Controllerless Networks


Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.

Captive Portal derivation rule

  • 1.  Captive Portal derivation rule

    Posted May 27, 2021 08:21 AM
    Hi,

    I'm about to migrate a controller-based AOS 6 environment to AOS 8 IAPs. The customer uses an external Captive Portal (not ClearPass) with acknowledgment of user terms. There are some devices with no graphical interface that should connect to this guest SSID as well.

    On the controller there is a derivation rule with MAC addresses to identify these devices and allow access without captive portal.

    I try to set this up on the IAP, but when configuring the external Captive Portal, it always kicks in first, ignoring the rule I made under section 4 (Access) of the network's configuration.

    The rule is like:

    If mac-address not-equals e2bccb0bcb39 assign role Authenticated

    If I leave the SSID open, without any authentication, the role assignment works fine, so there is no typo in the MAC address etc.

    I think it is a matter of the order in which the IAP treats authentication and access rules. However, I'm not sure.

    Is there a way to achieve what I need (derivation based on MAC address) to avoid captive portal authentication?

    ------------------------------
    Joachim Becker
    ------------------------------


  • 2.  RE: Captive Portal derivation rule

    Posted Jun 05, 2021 08:33 PM
    Have you enabled MAC auth under the "security" tab of your Guest SSID?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Captive Portal derivation rule

    Posted Jun 14, 2021 04:06 AM
    I tested the setup again today. If I use the internal captive portal of the IAP, I can use the internal authentication server for MAC auth and this setup gives me the required behaviour. MAC auth is checked first and if successful, the client is authenticated. If MAC auth fails, the captive portal page is presented to the client.

    However, with an external captive portal and RADIUS server, I can't use the internal auth server. The local guest user database is ignored and the captive portal is always presented to the client.


    ------------------------------
    Joachim Becker
    ------------------------------