Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Internal Captive Portal - MAC Caching?

  • 1.  Internal Captive Portal - MAC Caching?

    Posted May 20, 2021 06:05 PM

    I have a ticket open/pending with TAC, but they are super busy these days.

    I have 3 SSIDs set up, and manage my APs in Aruba Central.
    1. One for internal laptops that use RADIUS and an internal PKI to authenticate, so no password and only internal devices can connect. Nearly full internal access.
    2. A true Guest/Visitor Wi-Fi; this uses a cloud captive portal with self-registration, and has MAC caching enabled.
    3. I have Wi-Fi for employee devices that need a bit more access than guests, but not full-blown laptop levels. This one uses an internal captive portal that goes to an internal RADIUS server and requires the internal Active Directory username and password.
    It works, but there is no option that I can find to do MAC caching. It makes them sign in usually once per day, but sometimes 2-3 times.
    I set the inactivity timeout to the max of 86400 seconds, or 24 hours, and I set the "ReAuth Interval" to 0 so it should be off.

    I would like the employee device option to not have to re-authenticate until their Active Directory password expires/changes.
    Anyone know if this is possible?



    ------------------------------
    Matt
    ------------------------------
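    What the original post is asking for, MAC caching whose entry lives until the directory password changes, can be stated precisely as a small state machine. The block below is an added example for this thread, not code from Aruba Central, ClearPass or anyone in the discussion. It assumes the directory exposes a per-user password-change stamp (Active Directory's pwdLastSet is the natural source, modelled here as a plain dict) and that the portal can read it on every association; the 86400-second inactivity timeout is the value from the post, the 30-day hard cap is an assumption added for illustration.

```python
"""MAC-caching semantics for a captive portal, modelled in Python.

Added example, not Aruba Central, ClearPass or any code from the thread.
Assumptions: the directory exposes a per-user password-change stamp
(Active Directory's pwdLastSet is the obvious source) that the portal can
read on every association; the client MAC is the cache key, exactly as
the thread describes for the guest SSID.
"""
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 86400   # seconds: the 24 h value set in the thread
MAX_LIFETIME = 30 * 86400    # assumed hard cap; not a setting from the thread


@dataclass
class CacheEntry:
    username: str
    pwd_last_set: int   # directory stamp captured at the time of login
    issued_at: int      # when the portal login succeeded
    last_seen: int      # last association that hit the cache


class MacCache:
    """Remembers which client MAC was authenticated by which user."""

    def __init__(self, directory):
        # directory: username -> current pwd_last_set (a constructed stub
        # standing in for an LDAP lookup against AD)
        self._directory = directory
        self._entries = {}

    @staticmethod
    def _key(mac):
        # Normalise so "AA-BB-..." and "aa:bb:..." hit the same entry.
        return mac.lower().replace("-", ":")

    def record_login(self, mac, username, now):
        """Store an entry after the RADIUS/AD credential check succeeded."""
        self._entries[self._key(mac)] = CacheEntry(
            username=username,
            pwd_last_set=self._directory[username],
            issued_at=now,
            last_seen=now,
        )

    def check(self, mac, now):
        """Return (allowed, reason); a failed check drops the entry."""
        key = self._key(mac)
        entry = self._entries.get(key)
        if entry is None:
            return False, "no cache entry; show portal"
        if now - entry.last_seen > INACTIVITY_TIMEOUT:
            del self._entries[key]
            return False, "inactivity timeout"
        if now - entry.issued_at > MAX_LIFETIME:
            del self._entries[key]
            return False, "maximum lifetime reached"
        # The behaviour the thread asks for: the entry survives until the
        # user's directory password changes (or the account disappears).
        if self._directory.get(entry.username) != entry.pwd_last_set:
            del self._entries[key]
            return False, "password changed or account removed"
        entry.last_seen = now
        return True, "cached MAC, skip portal"

    def purge_user(self, username):
        """Operator action: drop every MAC a given user has cached."""
        stale = [k for k, e in self._entries.items() if e.username == username]
        for k in stale:
            del self._entries[k]
        return len(stale)


def walkthrough():
    """Constructed sequence showing each invalidation path in order."""
    directory = {"matt": 1_000}
    cache = MacCache(directory)
    mac = "AA-BB-CC-DD-EE-01"
    results = []
    results.append(cache.check(mac, now=0)[1])                # nothing cached yet
    cache.record_login(mac, "matt", now=0)
    results.append(cache.check("aa:bb:cc:dd:ee:01", now=3_600)[1])
    results.append(cache.check(mac, now=3_600 + 86_401)[1])   # idle too long
    cache.record_login(mac, "matt", now=100_000)
    directory["matt"] = 2_000                                 # password changed
    results.append(cache.check(mac, now=100_500)[1])
    return results


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

    Two design points worth noting. The cache is keyed on the MAC alone, so once an entry exists the network trusts the address, not the person; that is why the hard lifetime cap and the `purge_user` hook are there, and why a directory lookup on every hit (rather than only at login) is what actually delivers "valid until the password changes". Whatever product implements this (ClearPass, as the replies suggest), the same four invalidation paths are the ones to look for in its configuration.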


  • 2.  RE: Internal Captive Portal - MAC Caching?

    Posted May 20, 2021 06:22 PM

    This was an accidental duplicate post due to a web browser glitch.
    Link to original and identical post.

    Internal Captive Portal - MAC Caching? | Wireless Access (arubanetworks.com)



    ------------------------------
    Matt
    ------------------------------



  • 3.  RE: Internal Captive Portal - MAC Caching?

    Posted May 21, 2021 03:42 AM
    Hi Matt.

    You will need Policy Manager like ClearPass for MAC caching.


    Why not use EAP-PEAP for this SSID?

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------



  • 4.  RE: Internal Captive Portal - MAC Caching?

    Posted May 21, 2021 10:27 AM

    We are looking to go away from it because every phone make/model does it just a little different, and we get asked to "create a how-to document" that encompasses every possible phone type.

    With the captive portal every single user save 1 has been able to sign in on their own, we just need it to save the MAC a little longer.



    ------------------------------
    Matt
    ------------------------------



  • 5.  RE: Internal Captive Portal - MAC Caching?

    Posted May 21, 2021 11:03 AM
    Please work with your Aruba partner or local Aruba SE to design this solution. You probably should not deploy captive portal for employees, nor EAP-PEAP because of known security weaknesses, but EAP-TLS instead, nor should end-users manually configure their devices. Configuration through a devices management system, or Onboard for non-managed devices is probably more secure and more user-friendly.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Internal Captive Portal - MAC Caching?

    Posted May 21, 2021 11:25 AM

    You are not incorrect on any of that.
    However, we are not in a place to add a mobile device management system at the moment, due to political and financial reasons.

    We also are not in a place to get our hands on every device and manually configure them to the Wi-Fi, which is also unfortunate.


    The captive portal is the best solution that solves all the needs of all of our different internal leadership from all departments, and allows users to connect the necessary devices to Wi-Fi when required.

    We have set it up so that laptops with full access (well, full access as far as employees go) use an internal PKI and no password, so it requires the laptop to be part of the domain, part of the correct group, and have the correct internal certificate to connect.

    The employee devices we are configuring here are much closer to a "guest" access than a full access, and we have only allowed them access to a very small subset of internal things using the firewall rules and access rules available to us.

    Because their devices do in fact require access to only those very few things above what a true guest access does, that is why we have opted to do this.


    Due to all of those restrictions we feel safe using the captive portal for these employee devices in this way, and feel safe in using the captive portal.
    ClearPass is very likely the solution we will be moving forward with, in light of the fact that we cannot do MAC caching without it.