Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

external captive portal authentication

  • 1.  external captive portal authentication

    Posted Mar 29, 2012 07:37 PM

    We have a 3600 controller running 5.0.3.3 with remote AP 105s in split tunnel.  We have an external captive portal (using the https get method) that takes the user to a usage agreement where they have to agree.  Once they agree it redirects them to a website and they can then go anywhere from there.  The problem we are having is that regular users are always having to go to that agreement page.  We would like to allow users who give us their email address to be able to stay authenticated.  We are thinking of creating a form on the external captive portal server that asks them for their email.  Once they put their email address in, the next time they sign on to the free wifi it would let them right in.  It would see their mac address, look at the external captive portal database of allowed mac addresses (people who have submitted valid emails) and then allow them through without any redirect.  Does that make sense and, if so, is this feasible?


    #3600


  • 2.  RE: external captive portal authentication

    Posted Mar 30, 2012 03:16 AM

    This is the only idea I can think of immediately.

     

    If your server (whatever it is) could dynamically add the MACs of these users to something when they enter their email, it strikes me you might be able to add mac-auth to the same VAP that's in use. Then leave all your other rules as is on the controller, but set a mac-auth role of whatever the portal authenticated one is.

     

    The result would be that previously seen MACs would be fully auth'd. Either that or define a totally new role which delivers a reduced captive portal for previous users missing out the acceptance page bit?

     

    The complexity will be getting the MACs into a database from the original user auth (via captive portal). The controller would definitely know the client MAC, but with offloaded captive portals, I'm not sure if the controller sends the MAC to the other server as well as the HTTP content? Need to do some sniffing or see if anybody knows!

     

    I'm not an Amigopod expert, but maybe that product could do it?

     



  • 3.  RE: external captive portal authentication

    Posted Mar 30, 2012 12:23 PM

    Yes, the controller sends the external captive portal the mac and ip address of the client.  When the user clicks on ok to the agreement it sends an https get with a user name and password to the 3600 controller, which then puts the authenticated user into the correct role.  Could the external captive portal just verify the mac address has an email associated with it (against a database it creates) and then just automatically send an https get with the correct user and password, allowing the client to get access without seeing an agreement page?  Or would we need to turn on Mac authentication as well and have the external captive portal use the xml API to add users?



  • 4.  RE: external captive portal authentication

    EMPLOYEE
    Posted Mar 30, 2012 12:28 PM

    @bigtone wrote:

    Yes, the controller sends the external captive portal the mac and ip address of the client.  When the user clicks on ok to the agreement it sends an https get with a user name and password to the 3600 controller, which then puts the authenticated user into the correct role.  Could the external captive portal just verify the mac address has an email associated with it (against a database it creates) and then just automatically send an https get with the correct user and password, allowing the client to get access without seeing an agreement page?  Or would we need to turn on Mac authentication as well and have the external captive portal use the xml API to add users?


    As configured, the external captive portal does pretty much exactly what the controller would do, but externally.  The https get in question merely submits a username and password to be authenticated against the server group configured in the Captive Portal Authentication Profile.

     

    The best way that you can avoid a user seeing the login screen is mac authentication to change the role, IMHO.  Maybe someone who has done this exclusively via the XML-API can chime in.



  • 5.  RE: external captive portal authentication

    EMPLOYEE
    Posted Mar 30, 2012 07:02 AM

    @bigtone wrote:

    We have a 3600 controller running 5.0.3.3 with remote AP 105s in split tunnel.  We have an external captive portal (using the https get method) that takes the user to a usage agreement where they have to agree.  Once they agree it redirects them to a website and they can then go anywhere from there.  The problem we are having is that regular users are always having to go to that agreement page.  We would like to allow users who give us their email address to be able to stay authenticated.  We are thinking of creating a form on the external captive portal server that asks them for their email.  Once they put their email address in, the next time they sign on to the free wifi it would let them right in.  It would see their mac address, look at the external captive portal database of allowed mac addresses (people who have submitted valid emails) and then allow them through without any redirect.  Does that make sense and, if so, is this feasible?


    Amigopod is a solution to this, where it does add the user's mac address to a database, for as long as you want the user to NOT authenticate a second time.  As an example, we have this running where the Physicians only want to authenticate once a week, the employees only once a day and the patients, every 4 hours...

    With just the controller, you could manipulate the user idle-timeout, but this will affect all users.

     



  • 6.  RE: external captive portal authentication

    Posted Mar 30, 2012 12:16 PM

    The maximum user idle timeout you can set on the controller is only 4 hours, so each user would be taken through the authentication process on the external captive portal server after every 4 hours of idle timeout.  Would mac authentication be a way to just let them through without having to redirect them to the external captive portal server?



  • 7.  RE: external captive portal authentication

    EMPLOYEE
    Posted Mar 30, 2012 12:18 PM

    @bigtone wrote:

    The maximum user idle timeout you can set on the controller is only 4 hours, so each user would be taken through the authentication process on the external captive portal server after every 4 hours of idle timeout.  Would mac authentication be a way to just let them through without having to redirect them to the external captive portal server?


    That is a good point.  It is possible to manually enter the mac addresses into the Aruba user database, but it becomes a management issue.  Amigopod will do it automatically.

     

    The Amigopod doc on this is here:  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=6205

     

    I can tell you we have it working quite well in a number of places.



  • 8.  RE: external captive portal authentication

    Posted Mar 30, 2012 12:25 PM

    Using the xml API we can automate that process, though; I guess I just want to know if we would need to turn on mac authentication to do that, or if we could just have the external captive portal do an https get every time a valid mac address tries to connect...
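The portal-side "remembered MAC" logic asked about in posts 3 and 8, as an added example that is not from the thread or from Aruba: the external captive portal parses the controller's redirect, looks the client MAC up in its own email table with a per-user expiry (the weekly/daily/4-hour windows post 5 mentions), and either shows the agreement page or sends the browser straight to the controller's login. The `switchip` and `url` query parameters, the `/cgi-bin/login` path and its `user`/`password`/`cmd` fields are assumed from Aruba's external captive portal convention, and the guest credentials are placeholders.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed "remember me" table: MAC -> (email, expiry). In the real portal this is
# the database the email form fills in; the expiry window is per user class.
NOW = datetime(2012, 3, 30, 12, 0)
REMEMBERED = {
    "00:1a:2b:3c:4d:5e": ("alice@example.org", NOW + timedelta(days=6)),   # still valid
    "00:1a:2b:3c:4d:5f": ("bob@example.org", NOW - timedelta(hours=1)),    # expired
}
GUEST_USER, GUEST_PASSWORD = "GUEST_USER_PLACEHOLDER", "GUEST_PASSWORD_PLACEHOLDER"
FALLBACK_URL = "http://www.example.org/"  # landing page when the original URL is unusable


def normalize_mac(raw):
    """Canonical lower-case colon form; the controller may send aa-bb-cc-.. or aabbcc.."""
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("bad mac: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def safe_original_url(url):
    """Only bounce the user back to an http(s) URL; anything else is an open-redirect vector."""
    p = urlparse(url)
    return url if p.scheme in ("http", "https") and p.netloc else FALLBACK_URL


def decide(redirect_url, now=NOW):
    """Return ('agreement', client_info) or ('auto-login', controller_login_url)."""
    q = parse_qs(urlparse(redirect_url).query)
    mac = normalize_mac(q["mac"][0])
    entry = REMEMBERED.get(mac)
    if entry is None or entry[1] <= now:
        # Unknown or expired device: show the usage agreement (and the email form).
        return "agreement", {"mac": mac, "ip": q["ip"][0]}
    # Known device: 302 the browser to the controller login so it never sees the agreement.
    # Assumed Aruba login CGI and field names; the controller maps the login to the
    # client by the source IP of this request, so the client's browser must make it.
    params = {"user": GUEST_USER, "password": GUEST_PASSWORD, "cmd": "authenticate",
              "url": safe_original_url(q.get("url", [""])[0])}
    return "auto-login", "https://%s/cgi-bin/login?%s" % (q["switchip"][0], urlencode(params))
```

Because a MAC address is trivially cloned, the expiry in the table is what bounds how long a remembered device is trusted; a spoofed MAC only gains the same guest role for the remaining window.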