ArubaOS and Controllers

Occasional Contributor II

Guest access 50 controllers

Looking for some suggestions on doing guest access for up to 50 controllers. We would like to have one authentication server if possible so our help desk can create the user accounts. We could use an external RADIUS server, but how do we push an expiration time back to the controller?
Aruba Employee

Re: Guest access 50 controllers

Airwave would be a good solution. You could centrally manage the guest users and any changes are immediately pushed to the appropriate controllers. I say appropriate because Airwave has the ability to use groups to determine permissions. If a help desk user only has permission to create accounts for West coast controllers (for example), when they create a user it is only pushed to West coast controllers. Basically, you would use the Aruba internal user database, but manage it via Airwave.

As far as expiration, you could theoretically set a reauthentication interval on the controller to say 1 hour. Every 1 hour, the users would have to put in their credentials. I know this is not optimal, but if you want to ensure you get the users off the network within an hour of their account expiring, this may be the only way.
Occasional Contributor II

Guest access for 50 Controllers

We are using a system by Avenda that allows you to create accounts and also allows users to set up accounts without intervention by IT. There is a self-registration portal that you are able to place on your web server, which then uses an API to create the account in the RADIUS server appliance. We have it set up so users can get a promotional code for free access from a sponsor or pay using a credit card. We have moved to this system being our central authentication servers for all of wireless; we are using it as a proxy to our LDAP servers for registered users. Setup and customization are very easy, while the servers are also very reliable. If you would like more information, feel free to contact me (ckoehler@sandiego.edu). We were able to pay for the system with the income from paid guest users in 3 months.
Aruba Employee

Re: Guest access 50 controllers

So, this is more of a question than an answer, but how does the RADIUS server tell the controller when the account has expired and the user should be kicked off?

The Avenda solution sounds cool. I'll have to keep that in mind for any customers who want self registration.
Occasional Contributor II

Re: Guest access 50 controllers

You are able to set an expiration time for each user manually or automatically based off of the promo code or type of account they purchase. This is what will not allow the user to authenticate. You are also able to set attributes that get sent to the controller that can be used for role derivations.
Aruba Employee

Re: Guest access 50 controllers

So the portal is in-line? I understand the role derivation, but that would not force a user to disconnect when their allotted time was up. If the portal is in-line, then I can understand how it could stop a user (based on their MAC address and UID pair, I guess) when the time they paid for expired. The controller would have to be told to boot the user off the system if the portal is not in-line.
Occasional Contributor II

Re: Guest access 50 controllers

We have it set up out of band. The way we have it is that there is a link on the captive portal page that sends them to the account creation page (that is whitelisted). Once they complete the account creation, we send them back to the captive portal page, where they are able to log in using the new account they just created. The way that we cause users to expire is we disable their account so that they are not able to log in after the time that they are granted is up. So if they log in at 3pm and their account expires at 3:01pm, they will remain online for that active session, but once that session is terminated they will no longer have access with that account.
Aruba Employee

Re: Guest access 50 controllers

OK, so I just did some testing with my lab. If you use Airwave as the guest user manager and put in an expiration for the users, when the account expires, the controller will remove the active user. So, for the original post, you can use Airwave to create and manage the user names, passwords and expirations. When the account expires, it will get removed from the local-userdb on the controller and any clients using that name will be redirected to the captive portal page (or wherever the initial role for the AAA policy makes them go).

I learned something new today!! :)
Occasional Contributor II

Re: Guest access 50 controllers

olino

If we use Airwave and we create a user under the top folder, does that push to all controllers? Does the user account get deleted after expiration, or does it stay so we can re-enter more time instead of having to constantly recreate the account?
Aruba Employee

Re: Guest access 50 controllers

The account will get pushed to all controllers in the folder that the creator has access to and below. For example, if you have rights at the Top>US>West Coast folder and you create an account, all controllers in the West Coast folder and below will receive the account.

The account is deleted on the controller, but it is not deleted within Airwave. You can update the expiration and it will get re-pushed to the controller(s).