Product and Software: This article applies to all Aruba controllers and ArubaOS 2.x.
Guest users connect to a separate SSID and are placed in a separate VLAN that has no access to the external network. To get out, they must authenticate through the captive portal.
In this example, the guest ESSID maps to a VLAN using private addresses that are not routable by the rest of the network, including DNS servers and an upstream router. All outgoing traffic that originates from this VLAN needs to be src-natted to a routable IP address when the guest is both in the "logon" role as well as in the "guest" role (before and after authentication).
Here is a sample of a working configuration:
(Assume that 10.13.22.232 is a routable IP address; it is the only address in the source NAT pool below.)
ip nat pool 1 10.13.22.232 10.13.22.232

ip access-list session captiveportal
  user alias mswitch svc-https permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081

ip access-list session control-NAT
  any any svc-icmp src-nat pool 1
  any any svc-dns src-nat pool 1
  any any svc-papi permit
  any any svc-tftp permit
  any any svc-dhcp permit

ip access-list session allowall-nat
  user any any src-nat pool 1
This example shows the basic configuration. In a real network, you might consider adding these configurations:
- In the authenticated role (for example, "guest") consider blocking "guest" users from accessing the internal network.
- Consider limiting outgoing traffic to a certain type (for example, http, https, and VPN).
- The "logon" role is shared by all users on the switch, so it applies to captive portal users on other, non-guest ESSIDs as well. If you want to limit this behavior to the guest ESSID only, define another role (for example, "guest-logon") and use a user derivation rule to apply it to that one ESSID:
set role condition essid equals guest-essid set-value guest-logon
Note: The "logon" role is also applied automatically to all IP addresses seen on untrusted ports, so any rules you add to "logon" (such as the src-nat rules above) also affect those devices. Account for this in your configuration.
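The following is an added example, not part of the original article, that puts the suggestions above together: a restricted "guest" role that blocks traffic to private (RFC 1918) destinations and allows only web traffic, a "guest-logon" role for the guest ESSID only, and the derivation rule that assigns it. The ACL name guest-nat, the role name guest-logon, the ESSID name guest-essid and the blocked address ranges are assumptions; pool 1, captiveportal, control-NAT and allowall-nat are the ACLs from the example above. Lines beginning with ! are comments. Verify the exact syntax against the command reference for your ArubaOS 2.x release.

```text
! Assumed: guest VLAN and internal network use RFC 1918 addresses,
! so a guest must not be able to reach any of those ranges after login.
ip access-list session guest-nat
  user network 10.0.0.0 255.0.0.0 any deny
  user network 172.16.0.0 255.240.0.0 any deny
  user network 192.168.0.0 255.255.0.0 any deny
  user any svc-http src-nat pool 1
  user any svc-https src-nat pool 1
  user any any deny

! Pre-authentication role for the guest ESSID only.
! control-NAT comes first so DNS/DHCP/ICMP work before the portal redirect.
user-role guest-logon
  session-acl control-NAT
  session-acl captiveportal

! Post-authentication role: restricted web-only access, source-NATed to pool 1.
user-role guest
  session-acl control-NAT
  session-acl guest-nat

! Assign guest-logon instead of logon to clients on the guest ESSID.
aaa derivation-rules user
  set role condition essid equals guest-essid set-value guest-logon
```

ACLs within a role are evaluated in order with first match winning, so control-NAT must precede the deny entries in guest-nat or guests lose DNS; the closing "user any any deny" makes the allow list explicit rather than relying on the implicit deny. If you want the permissive behaviour of the original example instead, replace guest-nat in the "guest" role with allowall-nat. Since the 10.0.0.0/8 deny covers the NAT pool address itself, keep the pool on the routable side of the firewall as the article assumes.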