Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

Hi All,

I have a deployment for an Aruba 3200 with an NPS server (running Windows 2012 and joined to AD) where end users need to log in via a captive portal using their AD username and password. I don't have ClearPass.

I am trying to configure it in such a way that when the end users log in, they need not re-enter the AD username and password when they log off their PC or go to lunch. I have tried tuning the "user idle timeout" but this issue remains.

I want the users to stay logged in regardless of whether they go to lunch, turn their PC off or on, or log off or log in to Windows. However, if the AD password expires then that is understandable.

After reading the below threads:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/How-to-do-mac-auth-for-devices-after-the-captive-portal/td-p/137845

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Guest-User-Re-Authentication-Issue/td-p/187138

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Captive-Portal-Reauthentication-Timer/m-p/132073/highlight/true#M9104

It sounds like I need MAC caching of some sort but this is available under ClearPass.

Is there any workaround I can use to go around this?

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

ClearPass is the only way to really solve your issue unless you move the clients to a certificate.
Thank You,
Troy

Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

Hi Tarnold,

Serious?

How about increasing the Station Ageout Time and User Idle Timeout values to the maximum?
Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

Yes, you can increase the session timeout but that is more of a patch than a fix. I have seen that cause more issues than fix the MAC caching. Some of the wireless guys can talk more on it.

The max you can set it to is 15,300 seconds.

Thank You,
Troy

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

I would not change the station ageout timers. You can play with the user idle timeout but it is not a stable solution for what you're trying to do.

As Troy said, you either need to use ClearPass to set up MAC caching or move to something more secure like EAP-TLS or EAP-PEAP.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

Hi guys, thanks for the feedback. I need to find a workaround for this little problem of mine. Just wondering if I can do this workaround: 1. If I am getting this correctly, I would create local users in the controller's local database instead of going through my RADIUS or NPS server. Then, for each user created, it was suggested that I set the account expiry to a later date. I see that there is a 'maximum expiration' and 'expiry' under each user attribute. Correct me if I am wrong, will this influence the frequency of users logging into the captive portal?
Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

Hi guys, I understand ClearPass is needed. But I am hoping for some kind input and suggestions on this. As of now, it is apparent that having the MAC address of the user's PC is required on the controller. When a user logs into the captive portal, is there a way to capture their MAC address and manipulate it for my use?
MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)


tvliew wrote:
Hi guys, thanks for the feedback. I need to find a workaround for this little problem of mine. Just wondering if I can do this workaround: 1. If I am getting this correctly, I would create local users in the controller's local database instead of going through my RADIUS or NPS server. Then, for each user created, it was suggested that I set the account expiry to a later date. I see that there is a 'maximum expiration' and 'expiry' under each user attribute. Correct me if I am wrong, will this influence the frequency of users logging into the captive portal?

That has no influence on the login on the portal; that affects how long the account can be used.

I understand your problem, but there simply is no way to solve this without doing MAC caching somewhere.

Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

Thanks guys for the inputs. I'm closing this case.
