
Captive Portal on standby controller

  • 1.  Captive Portal on standby controller

    Posted Nov 27, 2015 06:19 AM

    Hi,

    I have a pair of M3 controllers in a master redundancy environment. So basically, all the work is performed by the active one.

     

    I have 380 APs and more than 3000 users always connected, more than 8000 per day, most of them using captive portal authentication, and so the CPU suffers a lot! The process most involved is httpd, so the captive portal I suppose.

     

    My question is, is it possible to move only the CP authentication on the standby controller, leaving all the other work on the active controller?



  • 2.  RE: Captive Portal on standby controller

    EMPLOYEE
    Posted Nov 27, 2015 06:21 AM

    The Standby cannot terminate any users or access points while it is a standby controller.  What version of ArubaOS are you running?  Have you considered trying to use 802.1x for some of your users?

     



  • 3.  RE: Captive Portal on standby controller

    Posted Nov 27, 2015 06:26 AM
    Hi Joseph,
    yes I was thinking about moving to 802.1X, since even now the
    authentication is made towards a RADIUS server. But I can't move now,
    that's why I was thinking to move the CP process to the standby controller.

    The AOS is a 6.4.3.5


  • 4.  RE: Captive Portal on standby controller

    EMPLOYEE
    Posted Nov 27, 2015 06:35 AM

    Do you think the controller is being overloaded?

     

    Type "show web-server profile" to see if "bypass cp landing page" is enabled.  Bypass cp landing page has the potential to decrease the load on your controller when using captive portal.  An explanation of the parameter is here:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/web-server.htm

     

    You can also type "show web-server statistics" to see the current load your web server is taking on:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/showwebserver.htm

     

    Typically your load is when users are authenticating or sitting at the Captive Portal page.  Once they authenticate, the web server load should be gone for that user.  You should really consider 802.1x so that you sidestep a great deal of the issues with Captive Portal and make your client traffic more secure. 



  • 5.  RE: Captive Portal on standby controller

    Posted Nov 27, 2015 09:57 AM
    Hi Joseph,
    yes the CPU is always high

    (Score) #show cpuload current
    Collecting System Statistics. This may take around 5 seconds.

    top2 - 09:44:01 up 1 day, 22:28, 2 users, load average: 3.16, 3.20, 3.27
    Tasks: 348 total, 10 running, 338 sleeping, 0 stopped, 0 zombie
    Cpu(s): 32.6%us, 1.9%sy, 0.0%ni, 65.0%id, 0.0%wa, 0.0%hi, 0.5%si, 0.0%st
    Mem: 1502772k total, 1257248k used, 245524k free, 37312k buffers
    Swap: 0k total, 0k used, 0k free, 488668k cached

      PID USER   PR NI VIRT  RES  SHR S %CPU %MEM     TIME+ COMMAND
    18303 root   25  0 4516  648  376 R   95  0.0   0:06.48 busybox
    18012 nobody 15  0 133m  10m 3728 S   19  0.7   0:02.14 httpd
    18092 nobody 16  0 133m  10m 3728 R   13  0.7   0:00.61 httpd
    18024 nobody 16  0 133m  10m 3728 R   12  0.7   0:01.45 httpd
    18023 nobody 17  0 133m  10m 3728 S   12  0.7   0:01.73 httpd
    18062 nobody 17  0 133m  10m 3728 S    9  0.7   0:00.68 httpd
    18028 nobody 16  0 133m  10m 3728 S    9  0.7   0:01.75 httpd
    18011 nobody 16  0 133m  10m 3728 S    8  0.7   0:00.49 httpd
    18020 nobody 17  0 133m  10m 3728 R    8  0.7   0:00.56 httpd
    18309 root   17  0 3988 1256  864 R    8  0.1   0:00.45 top2
    18063 nobody 16  0 133m  10m 3728 R    7  0.7   0:00.93 httpd
    18114 nobody 16  0 133m  10m 3728 S    7  0.7   0:00.79 httpd
    18106 nobody 15  0 133m  10m 3728 S    7  0.7   0:00.36 httpd
    18037 nobody 16  0 133m  10m 3728 S    6  0.7   0:01.02 httpd
    18030 nobody 16  0 133m  10m 3728 S    6  0.7   0:01.40 httpd
    18031 nobody 15  0 133m  10m 3728 S    6  0.7   0:01.02 httpd
     2122 root   16  0 154m  84m  33m S    5  5.8 319:16.20 auth
     2123 root   16  0 257m 176m  23m R    4 12.0 203:48.75 stm
    18014 nobody 16  0 133m  10m 3728 S    4  0.7   0:01.66 httpd


    mostly for the httpd process.


    This is the show web-server profile output


    (Score) # show web-server profile

    Web Server Configuration
    ------------------------
    Parameter                                      Value
    ---------                                      -----
    Cipher Suite Strength                          high
    SSL/TLS Protocol Config                        tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                             portal1.wifi.unipr.it
    Captive Portal Certificate                     portal1.wifi.unipr.it
    IDP Certificate                                default
    Management user's WebUI access method          username/password
    User session timeout <30-3600> (seconds)       3600
    Maximum supported concurrent clients <25-320>  50
    Enable WebUI access on HTTPS port (443)        false
    Web Lync Listen Protocol/Port Config           N/A
    Enable bypass captive portal landing page      false
    Exclude Security Headers from HTTP Response    false


    Kindest regards,

    Luca
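
A way to turn the two outputs posted above into numbers that can be compared before and after a configuration change, as an added example that is not part of the original thread. The function names are hypothetical, the inputs are shortened excerpts of the posted output, and the column-aligned profile layout is an assumption.

```python
import re
from collections import defaultdict
# Shortened excerpt of the "show cpuload current" output posted above.
CPULOAD = """\
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
18303 root 25 0 4516 648 376 R 95 0.0 0:06.48 busybox
18012 nobody 15 0 133m 10m 3728 S 19 0.7 0:02.14 httpd
18092 nobody 16 0 133m 10m 3728 R 13 0.7 0:00.61 httpd
18024 nobody 16 0 133m 10m 3728 R 12 0.7 0:01.45 httpd
"""
# Two rows of the posted "show web-server profile" output (alignment assumed).
PROFILE = """\
Parameter                                      Value
---------                                      -----
Maximum supported concurrent clients <25-320>  50
Enable bypass captive portal landing page      false
"""

def cpu_by_command(text):
    """Return {command: (summed %CPU, process count)} from top-style rows."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    start = next(i for i, f in enumerate(rows) if f[0] == "PID")
    cpu_i, cmd_i = rows[start].index("%CPU"), rows[start].index("COMMAND")
    totals = defaultdict(lambda: [0.0, 0])
    for f in rows[start + 1:]:
        if len(f) > cmd_i and f[0].isdigit():   # skip anything not a process row
            totals[f[cmd_i]][0] += float(f[cpu_i])
            totals[f[cmd_i]][1] += 1
    return {cmd: tuple(v) for cmd, v in totals.items()}

def parse_profile(text):
    """Return {parameter: value}, splitting on the gap between the columns."""
    out = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        # Ignore the header row and the dashed underline.
        if len(parts) == 2 and parts[0].strip("-") and parts[0] != "Parameter":
            out[parts[0]] = parts[1]
    return out

def summarize(cpu_text, profile_text):
    httpd_cpu, httpd_procs = cpu_by_command(cpu_text).get("httpd", (0.0, 0))
    prof = parse_profile(profile_text)
    return {
        "httpd_cpu": httpd_cpu,
        "httpd_procs": httpd_procs,
        "bypass_enabled": prof.get("Enable bypass captive portal landing page") == "true",
        "max_clients": int(prof.get("Maximum supported concurrent clients <25-320>", 0)),
    }
```

Calling `summarize(CPULOAD, PROFILE)` on captures taken at the same time of day before and after the change gives a like-for-like comparison of the httpd share.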


  • 6.  RE: Captive Portal on standby controller

    EMPLOYEE
    Posted Nov 27, 2015 10:04 AM

    Luca,

     

    You should consider enabling the bypass captive portal landing page:

     

    (Aruba7005-US) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z
    (Aruba7005-US) (config) #web-server profile
    (Aruba7005-US) (Web Server Configuration) #enable bypass
    <cr>


  • 7.  RE: Captive Portal on standby controller

    Posted Dec 05, 2015 05:46 AM

    Hi,

    I would like to try this solution in the next few days, but since there are thousands of users, I need to be cautious. Can that configuration lead to any problems? I have read the explanation but I don't fully understand the real impact for the user. Does the smartphone still automatically open the request to enter the credentials after associating to the SSID?

     

    Kindest regards,

    Luca



  • 8.  RE: Captive Portal on standby controller

    EMPLOYEE
    Posted Dec 05, 2015 06:20 AM

    There should be no difference.  Execute the command when you have a maintenance window.