Captive Portal. Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires action on the part of the user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users. Captive Portal Overview.
While you can use captive portal to authenticate users, it does not provide for encryption of user data and should not be used in networks where data security is required.
Captive portal is most often used for guest access, access to open systems such as public hot spots, or as a way to connect to a VPN.
You can use captive portal for guest and registered users at the same time. The default captive portal web page provided with ArubaOS displays login prompts for both registered users and guests. You can also load up to 16 different customized login pages into the controller. The login page displayed is based on the SSID to which the client associates. The PEFNG license provides identity-based security to wired and wireless clients through user roles and firewall rules.
You must purchase and install the PEFNG license on the controller to use identity-based security features. There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed.
Later sections in this chapter describe how to configure captive portal in the base operating system without the PEFNG license and with the license installed. The Aruba controller is designed to provide secure services through the use of digital certificates.
A server certificate installed in the controller verifies the authenticity of the controller for captive portal. Aruba controllers ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the controller, this demonstration certificate is used by default for all secure HTTP connections such as captive portal. This certificate is included primarily for the purposes of feature demonstration and convenience and is not intended for long-term use in production networks.
Users in a production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). Once you have imported a server certificate into the controller, you can select the certificate to be used with captive portal as described in the following sections.
Under Captive Portal Certificate, select the name of the imported certificate from the drop-down list. Click Apply. To select a certificate for captive portal using the command-line interface, access the CLI in config mode and issue the following commands:
To specify a different server certificate for captive portal with the CLI, use the no command to revert back to the default certificate before you specify the new certificate:
The base operating system (ArubaOS without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users.
In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources. When you create a captive portal profile in the base operating system, an implicit user role is automatically created with the same name as the captive portal profile. In this section, you create an instance of the captive portal authentication profile and the AAA profile.
To configure captive portal authentication via the command-line interface, access the CLI in config mode and issue the following commands: The captive portal authentication profile specifies the captive portal login page and other configurable parameters.
The initial user role configuration must include the applicable captive portal authentication profile instance. Therefore, you need to modify the guest-logon user role configuration to include the guestnet captive portal authentication profile. To modify the guest-logon role via the command-line interface, access the CLI in config mode and issue the following commands: In this section, you configure the guestnet AAA profile, which specifies the previously-created guest-logon role as the initial role for clients who associate to the WLAN.
To configure the AAA profile via the command-line interface, access the CLI in config mode and issue the following commands: Temporary user accounts are created in the internal database on the controller. You can create a user role which will allow a receptionist to create temporary user accounts. Guests can use the accounts to log into a captive portal login page to gain Internet access.
See Creating Guest Accounts for more information about configuring guest provisioning users and administering guest accounts. In the CLI, you configure these options with the aaa authentication captive-portal commands. Name of an existing black list on an IPv4 or IPv6 network destination.
The black list contains websites (unauthenticated) that a guest cannot access. Role assigned to the Captive Portal user upon login.
When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role. Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, users are redirected to the web URL immediately after they log in.
CPU utilization percentage above which the Logon wait interval is applied when presenting the user with the logon page.
Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
Is there a Captive Portal Setup Guide
New Contributor: I have tried my darndest to set this thing up to no avail - I can't seem to get the splash screen to load. Any help appreciated.
Aruba Employee: You can test directly by typing an IP address in the address bar of the browser. Can you confirm DNS is able to resolve? The reason this is required is because the browser doesn't send a port 80 HTTP call until DNS is resolved.
That is my problem - there is no DNS access from my current setup. Thanks for the help!
The documentation has a pretty good section on doing the captive portal stuff. You have that right?
Actually I do not have the documentation no.
It's available from the support site. I would download it, it's got a decent little section on guest networking and captive portal.
Would you be able to provide a link - not sure where I should be looking. Much appreciated!
Click on documentation and the version of ArubaOS you are using, that will take you to the user guides. I would also recommend trying out the reusable wizard in the WebUI. It will set up the profiles for you. It also has a handy feature in that whatever SSID you specify for the guest network, all related profiles will have the SSID included in the profile name. This will help you learn what's required to operate the CP if you still want to do it manually.
In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG (Policy Enforcement Firewall) license.
A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network.
Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.
When you create a captive portal
A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names.
It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element.
A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the web servers and browsers should take in response to various commands.
HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. You cannot directly modify the implicit user role or its rules.
Upon authentication, captive portal
In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN.
The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal
Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance. Following are the tasks for configuring captive portal:
Create the Server Group name. In this example, the server group name is cp-srv.
If you are configuring captive portal
For more information about configuring authentication servers and server groups, see Authentication Servers.
Create Captive Portal Authentication Profile. In this example, the profile name is c-portal.
Create and configure an instance of the captive portal
Creating the captive portal
ACL is a common way of restricting certain types of traffic on a physical port.
