How do I configure VPN dialer in ArubaOS 3.x?

Aruba Employee

Product and Software: This article applies to all Aruba controllers running ArubaOS 3.x.

You can configure captive portal to allow clients to download the Aruba VPN dialer for the Microsoft VPN client if the VPN is to be terminated on the Aruba controller. This is convenient when an open-system wireless network is required and security is a concern. The VPN dialer allows users to connect to the network without configuring a static key or using a certificate.

After the user passes the captive portal, a link is displayed on the welcome page so the VPN dialer can be downloaded. After the user has downloaded the dialer setup program, the VPN dialer can be installed and IPSec can be initiated to the controller.

Note: A VPN license is necessary to enable this feature.

 

User roles: With ArubaOS 3.x, different user roles are involved with the VPN dialer.

·       AAA initial role: The role that is assigned to the user after the user associates to the wireless network. No Layer 2 or Layer 3 authentication has happened yet. In this article, it will be called role-i.

·       Captive portal default role: The role that is assigned to the user after the user passes captive portal authentication, but before the VPN dialer succeeds. In this article, it will be called role-cp.

·       VPN default role: The role that is assigned to the user after the VPN dialer succeeds. In this article, it will be called role-vpn.

 

These roles will have different configurations:

·      role-i: Configure the captive portal profile under this role to restrict access to network resources. Typically this role should only allow dns, dhcp, icmp, and http/https (for captive portal to work).

·      role-cp: Configure the vpn-dialer under this role. Typically it will have the same network access as role-i, plus svc-natt. The predefined session ACL "control" should be sufficient.

·      role-vpn: Restrict access to network resources based on the security policy. This is the final user role, so the user should have access to all network resources that are permitted by the security policy.


VPN Dialer

·        inner protocols: both pptp and l2tp are supported. The pptp and l2tp pools need to be configured.

·        authentication method: pap/chap/mschap/mschapv2 are supported.

·        encryption: ipsec preshare key.

 

 

Sample Configuration

An open-system SSID is used here. After the user is associated, it is assigned role-i, which allows dhcp, dns, icmp, and http/https.

The user launches a web browser and gets the captive portal page. After authentication, the user is assigned "role-cp". The vpn-dialer "test" is configured under this role, which has a similar access level to "role-i".

The user must click the link on the captive portal welcome page and download/install the VPN dialer if it has not been installed already. Otherwise, the user can launch the VPN and initiate IPSec. After IPSec succeeds, the user is assigned "role-vpn" and has full access.


user-role role-i 
captive-portal cp1 
session-acl logon-control 
session-acl captiveportal 
session-acl vpnlogon

user-role role-cp 
dialer vpndialer1 
pool pptp testpool1 << this is optional. if it's not configured, then default pptp pool will be used. 
session-acl control

user-role role-vpn 
session-acl allowall-with-srcnat 
!

All session ACLs are predefined ACLs except for "allowall-with-srcnat".

ip access-list session allowall-with-srcnat 
user any any src-nat

 

The src-nat ACL is necessary because the pptp/l2tp pool we are going to use assigns private IP addresses. If the user will be assigned a public IP, then src-nat is not required and the predefined "allowall" ACL can be used.

 This example uses pptp:

pptp ip local pool "testpool1" 1.1.1.1 1.1.1.10 
vpdn group pptp 
client configuration dns 10.1.1.50 
ppp authentication MSCHAPv2 
!

vpn-dialer 
vpn-dialer vpndialer1 
enable pptp 
no enable l2tp 
no ppp authentication PAP 
no ppp authentication CHAP 
no ppp authentication MSCHAP 
ike lifetime 7200 
ike hash MD5 
ike authentication PRE-SHARE ****** 
ipsec pfs GROUP1 
ipsec encryption ESP-DES
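
The dialer stanza above enables several settings that rely on weak primitives. The following audit sketch is an added example, not part of the original article or of Aruba's tooling: it scans a dialer configuration and reports each enabled weak setting, skipping "no ..." lines. The function name audit_dialer and the rule list are assumptions for illustration, and the sample input is reconstructed from this article.

```python
import re

# Constructed sample: the PPTP and dialer stanzas as they appear in this article.
SAMPLE_CONFIG = """\
vpdn group pptp
client configuration dns 10.1.1.50
ppp authentication MSCHAPv2
!
vpn-dialer vpndialer1
enable pptp
no enable l2tp
no ppp authentication PAP
no ppp authentication CHAP
no ppp authentication MSCHAP
ike lifetime 7200
ike hash MD5
ike authentication PRE-SHARE ******
ipsec pfs GROUP1
ipsec encryption ESP-DES
"""

# (pattern, finding) pairs. The findings are general cryptographic facts,
# not ArubaOS-specific guidance; the rule list itself is an assumption.
WEAK_SETTINGS = [
    (r"^ike hash md5$", "IKE integrity uses MD5, which is collision-broken"),
    (r"^ipsec encryption esp-des$", "ESP uses single DES (56-bit key)"),
    (r"^ipsec pfs group1$", "PFS uses DH group 1 (768-bit MODP)"),
    (r"^enable pptp$", "PPTP is a legacy tunnelling protocol with known weaknesses"),
    (r"^ppp authentication (pap|chap|mschap)$", "legacy PPP authentication method enabled"),
]

def audit_dialer(config_text):
    """Return (line_number, line, finding) for each weak setting that is enabled."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())          # normalise spacing and trailing blanks
        if line.lower().startswith("no "):    # "no ..." disables the setting
            continue
        for pattern, finding in WEAK_SETTINGS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((number, line, finding))
    return findings

if __name__ == "__main__":
    for number, line, finding in audit_dialer(SAMPLE_CONFIG):
        print(f"line {number}: {line!r}: {finding}")
```
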


WLAN related config: 
aaa profile "test" 
initial-role "role-i"

wlan ssid-profile "test" 
essid "test"


wlan virtual-ap "test" 
ssid-profile "test" 
aaa-profile "test"

ap-group "test" 
virtual-ap "test"


Examples of show Command Output

 

After the client is associated:

 

show user

Users 
----- 
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile 
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- 
10.168.121.170 00:13:ce:45:d9:4d role-i 00:02:44 test Associated test/00:0b:86:e2:d8:f0/a test

User Entries: 1/1


After the user passed captive portal:


show user

Users 
----- 
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile 
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- 
10.168.121.170 00:13:ce:45:d9:4d tac role-cp 00:02:46 Web test Associated test/00:0b:86:e2:d8:f0/a test

User Entries: 1/1

 

 

After the VPN succeeds:


show user

Users 
----- 
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile 
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- 
1.1.1.1 00:13:ce:45:d9:4d vpn role-vpn 00:00:00 VPN 10.168.121.170 test Associated test/00:0b:86:e2:d8:f0/a test 
10.168.121.170 00:13:ce:45:d9:4d tac role-cp 00:03:04 Web test Associated test/00:0b:86:e2:d8:f0/a test

User Entries: 2/2

Version history: Revision 1 of 1. Last update: 07-01-2014 01:59 PM