Campus Switching and Routing

MVP
Posts: 3,009
Registered: ‎10-25-2011

captive portal and MAS

Is it possible to configure the MAS as the gateway of a guest VLAN so everything on that VLAN gets captive portal authentication?

Something like a Nomadix, in which the Nomadix is the gateway of that VLAN and everything on that VLAN gets captive portal auth?

I was looking in the manual, but it seems that you apply the initial role to the physical port... and it doesn't look like I can do what I want to, but still, I could be wrong.

Anyone?

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: captive portal and MAS

Since it's tied to user state in the user-table, I think it would work.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: captive portal and MAS

Any idea of how the config would be?

I would like to put a VLAN which has the captive portal on the MAS, trunk that VLAN to an Instant AP, and bring up the MAS captive portal on my Instant with an open network, or it could be a Linksys or anything. I would like everything on that VLAN to get the captive portal.

Like I said, I was looking at the config, but it looks like you attach the initial role to the physical port, so I'm kind of lost on how you would do this.

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: captive portal and MAS

Carlos,

Please see the ASE recipe here: https://ase.arubanetworks.com/solutions/id/28



Colin Joseph
Aruba Customer Engineering

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: captive portal and MAS

Hello Colin

Thanks for the link.

I already saw it before, but still, this just attaches the initial role, which redirects you to the captive portal, to a physical port.

I'll give you an example of what I want to achieve. I want to use the MAS captive portal with Aruba Instant or any other random AP brand (which is not necessarily connected to the Mobility Access Switch).

Example:

Let's say I've got a small network in which I've got 1 MAS and 1 D-Link switch.

I've got VLAN 100, which is the corporate wireless network.

I've got VLAN 50, which is the guest VLAN, and the default gateway is on the Mobility Access Switch.

For example, if I connect this Instant AP to port 0/0/1 and trunk VLAN 100 and VLAN 50 to the Instant AP, I believe I would get the captive portal even on my 802.1X SSID, because it will assign this captive portal role to anything that connects to that port, and I don't want that. I just want to assign it to VLAN 50, not to VLAN 100, and not to anything that connects to that 0/0/1 port. I'm connecting it to the same port, but I just want the captive portal on one VLAN, not both.

I don't know if you're getting what I'm trying to do? Maybe my English is not good enough and I'm confusing you about what I'm trying to achieve... :(

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: captive portal and MAS

You can add a AAA profile to a VLAN, then make the VLAN untrusted.

http://www.arubanetworks.com/techdocs/ArubaOS_7_Web_Help/Default.htm?_ga=1.159382458.161686765.1439664329#mas_guides/1command_List/vlan.htm

"Note that this profile will only take effect if the VLAN and/or the port on the switch is untrusted. If both the port and the VLAN are trusted, no AAA profile is assigned."  So only make the VLAN untrusted, and trunk that to the switch from the IAP.



Colin Joseph
Aruba Customer Engineering

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: captive portal and MAS

How can I make the VLAN untrusted?

It doesn't seem to support that command.

I can certainly make the port untrusted, but I cannot make the VLAN untrusted... or at least I don't see the command.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: captive portal and MAS

I mean, you can do it on the controller, as it accepts trusted vlan on the port, but I don't see that command on the MAS, unless it is another one?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: captive portal and MAS

Unfortunately, you cannot apply a AAA profile to a VLAN, unless the physical port that the VLAN is on is untrusted:

http://www.arubanetworks.com/techdocs/ArubaOS_7_Web_Help/Default.htm?_ga=1.159382458.161686765.1439664329#mas_guides/aaa_authentication/AAA_Authentication_Profi.htm

"The AAA profile can be applied on a global or per port or per VLAN basis, but only if the port is marked as un-trusted."

Sorry about that.

Colin Joseph
Aruba Customer Engineering

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: captive portal and MAS

Yes, you would have to force traffic to flow through that port for this to work. So the switch/port would have to be between the client and its default gateway.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480