Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x and captive portal

  • 1.  802.1x and captive portal

    Posted Jun 09, 2014 10:58 PM

    Hi,

     

    Is there any way to use captive portal in addition to 802.1x? We are using dot 1x authentication for our staff and students BYOD. Can we present a captive portal 802.1x authentication?

     

    We are using rule derivatives on the Aruba controller to assign roles and VLANs to staff and to students. We are planning to have a userid and password for guests to first do 802.1x authentication and then be presented with a captive portal to authenticate. Or, in another case, we have some kiosk machines which students can use to check their timetable. We want those machines to be connected using 802.1x so that they remain on the network, but user access can only be set using captive portal.

     

    thanks



  • 2.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Jun 09, 2014 11:00 PM
    You can use a captive portal for informational screens after an 802.1X authentication, but you can't really perform a web auth after 1X.


  • 3.  RE: 802.1x and captive portal

    Posted Jun 10, 2014 01:47 AM

     

    802.1x = L2 auth 

    Captive = L3 auth

     

    (Thanks to cjoseph)

     

    After successfully authenticating with the Captive Portal, the user role is then the "Default Role" specified in the Captive Portal authentication profile; the AAA profile is not in play when Captive Portal authentication is being done.

    When you are doing 802.1x in the AAA profile, the 802.1x profile is what a user gets, UNLESS you have a server derivation rule in the server group that overrides this (like if your RADIUS server returned an attribute). You are doing the right thing; you do not need to enforce machine authentication.

     

    Read here:

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/802-1x-with-Internal-Captive-Portal/td-p/12156

     

     

     

     



  • 4.  RE: 802.1x and captive portal

    Posted Jun 17, 2014 05:30 PM

    After successful authentication through 802.1x, the client gets a role, assigned through server derivative rules, which will hijack the client's session and present the captive portal. When the client browses, he is forwarded to the captive portal, and after successful captive portal authentication nothing happens. It sits there, and on the controller the role doesn't change.

     

    I am close but I don't know why after successful authentication on captive portal the role doesn't change on controller.

     

    Any advice?



  • 5.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Jun 17, 2014 05:34 PM
    Is this CPPM or controller captive portal?


  • 6.  RE: 802.1x and captive portal

    Posted Jun 17, 2014 05:37 PM

    Actually it is an external captive portal and it works just fine with other captive portal SSID. It is the 802.1x SSID I am having trouble with.



  • 7.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Jun 17, 2014 05:40 PM
    I don’t think you can do a captive portal authentication after an 802.1X auth because the user’s state is already authenticated.

    What are you trying to achieve with this? Why are you authenticating them twice?

    Sent from Surface Pro


  • 8.  RE: 802.1x and captive portal

    Posted Jun 17, 2014 05:52 PM

    We have several kiosk machines which we want to be connected to our wireless network. Suppose when a student browses to a website, he or she should be presented with the captive portal to log in with their respective username and password. When the machine is shut down, their session will be terminated on the controller, and hence when another user logs in, he should be presented with the captive portal again. But on the back end, the machines should be connected to our 802.1x protected SSID.

     

    Is it possible to achieve this? I don't want to have multiple SSIDs like different for 802.1x and one for captive portal.



  • 9.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Jun 17, 2014 07:24 PM

    Why bother with 802.1x?  Just have it use a Captive Portal....  OR, if it is a domain machine, just make the user log in to Windows with 802.1x credentials...



  • 10.  RE: 802.1x and captive portal

    Posted Jun 17, 2014 08:19 PM

    But then I have to create one more SSID with captive portal authentication, isn't it?

     

    At the moment we have two 802.1x SSIDs.



  • 11.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Jun 17, 2014 08:23 PM

    If you already have 802.1x, make the kiosk a Windows machine and make them log in to it; that way you will not need to create a separate Captive Portal SSID.

     



  • 12.  RE: 802.1x and captive portal

    Posted Jun 17, 2014 08:26 PM

    So this means that after 802.1x authentication it is not advisable to use captive portal as a second phase of authentication?



  • 13.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Jun 17, 2014 08:37 PM

    You could do that, but it is very clumsy.  If the kiosk manages to roam for whatever reason, the user will be logged out, because it will do 802.1x, and that will reset the initial role to Captive Portal.

     

    We had a customer who tried to do 802.1x with MACs and then have the users log in via captive portal, but on a roam, it would reset the user role to "logon" or captive portal and the user would have to log in all over again.  In addition, the user would have to log out so that nobody reuses their session.

     

    The question is, if it is a kiosk, who are you trying to keep out, or is there personalized content that you need to deliver to the user, that requires a login?



  • 14.  RE: 802.1x and captive portal

    Posted Oct 31, 2015 10:05 PM

    Hi Colin,

     

    Is it possible to use an open SSID to impose captive portal and authenticate using AD credentials? Once the end user provides their AD credentials on the captive portal, is it possible to redirect them to their specific VLAN depending on the AD security group?

     

    For example: if Paul is authenticated using his AD credentials and he belongs to the MS Student AD group, this user needs to fall in VLAN 10. In the same way, William is in the Staff group and he should fall in VLAN 20, and Sara belongs to HS Student and she should fall in VLAN 30.

     

    Just keep in mind that all our clients are Macs running the Yosemite and Mavericks OS. We are thinking about this solution because we are facing a lot of issues in our wireless environment. We have lots of wireless issues such as wifi disconnectivity, connection issues, internet speed and so on. We are using 802.1x authentication and using CPPM as the RADIUS server. Is this a known issue with the combination of Aruba and Mac OS X, or is this something wrong in our system?

     

    We can't figure out the cause of this so that we can rectify the issue. Please give us your thoughts on this.

     

    Regards,

     

    Paul.



  • 15.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Oct 31, 2015 10:20 PM

    It is difficult and unreliable using captive portal to switch VLANs after authentication.  Using 802.1x, the user gets the VLAN and IP address after authentication, so that is the way to go.

     

    If you have connectivity issues, you need to look at the wifi side of things, because 802.1x is the way to go.  If you have not, please open a TAC case in parallel to get to the bottom of your wifi issues.



  • 16.  RE: 802.1x and captive portal

    EMPLOYEE
    Posted Oct 31, 2015 11:22 PM

    Also, I am not discouraging you from posting here.  If you are having wifi issues, please open a new thread so that the community can try to help.