
Explaining the pre-auth role in Aruba Instant

Aruba Employee

Question -
1. What is the pre-auth role in Aruba Instant?
2. When should we use the pre-auth role?
3. How can we configure it?
4. When can we not use the pre-auth role?

 

Environment - The commands in this article were tested on Aruba Instant 6.4.2.3-4.1.1.2.

 

Answer - The pre-auth role in Aruba Instant can be used with the following authentication types:
a. Captive portal authentication.
b. MAC authentication.

It can be used when we want to allow clients some access:
a. Before they are able to authenticate.
b. When they do not have credentials to authenticate.

To set a role as pre-auth:
======================
wlan ssid-profile TEST-155
 enable
 index 1
 type guest
 essid TEST-155
 opmode opensystem
 max-authentication-failures 0
 vlan guest
 auth-server InternalServer
 set-role-pre-auth TEST-155
 rf-band all
 captive-portal internal
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
=========================

In this role, we can specify the services that the client is allowed to access before it passes the configured authentication. In the example below, we allow the client to access TFTP with a udp 69 rule. This can allow devices such as thin clients to download firmware from a central server using TFTP before authenticating, even if the device fails authentication:

wlan access-rule TEST-155
 index 3
 rule any any match udp 69 69 permit


Note:
1. We do not need to add DNS and DHCP rules to the pre-auth role. They are allowed automatically when we set a role as pre-auth.
2. The ACLs that allow DNS and DHCP are not visible in the pre-auth role.
3. We can, however, see the DNS and DHCP traffic allowed for the user in the datapath ACL:

#show datapath user
Datapath User Table Entries
---------------------------
IP               MAC                ACLs     Contract   Location  Age    Sessions   Flags  Vlan  FM
---------------  -----------------  -------  ---------  --------  -----  ---------  -----  ----  --
172.31.99.20     F0:25:B7:31:44:B5  110/0    0/0        0         1      0/65535           3333  B

00:0b:86:8f:93:cd# show datapath acl 110

show datapath acl 110
Datapath ACL 110 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
       S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
       I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
       A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
       K - App Throttle, d - Domain DA
----------------------------------------------------------------
1:  any  any  17 0-65535 8209-8211  P4
2:  any  172.31.98.1 255.255.255.255  6 0-65535 80-80  PSD4
3:  any  172.31.98.1 255.255.255.255  6 0-65535 443-443  PSD4  hits 8
4:  any  any  6 0-65535 80-80  PSD4  hits 18
5:  any  any  6 0-65535 443-443  PSD4  hits 50
6:  172.31.98.0 255.255.254.0  172.31.98.0 255.255.254.0  17 0-65535 67-68  P4
7:  172.31.98.0 255.255.254.0  224.0.0.0 224.0.0.0  17 0-65535 67-68  P4
8:  172.31.98.0 255.255.254.0  any  17 0-65535 67-68  PS4
9:  any  any  17 0-65535 67-68  P4
10:  172.31.98.0 255.255.254.0  172.31.98.0 255.255.254.0  17 0-65535 53-53  P4
11:  172.31.98.0 255.255.254.0  224.0.0.0 224.0.0.0  17 0-65535 53-53  P4
12:  172.31.98.0 255.255.254.0  any  17 0-65535 53-53  PS4  hits 21
13:  any  any  17 0-65535 53-53  P4
14:  172.31.98.0 255.255.254.0  172.31.98.0 255.255.254.0  6 0-65535 8081-8081  P4
15:  172.31.98.0 255.255.254.0  224.0.0.0 224.0.0.0  6 0-65535 8081-8081  P4
16:  172.31.98.0 255.255.254.0  any  6 0-65535 8081-8081  PS4
17:  any  any  6 0-65535 8081-8081  P4
18:  any  any  any  4  hits 42

Above, we see that DHCP traffic was automatically allowed for the user in the pre-auth role even though we did not specify it explicitly in the ACL.
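As an added example (not part of the original article and not Aruba code), the Python sketch below parses `show datapath acl` output in the format shown above and separates the automatically allowed DHCP/DNS permits from everything else a client in the pre-auth role can reach. The sample text is constructed, its entry 1 is an assumed rendering of the udp 69 rule, and reading the two port columns as source and destination ranges is an assumption drawn from the listing.

```python
import re

# Services the page says are allowed automatically in a pre-auth role (Note 1).
IMPLICIT = {(17, 67, 68): "DHCP", (17, 53, 53): "DNS"}
# Constructed sample; entry 1 is an assumed rendering of the page's udp 69 rule.
SAMPLE = """\
Datapath ACL 110 Entries
 1:  any  any  17 0-65535 69-69  P4  hits 3
 2:  any  172.31.98.1 255.255.255.255  6 0-65535 443-443  PSD4  hits 8
 3:  172.31.98.0 255.255.254.0  any  17 0-65535 67-68  PS4
 4:  any  any  17 0-65535 53-53  P4
 5:  any  any  any  4  hits 42
"""

def _addr(tok):
    """Consume 'any' or an 'ip mask' pair from the front of the token list."""
    first = tok.pop(0)
    return first if first == "any" else f"{first}/{tok.pop(0)}"

def parse_acl(text):
    """Parse the numbered entry lines of 'show datapath acl <n>' output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*)", line)
        if not m:
            continue  # title, flag legend or separator line
        tok = m.group(2).split()
        e = {"index": int(m.group(1)), "src": _addr(tok), "dst": _addr(tok)}
        proto = tok.pop(0)
        e["proto"] = None if proto == "any" else int(proto)
        # A numeric protocol is followed by source and destination port ranges.
        ports = [tok.pop(0), tok.pop(0)] if proto != "any" else None
        e["dports"] = tuple(map(int, ports[1].split("-"))) if ports else None
        e["flags"] = tok.pop(0) if tok else ""
        e["hits"] = int(tok[1]) if tok[:1] == ["hits"] else 0
        entries.append(e)
    return entries

def pre_auth_exposure(entries):
    """Split permitted entries into implicit DHCP/DNS and everything else."""
    implicit, other = set(), []
    for e in entries:
        if "P" not in e["flags"]:
            continue  # no P (permit) flag, so the entry denies
        key = (e["proto"],) + (e["dports"] or (0, 65535))
        if key in IMPLICIT:
            implicit.add(IMPLICIT[key])
        else:
            other.append((e["index"], e["proto"], e["dports"], e["flags"]))
    return implicit, other
```

Calling `pre_auth_exposure(parse_acl(SAMPLE))` returns the implicit service names and a list of the remaining permit entries (index, protocol number, destination ports, flags) to review against what unauthenticated clients are meant to reach.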

 

AnswerLT -
1. Pre-auth is a special role in Aruba Instant that allows the client some access before it completes authentication.
2. We can use it when we want the client to access network resources before it authenticates.
3. The pre-auth role will not work with 802.1x or PSK authentication.

Version history: Revision 1 of 1. Last update: 04-07-2015 10:15 AM