07-19-13 Expert Day

New Contributor

How to authenticate on IAP using external captive portal and radius server

Hi,

 

I am trying to setup an IAP using an external captive portal and a radius server.

I would highly appreciate any information about how to post the authentication back to the IAP

and how to de-authenticate or obtain the list of authenticated users on the IAP.

 

Any documents, link or knowledge base on the subject would help.

 

Thanks.

Re: How to authenticate on IAP using external captive portal and radius server

Hi,

Take a look here - you have all the needed info here:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Aruba-and-Windows-2008-NPS-issue/m-p/34609/highlight/true#M3312

http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/External%20RADIUS%20Server.htm

http://digitalherpes.wordpress.com/2011/11/26/creating-self-signed-certificates-for-aruba-iap-eap-authentication/

 

 

have a lovely day,

 

me

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba Employee

Re: How to authenticate on IAP using external captive portal and radius server

Mikehctam,

 

The links below will give you some ideas:
http://www.youtube.com/watch?v=SFPgbUu-y-g

http://www.youtube.com/watch?v=9x5uvhn2pHg

 

Thanks,

MKS
New Contributor

Re: How to authenticate on IAP using external captive portal and radius server

Hi MKS,

 

Thank you for your prompt reply.

 

I found this, which was more related to what I was looking for:

 

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/IAP-and-external-Captive-Portal/td-p/17868

 

The scheme is as follows:

1. User types his/her credentials and submits a form.
2. The form has to be a POST form that contains the elements that were mentioned previously in this thread.
3. IAP processes the request by querying RADIUS.
4. RADIUS accepts/declines the creds.
5. User has been authenticated and is redirected to the requested/configured page.

 

Form as follows:

 

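<html>
<body>
<table border="1">
    <tr>
    <td colspan="2"><h2>HTTP Request Headers </h2></td>
    </tr>
<?php
// Dump every parameter received on the redirect. The values are
// client-controlled, so HTML-escape them before writing them to the page.
foreach ($_REQUEST as $key => $value) {
    $shown = is_scalar($value) ? (string) $value : json_encode($value);
?>
    <tr>
    <td><?php echo htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8'); ?></td>
    <td><?php echo htmlspecialchars($shown, ENT_QUOTES, 'UTF-8'); ?></td>
    </tr>
<?php
}
?>
</table>
<!-- Login form: the IAP processes this POST by querying RADIUS with user/password. -->
<form method="POST" action="https://securelogin.arubanetworks.com/cgi-bin/login">
<input type="hidden" name="user" value="iap_user">
<input type="hidden" name="password" value="iap_user">
<input type="hidden" name="cmd" value="authenticate">
<input type="hidden" name="mac" value="<?php echo htmlspecialchars($_REQUEST['mac'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">
<input type="hidden" name="essid" value="IAP_HOTSPOT">
<input type="hidden" name="ip" value="<?php echo htmlspecialchars($_REQUEST['ip'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">
<input type="hidden" name="url" value="http://www.datavalet.com">
<input type="submit" value="IAP Login" name="Log In">
</form>
</body>
</html>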

 

User / password could be dynamically set in RADIUS.

 

This works.

 

But there doesn't seem to be anything about the up/down bandwidth which I want to apply on a user basis.

Also there is nothing about de-authentication and authenticated user list.

It also seems that the Re-auth did not work as expected either.

 

 

Aruba Employee

Re: How to authenticate on IAP using external captive portal and radius server


mikehctam wrote:

 

But there doesn't seem to be anything about the up/down bandwidth which I want to apply on a user basis.


IAP supports bandwidth limits on a per-user basis.  It's under the advanced options of the IAP.

 

Instant.png


mikehctam wrote:

 

Also there is nothing about de-authentication and authenticated user list.


The advanced features you are looking for are not too easy to do with a generic FreeRADIUS server and a custom made captive portal. ClearPass Guest offers these features natively. I'll include some screenshots from ClearPass Guest to give you an idea of how they work.

 

 

Client de-authentication requires RFC-3576 support, which allows the RADIUS server to send Change of Authorization requests (CoA) to the RADIUS client.  You can disconnect a user at will by sending a Disconnect Request type of CoA.  I'd suggest reading the RFC to find out how exactly this can be done.  Or, hopefully your RADIUS server can already support this.

 

To get an authenticated user list, your RADIUS server needs to process RADIUS accounting requests sent from the IAP.  The accounting requests will be sent when the user initially authenticates (Accounting Start) and when they disassociate / age out of the IAP (Accounting Stop).  These accounting records allow you to be aware of which users are authenticated.

 

For both the de-authentication feature and a list of authenticated users feature, see the screenshot below for an idea of what ClearPass Guest offers.  This is a list of active sessions and is kept track of by using RADIUS accounting records.  Hitting the Disconnect button will send an RFC-3576 Disconnect Request to the IAP.

 

Screen Shot 2013-07-19 at 1.21.49 PM.png


mikehctam wrote:

 

It also seems that the Re-auth did not work as expected either.


Can you clarify what didn't work?  Re-authentication interval on IAP will force the user to perform captive portal authentication again.  You should see the role changed from the post-auth role to the pre-auth role when the re-auth interval occurs.
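
The two mechanisms described in the reply above (a user list kept from RADIUS Accounting Start/Stop records, and an RFC 3576 Disconnect-Request), as an added Python example that is not part of the original thread and is not Aruba or ClearPass code. The attribute set (Acct-Session-Id, User-Name, Calling-Station-Id), the shared secret and the sample records are assumptions constructed for illustration; check which attributes your IAP actually sends.

```python
import hashlib, hmac, struct

ACCT_REQUEST, DISCONNECT_REQUEST, START, STOP = 4, 40, 1, 2  # packet codes; Acct-Status-Type
USER_NAME, CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 31, 40, 44  # attr types

def build(code, ident, attrs, secret):
    """Request Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse(packet, secret):
    """Return (code, {attr_type: value}); reject packets not signed with secret."""
    length_ok = len(packet) >= 20 and int.from_bytes(packet[2:4], "big") == len(packet)
    expect = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not length_ok or not hmac.compare_digest(expect, packet[4:20]):
        raise ValueError("bad length or authenticator")
    attrs, i = {}, 20
    while i + 2 <= len(packet) and packet[i + 1] >= 2:
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return packet[0], attrs

def track(sessions, packet, secret):
    """Apply one Accounting-Request to the user table (assumed attributes present)."""
    code, a = parse(packet, secret)
    if code != ACCT_REQUEST:
        raise ValueError("not an Accounting-Request")
    sid = a[ACCT_SESSION_ID].decode()
    status = int.from_bytes(a[ACCT_STATUS_TYPE], "big")
    if status == START:
        sessions[sid] = (a[USER_NAME].decode(), a[CALLING_STATION_ID].decode())
    elif status == STOP:
        sessions.pop(sid, None)

def disconnect_request(ident, sid, session, secret):
    """Build the RFC 3576 Disconnect-Request naming one tracked (user, mac) session."""
    attrs = [(USER_NAME, session[0].encode()), (CALLING_STATION_ID, session[1].encode()),
             (ACCT_SESSION_ID, sid.encode())]
    return build(DISCONNECT_REQUEST, ident, attrs, secret)

def demo(secret=b"constructed-secret"):
    """Constructed records: alice and bob start sessions, then alice's session stops."""
    sessions = {}
    events = [(START, b"s1", b"alice"), (START, b"s2", b"bob"), (STOP, b"s1", b"alice")]
    for n, (status, sid, user) in enumerate(events):
        attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, sid),
                 (USER_NAME, user), (CALLING_STATION_ID, b"02-00-00-00-00-0" + sid[1:])]
        track(sessions, build(ACCT_REQUEST, n, attrs, secret), secret)
    return sessions
```

An accounting packet whose authenticator does not verify against the shared secret is rejected before it can change the session table, so a spoofed Stop record cannot silently drop a user from the list.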
