Occasional Contributor I
Posts: 5
Registered: ‎10-13-2011

Captive portal using radius server

Hi all,

I'm trying to set up a captive portal using a Microsoft NPS RADIUS as the authentication server.

I've seen previous messages in the forum suggesting permitting PAP in the NPS configuration to get this working. I've tested PAP and it works, but since PAP is unencrypted, is there any way of using CHAP?

There is a use-chap command in the captive portal profile, but using it doesn't work.

Any ideas?

Greetings,

Jose

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Captive portal using radius server

The CHAP in the profile does not correspond with the CHAP in the Remote Access Policy. Using HTTPS on the web page will encrypt the traffic between your user and the controller, and yes, it is cleartext from the controller to the RADIUS server. You can solve the encryption issue by using WPA2-AES on your clients, if that is the case.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
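To illustrate the PAP versus CHAP point raised in this thread, here is an added example (my own, not code from the thread, from Aruba or from Microsoft) of the two RADIUS password methods as defined in RFC 2865: the shared secret, password and authenticator values are constructed, and SHA-256 stands in for whatever one-way hash the user directory actually stores. It shows why PAP can be checked against a hashed password store while CHAP requires the server to hold the cleartext password.

```python
import hashlib

# Constructed sample values for this illustration (not from the thread).
SHARED_SECRET = b"example-radius-secret"
PASSWORD = b"Jos3sPassw0rd"


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, used when the NAS sends PAP.

    The password is null-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous block), seeded by the Request Authenticator.
    That is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The RADIUS server reverses the hiding and ends up with the cleartext."""
    password, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        password += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return password.rstrip(b"\x00")  # drop the null padding


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 section 5.3: CHAP-Password = MD5(id + cleartext + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def directory_hash(password: bytes) -> bytes:
    """Stand-in for whatever one-way hash the user directory stores (assumed SHA-256)."""
    return hashlib.sha256(password).digest()


def server_verifies_pap(hidden: bytes, secret: bytes, authenticator: bytes, stored_hash: bytes) -> bool:
    """PAP works against a one-way hash: the server recovers the cleartext and hashes it."""
    return directory_hash(pap_reveal_password(hidden, secret, authenticator)) == stored_hash


def server_verifies_chap(chap_id: int, response: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """CHAP needs the cleartext (reversibly stored) password to recompute the digest."""
    return chap_response(chap_id, stored_cleartext, challenge) == response
```

Anyone holding the shared secret and the captured packet can run pap_reveal_password, which is why the controller-to-server hop is treated as cleartext unless it is protected by other means (RadSec or IPsec between controller and NPS).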

Occasional Contributor I
Posts: 5
Registered: ‎10-13-2011

Re: Captive portal using radius server

Hi,

The issue is between the controller and the RADIUS servers. The server administrators are refusing to deploy a clear-text authentication...

So, maybe there is some other solution? I've tried LDAP, with no luck, and haven't found a guide on how to configure it, apart from the Aruba OS guide, which is quite general.

Greetings and thank you,

Jose
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Captive portal using radius server

Again,

Why not deploy something like WPA2-AES encryption on your domain clients, and that will deal with a whole host of issues (including security) at the same time...? Is that not an option?

Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 5
Registered: ‎10-13-2011

Re: Captive portal using radius server

Ok, maybe I missed the explanation.

We already have a WPA2-AES VAP with both machine and user authentication. The problem comes with non-Windows clients (iOS, Android), or Windows clients that are not part of our corporate AD. I would prefer not to deal with them, but I have no choice. And also with some equipment with no users at all (electrocardiographs, for example).

So, the solution I thought about was a VAP with WPA2-PSK, with:

 - some ACLs permitting traffic to those servers used by that kind of equipment.

 - a captive portal, with both RADIUS and the internal database for authenticating users.

My aim is not to deploy many VAPs. We already had three VAPs previously: voice, corporate equipment, and guest access. So I would like to integrate both solutions (non-802.1X equipment and other OSs) in only one more VAP, which is why I thought of this solution. I would also like to keep a simple configuration that could meet the requirements of the other vendors' controllers I have at other sites, and have a similar WLAN deployment to make support easier.

I would appreciate your thoughts about this question,

many thanks,

Jose

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Captive portal using radius server

Okay. A customer just did this recently:

I am assuming that you are using group policy to push the wireless configuration to your domain laptops. In the group policy for your wireless, under Advanced, there is an option to use computer and user authentication. If you change that option to "computer only", your domain devices will connect only with their computer credentials, not as a user.

In the 802.1X profile for your WLAN you can turn on "Enforce Machine Authentication". You would then configure the Machine Authentication Default Machine Role to something "allow all" like authenticated. You can then set the Machine Authentication Default User Role to "guest", and have the guest VLAN hardcoded into the guest role.

Here is how it will work:

Devices that authenticate with their machine credentials get onto the network just fine. Devices that only use user credentials, like handhelds and non-domain devices, will authenticate but get switched to the guest VLAN, already authenticated. They will not have to see a captive portal, and that will deal with your encryption situation as well, without having to deploy an additional WLAN.

For devices that do not support the encryption you already have out there, you will unfortunately have to create a different WLAN.

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 520
Registered: ‎05-11-2011

Re: Captive portal using radius server

Nice implementation, but guest networks typically are open and unencrypted, right? Meaning you put your devices - which sync email and whatever else that contains company stuff - on this network where "anyone" entering your reception area can get access to.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Captive portal using radius server


jsolb wrote:

Nice implementation, but guest networks typically are open and unencrypted, right? Meaning you put your devices - which sync email and whatever else that contains company stuff - on this network where "anyone" entering your reception area can get access to.

Not true. All the traffic will be encrypted over the air for everyone who uses WPA2-AES. The devices that are moved to the "guest" VLAN will still have their traffic encrypted over the air.



Colin Joseph
Aruba Customer Engineering
