Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Guest Access - Voucher Code

  • 1.  Aruba Guest Access - Voucher Code

    Posted Aug 06, 2013 05:21 AM

    We are looking to customise the captive portal on our Aruba guest solution and I wondered if anyone knew a way to have the page (and system) authenticated based only on 1 'voucher code'?

     

    At the moment it uses a 'username' and 'password' either automatically generated or specified by the guest administrator but we would like to change this so that the landing page just asks for 'Voucher Code' only and therefore guest administrators only create 1 voucher code for any one event with a specified concurrency.

     

    Is this possible on the Aruba system? If anyone has any suggestions I would be extremely grateful.

     

    Thanks

    SW

     

     



  • 2.  RE: Aruba Guest Access - Voucher Code

    Posted Aug 21, 2013 02:36 AM

    One way to do this would be to create a single user called "voucher" or something like that.

    Then you can create custom HTML for your captive portal where the username field is hidden in the web form.

    See the code below for example HTML. The code is untested, but should work more or less ;)

     

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body>
    <!-- The username is fixed to "voucher" and hidden; the guest types only the password -->
    <form name="form1" method="post" action="/auth/index.html/u">
    <input type="hidden" id="user" name="user" value="voucher" accesskey="u" />
    <input type="hidden" name="cmd" value="authenticate" />
    <input type="password" id="password" name="password" />
    <input type="submit" name="Login" value="Login" />
    </form>
    </body>
    </html>

     

    This will show a page with only a password input and a button. The password should be what you enter as the password for the "voucher" user in your DB :)



  • 3.  RE: Aruba Guest Access - Voucher Code

    Posted Aug 22, 2013 03:56 AM

    Hi Nesvik,

     

    This is great, thanks very much for your reply...that code works great!

     

    I'm actually going to swap it around though so that the Username is the unique identifier and not the password (so that at least in the back-end DB we can track a user by username, not just by password given that all usernames would be 'voucher') :)

     

    I did have one question though, if I do that, would you have any suggestions of how to customise the back-end guest provisioning system in Aruba to mean that the guest password was coded as always the same (and hidden on the form from administrators)?

     

    I really appreciate your help on this by the way.

     

    Thanks

    SW



  • 4.  RE: Aruba Guest Access - Voucher Code

    Posted Aug 22, 2013 04:08 AM

    I don't think it is possible in the Aruba back-end as far as I know, to set a default password.

    Also if you do this, anyone who knows how to right-click->"Show source" will be able to read the password in cleartext which is never a good thing :)

    But I don't understand completely.. you want a single voucher code for login, but still want to be able to track a user by username?
    If you need individual usernames, it kind of defeats the need for a single voucher code?



  • 5.  RE: Aruba Guest Access - Voucher Code

    Posted Aug 22, 2013 04:14 AM

    Yes I'd thought about the show source in cleartext but I'm looking to see if I can hide the HTML attribute in the code which may help with this.

     

    Basically I want to be able to create multiple voucher codes (usernames) but with no passwords, so basically then it is just 1 generated code per user instead of 2 in effect, simplifying the process slightly and turning it into a more 'hotel like' solution. In that sense we can track individual users by their generated user id, password is then irrelevant if that makes sense...? :)



  • 6.  RE: Aruba Guest Access - Voucher Code

    Posted Aug 22, 2013 04:39 AM

    It is not possible to hide the HTML attribute completely, but you can look into obfuscating it. This often relies on JavaScript and will only make it harder to get the password, but it will be there and the script used for obfuscating will be there too as it will need to be parsed by the user's browser.

     

    What you want to do probably needs an external solution to enter the password automatically.

    It would require a different tool to create the vouchers in a database or directory (AD) where the tool (script) creates the same password and the user only needs to enter the username.

    This could be done with a PowerShell script talking with AD in a Windows environment and using IAS for RADIUS authentication instead of using the internal Database. This way your admins would run the script, enter the username and it is done.

     

    If you don't know how to create and manage this kind of system, or you don't have the environment required, it should not be too difficult for your administrators to remember to put the same password each time they create a new user (voucher), and it probably takes 3 seconds of extra time. Since this is a voucher system, it is probably not an unmanageable amount of administration?



  • 7.  RE: Aruba Guest Access - Voucher Code

    Posted Aug 22, 2013 04:56 AM

    Ok sure, understood, thanks for your advice :)

     

    I just have one more question I think, I've altered the code around slightly so that it would allow the password field to be hidden and the user field be the 'voucher code' now but for some reason it's not authenticating. The code now looks like this:

     

     

    <form name="form1" method="post" action="/auth/index.html/u">
    <input type="hidden" id="password" name="password" type="password" value="password1"
    accesskey="u" />
    <input type="hidden" name="cmd" value="authenticate" />
    <input type="password" id="user" name="user" />
    <input type="submit" name="Login" value="Login" />
    </form>

     

    Any ideas on if I'm doing something wrong here?

     

    Thanks

    SW
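
The point made in replies 4 and 6, that a value placed in a hidden form field is delivered in cleartext to every client, can be checked mechanically before a portal page is deployed. The following is an added example, not code from the thread or from Aruba: a small Python audit that flags hard-coded credentials in hidden inputs and repeated attributes on one element (browsers keep only the first). The names `PortalFormAudit`, `audit_portal_html` and `CREDENTIAL_FIELDS` are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Field names treated as credentials: the names used by the forms in this thread.
CREDENTIAL_FIELDS = {"user", "password"}

# Constructed sample: the form from the last post, copied unchanged.
SAMPLE = """\
<form name="form1" method="post" action="/auth/index.html/u">
<input type="hidden" id="password" name="password" type="password" value="password1"
accesskey="u" />
<input type="hidden" name="cmd" value="authenticate" />
<input type="password" id="user" name="user" />
<input type="submit" name="Login" value="Login" />
</form>
"""

class PortalFormAudit(HTMLParser):
    """Collects findings about <input> elements in a captive portal page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        effective, duplicated = {}, set()
        for name, value in attrs:
            if name in effective:
                duplicated.add(name)      # repeated attribute: first value wins
            else:
                effective[name] = value
        field = effective.get("name") or ""
        for name in sorted(duplicated):
            self.findings.append(("duplicate-attribute", field, name))
        hidden = (effective.get("type") or "").lower() == "hidden"
        if hidden and field.lower() in CREDENTIAL_FIELDS and effective.get("value"):
            self.findings.append(("hardcoded-credential", field, effective["value"]))

def audit_portal_html(html):
    """Return a list of (finding, field name, detail) tuples for the page."""
    parser = PortalFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit_portal_html(SAMPLE):
        print(finding)
```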