Controllerless Networks

last person joined: 2 days ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

EAP-TLS + Captive Portal

Jump to Best Answer
This thread has been viewed 10 times
  • 1.  EAP-TLS + Captive Portal

    Posted Sep 16, 2021 11:08 PM
    My Instant is running and I am trying to setup Captive Portal authentication after EAP-TLS authentication.  the idea is to use EAP-TLS to authenticate device, then captive portal to authenticate users. I can see that captive portal users in Instant get default role of "External CP" but I am not able to modify this role or even edit it. I want EAP-TLS authenticated users to get captive portal pre-auth role.

    Radius server is ClearPass

    any one tested this before? anyway to customize captive-portal pre-auth role and send it from ClearPass after EAP-TLS authentication?

    Ahmad Enaya

  • 2.  RE: EAP-TLS + Captive Portal
    Best Answer

    Posted Sep 17, 2021 07:46 AM
    YOu will need the following created in the Instant Cluster...

    Authentication Server created for Captive Portal - This will contain the URL for the Webpage you want the client to land on after EAP-TLS is complete. 

    Need a role with Access Rules - NOte the name of this role - Something like ACME-Guest-Logon
    - 1st Rule - Enforce Captive Portal
    - 2nd Rule - Allow DNS
    - 3rd Rule - Allow DHCP
    - Next set of rules - Allow only HTTP/HTTPS to the IP of Clearpass - Create a rule for each Clearpass server

    Do not attempt to switch VLANs during enforcement. That gets ugly. 

    In Clearpass, create an Enforcement Profile for Aruba User Role and set the Value to ACME-Guest-Logon

    COnfigure the EAP-TLS Service / Enforcement policy to send the new Enforcement Profile when EAP-TLS has been completed successfully. 


    YOur users should not be re-directed to the Captive Portal after EAP-TLS 

    I would be sure to test your Captive Portal functionality without EAP-TLS in play first to make sure it functions OK. To test that Certificates are correct, the re-direct works, DNS, etc. Once you confirm it is good, THEN attempt the EAP-TLS stuff above. 

    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador

  • 3.  RE: EAP-TLS + Captive Portal

    Posted Sep 17, 2021 10:44 AM
    One thing I found is that not all clients will do a captive portal test on an 802.1X SSID. So it can be that even if you have a role that redirects to a captive portal, that will not trigger automatically. Don't know which OS does work or which doesn't.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.