Captive Portal Authentication (ArubaOS 3x)
I’ve been figuring out how to configure the ‘Captive Portal’ authentication feature of Aruba’s Wireless Controller. I found that Aruba’s configuration guide is very outdated on this topic: there is a configuration guide available for ArubaOS 2x, but not for version 3x.
In this article I will explain how to configure secure guest access by presenting a ‘Captive Portal’ when users log on to the wireless network. This is only a very basic configuration example, based on the diagram shown below:
Please note: in my example I’ve used an Aruba 3200 Mobility Controller running ArubaOS 3.1 with an AP 65; some configuration steps may differ for your controller.
Required licenses:
- ArubaOS 3x: Comes standard with all Aruba Mobility Controllers.
- Policy Enforcement Firewall module (PEF): Required to define user roles, firewall ACL policies and role derivation rules.
Configure base system:
For the base configuration you’ll need to log in to the Mobility Controller using the serial (console) connection; do not use the Graphical User Interface (GUI) for these steps, to avoid disruptions. All further configuration will be done via the GUI.
1. When you first connect to the Aruba Mobility Controller, an initial setup dialog is displayed. I followed the initial setup and configured the following settings:
- System name: Aruba-master
- VLAN 1 interface IP Address: 192.168.0.1
- VLAN 1 interface subnet mask: 255.255.255.0
- IP Default Gateway: 192.168.0.254
- Switch role: Master
- Country Code: NL
- Time Zone: PST-8:0
2. The next step is to configure the loopback interface, which is required for communication with the Access Points (APs), and a VLAN for wireless guest access. First I’ll configure the loopback interface as shown below:
(Aruba-master) #configure terminal
(Aruba-master) (config) #interface loopback
(Aruba-master) (config-loop)# ip address 192.168.0.2
3. Next I’m creating a new VLAN for wireless guest access; in my example VLAN 100 is created for guest usage, as shown below:
(Aruba-master) (config) #vlan 100
(Aruba-master) (config) #interface vlan 100
(Aruba-master) (config-subinf) #ip address 192.168.100.1 255.255.255.0
4. In my example I will configure Ethernet port 0 as dedicated to the internal network (192.168.0.0/24) and Ethernet port 1 as dedicated to the guest network (192.168.100.0/24), as shown below. Note that only the internal port is marked ‘trusted’: the guest port is deliberately left untrusted, so that guest traffic is subject to the role-based firewall policies on which the captive portal relies.
(Aruba-master) (config) #interface gigabitethernet 1/0
(Aruba-master) (config-if) #description Internal_Network
(Aruba-master) (config-if) #switchport access vlan 1
(Aruba-master) (config-if) #trusted
(Aruba-master) (config) #interface gigabitethernet 1/1
(Aruba-master) (config-if) #description Guest_Network
(Aruba-master) (config-if) #switchport access vlan 100
5. Next we need to configure the redirection address for the captive portal; in my example this is the IP address of the VLAN 100 interface (Guest Network), as shown below:
(Aruba-master) (config) #ip cp-redirect-address 192.168.100.1
6. Ok, now that the base configuration is completed, save it and reboot your Aruba Mobility Controller for the changes to take effect, as shown below:
(Aruba-master) (config) #exit
(Aruba-master) #write memory
(Aruba-master) #reload
Do you really want to reset the system (y/n): y
System will now restart!
Configuring secure guest access:
Now I’m going to configure secure guest access by configuring a ‘Captive Guest Portal’. I will use the Graphical User Interface (GUI) for the following configuration steps.
1. First I’m going to configure the DHCP pool for the wireless guest users; you can also use a dedicated DHCP server (e.g. Microsoft). From the Configuration tab go to ‘Network>IP’ as shown below:
2. You’ll see several tabs regarding the IP configuration of the Mobility Controller; choose ‘DHCP Server’ and then add a new ‘Pool Configuration’ as shown below:
3. Enable DHCP by ticking the ‘Enable DHCP Server’ checkbox and apply your configuration.
4. Now that the IP configuration is completed we need to configure the wireless profiles. From the Configuration tab go to ‘Advanced Services>All Profiles’ as shown below:
5. Expand ‘Wireless LAN’ and choose the ‘SSID Profile’ submenu as shown below:
6. There’s already a default SSID profile present, but best practice is to manually add a new SSID profile as shown below:
7. Edit the new SSID profile settings: choose an ‘SSID Network Name’ for your guest network and make sure the 802.11 security settings are set to ‘None’ for authentication and ‘Open’ for encryption, as shown below:
8. Now that we have an SSID profile for guest access, the next step is to create an AAA profile. Go to the ‘AAA Profile’ submenu as shown below:
9. There are several default AAA profiles available; create a new profile as shown below:
10. Edit the new AAA profile settings and make sure the ‘Initial role’ is set to ‘guest-logon’ as shown below:
11. The next step is to configure a ‘Virtual AP Profile’; it’s available as a submenu of the ‘Wireless LAN’ menu as shown below:
12. There’s a default profile available, but it’s best to create a new profile manually as shown below:
13. Select the VLAN you’ve created for guest access, in my example VLAN 100, as shown below:
14. Now you need to link your previously created SSID profile and AAA profile to your Virtual AP profile as shown below:
15. The next step is to configure the ‘Captive Portal Authentication Profile’; it’s available as a submenu of the ‘Wireless LAN’ menu as shown below:
16. There’s a default profile present, but it’s best to make a new profile manually as shown below:
17. Edit the new Captive Portal Profile settings; it’s important to define a ‘default role’. I’ve chosen the default ‘guest’ role, which only allows ICMP, DNS, HTTP and HTTPS, as shown below:
18. Now you’ll have to define the server group for the Captive Portal Profile. I’ve chosen the internal database for simplicity (RADIUS, LDAP and TACACS+ are supported), as shown below:
19. The next step is to configure an ‘AP Group’, which can be found under the Configuration tab at ‘Wireless>AP Configuration’ as shown below:
20. There’s a default group available, but it’s best to create a new ‘AP Group’ as shown below:
21. You’ll need to link the previously created Virtual AP Profile to the new AP group; it can be found under the ‘Wireless LAN’ menu as shown below:
22. The next step is to create a management user who is allowed to generate tickets for guest provisioning. From the Configuration tab go to ‘Management>Administration’ as shown below:
23. Create a new administrative user and assign the role ‘guest-provisioning’ as shown below:
24. Now we need to edit the user role ‘guest-logon’ to activate the newly created captive portal. From the Configuration tab go to ‘Security>Access Control’ as shown below:
25. Edit the user role ‘guest-logon’ and assign the guest VLAN and captive portal profile to the user role as shown below:
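The GUI steps above, collected as the equivalent ArubaOS 3.x CLI configuration. This is an added example and not part of the original post; the profile, pool and group names (Guest-Pool, Guest-SSID, Guest-AAA, Guest-CP, Guest-VAP, Guest-APs), the ESSID and the DNS server address are constructed and should be replaced with your own.

```text
! Added example: CLI equivalent of the GUI steps (ArubaOS 3.x syntax).
! All names and the DNS server address below are constructed placeholders.
!
! DHCP pool for the guest VLAN; the gateway is the VLAN 100 interface address
ip dhcp pool Guest-Pool
  network 192.168.100.0 255.255.255.0
  default-router 192.168.100.1
  dns-server 192.168.100.254
!
service dhcp
!
! Open SSID: no 802.11 authentication or encryption, the portal does the login
wlan ssid-profile "Guest-SSID"
  essid "Guest"
  opmode opensystem
!
! AAA profile: unauthenticated clients land in the restricted guest-logon role
aaa profile "Guest-AAA"
  initial-role "guest-logon"
!
! Captive portal profile: after login users get the built-in "guest" role
! (ICMP, DNS, HTTP, HTTPS only); credentials are checked against the
! controller's internal database
aaa authentication captive-portal "Guest-CP"
  default-role "guest"
  server-group "internal"
!
! Virtual AP: ties the SSID profile, AAA profile and guest VLAN together
wlan virtual-ap "Guest-VAP"
  vlan 100
  ssid-profile "Guest-SSID"
  aaa-profile "Guest-AAA"
!
! AP group: every AP provisioned into it broadcasts the guest virtual AP
ap-group "Guest-APs"
  virtual-ap "Guest-VAP"
!
! Make the guest-logon role use the new portal profile and the guest VLAN
user-role guest-logon
  vlan 100
  captive-portal "Guest-CP"
!
```

Pasting this into configure terminal mode replaces only the captive-portal reference of the built-in guest-logon role; its existing firewall policies (the HTTP redirect to the portal, DNS and DHCP) stay in place.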
Ok, this is all that needs to be done to configure secure guest access with a Captive Portal. If you provision an Access Point (AP) with the right AP Group, the guest SSID will appear and a Captive Portal will be presented when users try to browse the Internet. I recommend fine-tuning the user roles and policies, as this is only a very basic setup.