802.1x with Internal Captive Portal

Hi all,

I have a requirement of doing multifactor authentication when connecting to our Wireless LAN. Basically, the layer 2 authentication will be EAP-TLS (machine certificate only). Once authenticated, the user will be forced to an internal Captive Portal that will authenticate the user to Active Directory (thus, machine and user authentication).

I believe I set up everything as required, but I'm looking for some clarification and confirmation of best practices.

The AAA profile specifies that the default role should be a guest-logon type user role. From the guest-logon user role, it is assigned a captive portal profile. After successfully authenticating with the captive portal, the user role is assigned authenticated. Correct?

Question - For AAA profiles, what is the difference between the Initial Role and 802.1x Authentication Default Role? If you're using 802.1x, does the initial role even matter or does one take precedence over another? Also, would it better suit my objectives to use the "Enforce Machine Authentication" with "Default Machine Role" and "Default User Role" in the 802.1x profile instead?

Thanks in advance.
Tim
Re: 802.1x with Internal Captive Portal


After successfully authenticating with the Captive Portal, the user role is then the "Default Role" specified in the Captive Portal authentication profile; the AAA profile is not in play when Captive Portal authentication is being done.

When you are doing 802.1x in the AAA profile, the 802.1x profile is what a user gets, UNLESS you have a server derivation rule in the server group that overrides this (like if your RADIUS server returned an attribute). You are doing the right thing; you do not need enforce machine authentication.


Colin Joseph
Aruba Customer Engineering
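
The role precedence described in the reply above, modelled as an added example (not part of the original thread and not Aruba's code). The role names, the `Filter-Id` derivation rule and the treatment of the initial role as the pre-authentication role are assumptions; the last function flags server derivation rules that would place a client in a role with no captive portal, skipping the user login step.

```python
# Added example: models the role precedence stated in the reply. Names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Tuple

@dataclass
class CaptivePortalProfile:
    default_role: str  # role granted once portal login succeeds

@dataclass
class AAAProfile:
    initial_role: str        # assumption: held until 802.1X completes
    dot1x_default_role: str  # role after 802.1X succeeds
    # server derivation rules: (RADIUS attribute, value) -> role
    server_derivation: Dict[Tuple[str, str], str] = field(default_factory=dict)

def role_after_dot1x(aaa, radius_attrs):
    """802.1X default role, unless a server derivation rule overrides it."""
    for (name, value), role in aaa.server_derivation.items():
        if radius_attrs.get(name) == value:
            return role
    return aaa.dot1x_default_role

def resolve_role(aaa, roles, dot1x_ok, radius_attrs=None, portal_ok=False):
    """roles maps a user role to its captive portal profile (or None)."""
    if not dot1x_ok:
        return aaa.initial_role
    role = role_after_dot1x(aaa, radius_attrs or {})
    cp = roles.get(role)
    if cp is not None and portal_ok:
        return cp.default_role  # taken from the CP profile, not the AAA profile
    return role

def portal_bypass_rules(aaa, roles):
    """Derivation rules landing in a role with no captive portal: user login is skipped."""
    return [(rule, role) for rule, role in aaa.server_derivation.items()
            if roles.get(role) is None]

# Constructed sample configuration
SAMPLE_ROLES = {"logon": None, "cp-logon": CaptivePortalProfile("authenticated"),
                "authenticated": None}
SAMPLE_AAA = AAAProfile("logon", "cp-logon", {("Filter-Id", "it-admin"): "authenticated"})

if __name__ == "__main__":
    print(resolve_role(SAMPLE_AAA, SAMPLE_ROLES, dot1x_ok=True))
    print(resolve_role(SAMPLE_AAA, SAMPLE_ROLES, dot1x_ok=True, portal_ok=True))
    print(portal_bypass_rules(SAMPLE_AAA, SAMPLE_ROLES))
```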
