Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Providing guest & corporate access..

Hi Guys,

Let me get to the point directly:

The customer wants the following.

  1. Password-of-the-day for guest access.
    1. Receptionist to hand out username and password of the day if guest arrives and requires Internet access so they may log into a captive portal on Aruba.
  2. Single-signon with AD or RADIUS authentication
    1. Corporate users looking to log into the wireless network but with AD\RADIUS authentication.
    2. However, only selected corporate users identified through the AD\RADIUS server if username is part of a group, for example.
    3. Looking at logging in once where when they roam back into the network the following day, device will automatically join.
    4. If AD password expires after 90 days, need to login (understandable).
    5. Not looking to use certificates.
  3. Time-based usernames
    1. Can certain usernames on Aruba ClearPass be time-based. That means from 9am – 9pm, the username is allowed to login. Anything after that, they cannot.
  4. Customizable captive portal page
    1. And lastly, the ability to customize the captive portal page.

My questions:

Question for item (1): Does this feature come with the Aruba Mobility Controller 3200XM or do I need the Aruba ClearPass Guest?

Question for item (2): What products from Aruba are capable of this feature? If not possible, can we do with one of the following:

  • Manually import username into the Aruba solution.
  • Increase session timeout to the maximum possible (What is the maximum possible??)
  • Use WPA2-Enterprise?

Question for item (3): Can certain usernames on Aruba ClearPass be time-based where they are allowed access at certain time-ranges?

Question for item (4): How much degree of customization can be done?

Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Re: Providing guest & corporate access..

1.  Yes.

2.  ClearPass Policy Manager.  Yes.  Yes...indefinite.  Yes.

3.  Yes.

4.  A great deal...  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=12979



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Providing guest & corporate access..

Hi cjoseph,

Thanks for replying on a Sunday. If it isn't too much, I do have a few more questions:

1. For password-of-the day to work, if I use just the Aruba Mobility Controller (without ClearPass), would it be able to generate a username & password for guest password daily to a specific email address (say the receptionist) so that he\she would hand out to guests when they come?

2. For single-signon with AD\RADIUS:

  • if I use layer-3 authentication (captive portal), how would Aruba ClearPass know that the AD password has expired if I extend the session to indefinite?
  • if I use WPA2-enterprise, can I choose not to use the certificates?
Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Re: Providing guest & corporate access..

tvlview,

1.  You would have to set up the controller to point to your email server when guests are generated, so that passwords can be sent:

config t
guest-access-email
smtp-server <ip address of your email server>

You would then have to set up the controller to automatically send emails when guests are created:

config t
local-userdb send-to-sponsor

Last, but not least, you would need to have a script that automatically logs into the controller every day and creates an account with a random username and password.  The command below generates a random username, random password for a day and sends it to receptionist@company provided that you set up the email configuration above.

(controller) #local-userdb add generate-username generate-password sponsor-email receptionist@company expiry duration 1440

GuestConnect
Username: guest-5616811
Password: EGMg3916
Start date: Sun Jun 22 08:41:00 2014

Expiration: 1440 minutes



Colin Joseph
Aruba Customer Engineering
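
The daily script described in the reply above could be structured as follows. This is an added example, not part of the original post and not Aruba code; `run_cli` is a hypothetical callable standing in for whatever SSH session sends one command to the controller, and the sample output is the one shown in the post.

```python
import re
from datetime import datetime, timedelta

# Command quoted from the post; only sponsor address and duration are parameters.
CMD = ("local-userdb add generate-username generate-password "
       "sponsor-email {sponsor} expiry duration {minutes}")

# Sample controller output, copied from the post, used for offline runs.
SAMPLE_OUTPUT = """GuestConnect
Username: guest-5616811
Password: EGMg3916
Start date: Sun Jun 22 08:41:00 2014

Expiration: 1440 minutes
"""

FIELD_RE = re.compile(
    r"^(Username|Password|Start date|Expiration):\s*(.+?)\s*$", re.M)

def rotate_guest(run_cli, sponsor, minutes=1440):
    """Create the day's guest account and confirm the controller accepted it.

    run_cli (hypothetical) sends one CLI command and returns its text output.
    The password is not returned: the controller e-mails it to the sponsor,
    so the job's own logs never need to contain it.
    """
    # Refuse anything that could smuggle extra CLI input into the command.
    if not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+", sponsor):
        raise ValueError("sponsor address contains unexpected characters")
    out = run_cli(CMD.format(sponsor=sponsor, minutes=int(minutes)))
    fields = dict(FIELD_RE.findall(out))
    missing = {"Username", "Password", "Start date", "Expiration"} - fields.keys()
    if missing:
        raise RuntimeError(f"guest account not created, missing {sorted(missing)}")
    granted = int(fields["Expiration"].split()[0])
    if granted != minutes:
        raise RuntimeError(f"controller granted {granted} min, expected {minutes}")
    start = datetime.strptime(fields["Start date"], "%a %b %d %H:%M:%S %Y")
    return {"username": fields["Username"],
            "expires": start + timedelta(minutes=granted)}

if __name__ == "__main__":
    # Offline run against the constructed transport below.
    print(rotate_guest(lambda cmd: SAMPLE_OUTPUT, "receptionist@company"))
```

Raising on a missing field or an unexpected lifetime lets the scheduler flag a day on which no guest credential was issued.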


Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Re: Providing guest & corporate access..

2.  Extending Captive Portal users to indefinite will involve using mac caching and mac authentication every time the user associates to the captive portal.  When the user associates, the mac cache can check on the status of the username of the associated user in AD by checking on an LDAP attribute on that username to see if it is expired.

3.  802.1x requires at least the radius server certificate to be trusted on the client-side even if you are only using username and passwords (PEAP) for user connectivity.  You would also need a server certificate on the radius server, of course.



Colin Joseph
Aruba Customer Engineering
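
The MAC-caching decision described in the reply above, sketched as an added example that is not part of the original post and is not ClearPass's own logic. It assumes the LDAP attributes consulted are AD's `pwdLastSet` and `userAccountControl`, takes the 90-day lifetime from the original question, and uses constructed cache and directory data.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # AD counts 100 ns ticks from here
UF_DONT_EXPIRE_PASSWD = 0x10000                    # userAccountControl flag
MAX_PWD_AGE = timedelta(days=90)                   # the 90-day policy from the question

def to_filetime(dt):
    """Encode a datetime the way AD stores pwdLastSet."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def mac_auth_decision(mac, cache, directory, now):
    """Return 'allow' or 'portal: <reason>' for a device that just associated."""
    username = cache.get(mac.lower().replace("-", ":"))
    if username is None:
        return "portal: unknown device"
    user = directory.get(username)
    if user is None:
        return "portal: account not found"
    if user["pwdLastSet"] == 0:          # AD: must change password at next logon
        return "portal: password must be changed"
    never_expires = user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD
    if not never_expires and now - from_filetime(user["pwdLastSet"]) > MAX_PWD_AGE:
        return "portal: password expired"
    return "allow"

# Constructed sample data: the MAC cache (device -> user who last logged in
# through the portal) and the attributes an LDAP lookup would return.
NOW = datetime(2014, 9, 30, tzinfo=UTC)
CACHE = {"aa:bb:cc:00:00:01": "alice",
         "aa:bb:cc:00:00:02": "bob",
         "aa:bb:cc:00:00:03": "kiosk"}
DIRECTORY = {
    "alice": {"pwdLastSet": to_filetime(datetime(2014, 8, 1, tzinfo=UTC)),
              "userAccountControl": 512},            # 60 days old
    "bob":   {"pwdLastSet": to_filetime(datetime(2014, 6, 1, tzinfo=UTC)),
              "userAccountControl": 512},            # 121 days old
    "kiosk": {"pwdLastSet": to_filetime(datetime(2014, 1, 1, tzinfo=UTC)),
              "userAccountControl": 512 | UF_DONT_EXPIRE_PASSWD},
}

if __name__ == "__main__":
    for mac in CACHE:
        print(mac, mac_auth_decision(mac, CACHE, DIRECTORY, NOW))
```

A cached MAC address only identifies the device, so every decision here is re-derived from the directory state of the user who last authenticated on it.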


Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Providing guest & corporate access..

When I perform the below:

Extending Captive Portal users to indefinite will involve using mac caching and mac authentication every time the user associates to the captive portal.  When the user associates, the mac cache can check on the status of the username of the associated user in AD by checking on an LDAP attribute on that username to see if it is expired.

This option doesn't use ClearPass?

Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Re: Providing guest & corporate access..

Yes, it does.  There is no other direct interface into AD that the controller alone can do. It also cannot do flexible mac caching to allow you to make decisions about different types of users and how long before they next need to login.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Providing guest & corporate access..

Okay! I understand now. Thanks for the details!

Occasional Contributor II
Posts: 30
Registered: ‎06-21-2014

Re: Providing guest & corporate access..

Hi Joseph,

One more last question, if you may, do I need ClearPass Guest or ClearPass Policy Manager for the below:

Extending Captive Portal users to indefinite will involve using mac caching and mac authentication every time the user associates to the captive portal.  When the user associates, the mac cache can check on the status of the username of the associated user in AD by checking on an LDAP attribute on that username to see if it is expired.

Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Re: Providing guest & corporate access..

Yes. Both work in combination to provide the above service.


Colin Joseph
Aruba Customer Engineering
