Frequent Contributor II
Posts: 104
Registered: ‎02-25-2011

Captive portal - option to choose VLAN

Hi,

I'm trying to find a way to enable a user to choose which VLAN they connect to when connecting to one single SSID.

I'm open to suggestions on how to do this, but one way I thought of was to use a Captive Portal page.

The user connects to the page and then chooses a VLAN from a list.

I believe that this would require the use of the Change of Authorization functionality on RADIUS, so my main question is: with Windows NPS as RADIUS, can we do a Change of Authorization, and what else should we consider to enable this to work?

Any other suggestions on providing the described access control would also be appreciated.

Thanks

Frequent Contributor II
Posts: 113
Registered: ‎11-27-2012

Re: Captive portal - option to choose VLAN

Why would you want the user to choose a different VLAN each time he connects?

This is a contradiction to how the Aruba network access model is made to work.

Aruba believes in role-based network access. This means that the network access is derived based on the user or client device (or both). This is why you need to put all clients in a role which defines their allowed access in the network.

This way, a user can access the resources he needs no matter what VLAN the resources exist on.

-ACMX #352-
Frequent Contributor II
Posts: 104
Registered: ‎02-25-2011

Re: Captive portal - option to choose VLAN

This is a manufacturing environment. The devices on each VLAN are not allowed to talk to devices on other VLANs as they are very sensitive to broadcast/multicast traffic.

The operators of the devices need to access the manufacturing lines that are in all VLANs and they need to be on the VLAN that the line is on as some applications just use broadcast to find the host.

Currently, this is done by placing APs near the manufacturing lines with a separate SSID for each line.

I'd like to have one SSID per plant and use Aruba's functionality to get the user on the right VLAN when they connect.

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Captive portal - option to choose VLAN

You could do this a couple of ways depending on what the customer is prepared to do back end.

1. You could have separate user accounts for each line so the user logs in with the appropriate account and is automatically assigned to the correct VLAN. This could be an 802.1X authentication method. This may involve a lot more user accounts being created on their user DB (Active Directory???) which may not be desirable.

2. As you stated, you could ask the user on a captive portal page to specify the line they want to work on. This would assign a user-role which would have a specified VLAN assigned to it. The issue with this is that captive portal is a L3 authentication method, meaning the user is already assigned an IP address. You would need to specify a short DHCP lease on the initial VLAN which launches the captive portal, and the user would have to expect a disconnect before the connection became active. This would also rely on some captive portal customisation to get the options available.

David
ACDX #98 | ACMP | ACCP
Frequent Contributor II
Posts: 104
Registered: ‎02-25-2011

Re: Captive portal - option to choose VLAN

Hi David,

In regards to option 2 that you described: I thought that using the RADIUS Change of Authorization (CoA) functionality I could have the user re-authenticate when they selected the VLAN they wished to be placed on in the Captive Portal.

I have no experience with using CoA so I'm not sure it will work. Do you know of any particular reason that CoA wouldn't work in this scenario?

Thanks

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Captive portal - option to choose VLAN

RADIUS CoA would not cause the client to request a new IP address which would be required if they changed VLAN. I think you would still need a short DHCP lease time and the user to request a new IP address once the controller has assigned them the new VLAN.

David
ACDX #98 | ACMP | ACCP
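To make the CoA step the thread is discussing concrete, here is an added example, not code from this thread or from Aruba, of what a CoA-driven VLAN change looks like on the wire. It simulates both sides in Python: the "RADIUS server" builds a CoA-Request carrying the RFC 2868 tunnel attributes that NAS vendors use for VLAN assignment, and the "NAS" validates the Request Authenticator as RFC 5176 requires, looks up the session by User-Name, applies the VLAN, and answers with a CoA-ACK or a CoA-NAK carrying an Error-Cause. The shared secret, user name and session table are constructed sample values. Two practitioner points the code makes visible: a CoA packet with a bad or forged authenticator is dropped silently, not NAKed, so a mis-set shared secret looks like a timeout rather than an error; and, as David says above, nothing in the exchange touches the client's IP address, the NAS only changes its own authorization state for the session.

```python
"""RADIUS Change-of-Authorization (CoA) exchange carrying a VLAN assignment.
Packet layout per RFC 5176 (dynamic authorization) and RFC 2868 (tunnel attributes).
Both the RADIUS server and the NAS are simulated here; all values are constructed."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                 # packet codes, RFC 5176
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 64, 65       # attribute types
TUNNEL_PRIVATE_GROUP_ID, ERROR_CAUSE = 81, 101
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6              # RFC 2868 values
ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 402, 503      # Error-Cause, RFC 5176

def avp(attr_type, value):
    """Encode one attribute: Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    """Decode a run of attributes, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def vlan_attrs(vlan_id, tag=0):
    """The RFC 2868 triple commonly used for VLAN assignment. Tunnel-Type and
    Tunnel-Medium-Type are tagged integers (1 tag byte + 3 value bytes);
    Tunnel-Private-Group-ID is a tag byte followed by the VLAN ID as text."""
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def vlan_from_attrs(attrs):
    """Return the VLAN ID, or None. A first byte above 0x1F is data, not a tag."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID and v:
            try:
                return int((v[1:] if v[0] <= 0x1F else v).decode())
            except ValueError:
                return None
    return None

def build_coa_request(secret, identifier, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_coa_request(packet, secret):
    """NAS side: a wrong shared secret or a modified attribute fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Server side: the ACK/NAK must be bound to our request and our secret."""
    if (len(response) < 20 or response[1] != request[1]
            or struct.unpack("!H", response[2:4])[0] != len(response)):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def nas_handle_coa(packet, secret, sessions):
    """Simulated NAS: validate, find the session by User-Name, apply the VLAN.
    Returns CoA-ACK/CoA-NAK bytes, or None when the packet is silently dropped
    (RFC 5176: an invalid authenticator is discarded, not NAKed). Only the NAS's
    authorization state changes; the client keeps the IP address it already has."""
    if not packet or packet[0] != COA_REQUEST or not verify_coa_request(packet, secret):
        return None
    attrs = parse_attrs(packet[20:])
    user = next((v for t, v in attrs if t == USER_NAME), None)
    session = sessions.get(user.decode(errors="replace")) if user else None
    vlan = vlan_from_attrs(attrs)
    nak = lambda cause: build_response(COA_NAK, packet, secret,
                                       avp(ERROR_CAUSE, cause.to_bytes(4, "big")))
    if session is None:
        return nak(ERR_SESSION_NOT_FOUND)
    if vlan is None:
        return nak(ERR_MISSING_ATTRIBUTE)
    session["vlan"] = vlan
    return build_response(COA_ACK, packet, secret)

if __name__ == "__main__":
    SECRET = b"example-shared-secret"                      # constructed sample value
    sessions = {"operator1": {"vlan": 10}}                 # constructed session table
    req = build_coa_request(SECRET, 7, avp(USER_NAME, b"operator1") + vlan_attrs(20))
    ack = nas_handle_coa(req, SECRET, sessions)
    print("ack:", ack[0] == COA_ACK, "bound:", verify_response(ack, req, SECRET),
          "session vlan now:", sessions["operator1"]["vlan"])
```

Real deployments identify the session with whatever the NAS accepted at authentication time (Acct-Session-Id or Calling-Station-Id are common besides User-Name), and both the NAS and the RADIUS server must implement RFC 5176 dynamic authorization for any of this to happen; whether a given server product (NPS included) does is something to verify in its documentation rather than assume.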
Guru Elite
Posts: 19,960
Registered: ‎03-29-2007

Re: Captive portal - option to choose VLAN


lee_d_m wrote:

This is a manufacturing environment. The devices on each VLAN are not allowed to talk to devices on other VLANs as they are very sensitive to broadcast/multicast traffic.

The operators of the devices need to access the manufacturing lines that are in all VLANs and they need to be on the VLAN that the line is on as some applications just use broadcast to find the host.

Currently, this is done by placing APs near the manufacturing lines with a separate SSID for each line.

I'd like to have one SSID per plant and use Aruba's functionality to get the user on the right VLAN when they connect.

Why not use a single SSID that has a pre-shared key and use the approach here: http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/PSK-MAC-Address-based-VLAN-Steering/ta-p/85212

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Frequent Contributor II
Posts: 104
Registered: ‎02-25-2011

Re: Captive portal - option to choose VLAN

Unfortunately I don't think that will work. The devices are mostly laptops and the operator needs to be able to access any of the VLANs.

What they aren't allowed to do is access VLAN A from VLAN B etc., so when they are working on a machine line device that's on VLAN A, their laptop needs to be connected to VLAN A.

Thanks

Guru Elite
Posts: 19,960
Registered: ‎03-29-2007

Re: Captive portal - option to choose VLAN

So then, you have no choice. You are a prisoner of your network design.

Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 2
Registered: ‎09-24-2013

Re: Captive portal - option to choose VLAN

David,

Are you versed in CoA and the Captive Portal customization to handle VLAN override tagging from a RADIUS database?

Alex
