Occasional Contributor II

Acceptable use page for guest access without login

Hello, I have one Aruba 3400 controller running OS 3.3.2.14.  For guest access we are currently using a captive portal page that requires a username and password.  We are switching to WPA2 authentication with passphrase for guest access, but we need to have the guest users click on an accept button on a terms of use type page.  From looking at the forum, it seems that this is built in on 3.4 but I'm running 3.3.x.  I have the WPA part configured and working but after entering the passphrase they can go straight to the internet.  I need to set it up to show the acceptable use page with accept button before they can browse the internet.  Any help is appreciated. 

Occasional Contributor II

Re: Acceptable use page for guest access without login

I found this in another post:

 

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-154.

 

It looks like what I need but I'm not sure if I meet the 4 Assumptions mentioned and how to implement it.

Frequent Contributor II

Re: Acceptable use page for guest access without login

You need to have the captive portal mapped on your initial role (look at your AAA profile; you're using the initial role since you're not authenticating your user; PSK is not authentication).

After you get the captive portal displayed, the user accepts the AUP; by default they will be placed in the guest role.

 

David Dipert
Occasional Contributor II

Re: Acceptable use page for guest access without login

Thanks ddipert.  I went to security>Authentication>Profiles and then to the AAA profiles tab, and clicked on ABCD_GUEST-aaa-profile and changed the initial role from Authenticated to ABCD_GUEST-captiveportal-profile and applied the config.  Then I connected to the guest wi-fi and it let me right on and I browsed to the internet with no accept page.  Guests used to have to provide a username and password at the captive portal.  I didn't change anything with the captive portal.  I just changed over to WPA2 with passphrase.  Do I need to make changes to the captive portal?  I know I will need to upload custom text for our page but I thought there is a default page in there.

Frequent Contributor II

Re: Acceptable use page for guest access without login

Need to make the required changes to the captive portal or create a new captive portal to reflect the box with an "I Accept".

The 2nd part is to map the captive portal to the role.

Go to: config->access control->ABCD_GUEST-captiveportal role

Edit the role, look for "captive portal profile", and use the drop-down to find the captive portal you created/modified. Click "change", then apply. See the screen shot provided.

 

This is off topic but why are you on such old code? 

David Dipert
Occasional Contributor II

Re: Acceptable use page for guest access without login

OK, I went into the document from that link I posted above. Of the 4 requirements listed:

Assumptions

The following assumptions apply to the configuration example:

  • A valid Policy Enforcement Firewall (PEF) license is installed.
  • The software version on the controller is 3.x.
  • The VLAN 100 and DHCP servers of the Captive Portal users are already defined.
  • The SSID profile "public" with essid "public" is already defined.

1. I have the PEF license installed.

2. The software is 3.x

3. I don't have VLAN 100 defined.  We use VLAN 900 for our guest network so I guess I would reference VLAN 900 instead of VLAN 100 in the configs provided.  We use VLAN 100 elsewhere on our wired network.

4. How do I make a SSID profile "public" with essid "public" ?

 

I did the config listed up to step 6.  I guess my question is how do I define an SSID profile "public" with essid "public"?

Occasional Contributor II

Re: Acceptable use page for guest access without login

Thanks again, we are out of support.  Don't you need a support contract to get new OS versions?

Occasional Contributor II

Re: Acceptable use page for guest access without login

I changed the captive portal profile for the role as you suggested.  I also have a role called cp-logon.  Do I need to change anything for that too?

Frequent Contributor II

Re: Acceptable use page for guest access without login

Yes you would need a support contract to upgrade. I don’t recommend running without a support contract. But that’s your business.

 


What we are dealing with is that the role that is assigned to a user when they associate to your SSID (the initial role) needs to have a captive portal on the role. Inside the role the policy should be logon-control & captive portal.

The policy will allow basic network access (DNS, DHCP, etc.) and the captive portal will redirect the user to the captive portal page.

 

cp-logon might be a better initial role if the policies are correct. 

David Dipert
Occasional Contributor II

Re: Acceptable use page for guest access without login

Thanks again.  I think I'm close with that config example from Aruba.  I'm piecing things together in the CLI but I just ran out of time in my maintenance window so I'll have to revisit later.  I agree with you on the support contract.  I'd love to have it again but unfortunately I don't control the $$$ around here!
