Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Customized GPP.Html

  • 1.  Customized GPP.Html

    Posted May 03, 2012 08:44 AM

    Hi Guys,

    I would like to customize the guest provisioning page by bringing in additional controls as to who can create guest access. We are planning to use a separate broadband connection for guests, without any enterprise network access.

    As of now we have to specifically provision a user on the GPP in the controller, who can then log in and create a guest ID. I would like to add code, so that the user is authenticated against our AD and check his authorization to create guest access.

    Cheers..

     

     



  • 2.  RE: Customized GPP.Html

    EMPLOYEE
    Posted May 04, 2012 06:42 AM

    You should use management authentication through Active Directory to determine the role of the user that logs into the controller:

    Chapter 33 in the ArubaOS 6.1 user guide "Management Access" describes how to change a management user's role depending on his group in Active Directory. You can also use the legacy document below for perspective:

    http://community.arubanetworks.com/aruba/attachments/aruba/115/80/1/Management+Authentication+using+Windows+IAS+as+a+Radius+Server.doc

     

     



  • 3.  RE: Customized GPP.Html

    Posted May 05, 2012 05:45 AM
    Thanks for the response. To explain the scenario, we intend to give Wi-Fi network access, which is easily controlled by the user and computer authentication against AD. This gives access to our enterprise network and enterprise Internet. However, we are also setting up a separate VLAN which is connected to a consumer-grade broadband connection from the same controller. Once we do that, we need to set up guest provisioning, which as of now requires either an admin ID or an ID created to access the provisioning site and generate a guest ID and password. We want access to this guest provisioning site controlled by AD, which does not seem possible or is it? Cheers..


  • 4.  RE: Customized GPP.Html

    EMPLOYEE
    Posted May 05, 2012 06:08 AM

    So,

    You want users in Active Directory to be able to authenticate to a Captive Portal that is on a separate VLAN for guest access?



  • 5.  RE: Customized GPP.Html

    Posted May 05, 2012 02:25 PM

    Yes, the idea is to control access to provisioning portal only to AD users and not have the need to create IDs which would then log in separately and create guest IDs.

    So an employee opens the guest provisioning portal, gets authenticated from AD, and is able to generate a guest ID and password and hand it to the guest.

    Cheers



  • 6.  RE: Customized GPP.Html

    EMPLOYEE
    Posted May 05, 2012 02:44 PM

    Ok. Here it is in detail:

    First - you need to set up that broadband connection on a separate physical interface on the controller so that you can place guest users on it. We will need to set up a VLAN specifically for this network and tie it to that specific physical interface. The controller will also need to have an IP address on that interface and we need to indicate to the controller that this is the IP address we want to serve the captive portal on. The IP address of the controller must be in the range that the broadband router is giving out.

     

    config t
    ! Set up the guest VLAN
    vlan 1000
    interface vlan 1000
    ! IP address on that guest VLAN
    ip address 192.168.1.250 255.255.255.0
    exit
    ! Indicate to the controller that this is the IP address you want to host the captive portal on
    ip cp-redirect-address 192.168.1.250
    ! Choose the physical interface on the controller that you will be plugging the broadband router into
    interface gigabitethernet 0/3
    ! Assign that VLAN to that port
    switchport access vlan 1000

    Next, if you already have a radius server configured to authenticate users from Active Directory and it is working, we need to configure a remote access policy on that radius server that (1) allows PAP and a Nas Port Type of VPN:

    Do you have Windows 2008 or Windows 2003 for your radius server?

     



  • 7.  RE: Customized GPP.Html

    Posted May 07, 2012 02:19 AM
     


    Thank you for the response Joseph. We are using Cisco ACS 5.2.0 as a radius server which is bound to AD for user authentication. We had done the settings on the controller earlier. The point missed out was:

    configure a remote access policy on that radius server that (1) allows PAP and a Nas Port Type of VPN:

    Do you have any document to support this setup; which would be a great help.

    Cheers...
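
Added example, not part of any post in this thread and not Aruba or Cisco code: a Python sketch of the RADIUS Access-Request shape that the policy described in post 6 has to accept, namely PAP credentials (a User-Password attribute) plus NAS-Port-Type Virtual, which Windows policy editors label "Virtual (VPN)". It assumes the controller sends exactly those attributes; all function names are hypothetical. It also shows that a PAP password is only masked with MD5 keyed by the RADIUS shared secret, so the strength of that secret is what protects the sponsor's AD password on the wire.

```python
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61  # RFC 2865 attribute types
VIRTUAL = 5  # NAS-Port-Type value "Virtual" (shown as "Virtual (VPN)" in Windows)

def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = res if hiding else block  # the chain always runs over ciphertext
        out += res
    return out

def pap_hide(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16 bytes
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)

def pap_reveal(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(user, password, secret, authenticator=None, ident=1):
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (USER_NAME, user.encode()),
        (USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)),
        (NAS_PORT_TYPE, struct.pack("!I", VIRTUAL)),
    ))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_request(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, packet[4:20], attrs

def policy_accepts(packet):
    """The two conditions from post 6: PAP credentials and NAS-Port-Type Virtual."""
    code, _auth, attrs = parse_request(packet)
    return (code == 1 and USER_PASSWORD in attrs
            and attrs.get(NAS_PORT_TYPE) == struct.pack("!I", VIRTUAL))
```

Calling `build_access_request("alice", "some-password", b"shared-secret")` with constructed values and passing the result to `policy_accepts` shows whether a request of this shape would match the policy conditions.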