VLAN 100, as shown below:
14. Now you need to link your previously created SSID profile and AAA profile to your Virtual AP profile, as shown below:
15. The next step is to configure the ‘Captive Portal Authentication Profile’, available as a submenu of the ‘Wireless LAN’ menu, as shown below:
16. There’s a default profile present, but it’s best to create a new profile manually as shown below:
17. Edit the new Captive Portal profile settings; it’s important to define a ‘default role’. I’ve chosen the default ‘guest’ role, which only allows ICMP, DNS, HTTP and HTTPS, as shown below:
18. Now you’ll have to define the server group for the Captive Portal profile. I’ve chosen the internal database for simplicity (RADIUS, LDAP and TACACS+ are supported), as shown below:
19. The next step is to configure an ‘AP Group’, which can be found in the Configuration tab under ‘Wireless>AP Configuration’, as shown below:
20. There’s a default group available, but it’s best to create a new ‘AP Group’ as shown below:
21. You’ll need to link the previously created Virtual AP profile to the new AP group; it can be found in the ‘Wireless LAN’ menu, as shown below:
22. The next step is to create a management user who is allowed to generate tickets for guest provisioning; from the Configuration tab go to ‘Management>Administration’ as shown below:
23. Create a new administrative user and assign the role ‘guest-provisioning’, as shown below:
24. Now we need to edit the user role ‘guest-logon’ to activate the newly created captive portal; from the Configuration tab go to ‘Security>Access Control’ as shown below:
25. Edit the user role ‘guest-logon’ and assign the guest VLAN and the captive portal profile to the user role, as shown below:
That is all that needs to be done to configure secure guest access with a Captive Portal. If you provision an Access Point (AP) with the right AP group, the guest SSID will appear and a Captive Portal will be presented when users try to browse the Internet. I recommend fine-tuning the user roles and policies, as this is only a very basic setup.
Aruba’s Virtual Branch Networking (VBN)
Aruba came out with a nice remote access architecture called Virtual Branch Networking (VBN). In the VBN architecture every Remote Access Point (RAP) operates as a remotely managed Access Point which tunnels all traffic through a VPN tunnel to the corporate network. A nice solution IMHO, because it’s easy to configure and manage from the administrator’s perspective, offering ‘zero-touch’ provisioning and the enforcement of role-based access policies.
Today the full VBN feature set, including ‘zero-touch’ provisioning, is only supported by 3000 and 6000 controllers running an ‘RN’ ArubaOS 3x image (e.g. v3.3.2-rn3.0); with the release of ArubaOS 5x all VBN features will be integrated into one image. Aruba has announced the release of ArubaOS 5x for March this year. Aruba offers the following new RAPs for use with VBN:
- RAP-2WG: Small single-radio (802.11b/g) AP with two 10/100 Ethernet Ports, targeted for use by small branch and home offices up to 5 users.
- RAP-5WN: Desktop/Wall-mount dual-band (802.11a/b/g/n) AP with five 10/100 Ethernet Ports, targeted for use by medium branch offices up to 256 users.
- RAP-5: Wired-only AP to apply authentication policies to wired network devices, targeted for use by small/medium branch offices; please note this model does not offer wireless VBN.
Non-VBN APs like the AP-105 or AP-125 can be integrated into the same network manually; however, the ‘zero-touch’ provisioning VBN feature is not supported for them.
From the end user’s perspective the ‘zero-touch’ provisioning feature is just great! Connect Ethernet port 0 of the RAP to an Internet connection and Ethernet port 1 to a PC or notebook, wait a few seconds for the RAP to complete its boot sequence and open a browser to any URL. The RAP will automatically redirect the user to the provisioning web page; enter the supplied controller IP or FQDN and enjoy the show! The RAP is then automatically provisioned with the firmware and corporate policies supplied by the Aruba controller. When finished, the RAP reboots and your corporate wireless network is available to the user.
Additionally, Aruba offers a wizard to generate a brief instruction manual with the IP or FQDN of the Aruba controller filled in; unfortunately the instructions are only provided in English, which could be a problem for some users.
I think Aruba’s VBN is a great addition to their portfolio. There are still some small bumps and glitches in the ‘zero-touch’ process, but nothing serious. VBN is a great solution for companies that want to extend their corporate wireless network to branch offices and home users with the same security benefits.
References:
- For more information about design and implementation guidelines for VBN, Aruba has a great reference guide available on their website.
- For a nice article about configuring Aruba’s VBN using a 3200 controller and a RAP-2WG, visit Peter Bazelmans’ blog.
Juniper EX Switch password recovery
A few weeks ago I passed my JNCIA-EX exam. I used a Juniper EX 4200 switch acquired as a demonstration model from Juniper Networks, which was very helpful for the exam preparation and eventually passing the exam. After unpacking the switch and booting it up for the first time it was password protected, because the switch hadn’t been reset to its factory defaults.
This article describes the steps needed to reset the root password of a Juniper EX switch.
1. Power off the switch by unplugging the power cord.
2. Make sure you’re physically connected to the console port of the switch. Start your terminal emulation application (e.g. PuTTY) and configure the port settings as follows:
- Bits per second: 9600
- Data bits: 8
- Parity: None
- Stop bits: 8
- Flow control: None
3. Power on the switch by plugging in the power cord; when the following prompt appears, press the space bar to access the switch’s bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 1 second…
4. At the following prompt type ‘boot -s’ to start up the system in single-user mode:
loader> boot -s
5. At the following prompt type ‘recovery’ to start the root password recovery procedure:
Enter full path name of shell or ‘recovery’ for root password recovery or RETURN for /bin/sh: recovery
6. A series of messages first describes the consistency checks, the mounting of file systems and the initialization and checkout of management services. Then the CLI prompt appears; enter configuration mode at the following prompt:
user@switch> cli
7. At the following prompt set the new root password:
user@switch# set system root-authentication plain-text-password
8. After setting the new root password, commit the configuration:
root@switch# commit
9. Exit configuration mode and operational mode, and enter ‘y’ to reboot the system:
root@switch# exit
root@switch> exit
Reboot the system? [y/n] y
That’s all that needs to be done; after the reboot you can use the new root password to log in.
3COM Auto Voice-VLAN
One of my customers told me today that they were not able to make any calls on their Alcatel IP phones from a remote office location: the IP phones were unable to retrieve an IP address from the DHCP server. After several minutes of troubleshooting I pinpointed the problem to their 3Com SuperStack 4500 switch, which had received a software update a few days earlier. Comparing the current configuration with the configuration from before the update did the trick: the "voice vlan mac-address" line, which is needed to put the IP phones in the correct VLAN, was missing. I’m not an experienced 3Com professional, so I had to dig into the technical details to find out why this command is so essential when using VoIP.
There are several ways to configure the correct Voice VLAN for your IP phones. One of them is to define the VLAN locally on every IP phone, but I’d prefer to use DHCP options to distribute the VLAN information to the phones. 3Com also has a feature that automatically adds the correct Voice VLAN when an IP phone is connected to the switch; this feature is called "Auto Voice-VLAN". How does it actually work, and what needs to be configured?
How does it work?
Every Ethernet network device has a MAC address burned in at the factory, a 48-bit address used for identification at the data-link layer (OSI layer 2). A MAC address is printed in a human-friendly format consisting of 6 groups of 2 hexadecimal digits. The first 12 hexadecimal digits represent the Organizationally Unique Identifier (OUI), which is assigned to the vendor of the network device; for example, OUI 00-03-6b identifies a Cisco IP phone.
3Com’s "Auto Voice-VLAN" feature uses these OUIs to identify IP phones: it automatically adds the dedicated Voice VLAN to an edge port when an IP phone is connected to it, and removes the VLAN again when the phone is disconnected.
What needs to be configured?
1. First of all, define the dedicated Voice VLAN.
[3Com-Switch] vlan 120
2. Enable the Voice VLAN on the switch.
[3Com-Switch] voice vlan 120 enable
3. Define the OUIs of every type of IP phone that will be connected to the 3Com switch (only if they are not already present in the switch’s default configuration).
[3Com-Switch] voice vlan mac-address 0080-9f00-0000 mask ffff-ff00-0000 description Alcatel
4. Enable the Voice feature on every edge port where IP Phones may be connected.
[3Com-Switch] interface Ethernet 1/0/1
[3Com-Switch-Ethernet1/0/1] port-link type hybrid
[3Com-Switch-Ethernet1/0/1] voice vlan enable
That’s all that needs to be done! When an Alcatel IP phone is connected to Ethernet port 1/0/1, it is recognized as a voice-enabled device and its traffic is tagged with VLAN ID 120. Don’t forget to enable Power over Ethernet (PoE) on the interface if needed.
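To make the OUI matching behind "Auto Voice-VLAN" concrete, here is an added example (my own Python, not 3Com code) that applies the "voice vlan mac-address ... mask ..." entries from the steps above to a port’s source MAC address and decides whether the voice VLAN should be added. The Alcatel entry and VLAN 120 come from the article; the Cisco entry and the sample MAC addresses are constructed. The mask ffff-ff00-0000 keeps only the first three octets, i.e. the OUI, so any device whose MAC starts with 00-80-9f is treated as an Alcatel phone.

```python
# Simulation of the 3Com Auto Voice-VLAN OUI match (added example, not 3Com code).
# Each table entry mirrors one "voice vlan mac-address <addr> mask <mask>" line.

VOICE_VLAN = 120  # value from "voice vlan 120 enable" in the article

# (address, mask, description) in 3Com's xxxx-xxxx-xxxx notation.
# The Alcatel line is from the article; the Cisco line is constructed from the
# 00-03-6b OUI mentioned in the text.
OUI_TABLE = [
    ("0080-9f00-0000", "ffff-ff00-0000", "Alcatel"),
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco"),
]


def mac_to_int(mac: str) -> int:
    """Parse 'xxxx-xxxx-xxxx', 'xx:xx:xx:xx:xx:xx' or 'xx-xx-xx-xx-xx-xx' into a 48-bit int."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def matches_oui(mac: str, address: str, mask: str) -> bool:
    """True when the bits selected by mask are identical in mac and address."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(address) & m)


def voice_vlan_for(mac: str, table=OUI_TABLE, voice_vlan=VOICE_VLAN):
    """Return (vlan_id, description) for a recognised phone OUI, else (None, None).

    This is the decision a port with "voice vlan enable" makes on the source MAC
    of an incoming frame; it only inspects the address, it does not authenticate it.
    """
    for address, mask, description in table:
        if matches_oui(mac, address, mask):
            return voice_vlan, description
    return None, None


if __name__ == "__main__":
    # Constructed sample MACs: an Alcatel phone, a Cisco phone and a plain laptop.
    for sample in ("00:80:9F:12:34:56", "0003-6b4a-5c6d", "00:1c:42:aa:bb:cc"):
        vlan, vendor = voice_vlan_for(sample)
        verdict = f"voice VLAN {vlan} ({vendor})" if vlan else "data VLAN only"
        print(f"{sample:>20} -> {verdict}")
```

Because the match is purely on the source MAC, a device that merely claims a phone OUI also lands in the voice VLAN; treat Auto Voice-VLAN as a convenience for classification, and keep the voice VLAN’s access policies and 802.1X (where supported) as the actual controls.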
For more information about OUIs and assignments go to the IEEE Standards Association website.