Wireless Access

Frequent Contributor I
Posts: 67
Registered: ‎01-06-2011

external captive portal authentication

We have a 3600 controller running 5.0.3.3 with remote AP 105s in split tunnel.  We have an external captive portal (using the HTTPS GET method) that takes the user to a usage agreement where they have to agree.  Once they agree it redirects them to a website and they can then go anywhere from there.  The problem we are having is that regular users are always having to go to that agreement page.  We would like to allow users who give us their email address to be able to stay authenticated.  We are thinking of creating a form on the external captive portal server that asks them for their email.  Once they put their email address in, the next time they sign on to the free wifi it would let them right in.  It would see their MAC address, look at the external captive portal database of allowed MAC addresses (people who have submitted valid emails) and then allow them through without any redirect.  Does that make sense, and if so, is this feasible?

MVP
Posts: 562
Registered: ‎11-28-2011

Re: external captive portal authentication

This is the only idea I can think of immediately.


If your server (whatever it is) could dynamically add the MACs of these users to something when they enter their email, it strikes me you might be able to add mac-auth to the same VAP that's in use. Then leave all your other rules as is on the controller, but set a mac-auth role of whatever the portal authenticated one is.


The result would be that previously seen MACs would be fully auth'd. Either that or define a totally new role which delivers a reduced captive portal for previous users missing out the acceptance page bit?


The complexity will be getting the MACs into a database from the original user auth (via captive portal). The controller would definitely know the client MAC, but with offloaded captive portals, I'm not sure if the controller sends the MAC to the other server as well as the HTTP content. Need to do some sniffing or see if anybody knows!


I'm not an Amigopod expert, but maybe that product could do it?


Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: external captive portal authentication


bigtone wrote:

We have a 3600 controller running 5.0.3.3 with remote AP 105s in split tunnel.  We have an external captive portal (using the HTTPS GET method) that takes the user to a usage agreement where they have to agree.  Once they agree it redirects them to a website and they can then go anywhere from there.  The problem we are having is that regular users are always having to go to that agreement page.  We would like to allow users who give us their email address to be able to stay authenticated.  We are thinking of creating a form on the external captive portal server that asks them for their email.  Once they put their email address in, the next time they sign on to the free wifi it would let them right in.  It would see their MAC address, look at the external captive portal database of allowed MAC addresses (people who have submitted valid emails) and then allow them through without any redirect.  Does that make sense, and if so, is this feasible?


Amigopod is a solution to this, where it does add the user's MAC address to a database for as long as you want the user to NOT authenticate a second time.  As an example, we have this running where the physicians only want to authenticate once a week, the employees only once a day and the patients every 4 hours...


With just the controller, you could manipulate the user idle-timeout, but this will affect all users.




Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 67
Registered: ‎01-06-2011

Re: external captive portal authentication

The maximum user idle timeout you can set on the controller is only 4 hours, so each user would be taken through the authentication process on the external captive portal server after every 4 hours of idle timeout.  Would MAC authentication be a way to just let them through without having to redirect them to the external captive portal server?

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: external captive portal authentication


bigtone wrote:

The maximum user idle timeout you can set on the controller is only 4 hours, so each user would be taken through the authentication process on the external captive portal server after every 4 hours of idle timeout.  Would MAC authentication be a way to just let them through without having to redirect them to the external captive portal server?


That is a good point.  It is possible to manually enter the MAC addresses into the Aruba user database, but it becomes a management issue.  Amigopod will do it automatically.


The Amigopod doc on this is here:  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=6205


I can tell you we have it working quite well in a number of places.




Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 67
Registered: ‎01-06-2011

Re: external captive portal authentication

Yes, the controller sends the external captive portal the MAC and IP address of the client.  When the user clicks OK on the agreement, it sends an HTTPS GET with a user name and password to the 3600 controller, which then puts the authenticated user into the correct role.  Could the external captive portal just verify that the MAC address has an email associated with it (against a database it creates) and then automatically send an HTTPS GET with the correct user and password, allowing the client to get access without seeing an agreement page?  Or would we need to turn on MAC authentication as well and have the external captive portal use the XML API to add users?

Frequent Contributor I
Posts: 67
Registered: ‎01-06-2011

Re: external captive portal authentication

Using the XML API we can automate that process, though. I guess I just want to know whether we would need to turn on MAC authentication to do that, or whether we could just have the external captive portal do an HTTPS GET every time a valid MAC address tries to connect...
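A sketch, added here and not from the thread or from Aruba, of the lookup the external portal server would make with the MAC the controller passes it: normalise the MAC, check it against the e-mail registry, and apply the per-role re-acceptance intervals Colin describes before deciding whether to show the agreement or log the device straight in. The redirect query parameter name, the role names and the e-mail check are assumptions; the controller-side HTTPS GET that submits the credentials is left out because its exact parameters are not given in the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Re-acceptance intervals in seconds, following the per-role scheme mentioned
# in the thread (once a week / once a day / every 4 hours). Role names assumed.
REACCEPT_INTERVAL = {"physician": 7 * 86400, "employee": 86400, "guest": 4 * 3600}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # syntactic check only


@dataclass
class Registration:
    email: str
    role: str
    accepted_at: float  # epoch seconds when the agreement was last accepted


def normalize_mac(raw):
    """Canonical lowercase colon form; accepts 001122aabbcc, 00-11-22-AA-BB-CC, 0011.22aa.bbcc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def client_mac_from_redirect(url):
    """Extract the client MAC from the controller's redirect URL.
    The query parameter name 'mac' is an assumption; the real name is release-specific."""
    values = parse_qs(urlparse(url).query).get("mac")
    return normalize_mac(values[0]) if values else None


def register(registry, mac, email, role, now):
    """Record that a device accepted the agreement and left a syntactically valid e-mail."""
    if not EMAIL_RE.match(email):
        return False
    registry[normalize_mac(mac)] = Registration(email, role, now)
    return True


def decide(registry, mac, now):
    """'auto_login' if the MAC has an unexpired registration, otherwise 'show_agreement'.
    This recognises the device, not the person: the MAC is presented, not proven,
    so the role granted on auto-login should stay as limited as the portal role."""
    reg = registry.get(normalize_mac(mac))
    if reg is None:
        return "show_agreement"
    interval = REACCEPT_INTERVAL.get(reg.role, REACCEPT_INTERVAL["guest"])
    if now - reg.accepted_at > interval:
        return "show_agreement"
    return "auto_login"
```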

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: external captive portal authentication


bigtone wrote:

Yes, the controller sends the external captive portal the MAC and IP address of the client.  When the user clicks OK on the agreement, it sends an HTTPS GET with a user name and password to the 3600 controller, which then puts the authenticated user into the correct role.  Could the external captive portal just verify that the MAC address has an email associated with it (against a database it creates) and then automatically send an HTTPS GET with the correct user and password, allowing the client to get access without seeing an agreement page?  Or would we need to turn on MAC authentication as well and have the external captive portal use the XML API to add users?


As configured, the external captive portal does pretty much exactly what the controller would do, but externally.  The HTTPS GET in question merely submits a username and password to be authenticated against the server group configured in the Captive Portal Authentication Profile.


The best way that you can avoid a user seeing the login screen is MAC authentication to change the role, IMHO.  Maybe someone who has done this exclusively via the XML API can chime in.




Colin Joseph
Aruba Customer Engineering
