The tutorial was by: Constantin
Video Tutorial by: Jamie E
I will add 2 ways of doing the access using the same SSID:
The only improvement that I would like to see for this setup is to have the Reauth interval defined on the user role and I added an Idea on the Aruba site: https://arubanetworkskb.secure.force.com/prm/ideas/viewIdea.apexp?id=08740000000LEgT.
How to provide Guest and Employee access with the same SSID using Instant solution with Captive Portal
The idea of the tutorial is to be able to introduce new clients to the Aruba solution with minimal investment in hardware. Once the client understands the benefits of having Aruba hardware in their environment and requires an increase in scale, we would, depending on the size, move to a campus solution or stick with the Instant solution.
At a high level, the solution is to use a simple external captive portal, because this option provides access to role-based authentication on the iAP with the internal RADIUS server. The external captive portal can be hosted on any computer that has Apache with PHP installed.
We will start first with preparing the core code for the HTML pages that we will use to give access:
- Index.html will provide the choice of Guest or Employee access:
<!-- Guest login: the shared guest account is submitted from hidden fields -->
<form method="POST" action="http://securelogin.arubanetworks.com/cgi-bin/login">
<input name="user" value="GUsername" type="hidden">
<input name="password" value="GUpassword" type="hidden">
<input name="cmd" value="authenticate" type="hidden">
<input name="mac" value="" type="hidden">
<input name="ip" value="" type="hidden">
<input name="essid" value="" type="hidden">
<input name="url" value="http://www.google.com" type="hidden">
<br><input type="submit" name="Guest" value="login" class="button">
<!-- Employees follow this link to the page with username and password fields -->
<a href="employ.html"><button type="button">Employ Access</button></a>
</form>
- Employ.html will let the employee enter a username and password:
Username: <input name="user" value="">
Password: <input name="password" value="" type="password" size="25">
Now that the pages are done we will start to configure the iAP to provide different roles based on what username is typed:
- We will configure first the captive portal profile on the iAP:
- Now we will configure the Users:
- The next step is to create the 2 user roles that we want to assign: Guest users will be put under “Guest_cp” and Employee users will be put under “Employ_cp”.
At this stage we will start to configure the SSID that will bring all this together:
- Step 1 :
- Step 2 (we could use Virtual Controller assigned, or Network assigned with VLANs and Client VLAN Assignment set to Dynamic if we also want to split the users across VLANs)
- Step 3 – we will set the splash page type to External and set the captive portal profile to the one that we created previously (the options marked in red need to be changed; the other options are optional):
- Step 4 – Access rules will be Rule-based, and then we create the Role Assignment Rules as in the picture below:
How to provide Guest and Employee access with the same SSID using Instant solution with WPA2-Enterprise
At a high level, the solution is to use WPA2-Enterprise and the internal RADIUS server in order to provide 2 or more user roles.
The first thing to think about is how to separate the usernames of Guests and Employees. The way I will do it is to use a set of characters specific to each type: Guest usernames will start with “GU” and Employee usernames will start with “EM”.
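Because the role depends only on the first characters of the username, it is worth checking the planned user list against the prefix rules before entering it on the iAP. The script below is an added example, not part of the original tutorial or of any Aruba tooling; it uses the role names created in this section and assumes that rules are checked in order with the first match winning, that matching is case-sensitive, and that `DEFAULT_ROLE` is a hypothetical placeholder for the role a client gets when no rule matches.

```python
# Added example: audit usernames against the prefix-based role rules.
# Assumptions (not stated on the page): first matching rule wins, matching is
# case-sensitive, DEFAULT_ROLE is a placeholder for the no-match role.

RULES = [("GU", "Guest_wpa"), ("EM", "Employee_wpa")]  # (starts-with operand, role)
DEFAULT_ROLE = "DEFAULT_ROLE"


def derive_role(username, rules=RULES, default=DEFAULT_ROLE):
    """Return the role assigned by the first starts-with rule that matches."""
    for prefix, role in rules:
        if username.startswith(prefix):
            return role
    return default


def audit(users, rules=RULES, default=DEFAULT_ROLE):
    """users maps username -> intended role. Returns sorted mismatch findings."""
    findings = []
    prefixes = [p for p, _ in rules]
    for name, intended in users.items():
        got = derive_role(name, rules, default)
        if got == intended:
            continue
        if got == default:
            near = any(name.lower().startswith(p.lower()) for p in prefixes)
            reason = "case mismatch on prefix" if near else "no prefix rule matches"
        else:
            reason = "prefix collides with another user type"
        findings.append((name, intended, got, reason))
    return sorted(findings)


# Constructed sample accounts, not taken from any real deployment.
SAMPLE_USERS = {
    "GUlobby01": "Guest_wpa",
    "EMjsmith": "Employee_wpa",
    "EMEAvisitor": "Guest_wpa",   # guest name that happens to start with "EM"
    "emadavis": "Employee_wpa",   # lower-case prefix does not match "EM"
    "contractor7": "Guest_wpa",   # no prefix at all
}

if __name__ == "__main__":
    for name, intended, got, reason in audit(SAMPLE_USERS):
        print(f"{name}: intended {intended}, would get {got} ({reason})")
```

Any account reported here should be renamed before it is created, so that no guest account lands in the employee role and no account falls through to the default role.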
Now we will configure the Users:
- The next step is to create the 2 user roles that we want to assign: Guest users will be put under “Guest_wpa” and Employee users will be put under “Employee_wpa”.
- Step 3 – we will choose Enterprise with Key management WPA-2 Enterprise and of course we will choose for the Authentication server the internal server: