Please work with your Aruba partner or local Aruba SE to design this solution. You probably should not deploy captive portal for employees, nor EAP-PEAP because of known security weaknesses, but EAP-TLS instead, nor should end-users manually configure their devices. Configuration through a device management system, or Onboard for non-managed devices, is probably more secure and more user-friendly.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: May 21, 2021 10:26 AM
From: Matt Ervin
Subject: Internal Captive Portal - MAC Caching?
We are looking to go away from it because every phone make/model does it just a little different, and we get asked to "create a how-to document" that encompasses every possible phone type.
With the captive portal, every single user save 1 has been able to sign in on their own; we just need it to save the MAC a little longer.
------------------------------
Matt
Original Message:
Sent: May 21, 2021 03:42 AM
From: Gorazd Kikelj
Subject: Internal Captive Portal - MAC Caching?
Hi Matt.
You will need Policy Manager like ClearPass for MAC caching.
Why not use EAP-PEAP for this SSID?
Best, Gorazd
------------------------------
Gorazd Kikelj
Original Message:
Sent: May 20, 2021 06:04 PM
From: Matt Ervin
Subject: Internal Captive Portal - MAC Caching?
I have a ticket open/pending with TAC, but they are super busy these days.
I have 3 SSIDs set up, and manage my APs in Aruba Central.
1. One for internal laptops that use RADIUS and an internal PKI to authenticate, so no password and only internal devices can connect. Nearly full internal access.
2. A true Guest/Visitor Wi-Fi; this uses a cloud captive portal with self-registration, and has MAC caching enabled.
3. I have Wi-Fi for Employee Devices that need a bit more access than guests, but not full-blown laptop levels.
This one uses an internal captive portal that goes to an internal RADIUS server and requires the internal Active Directory username and password.
It works, but there is no option that I can find to do MAC caching. It makes them sign in usually once per day, but sometimes 2-3 times.
I set the inactivity timeout to the max of 86400 seconds, or 24 hours, and I set the "ReAuth Interval" to 0 so it should be off.
I would like the employee device option to not have to re-authenticate until their Active Directory password expires/changes.
Anyone know if this is possible?
------------------------------
Matt
------------------------------