
Guest access without captive portal but with passphrase?

  • 1.  Guest access without captive portal but with passphrase?

    Posted Aug 21, 2013 12:12 PM

    We are using an Aruba 3400 controller and OS 3.3.2.14. Right now we have guest access with captive portal. My boss wants to do away with captive portal for guest access, but have them enter a passphrase or password to get on the guest wi-fi network. I found a post on how to do guest access without captive portal but not how to do it while requiring a passphrase. Can this be done? Thanks.


    #3400


  • 2.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 21, 2013 01:33 PM

    Yes. If you want to remove the captive profile, please change the initial role to authenticated or any customized role, as the logon role contains the captive portal access.

     


    (Aruba_Controller) #show aaa profile default

    AAA Profile "default"
    ---------------------
    Parameter Value
    --------- -----
    Initial role logon =============> This needs to be changed.
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile N/A
    802.1X Authentication Default Role guest
    802.1X Authentication Server Group N/A
    L2 Authentication Fail Through Disabled
    RADIUS Accounting Server Group N/A
    RADIUS Interim Accounting Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    SIP authentication role N/A
    Device Type Classification Enabled
    Enforce DHCP Disabled

     

     

    Then go to the ssid-profile to set the pass-phrase key as shown below.

     

     

    (Aruba_Controller) #show wlan ssid-profile 802.1x

    SSID Profile "802.1x"
    ---------------------
    Parameter Value
    --------- -----
    SSID enable Enabled
    ESSID 802.1x
    Encryption wpa2-aes
    DTIM Interval 1 beacon periods
    802.11a Basic Rates 6 12 24
    802.11a Transmit Rates 6 9 12 18 24 36 48 54
    802.11g Basic Rates 1 2
    802.11g Transmit Rates 1 2 5 6 9 11 12 18 24 36 48 54
    Station Ageout Time 1000 sec
    Max Transmit Attempts 8
    RTS Threshold 2333 bytes
    Short Preamble Enabled
    Max Associations 64
    Wireless Multimedia (WMM) Disabled
    Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Enabled
    WMM TSPEC Min Inactivity Interval 0 msec
    Override DSCP mappings for WMM clients Disabled
    DSCP mapping for WMM voice AC 56
    DSCP mapping for WMM video AC 40
    DSCP mapping for WMM best-effort AC 24
    DSCP mapping for WMM background AC 8
    Multiple Tx Replay Counters Disabled
    Hide SSID Disabled
    Deny_Broadcast Probes Disabled
    Local Probe Request Threshold (dB) 0
    Disable Probe Retry Enabled
    Battery Boost Disabled
    WEP Key 1 N/A
    WEP Key 2 N/A
    WEP Key 3 N/A
    WEP Key 4 N/A
    WEP Transmit Key Index 1
    WPA Hexkey N/A
    WPA Passphrase N/A   ==================> Set the pass-phrase key over here.

     

    Thanks !



  • 3.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 21, 2013 03:25 PM

    Thanks, but forgive me, I'm not too good with the Aruba yet. I have a default AAA profile like you show, and also one for the Guest network. Do I make the changes to the default or Guest AAA profile? Also for the ssid-profile part, I have 3: a corporate one, guest, and default. I guess I'm not sure which profile to set the pass-phrase key on.



  • 4.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 21, 2013 03:29 PM

    To be clearer, if I enter

     

    show wlan ssid-profile

     

    I show 3 profiles:

     

    default

    ABCD-ssid-profile

    ABCD_GUEST-ssid-profile



  • 5.  RE: Guest access without captive portal but with passphrase?

    EMPLOYEE
    Posted Aug 21, 2013 03:57 PM

    To find out what AAA profile is attached to your WLAN, type "show user-table verbose" on the command line while some users are attached. (HINT: MAKE YOUR TERMINAL VERY WIDE BEFORE TYPING THAT). There will be a column called "profile" and that is the AAA profile that is attached to that user. That is what you should modify (probably not the default profile).



  • 6.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 21, 2013 04:05 PM

    Thanks cjoseph. I did that and see connections to the Guest AAA profile so I will change that one's role to "authenticated". I'm still wondering about the correct ssid-profile to change. I guess that would be the ABCD_Guest-ssid-profile and I would need to change the encryption from "opensystem" to "wpa2-aes" and then assign the WPA passphrase according to sriram's post above.



  • 7.  RE: Guest access without captive portal but with passphrase?

    EMPLOYEE
    Posted Aug 21, 2013 04:08 PM

    @johnpi wrote:

    Thanks cjoseph. I did that and see connections to the Guest AAA profile so I will change that one's role to "authenticated". I'm still wondering about the correct ssid-profile to change. I guess that would be the ABCD_Guest-ssid-profile and I would need to change the encryption from "opensystem" to "wpa2-aes" and then assign the WPA passphrase according to sriram's post above.


    It could be.  Here's how you find it:

     

    Go to Configuration> Wireless Lan> AP Configuration.

     

    Edit the AP Group that all of your access points are in.

     

    Expand Wireless LAN.  Expand Virtual AP of the WLAN you want.  The Virtual AP should have under it the SSID profile and the AAA profile that we located above.  Change the SSID profile as was suggested.

     



  • 8.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 21, 2013 04:13 PM

    Thanks cjoseph.  Probably better for me to stay out of the CLI if possible!  I'll make the changes after hours and post the results.  Thanks again for your quick responses.



  • 9.  RE: Guest access without captive portal but with passphrase?

    EMPLOYEE
    Posted Aug 21, 2013 04:16 PM

    johnpi,

     

    Some things, like configuring interfaces, are easier on the command line. Others, like manipulating an SSID profile, could be easier on the GUI. It is up to you.

     



  • 10.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 23, 2013 12:20 AM

    OK, I changed the initial logon role for the AAA profile to authenticated from guest-logon and it let me.  Then I went to the ssid-profile for the guest and when I tried to change it to wpa2-psk with AES encryption and entered the passphrase it gave me the error:

     

    Error processing command 'wlan ssid-profile "ABCD_GUEST-ssid-profile" opmode wpa2-psk-aes':Error: dot1x profile needs to be enabled in aaa profile "ABCD_GUEST-aaa-profile" to support opmode "wpa2-psk-aes" configured in ssid profile "ABCD_GUEST-ssid-profile"

     

    When I go to Security>Authentication>Profiles>AAA Profiles Tab and then to ABCD_GUEST-aaa-profile, it only has a dropdown menu called 802.1x Authentication Profile (which is currently set to N/A) with choices for:

    default

    default-psk

    ABCD-dot1x-profile

     

    Is this where I enable it and do I choose the ABCD-dot1x-profile?  sriram in the first reply above has 802.1x Authentication Profile as N/A in the config shown there.  Sorry I need this much hand-holding but I'm confused.  Thanks.

     

     



  • 11.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 23, 2013 12:40 AM

    Please choose the profile default-psk, and from the drop-down menu choose the role "authenticated" so that any users connecting to this profile will fall into the authenticated role. By default, you will see the logon role; please change it to authenticated.

     

    Once you have mapped the above profile, go back to the ssid-profile and set the pass-phrase to take care of it.

     

    Thanks much, and let me know if you still have concerns that I can help you with.

     



  • 12.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 23, 2013 12:55 AM

    Thanks, I chose default-psk from the drop-down, but do I choose the role "authenticated"  under Machine Authentication : Default Machine Role or Machine Authentication : Default User Role ?



  • 13.  RE: Guest access without captive portal but with passphrase?

    Posted Aug 23, 2013 01:23 AM

    I changed the Default User role and it worked.  Thanks to all of you for your help.
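
An added example, not part of any post in this thread and not Aruba code: a Python check that encodes the dependency behind the error in post 10 (a PSK opmode needs an 802.1X authentication profile in the AAA profile) together with the initial-role change from post 2. The profile text is constructed sample data, and the function names and the two-or-more-space column separator are assumptions.

```python
import re

# Constructed sample output (not captured from the thread's controller).
# Assumption: parameter and value columns are separated by 2+ spaces.
AAA_BEFORE = """\
AAA Profile "ABCD_GUEST-aaa-profile"
Parameter                           Value
---------                           -----
Initial role                        guest-logon
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
"""
# State after the fix from posts 11-13, derived from the sample above.
AAA_AFTER = AAA_BEFORE.replace("guest-logon", "authenticated").replace("N/A", "default-psk")
SSID_TARGET = """\
SSID Profile "ABCD_GUEST-ssid-profile"
Parameter       Value
---------       -----
Encryption      wpa2-psk-aes
WPA Hexkey      N/A
WPA Passphrase  ********
"""

def parse_profile(text):
    """Return {parameter: value} from 'show ... profile' style output."""
    params = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0] != "Parameter" and set(parts[0]) != {"-"}:
            params[parts[0]] = parts[1]
    return params

def audit_guest_psk(aaa, ssid, portal_roles=("logon", "guest-logon")):
    """Return (code, message) findings for a passphrase-only guest WLAN."""
    findings = []
    opmode = ssid.get("Encryption", "")
    if "psk" not in opmode:
        findings.append(("NOT_PSK", f"opmode '{opmode}' is not a PSK mode"))
    else:
        if ssid.get("WPA Passphrase", "N/A") == ssid.get("WPA Hexkey", "N/A") == "N/A":
            findings.append(("NO_KEY", "PSK opmode set but no passphrase or hexkey"))
        if aaa.get("802.1X Authentication Profile", "N/A") == "N/A":
            findings.append(("DOT1X_MISSING", "PSK opmode needs a dot1x profile in the AAA profile"))
    if aaa.get("Initial role") in portal_roles:
        findings.append(("PORTAL_ROLE", "initial role still sends clients to the captive portal"))
    return findings

if __name__ == "__main__":
    for label, aaa_text in (("before", AAA_BEFORE), ("after", AAA_AFTER)):
        print(label, audit_guest_psk(parse_profile(aaa_text), parse_profile(SSID_TARGET)))
```
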