Product and Software: This article applies to all Aruba controllers running ArubaOS 3.x.
You can configure captive portal to allow clients to download the Aruba VPN dialer for the Microsoft VPN client when the VPN is terminated on the Aruba controller. This is convenient when an open-system wireless network is required but security is a concern: the VPN dialer lets users connect to the network without configuring a static key or using a certificate.
After the user passes the captive portal, the welcome page displays a link from which the VPN dialer can be downloaded. Once the user has downloaded and run the dialer setup program, the VPN dialer is installed and can initiate IPsec to the controller.
Note:
A VPN license is necessary to enable this feature.
User roles: With ArubaOS 3.x, several user roles are involved in the VPN dialer flow.
· AAA initial role: The role assigned to the user after the user associates to the wireless network. No Layer 2 or Layer 3 authentication has happened yet. In this article, it is called role-i.
· Captive portal default role: The role assigned to the user after the user passes captive portal authentication, but before the VPN dialer succeeds. In this article, it is called role-cp.
· VPN default role: The role assigned to the user after the VPN dialer succeeds. In this article, it is called role-vpn.
These roles will have different configurations:
· role-i: Configure the captive portal profile under this role to restrict access to network resources. Typically this role should allow only dns, dhcp, icmp, and http/https (needed for the captive portal to work).
· role-cp: Configure the vpn-dialer under this role. Typically it has the same network access as role-i, plus svc-natt. The predefined session ACL "control" should be sufficient.
· role-vpn: Restrict access to network resources based on the security policy. This is the final user role, so the user should have access to all network resources that the security policy permits.
VPN Dialer
· inner protocols: both pptp and l2tp are supported. The pptp and l2tp address pools need to be configured.
· authentication methods: pap, chap, mschap and mschapv2 are supported.
· encryption: IPsec with a pre-shared key.
Sample Configuration
The open-system SSID is used here. After the user associates, it is assigned role-i, which allows dhcp, dns, icmp, and http/https.
The user launches a web browser and gets the captive portal page. After authentication, the user is assigned "role-cp". The vpn-dialer "test" is configured under this role, which has a similar access level to "role-i".
The user must click the link on the captive portal welcome page and download/install the VPN dialer if it is not already installed. Otherwise, the user launches the VPN and initiates IPsec. After IPsec succeeds, the user is assigned "role-vpn" and has full access.
user-role role-i
captive-portal cp1
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
user-role role-cp
dialer vpndialer1
pool pptp testpool1 << optional; if it is not configured, the default pptp pool is used.
session-acl control
user-role role-vpn
session-acl allowall-with-srcnat
!
All session ACLs are predefined ACLs except for "allowall-with-srcnat".
ip access-list session allowall-with-srcnat
user any any src-nat
The src-nat action is necessary because the pptp/l2tp pool used here assigns private IP addresses. If the user will be assigned a public IP, src-nat is not required and the predefined "allowall" ACL can be used instead.
This example uses pptp:
pptp ip local pool "testpool1" 1.1.1.1 1.1.1.10
vpdn group pptp
client configuration dns 10.1.1.50
ppp authentication MSCHAPv2
!
VPN dialer related config:
vpn-dialer vpndialer1
enable pptp
no enable l2tp
no ppp authentication PAP
no ppp authentication CHAP
no ppp authentication MSCHAP
ike lifetime 7200
ike hash MD5
ike authentication PRE-SHARE ******
ipsec pfs GROUP1
ipsec encryption ESP-DES
WLAN related config:
aaa profile "test"
initial-role "role-i"
wlan ssid-profile "test"
essid "test"
wlan virtual-ap "test"
ssid-profile "test"
aaa-profile "test"
ap-group "test"
virtual-ap "test"
Examples of show Command Output
After the client is associated:
show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.168.121.170 00:13:ce:45:d9:4d role-i 00:02:44 test Associated test/00:0b:86:e2:d8:f0/a test
User Entries: 1/1
After the user passes the captive portal:
show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.168.121.170 00:13:ce:45:d9:4d tac role-cp 00:02:46 Web test Associated test/00:0b:86:e2:d8:f0/a test
User Entries: 1/1
After the VPN succeeds:
show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
1.1.1.1 00:13:ce:45:d9:4d vpn role-vpn 00:00:00 VPN 10.168.121.170 test Associated test/00:0b:86:e2:d8:f0/a test
10.168.121.170 00:13:ce:45:d9:4d tac role-cp 00:03:04 Web test Associated test/00:0b:86:e2:d8:f0/a test
User Entries: 2/2
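An added check, not part of the article and not Aruba code, that parses "show user" output and verifies the role-i, role-cp, role-vpn progression shown in the three snapshots above. The sample text is constructed from the third snapshot and re-aligned as fixed-width columns; that layout (column boundaries taken from the dashed separator line) is an assumption about the controller's real output.

```python
"""Parse ArubaOS 3.x 'show user' output and verify the role-i -> role-cp -> role-vpn progression."""
import re

# Constructed sample modelled on the article's third snapshot (not output captured from a
# controller), re-aligned as fixed-width columns so blank cells keep their position.
SAMPLE_AFTER_VPN = """\
Users
-----
IP              MAC                Name  Role      Age(d:h:m)  Auth  VPN link        AP name  Roaming     Essid/Bssid/Phy           Profile
--------------  -----------------  ----  --------  ----------  ----  --------------  -------  ----------  ------------------------  -------
1.1.1.1         00:13:ce:45:d9:4d  vpn   role-vpn  00:00:00    VPN   10.168.121.170  test     Associated  test/00:0b:86:e2:d8:f0/a  test
10.168.121.170  00:13:ce:45:d9:4d  tac   role-cp   00:03:04    Web                   test     Associated  test/00:0b:86:e2:d8:f0/a  test
User Entries: 2/2
"""

def parse_show_user(text):
    """Return one dict per user row keyed by header name; blank cells stay ''."""
    lines = text.splitlines()
    # the separator line is made of dashes and sits directly under the 'IP ...' header
    sep = next(i for i, l in enumerate(lines)
               if i and lines[i - 1].startswith("IP") and set(l.strip()) <= {"-", " "})
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep])]
    names = re.split(r"\s{2,}", lines[sep - 1].strip())
    rows = [l for l in lines[sep + 1:] if l.strip() and not l.startswith("User Entries")]
    return [dict(zip(names, [l[s:e].strip() for s, e in spans[:-1]] + [l[spans[-1][0]:].strip()]))
            for l in rows]

def vpn_stage(rows, mac):
    """'associated' (role-i only), 'captive-portal' (role-cp only), 'vpn' (inner role-vpn
    entry whose VPN link is the outer role-cp entry's IP), else 'unexpected'."""
    mine = [r for r in rows if r["MAC"].lower() == mac.lower()]
    outer = {r["IP"] for r in mine if r["Role"] == "role-cp"}
    inner = [r for r in mine if r["Auth"] == "VPN"]
    if inner and all(r["Role"] == "role-vpn" and r["VPN link"] in outer for r in inner):
        return "vpn"
    roles = frozenset(r["Role"] for r in mine)
    return {frozenset({"role-cp"}): "captive-portal",
            frozenset({"role-i"}): "associated"}.get(roles, "unexpected")

def find_anomalies(rows):
    """Flag role-vpn reached without VPN auth, and inner VPN entries with no outer role-cp entry."""
    outer = {r["IP"] for r in rows if r["Role"] == "role-cp"}
    problems = []
    for r in rows:
        if r["Role"] == "role-vpn" and r["Auth"] != "VPN":
            problems.append(f"{r['IP']}: role-vpn without VPN auth")
        if r["Auth"] == "VPN" and r["VPN link"] not in outer:
            problems.append(f"{r['IP']}: VPN link {r['VPN link']!r} has no role-cp entry")
    return problems
```

Feed it the output of "show user" from the controller; a client that never reaches "vpn", or any string returned by find_anomalies, means the stages above were skipped or the dialer failed.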