Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Iap and cppm, a single ssid with different authentication pages by circumstance (time)

  • 1.  Iap and cppm, a single ssid with different authentication pages by circumstance (time)

    Posted Feb 04, 2017 12:06 PM

    Hello,
    I have a demo platform for a solution made up of IAP and CPPM 6.6.
    The integration between both was made by a RADIUS-specific profile for the Aruba platform, and everything works well up to that point.

    The problem is how to make a single SSID, for example ssid: visits, that can redirect the URL using a self-service portal and deploy a web page with specific settings up to a certain time of day, for example: http://ipaddcppm/guest/Abc.php; and after a specific time and date have elapsed, display another registration page with another self-service + sponsor type configuration, for example: http://ipaddcppm/guest/123.php

    I could see for reference the following 2 cases attached:


    http://community.arubanetworks.com/t5/Security/Cisco-URL-Redirect/td-p/202713

    http://community.arubanetworks.com/t5/Security/Different-captive-portal-for-each-SSID/m-p/96149#M6761

    For the first case I already tried almost all the options available in the RADIUS profile to modify this variable, and I could not find the correct one. I find it hard to believe that for integration with Cisco WLC it is so easy to make a change in the destination URL for registration, and that it is sorted from the RADIUS server CPPM; and that for the IAP there is no direct modification option sent from CPPM.

    For the second case, I do not know the configuration by PHP, which I understand is what is used, but I do not see how I can compare the time variable and make a decision through this information, to know which page should be presented.

    Thanks for the prompt help and assistance with this case.



  • 2.  RE: Iap and cppm, a single ssid with different authentication pages by circumstance (time)
    Best Answer

    Posted Feb 06, 2017 07:39 AM

    Hello Yiosep, like I was telling you on Saturday, try this:

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Time-Based-Guest-Registration/ta-p/246002

     

    Maybe that is what you are looking for?

    Let us know if that is

     

    Cheers

    Carlos



  • 3.  RE: Iap and cppm, a single ssid with different authentication pages by circumstance (time)

    Posted Feb 13, 2017 04:02 PM

    hi cdelarosa,

    Thank you very much for the help information, correct answer ;)



  • 4.  RE: Iap and cppm, a single ssid with different authentication pages by circumstance (time)

    Posted Feb 14, 2017 05:49 AM

    While that solution works, it's an old-school way (as in Amigopod) of doing that instead of using the CPPM functionality.

     

    Build your guest solution using MAB, a server-sided login method that returns a role during MAC auth, which enforces different roles with different captive portals. This way you have one way to do everything instead of smarty-code hidden within one or more portals.

     

    Besides, doing guest using server-sided login is something you already should be doing to avoid having public HTTPS certificates on your controller/IAPs.

     

    Example of the enforcement profile in the attached screenshot

    Here you should also be able to use in_range 08:00:00,15:59:00, though I haven't tried it

    14.02.jpg