Creating the c-portal profile creates an implicit user role called c-portal. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. For the initial role, enter the implicit user role that was created. Create a Virtual AP Profile.
Captive Portal Configuration
Occasional Contributor II: Could I request a tutorial or guide we could use in configuring the captive portal? The end user requires us to integrate the existing logon page from their existing controller to the new controller. We have already uploaded the existing HTML script from the controller but we are unable to view the webpage. Currently we are using the default CP of Aruba controller.
Re: Captive Portal Configuration. I might be wrong but it looks like you're trying to upload an unspecified HP controller captive portal page into an Aruba controller?
A number of tasks are necessary to configure a fully functional guest WLAN.
Some of this work is simplified through the use of the configuration wizards, and Aruba highly recommends that you use the wizard where possible. The following list outlines the tasks necessary to configure captive portal authentication: Configure guest provisioning and create guest user accounts required. The guest users must be isolated to a subnet that is hidden from the corporate network. Defining a VLAN subnet that is local to the controller restricts the guests to a subnet that is not routable in the core network.
This VLAN adds an additional layer of security to the design by hiding the IP addressing scheme used in the core network from guests and users who accidentally associate with the guest WLAN. Source-NATing allows the guest users to reach the allowed destinations while they are still isolated from the core network. Test that the DNS services are working properly from the guest subnet. A functional DNS service is an integral part of captive portal authentication process.
Use the public DNS server in your location. If a public DNS server is not available in your region, the guest users should be allowed access to the internal DNS server. In the Aruba user-centric network, every client is associated with a user role.
The user roles that are enforced through the firewall policies determine the network privileges of a user. A policy is a set of rules that applies to the traffic that passes through the Aruba devices. The rules and policies are processed in a top-down fashion, so the position of a rule within a policy and the position of a policy within a role determine the functionality of the user role.
When you construct a role, you must put the rules and policies in the proper order. Usually, guests are assigned two different roles.
The first role is assigned when they associate to the guest SSID, and the other is assigned when they authenticate successfully through the captive portal. Only the guests who successfully authenticate are allowed to use the services needed to connect to the Internet. Consider the guest-logon role as the initial role and the auth-guest role for authenticated guests.
Before these two roles are configured, the policies that are associated with them must be configured. A policy might have one or more rules that apply to several networks or hosts. Creating a separate rule for each host or network might be laborious and will increase the number of rules in the policy.
The network destination alias feature in the ArubaOS can be used to simplify firewall policies that have a set of rules that are common to a group of hosts, domains, or networks. The network destination alias feature in the ArubaOS can be used to group several hosts or networks. Aliases can be used when several rules have protocols and actions common to multiple hosts or networks. The IP addresses can be added by host, network, or range.
When the invert parameter of an alias is enabled, the rules that use that alias are applied to all the IP addresses, domains and hostnames except those specified in the alias.
Table 5 lists the aliases that will be useful in configuration of user roles. These are OpenDNS servers. For more details on OpenDNS see www. Guest roles are made up of a number of policies that can be predefined and reused in the system. The following sections describe the policies that will be used to define the rights of the guest in their various roles.
The guest-logon-access policy is similar to the predefined logon-control policy, but it is much more restrictive. The guest-logon-access policy is a part of the guest-logon and auth-guest roles. The rules defined in this policy allow these exchanges: Remember that the guests should be allowed to access only the local resources that are required for IP connectivity. Table 6 summarizes the rules used by the guest-logon-access policy.
This rule drops responses from a personal DHCP server.
Hi guys, I just attended the Clearpass Essentials training which I can highly recommend and wrote this tutorial for me because I'm a big fan of step-by-step guides. It's nothing new but I couldn't find such a correct step-by-step guide which fulfilled my needs. And additionally the controller configuration part is missing in the training guides - I added it here in chapter 5.
I'm sharing this and hope it's useful to you. Any feedback is welcome! This will help you understand what is being configured in the controller regarding the dependencies of the profiles. These are the values I will use in this tutorial. I summarize them here so you can use this section for preparing, adjusting and "re-finding" your values when you do your own implementation. MAC Authentication Profile: default. Leave the rest of the fields blank or by default.
Configuring the Aruba Controller. Key: aruba (shared key between controller and Clearpass).
Ditto that. I attended the Clearpass Fundamentals and my head exploded. Couldn't wait to get back to the office to get my Guest Register pages up and running.
Great doc. But a question. We have something like this in place, however it doesn't consume guest licenses.
Thank you for your post. I'm implementing a brand new iAPs environment. Are the steps similar with the exception of controller configurations?
You do this tutorial (beware, it's slightly outdated due to new features in Clearpass) and then you create a Guest Selfregistration page menu item above Weblogins and you put a link to it from the Weblogin page you created in the tutorial here.
You skip the Weblogin step in this tutorial and you directly use the Weblogin page which is created in the Guest Selfregistration process.