ArubaOS and Controllers

Occasional Contributor I
Posts: 5
Registered: ‎04-22-2011

Employee can login into Guest SSID using captive portal for guest

Hi friends,

Firstly, sorry for my bad English.

I am using an Aruba Controller 3600 and AP-93 at my office.
I have two SSIDs: Employee SSID and Guest SSID, using the same VLAN.

Employee user must connect to EMPLOYEE SSID and login using captive portal to access. (using username and password for employee)
Employee user can access to all system and internet.

Guest must connect to GUEST SSID and login using captive portal to access. (Using Guest username and password for guest)
Guest can access to internet only.

My question is: if I connect to the GUEST SSID and enter an employee username and password at the guest captive portal, can I still connect and access the system?

What is the solution to prevent employee or guest usernames and passwords from accessing the different captive portal?

Thanks for helping.
Sorry for my bad English.....
Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Employee can login into Guest SSID using captive portal for guest

Logins for the Captive Portal are done using a Captive Portal Authentication profile. In that profile, there is a server group configured. You need to look at the Captive Portal Authentication Profile for the guest network and the Captive Portal Authentication Profile for the employee network and make sure they are not using the same server group.

From what you are saying, it seems that the server group in use for the guests has both the employee server and the internal database in there, so either employees or guests can authenticate successfully. You might want to replace that server group with the "default" server group that only has the internal database. You can find the Captive Portal authentication profile by going to Configuration > Advanced > All Profiles. Expand Wireless LAN. Expand Captive Portal authentication profile and you should find the profiles for guests and the profiles for employees. Take a look at the server groups and edit them from there.


Colin Joseph
Aruba Customer Engineering
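
The check described in the reply above (which server group each captive portal profile uses, and which authentication servers end up accepted by more than one portal) can be run against an exported configuration. This is an added example, not part of the original posts and not Aruba code; the sample config, profile names and server names are constructed, and the parser assumes simple stanza-style output with `!` separators and names without spaces.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a controller running-config.
# All profile, group and server names here are hypothetical.
SAMPLE_CONFIG = """\
aaa server-group "default"
 auth-server Internal
!
aaa server-group "staff-sg"
 auth-server staff-ldap
 auth-server Internal
!
aaa authentication captive-portal "guest-cp"
 server-group "staff-sg"
!
aaa authentication captive-portal "staff-cp"
 server-group "staff-sg"
!
"""

STANZA = re.compile(r'aaa (server-group|authentication captive-portal) (\S+)$')

def parse(text):
    """Return ({group: [auth servers]}, {portal profile: group})."""
    groups, portals, current = defaultdict(list), {}, None
    for raw in text.splitlines():
        line = raw.strip().replace('"', '')
        if not line or line == '!':
            current = None                      # end of stanza
        elif not raw[0].isspace():              # unindented line starts a stanza
            m = STANZA.match(line)
            current = m.groups() if m else None
            if m and m.group(1) != 'server-group':
                # Assumption: a profile with no server-group line uses "default".
                portals[m.group(2)] = 'default'
        elif current:
            key, _, value = line.partition(' ')
            if current[0] == 'server-group' and key == 'auth-server':
                groups[current[1]].append(value)
            elif current[0] != 'server-group' and key == 'server-group':
                portals[current[1]] = value
    return groups, portals

def shared_auth_servers(text):
    """Map each auth server to the portal profiles that accept it, if more than one."""
    groups, portals = parse(text)
    accepted = defaultdict(set)
    for portal, group in portals.items():
        for server in groups.get(group, []):
            accepted[server].add(portal)
    return {s: sorted(p) for s, p in accepted.items() if len(p) > 1}

if __name__ == '__main__':
    for server, profiles in shared_auth_servers(SAMPLE_CONFIG).items():
        print(f'{server}: accepted by {", ".join(profiles)}')
```

Any server listed in the result will authenticate its accounts on every portal named beside it, which is the behaviour reported in this thread.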


Occasional Contributor I
Posts: 5
Registered: ‎04-22-2011

Re: Employee can login into Guest SSID using captive portal for guest

Thanks Joseph,

Yes, you are right.

How can I separate the captive portal login for Guest and Employee?
I just want Guest user IDs and passwords to be unable to log in to the Employee captive portal.

Thanks for your help.
Occasional Contributor I
Posts: 5
Registered: ‎04-22-2011

Re: Employee can login into Guest SSID using captive portal for guest

Please, someone help me. I need our Aruba expertise to solve my problem.

We use the internal database on the Aruba Controller.
We don't have an AD server or RADIUS server.

We have two SSIDs: Guest and Employee.
Both use a captive portal for login.

The problem is that a Guest username/password can connect to the Employee SSID and log in to the captive portal.
And an Employee username/password can connect to the Guest SSID and log in to the captive portal.

Can someone tell me how to solve my problem? I am new to Aruba products.
I want Guest users to only be able to access the Guest SSID and log in at the Guest captive portal.
And Employee users to only be able to access the Employee SSID and log in at the Employee captive portal.

Please please.....
Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Employee can login into Guest SSID using captive portal for guest

If you need to get this resolved quickly, please send an email to support@arubanetworks.com and open a case instead. There is a limit to how much information we can ask you for on this public forum and this means that it will certainly take more time to resolve.

If you do not need these problems resolved immediately, let me ask you these questions:

- You have two SSIDs and employees and guests can login to both?
- What method does the controller use to authenticate employees (LDAP)?
- What method does the controller use to authenticate guest (internal database)?
- How did this work before you discovered this issue?
- How do you want it to work?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 5
Registered: ‎04-22-2011

Re: Employee can login into Guest SSID using captive portal for guest

Hi,

- You have two SSIDs and employees and guests can login to both?
Yes, two SSIDs: 1) Employee 2) Guest
Both SSIDs log in using a captive portal.
Employee users should connect to the EMPLOYEE SSID and log in through the Employee captive portal.
And guest users should connect to the GUEST SSID and log in through the Guest captive portal.
That means we have two SSIDs and two different captive portals.

- What method does the controller use to authenticate employees (LDAP)?
Employees use the Internal DB.

- What method does the controller use to authenticate guest (internal database)?
Guests use the Internal DB. (Same as employees)

- How did this work before you discovered this issue?
We never tested before; we have identified that a guest user can connect to the Employee SSID and log in successfully at the captive portal for employees.
And an employee user can log in at the Guest captive portal without any problem.
Maybe the problem is in the captive portal configuration for guest and employee.

- How do you want it to work?
Guest users should connect to the Guest SSID and only log in through the Guest captive portal.
And Employee users should connect to the Employee SSID and log in through the Employee captive portal.

I'm not sure whether we can set a Firewall Policy to restrict employee access to the guest captive portal or guest access to the employee captive portal.

Thanks a lot.
Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Employee can login into Guest SSID using captive portal for guest

I think I understand now.

You only really need one Captive Portal. Since you already have users created with roles, we just need the server group to assign their proper roles, no matter what Captive Portal they login to. The default server group has a rule that puts users in the proper role that they are assigned in the local database. Do this:

config t
aaa authentication captive-portal JANM-Staff
server-group default
exit
aaa authentication captive-portal JANM-Guest
server-group default
exit


Now when users login, they should get in whatever role that is specified in their user in the local database.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 5
Registered: ‎04-22-2011

Re: Employee can login into Guest SSID using captive portal for guest

Hi Joseph,

Billion thanks a lot!
Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: Employee can login into Guest SSID using captive portal for guest

I have a question that I think is similar along these lines.

We have a guest network with Captive Portal using the Internal DB.
I would like to create a new SSID for use in a conference room.
I still would like to require Captive Portal authentication for this new SSID, and create one account that multiple people use to logon.
However, I want it so that a Guest user CANNOT log on to the NEW SSID and
the account used on the NEW SSID CANNOT be used to logon to the existing Guest network.

Is this possible using the Internal DB for both? My concern is that when any SSID AAA profile is using the Internal DB, any valid account will work, regardless of the SSID...

Thanks!