I will add 2 ways of providing access using the same SSID:
- Using a Captive Portal (this tutorial is done using the internal RADIUS server, but Aruba support advised that they do not support this type of Captive Portal setup, even though the web GUI of the AP allows such a configuration, and they are planning on limiting the choice in the web GUI). The workaround is to use an external RADIUS server or ClearPass.
- Using WPA-2 Enterprise (tested and working on 4.0.0.3)
The only improvement that I would like to see for this setup is to have the Reauth interval defined on the user role and I added an Idea on the Aruba site: https://arubanetworkskb.secure.force.com/prm/ideas/viewIdea.apexp?id=08740000000LEgT.
How to provide Guest and Employee access with the same SSID using Instant solution with Captive Portal
The idea of the tutorial was to be able to introduce new clients to the Aruba solution with a minimal investment in hardware. Once the client understands the benefits of having Aruba hardware in his environment and requires an increase in scale, we would, depending on the size, move to a campus solution or stick with the Instant solution.
At a high level, the solution is to use a simple external captive portal together with the internal RADIUS server, because this option gives access to role-based authentication on the iAP. The external captive portal can be hosted on any computer that has Apache with PHP installed.
We will start first with preparing the core code for the HTML pages that we will use to give access:
- Index.html will provide the choice of Guest or Employee access:
<form method=POST action="http://securelogin.arubanetworks.com/cgi-bin/login">
<input name=user value="GUsername" type="hidden">
<input name=password value="GUpassword" type="hidden">
<input name=cmd value="authenticate" type="hidden">
<input name=mac value="" type="hidden">
<input name=ip value="" type="hidden">
<input name=essid value="" type="hidden">
<input name=url value="http://www.google.com" type="hidden">
<BR><input type="submit" name="Guest" value="login" class="button" />
</form>
<a href="employ.html"><button type="button">Employ Access </button></a>
- Employ.html will provide a form to enter a username and password:
<form method=POST action="http://securelogin.arubanetworks.com/cgi-bin/login">
Username: <input name=user value="">
Password: <input name=password value="" type="password" size=25>
<input name=cmd value="authenticate" type="hidden">
<input name=mac value="" type="hidden">
<input name=ip value="" type="hidden">
<input name=essid value="" type="hidden">
<input name=url value="http://www.google.com" type="hidden">
<BR><input type="submit" name="Guest" value="login" class="button" />
</form>
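Both forms above leave mac, ip, essid and url empty. The following added example (not part of the original tutorial) is a hypothetical employ.php that fills them from the redirect query string, validating and escaping each value before echoing it into the page. It assumes the iAP passes these parameters under the same names when it redirects the client; clean_param and attr are helper names invented here.

```php
<?php
// Added example, not from the original tutorial.
// Assumption: the iAP redirect carries mac, ip, essid and url as query parameters.
declare(strict_types=1);

// Return the value only if it has the expected shape, otherwise ''.
function clean_param(string $name, array $query): string
{
    $v = $query[$name] ?? '';
    if (!is_string($v)) {          // rejects array injection such as ?mac[]=x
        return '';
    }
    switch ($name) {
        case 'mac':                // six hex octets separated by ':' or '-'
            return preg_match('/^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$/', $v) === 1 ? $v : '';
        case 'ip':
            return filter_var($v, FILTER_VALIDATE_IP) !== false ? $v : '';
        case 'essid':              // an SSID is at most 32 bytes
            return ($v !== '' && strlen($v) <= 32) ? $v : '';
        case 'url':                // only http/https, never javascript: or data:
            $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
            return in_array($scheme, ['http', 'https'], true) ? $v : '';
    }
    return '';
}

// Escape a value for use inside a quoted HTML attribute.
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$fields = [];
foreach (['mac', 'ip', 'essid', 'url'] as $name) {
    $fields[$name] = clean_param($name, $_GET);
}
if ($fields['url'] === '') {
    $fields['url'] = 'http://www.google.com'; // the tutorial's default landing page
}
?>
<form method="POST" action="http://securelogin.arubanetworks.com/cgi-bin/login">
Username: <input name="user" value="">
Password: <input name="password" value="" type="password" size="25">
<input name="cmd" value="authenticate" type="hidden">
<?php foreach ($fields as $name => $value): ?>
<input name="<?= attr($name) ?>" value="<?= attr($value) ?>" type="hidden">
<?php endforeach; ?>
<BR><input type="submit" name="Guest" value="login" class="button" />
</form>
```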
Now that the pages are done we will start to configure the iAP to provide different roles based on what username is typed:
- We will configure first the captive portal profile on the iAP:
- Under Security -> External Captive Portal we will click the New button
- Now we will configure the Users:
- Under Security -> Users for Internal Server we will add our usernames and passwords using the type Guest
- The next step will be to create the 2 user roles that we want to assign: Guest users will be put under “Guest_cp” and Employee users will be put under “Employ_cp”
At this stage we will start to configure the SSID that will bring all this together:
- Step 1 :
- Step 2 (We could do Virtual Controller assigned, or Network with VLANs and Client VLAN Assignment Dynamic if we want to split the users on VLANs too)
- Step 3 – we will set the Splash page type to External and set the Captive portal profile to the one that we created previously (marked in red are the options that need to be changed; the other options are optional):
- Step 4 – Access rules will be Rule-based and then we create the Role Assignment Rules as in the picture below:
How to provide Guest and Employee access with the same SSID using Instant solution with WPA2-Enterprise
The idea of the tutorial was to be able to introduce new clients to the Aruba solution with a minimal investment in hardware. Once the client understands the benefits of having Aruba hardware in his environment and requires an increase in scale, we would, depending on the size, move to a campus solution or stick with the Instant solution.
At a high level, the solution is to use WPA2-Enterprise and the internal RADIUS server in order to provide 2 or more user roles.
The first thing that we want to think about is how to separate the usernames between Guest and Employee. The way I will do it is to use a set of characters specific to each type: for Guest the username will start with “GU” and for Employee it will start with “EM”.
Now we will configure the Users:
- Under Security -> Users for Internal Server we will add our usernames and passwords using the type Employee
- The next step will be to create the 2 user roles that we want to assign: Guest users will be put under “Guest_wpa” and Employee users will be put under “Employee_wpa”
At this stage we will start to configure the SSID that will bring all this together:
- Step 1 :
- Step 2 (We could do Virtual Controller assigned, or Network with VLANs and Client VLAN Assignment Dynamic if we want to split the users on VLANs too)
- Step 3 – we will choose Enterprise with Key management WPA-2 Enterprise and of course we will choose the internal server as the Authentication server:
- Step 4 – Access rules will be Rule-based and then we create the Role Assignment Rules as in the picture below: