Wired Intelligent Edge


captive portal and MAS

  • 1.  captive portal and MAS

    Posted Aug 15, 2015 05:20 PM

    Is it possible to configure the MAS as the gateway of a guest VLAN so that everything on that VLAN gets captive portal authentication?

    Something like a Nomadix, where the Nomadix is the gateway of that VLAN and everything on that VLAN gets captive portal auth?

    I was looking at the manual, but it seems that you apply the initial role to the physical port... It doesn't look like I can do what I want to, but I could still be wrong.

     

    Anyone?

     

    Cheers

    Carlos



  • 2.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 05:22 PM
    Since it's tied to user state in the user-table, I think it would work.


    Thanks,
    Tim


  • 3.  RE: captive portal and MAS

    Posted Aug 15, 2015 05:26 PM

    Any idea of how the config would look?

    I would like to put a VLAN which has the captive portal on the MAS, trunk that VLAN to an Instant AP, and bring up the MAS captive portal on my Instant with an open network; or it could be a Linksys or anything. I would like everything on that VLAN to get the captive portal.

     

    Like I said, I was looking at the config, but it looks like you attach the initial role to the physical port, so I'm kind of lost on how you would do this.

     

    Cheers

    Carlos



  • 4.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 05:33 PM

    Carlos,

     

    Please see the ASE recipe here:  https://ase.arubanetworks.com/solutions/id/28



  • 5.  RE: captive portal and MAS

    Posted Aug 15, 2015 06:12 PM

    Hello Collin

    Thanks for the link

    I already saw it before, but still, this just attaches the initial role, which redirects you to the captive portal, to a physical port.

     

    I'll give you an example of what I want to achieve. I want to use the MAS captive portal with Aruba Instant or any other random AP brand (which is not necessarily connected to the Mobility Access Switch).

    Example:

     

    Let's say I've got a small network with 1 MAS and 1 D-Link switch.

    I've got VLAN 100, which is the corporate wireless network.

    I've got VLAN 50, which is the guest VLAN, and the default gateway is on the Mobility Access Switch.

    For example, if I connect this Instant AP to port 0/0/1 and I trunk VLAN 100 and VLAN 50 to the Instant AP, I believe I would get the captive portal even on my 802.1X SSID, because it will assign this captive portal role to anything that is connecting to that port, and I don't want that. I just want to assign it to VLAN 50, not to VLAN 100, not to anything that connects to that 0/0/1 port. I'm connecting it to the same port, but I just want the captive portal on one VLAN, not on both.

     

    I don't know if you are getting what I'm trying to do? Maybe my English is not good enough and I'm confusing you about what I'm trying to achieve.. :( 

     

     

    Cheers

    Carlos



  • 6.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 06:20 PM

    You can add an AAA profile to a VLAN, then make the VLAN untrusted.

     

    http://www.arubanetworks.com/techdocs/ArubaOS_7_Web_Help/Default.htm?_ga=1.159382458.161686765.1439664329#mas_guides/1command_List/vlan.htm

     

    "Note that this profile will only take effect if the VLAN and/or the port on the switch is untrusted. If both the port and the VLAN are trusted, no AAA profile is assigned."  So only make the VLAN untrusted, and trunk that to the switch from the IAP.



  • 7.  RE: captive portal and MAS

    Posted Aug 15, 2015 06:35 PM

    How can I make the VLAN untrusted???

    It doesn't seem to support that command.

    I can certainly make the port untrusted, but I cannot make the VLAN untrusted... or at least I don't see the command.



  • 8.  RE: captive portal and MAS

    Posted Aug 15, 2015 06:41 PM

    I mean you can do it on the controller, as it accepts the trusted vlan command on the port, but I don't see that command on the MAS, unless it is another one???



  • 9.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 06:54 PM

    Unfortunately, you cannot apply an AAA profile to a VLAN unless the physical port that the VLAN is on is untrusted:

     

    http://www.arubanetworks.com/techdocs/ArubaOS_7_Web_Help/Default.htm?_ga=1.159382458.161686765.1439664329#mas_guides/aaa_authentication/AAA_Authentication_Profi.htm

     

    "The AAA profile can be applied on a global or per port or per VLAN basis, but only if the port is marked as un-trusted."

     

    Sorry about that.

     



  • 10.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 06:58 PM
    Yes you would have to force traffic to flow through that port for this to work. So the switch/port would have to be between the client and its default gateway.


    Thanks,
    Tim


  • 11.  RE: captive portal and MAS

    Posted Aug 15, 2015 07:01 PM

    So what I want to do is not possible with the Aruba switch? :( 

     

     



  • 12.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 07:05 PM

    Why don't you set up the captive portal on the IAP, then?

     



  • 13.  RE: captive portal and MAS

    Posted Aug 15, 2015 07:12 PM

    Well, it would be nice to have a captive portal which is time-based.

    Instant does not have time-based (and there are some clients which have Aruba switches and Instant that could use this).

    Another reason would be to be able to use ClearPass Guest through it without caring too much about the config on the 3rd-party, non-Aruba controller (which is kind of complicated when you do not manage the other brand; it would make it easier). I know there are manuals for Motorola, Cisco, etc., but there are random Wi-Fi brands (Allied Telesis, for example) for which there are no manuals on how to do that. 

     

    Cheers

    Carlos



  • 14.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 07:19 PM


  • 15.  RE: captive portal and MAS

    Posted Aug 15, 2015 07:25 PM

    Hello Colin

    When I say the time range, I mean for the guest user.

    On the Instant captive portal you can just create a user, but you cannot say that the user will expire in 3 days.

    That user will be there until you delete it.

     

    On the MAS you are able to decide when that guest user will be deleted from the internal database.

     

    I was not referring to the PoE.

    Sorry if my bad English made you understand something else!



  • 16.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 07:28 PM

    Carlos,

     

    No problem.

     

    You said the right thing.



  • 17.  RE: captive portal and MAS

    Posted Aug 15, 2015 07:29 PM

    I'll try to do what you said, Tim, this week.

    Hopefully it will work just fine.

    I cannot test it right now, as at home I've just got one S1500P.

     

    Cheers

    Carlos



  • 18.  RE: captive portal and MAS

    Posted Aug 15, 2015 08:37 PM
    Collin or Tim, last questions.
    If this works fine, is this a supported scenario?
    Who would I need to ask about this? And how many users would an S1500 be able to authenticate this way?

    I mean with the MAS alone using its internal database, and also if I just use the S1500 to talk with ClearPass to authenticate guest users on a guest VLAN for APs of other brands? Is this a question for MAS product management?


  • 19.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 08:46 PM
    It would likely not be “officially” supported.



    The scaling limit would be the max MAC table and/or user-table entries.


  • 20.  RE: captive portal and MAS

    Posted Aug 15, 2015 10:00 PM

    Hello Tim

    Sadly it seems the limit is another one, unless they have changed it with the newest firmwares.

     

    Check this out.

    This guy wanted to do the same, or at least that's what I understood.

     

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Practical-Limits-to-S2500-and-S3500/td-p/200057

     

    Looks to me that the limit is 472.

     

    Did you know this? Did the limit change to what you said, or is it like this, Tim?

     

    Cheers

    Carlos



  • 21.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 10:05 PM
    You’d probably be better off using a 7005 controller instead of a MAS.


  • 22.  RE: captive portal and MAS

    Posted Aug 15, 2015 10:09 PM

    Exactly!

    I thought that as well.

    Now for that I would need, I guess, 1 PEFNG license? For everyone??



  • 23.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 10:13 PM
    Nope, just 1 PEF license to enable the feature.


  • 24.  RE: captive portal and MAS

    Posted Aug 15, 2015 10:15 PM

    That's what I said.

    I need to practice more English :( 

     

    Cheers

    Carlos



  • 25.  RE: captive portal and MAS

    Posted Aug 15, 2015 07:08 PM

    So, Tim,

    I would need a MAS only for that.

    For example:

    Let's say I've got an Alcatel switch and an Aruba switch.

     

    The default gateway of the GUEST VLAN is on the Aruba switch.

     

    I would need 2 ports:

    one for administration,

    one untrusted port for the guest VLAN.

     

    All the traffic will go through the untrusted port.

     

    And on the Alcatel switch I would connect the Instant AP with its trunks: one for the internal network and one for the guest network. Since the traffic of the guest network will pass through the untrusted port, you will get the captive portal, right? Even if the AP is connected through another switch.

     

    If I want to manage it, I would need to connect another port for administration, which will be trusted.

     

    Is it like that?



  • 26.  RE: captive portal and MAS

    EMPLOYEE
    Posted Aug 15, 2015 07:11 PM
    Right. You'll need to test it though. I've done something similar but it was with 802.1X not web auth.


    Thanks,
    Tim
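
The two-port design Carlos lays out in post 25, together with the constraint Colin quotes in posts 6 and 9 (an AAA profile only takes effect on an untrusted port) and Tim's point in post 10 that the untrusted port must sit between the guest clients and their default gateway, can be written out as one MAS configuration. The block below is an added example and is not configuration from this thread or from Aruba's documentation; the profile and role names (guest-aaa, guest-cp, guest-logon, guest), the VLAN addressing, and the port assignments are assumptions, and the syntax follows the ArubaOS 7.x Mobility Access Switch CLI as I recall it, so it should be checked against the command reference for your release before use.

```text
! Added example (not from the thread): MAS as default gateway of the guest VLAN,
! with the captive portal applied only on the untrusted guest port.

! Guest VLAN 50 and its gateway address (assumed addressing)
vlan 50
interface vlan 50
   ip address 10.50.0.1 255.255.255.0

! Captive portal profile: where an unauthenticated guest is redirected,
! and the role it lands in after a successful login
aaa authentication captive-portal "guest-cp"
   default-role "guest"
   guest-logon

! Pre-authentication role: only the redirect and the logon-control traffic
! (DHCP/DNS) are allowed until the user passes the portal
user-role "guest-logon"
   captive-portal "guest-cp"
   access-list session logon-control
   access-list session captiveportal

! Post-authentication role (assumed to be permissive here; in practice,
! add a session ACL that denies the corporate VLAN from guests)
user-role "guest"
   access-list session allowall

! AAA profile that drops every new client into the guest-logon role
aaa profile "guest-aaa"
   initial-role "guest-logon"

! Untrusted guest port, the one Carlos describes: it carries only VLAN 50
! from the third-party switch, so nothing on VLAN 100 ever meets the portal
interface gigabitethernet 0/0/1
   description "guest VLAN 50 from Alcatel/D-Link switch"
   no trusted port
   switchport mode trunk
   switchport trunk allowed vlan 50
   aaa-profile "guest-aaa"

! Separate trusted port for management and the corporate VLAN 100;
! no AAA profile is applied here, so the 802.1X SSID traffic is untouched
interface gigabitethernet 0/0/2
   description "management / corporate uplink"
   trusted port
   switchport mode trunk
   switchport trunk allowed vlan 100
```

Because the AAA profile is bound to the port rather than to the VLAN, anything arriving on 0/0/1 is subject to the initial role; keeping only VLAN 50 on that trunk is what prevents the corporate SSID from being redirected, which is the exact problem Carlos raised in post 5. Every guest that passes through the portal occupies a user-table entry on the MAS, so the practical ceiling is the MAC/user-table limit Tim mentions in post 19, not a license count.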