Security

Occasional Contributor II
Posts: 19
Registered: ‎05-02-2009

Multiple captive portals on one SSID


I was hoping that someone could look over what I've done and suggest ways to make it better... or explain how I'm actually re-inventing the wheel and could have done it in fewer steps.
We have a single SSID, call it 'guest' (and we only want to use a single SSID for this sort of thing).

What I want, though, is multiple captive portals accessible from this one SSID for, say, multiple simultaneous conferences in different locations.

I could have a 'menu' web page as the captive portal page with links to each conference CP but that requires users to know which conference they're at and I don't want to assume that level of cognitive ability.
So, I put together a configuration in Clearpass (my first as it happens) which does this:
1. Controller is configured with a logon role which does MAC authentication to Clearpass CPPM.

2. The associated Clearpass Service is 'Allow all MAC AUTH' and acts as a way of obtaining information such as 'AP Name' from the RADIUS request.

3. The Enforcement Policy for this Service says something like "if the Connection:AP-Name begins with AP-CONF1 then use Enforcement profile 'Conf1 Captive Portal'" or "if the Connection:AP-Name begins with AP-CONF2 then use Enforcement profile 'Conf2 Captive Portal'".

4. The 'ConfX Captive Portal' profiles send back the RADIUS attribute Aruba-User-Role with the value of 'confX-captive-portal-logon', where X represents a conference.

5. On the controller are matching user roles with L3 Captive Portal authentication profiles of 'Conf1', 'Conf2' etc. etc.

6. These Captive Portal profiles each have a Login Page URL entry corresponding to a Web Login page on Clearpass Guest.

7. Each Web Login page is specific to a particular conference.
Thus, when a client connects, Clearpass spots the AP Name and sends back a user role which corresponds to the conference being held using those APs. (In this example the APs are named for their buildings and we only have one conference at a time per building.) Then the client's web request is redirected to the captive portal for that conference.

The approach is a bit simplistic in its logic, but for each conference it requires:

1. An edit to the Enforcement Policy to add/remove the conditions

2. An Enforcement Profile

3. A user Role on the controller

4. An L3 Captive Portal Authentication profile on the controller

5. A Web Login page on Clearpass Guest.
Is there a more efficient and elegant way of doing this, preferably one that doesn't require steps 3 and 4? It would be nice if the Enforcement Policy could simply say 'If Name begins XXXX, send back generic-captive-portal-role' and then have a generic-captive-portal-role on the controller which redirects to a generic captive portal URL, and that page picks up some saved attribute associated with the MAC AUTH to say 'redirect to the appropriate Web Login'.
Mike
Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: Multiple captive portals on one SSID

I've done this in the past. Based on your requirements, that's the best way to do it.

You can create generic role names and captive portal profiles to make it easier:

User-role conf-a

Aaa authentication captive-portal conf-a

Makes it easier to track everything.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎05-02-2009

Re: Multiple captive portals on one SSID

Thanks for that. Good to know I'm on the right path.

Is it likely that a future version of Clearpass will implement a way to support multiple captive portals like this internally, without the need for special controller config?

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: Multiple captive portals on one SSID

It really has nothing to do with ClearPass. ClearPass can support thousands of captive portals.

Something that would make your policy a bit simpler would be to leverage AP group names instead of trying to match on individual names.

Also, something you could try on the ClearPass side would be using JavaScript to parse out the AP group from the URL redirect and do a conditional redirect to another page based on that value.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 382
Registered: ‎05-09-2013

Re: Multiple captive portals on one SSID

Tim,

Do you have an example of JavaScript code that works? I've been looking for generic code, but can't find anything reliable. Does Cisco WLC also send the AP name in the URL redirect? I'm hoping to accomplish this with a location-based captive portal based on AP naming.
Thanks.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
New Contributor
Posts: 3
Registered: ‎03-27-2017

Re: Multiple captive portals on one SSID

I have the exact same requirement of a location-based captive portal for Cisco and Aruba WLC. Apparently the Cisco WLC would append the AP MAC in the login URL. Could you make it work, and can you share the details?

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: Multiple captive portals on one SSID

Create a new generic page that all clients will be redirected to.

Add if/then statements to redirect the user to the correct page based on the apgroup URL parameter:

Example:

{if $apgroup == "SJ"}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/sj-reg.php">
{elseif $apgroup == "SF"}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/sf-reg.php">
{else}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/fallback-page.php">
{/if}

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
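The same conditional redirect done on the client side, as an added example that is not code from this thread or from ClearPass Guest: it reads the apgroup parameter from the redirect URL (falling back to the AP-name prefixes from the first post), picks the destination from a fixed allow-list so a tampered parameter can never make the page an open redirector, and carries the original query string over to the chosen login page. The host name and the page names are assumed placeholders.

```javascript
// Added example (not code from the thread or from ClearPass Guest): script for
// a generic landing page that reads the apgroup / apname parameters the
// controller appends to the captive-portal redirect and sends the browser to
// the matching conference Web Login page. Destinations come only from the
// allow-lists below, so a tampered parameter cannot turn the page into an
// open redirector. Host and page names are assumed placeholders.
const PORTAL_HOST = "https://clearpass.server";
const FALLBACK = PORTAL_HOST + "/guest/fallback-page.php";

// AP group -> Web Login page (the mapping the Smarty example above expresses).
const PAGES_BY_GROUP = {
  SJ: PORTAL_HOST + "/guest/sj-reg.php",
  SF: PORTAL_HOST + "/guest/sf-reg.php",
};

// AP name prefix -> Web Login page, mirroring the original poster's
// "Connection:AP-Name begins with AP-CONF1" condition (assumed page names).
const PAGES_BY_AP_PREFIX = {
  "AP-CONF1": PORTAL_HOST + "/guest/conf1-reg.php",
  "AP-CONF2": PORTAL_HOST + "/guest/conf2-reg.php",
};

// Pick the destination for one redirect URL. The original query string
// (mac, ip, url, ...) is carried over so the login page still receives it.
function pickPortal(redirectUrl) {
  let params;
  try {
    params = new URL(redirectUrl).searchParams;
  } catch (e) {
    return FALLBACK; // malformed URL: safe default, nothing carried over
  }
  let page = FALLBACK;
  const group = params.get("apgroup") || "";
  if (Object.prototype.hasOwnProperty.call(PAGES_BY_GROUP, group)) {
    page = PAGES_BY_GROUP[group];
  } else {
    const apname = params.get("apname") || "";
    const prefix = Object.keys(PAGES_BY_AP_PREFIX).find((p) => apname.startsWith(p));
    if (prefix) page = PAGES_BY_AP_PREFIX[prefix];
  }
  const qs = params.toString();
  return qs ? page + "?" + qs : page;
}

// In a browser, perform the redirect; under Node (tests) this is skipped.
if (typeof window !== "undefined" && window.location) {
  window.location.replace(pickPortal(window.location.href));
}
```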