ArubaOS and Controllers

Occasional Contributor I
Posts: 7
Registered: ‎12-16-2010

Guest access

I'm fairly new to Aruba and would like to understand if guest access can be set up without using the captive portal and either WEP (I know) or pre-shared keys. We have a large facility that hosts quite a few events and have customers using gaming consoles, etc. that don't support browsers. This is also something I'd probably only turn up for the duration of an event.

Thanks...
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Guest access

Assuming you have PEF, you can just create a user role that suits your needs and place those users in that role. Most likely the standard guest role won't do it for you, given the user type you've described. Once they associate, they are restricted to what the role you defined allows them to do.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
MVP
Posts: 287
Registered: ‎11-04-2008

Re: Guest access

Assuming you are using the default profile, your guests will get the “guest-logon” role.
Enter “GUEST any any permit” in the access-list “logon-control”.
GUEST is an alias that includes the IP addresses of all guests.

netdestination GUEST
  network 192.168.1.0 255.255.255.0


# show rights guest-logon

Derived Role = 'guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 6/0
Max Sessions = 65535

Captive Portal profile = default

access-list List
----------------
Position  Name           Location
--------  ----           --------
1         logon-control
2         captiveportal

logon-control
-------------
Priority  Source  Destination  Service    Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------    ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    any          udp 68     deny                                   Low
2         any     any          svc-icmp   permit                                 Low
3         any     any          svc-dns    permit                                 Low
4         any     any          svc-dhcp   permit                                 Low
5         any     any          svc-natt   permit                                 Low
6         GUEST   any          any        permit                                 Low

captiveportal
-------------
Priority  Source  Destination  Service    Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------    ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    mswitch      svc-https  dst-nat 8081                           Low
2         user    any          svc-http   dst-nat 8080                           Low
3         user    any          svc-https  dst-nat 8081                           Low
~Trinh Nguyen~
Boys Town
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Guest access

This is not a good idea.

With that particular policy you have given guests full access, including to your local network. That will obviously work if that's what is set as your role for the PSK network, but you should make sure that's what you intended.

It would be better to create a new role and assign that instead of modifying the logon role. This role is used to enforce captive portal auth, and the way it's designed here no one has to authenticate. With the order you outlined they will never even get the CP; notice your allow-all will be done prior to your CP policy. It's a wide-open network now.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
MVP
Posts: 287
Registered: ‎11-04-2008

Re: Guest access

Actually the rule is "GUEST any PROXY permit", sending all guests' traffic directly to the proxy.
These guests have no browser to access the CP, so the rule must be before the CP.
100% agree on the new role instead of using the default role.
~Trinh Nguyen~
Boys Town
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Guest access

Yes, with Proxy I would agree. The first example was any any permit, and I would not use that. With your revision I agree this could be used if applied within a new user role as opposed to the default role.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
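
Added example, not part of any post in this thread: a small Python model of first-match evaluation over the guest-logon role's policies, comparing the "GUEST any any permit" rule with a rule that permits GUEST traffic only to a proxy. The proxy address (192.0.2.10), the guest client (192.168.1.50) and the internal host (10.0.0.5) are constructed values, the rule set is abridged from the output above, and the final implicit deny is an assumption of the model.

```python
import ipaddress

GUEST = ipaddress.ip_network("192.168.1.0/24")  # netdestination GUEST from the thread
PROXY = ipaddress.ip_network("192.0.2.10/32")   # assumed proxy address (placeholder)

# Service alias -> (protocol, destination port); only the ones this model needs
SERVICES = {"svc-dns": ("udp", 53), "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

def _in(alias, addr):
    # "any" and "user" match every address here; otherwise test network membership
    return alias in ("any", "user") or ipaddress.ip_address(addr) in alias

def _svc(service, proto, port):
    return service == "any" or SERVICES[service] == (proto, port)

def evaluate(policies, src, dst, proto, port):
    """Walk the policies in position order; the first matching rule decides."""
    for name, rules in policies:
        for s, d, service, action in rules:
            if _in(s, src) and _in(d, dst) and _svc(service, proto, port):
                return name, action
    return None, "deny"  # assumed implicit deny when nothing matches

def role(guest_rule):
    # Abridged guest-logon role: logon-control (position 1), captiveportal (position 2)
    logon_control = [("any", "any", "svc-dns", "permit"), guest_rule]
    captiveportal = [
        ("user", "any", "svc-http", "dst-nat 8080"),
        ("user", "any", "svc-https", "dst-nat 8081"),
    ]
    return [("logon-control", logon_control), ("captiveportal", captiveportal)]

OPEN = role((GUEST, "any", "any", "permit"))       # first suggestion in the thread
VIA_PROXY = role((GUEST, PROXY, "any", "permit"))  # destination limited to the proxy

def verdict(policies, dst, proto="tcp", port=80):
    # Constructed guest client inside the GUEST network
    return evaluate(policies, "192.168.1.50", dst, proto, port)

if __name__ == "__main__":
    for label, pol in (("any any permit", OPEN), ("proxy only", VIA_PROXY)):
        print(label)
        print("  HTTP to internal 10.0.0.5 ->", verdict(pol, "10.0.0.5"))
        print("  SSH  to internal 10.0.0.5 ->", verdict(pol, "10.0.0.5", port=22))
        print("  TCP 8080 to proxy         ->", verdict(pol, "192.0.2.10", port=8080))
```

With the open rule every guest flow is permitted in logon-control and the captiveportal policy is never reached; with the proxy-only rule, only traffic to the proxy is permitted ahead of it.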