How can I enable the captive-portal authentication if I doesn't have PEF license installed on my Aruba controller?

Aruba Employee

Product and Software: This article applies to all Aruba mobility controllers with ArubaOS 3.x.

 

To enable the captive portal authentication on the controller that does not have PEF license installed, follow these steps:

 

1) Create a captive portal profile.

 

From the GUI, navigate to:

Configuration > Security > Authentication > L3 authentication > Captiveportal Authentication profile > Create a new profile (dpak-portal) > Add > Apply > Save configuration.

 

For example:

 

cp-profile.jpg

 

From the CLI, execute the following commands:

(Aruba) #configure t

Enter Configuration commands, one per line. End with CNTL/Z

 

(Aruba) (config) #aaa authentication captive-portal dpak-portal

(Aruba) (Captive Portal Authentication Profile "dpak-portal") #write me

Saving Configuration...

 

Configuration Saved.

 

 

2) View the role that was created under the system role with the same name as captive portal profile.

 

From the GUI, navigate to:

Configuration > Security > Access control > System roles > dpak-portal > view

 

For example:

 

systemrole.jpg

From the CLI, execute the following commands:

 

(Aruba) #show rights dpak-portal

 

Derived Role = 'dpak-portal'

Up BW:No Limit Down BW:No Limit

L2TP Pool = default-l2tp-pool

PPTP Pool = default-pptp-pool

Periodic reauthentication: Disabled

ACL Number = 24/0

Max Sessions = 65535

 

Captive Portal profile = dpak-portal

 

access-list List

----------------

Position Name Location

-------- ---- --------

1 dpak-portal

 

dpak-portal

-----------

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisSca

n

-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------

-

1 user mswitch svc-https permit Low

2 user any svc-http dst-nat 8080 Low

3 user any svc-https dst-nat 8081 Low

4 any any svc-dns permit Low

5 any any svc-dhcp permit Low

 

Expired Policies (due to time constraints) = 0

 

(Aruba) #

 

 

 

3) Check which AAA profile is mapped to the required ssid.

From the GUI, navigate to:

Configuration > AP configuration > Choose the APgroup > Edit > Wireless LAN > Virtual AP > Select the Virtual AP > Check the name of the AAA profile mapped to the ssid.

 

From the CLI, execute the following commands:

(Aruba) #show wlan virtual-ap

Virtual AP profile List

-----------------------

Name References Profile Status

---- ---------- --------------

default 1

 

Total:1

 

(Aruba) #show wlan virtual-ap default

 

Virtual AP profile "default"

----------------------------

Parameter Value

--------- -----

Virtual AP enable Enabled

Allowed band all

SSID Profile default

VLAN N/A

Forward mode tunnel

Deny time range N/A

Mobile IP Enabled

DoS Prevention Disabled

Station Blacklisting Enabled

Blacklist Time 3600 sec

Authentication Failure Blacklist Time 3600 sec

Fast Roaming Disabled

Strict Compliance Disabled

VLAN Mobility Disabled

AAA Profile default

 

4) Go to the AAA profile and map the new system role as an initial role in the AAA profile for the ssid.

 

From the GUI, navigate to:

Configuration > Security > Authentication > AAA Profiles > Click on the required AAA profile > On RHS from the drop-down menu, select the new system role as the initial role > Apply > Save configuration.

 

From the CLI, execute the following commands:

 

(Aruba) #configure t

Enter Configuration commands, one per line. End with CNTL/Z

(Aruba) (config) #aaa profile default

(Aruba) (AAA Profile "default") #initial-role dpak-portal

(Aruba) (AAA Profile "default") #write me

Saving Configuration...

Configuration Saved.

(Aruba) (AAA Profile "default") #show aaa profile default

AAA Profile "default"

---------------------

Parameter Value

--------- -----

Initial role dpak-portal

MAC Authentication Profile N/A

MAC Authentication Server Group default

802.1X Authentication Profile N/A

802.1X Authentication Server Group N/A

RADIUS Accounting Server Group N/A

User derivation rules N/A

Wired to Wireless Roaming Enabled

(Aruba) (AAA Profile "default") #

 

5) Create a user entry in the internal database of the controller.

 

From the GUI, navigate to:

Configuration > Security > Authentication > Internal DB > Add user > Type username and password > Apply button inside the window > outer Apply button > Save configuration.

 

For example:

 

internal.jpg

 

internaldb.jpg

 

From the CLI, execute the following command:

 

(Aruba) #local-userdb add username deepak password aruba

 

 

 

Version history
Revision #:
1 of 1
Last update:
‎07-10-2014 09:41 AM
Updated by:
 
Labels (1)
Contributors
Tags (1)
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: