Campus Switching and Routing

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Captive Portal Configuration vs Access Port Connectivity

Hello All,

 

I configured a Captive Portal Profile within the MAS 2500, which is associated with the Captive Portal AAA Profile.

Part of my configuration requires me to apply the AAA Profile to all Physical Interfaces and configure the Ports to "Untrusted".

 

Now, when I plug in my laptop and physically assign a static IP Address to it to match the VLAN ID Interface subnet, it fails to achieve connectivity to my Core Switch. I confirmed that the Trunk between the 2500 and my Core is working fine.

 

To be able to get my laptop to establish connectivity, I had to change the configuration of the Ports from "Untrusted" to "Trusted".

 

Now, I assume the purpose for setting my Ports to be in a state of "Untrusted" is for the purpose of allowing for an authentication process to take place. However, this seems to be impacting connectivity to my Core.

 

Is this working as designed, whereby, the Ports need to be in an "Untrusted" state and will eventually allow traffic when the User connecting on that Port has been successfully authenticated?

 

Thanks!

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Captive Portal Configuration vs Access Port Connectivity

Can you attach a copy of your configuration to review?

 

Best regards,

 

Madani

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Captive Portal Configuration vs Access Port Connectivity

I have attached a Template of what I built.

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Captive Portal Configuration vs Access Port Connectivity

Can you attach the actual running config, the output of "show station-table" and "show user-table"? Thanks!

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Captive Portal Configuration vs Access Port Connectivity


madjali wrote:

Can you attach the actual running config, the output of "show station-table" and "show user-table"? Thanks!


Hi Madjali,

 

It seems that when I apply a AAA Profile to a Physical Port, I need to set the Port to be "Untrusted" in order for the ACLs associated to a User-Role to be applied. And if the authentication is successful, traffic will be allowed over that Port.

 

Is this an accurate assumption? If that is the case, then I believe I'm comfortable with the configuration I have in place.

 

 

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Captive Portal Configuration vs Access Port Connectivity

Yes, for the AAA Profile to take effect, you must have the ports set to untrusted. I misunderstood your original post indicating you were unexpectedly losing connectivity to your core.

 

Best regards,

 

Madani

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Captive Portal Configuration vs Access Port Connectivity

Perfect! And is it true that one can apply only one AAA Profile to one Physical Port?

 

You can't have multiple AAA Profiles applied to one Physical Port?

 

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Captive Portal Configuration vs Access Port Connectivity

Correct, however you can enable multiple authentication methods per profile (e.g. dot1x, mac-auth, UDR). Captive portal settings are linked to the user-role, so depending on how a device is assigned a user-role (dot1x, mac-auth, initial role, udr), you could also have different captive portals, but they are not governed by the AAA profile setting per se.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Captive Portal Configuration vs Access Port Connectivity


madjali wrote:

Correct, however you can enable multiple authentication methods per profile (e.g. dot1x, mac-auth, UDR). Captive portal settings are linked to the user-role, so depending on how a device is assigned a user-role (dot1x, mac-auth, initial role, udr), you could also have different captive portals, but they are not governed by the AAA profile setting per se.


Thx Madjali!

 

But at the end of the day, whatever way this is done and whatever AAA Profile that is created, only one can be applied per Port.

 

Correct?

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Captive Portal Configuration vs Access Port Connectivity

Yes, that is correct, only one AAA profile can be applied to an interface or group of interfaces. What is the use case where you would want multiple AAA profiles on a given port?

 

Best regards,

 

Madani
