Wireless Access

last person joined: 18 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Customized GPP.Html

  • 1.  Customized GPP.Html

    Posted May 03, 2012 08:44 AM

    Hi Guys,

     

    I would like to customize the guest provisioning page by bringing in additional controls as to who can create guest access.  We are planning to use a separate broadband connection for guests, without any enterprise network access. 

     

    As of now we have to specifically provision a user on the GPP in the controller, who can then login and create a guest ID.  I would like to add code, so that the user is authenticated against our AD and check his authorization to create guest access.

     

    Cheers..

     

     



  • 2.  RE: Customized GPP.Html

    Posted May 04, 2012 06:42 AM

    You should use management authentication through active directory to determine the role of the user that logs into the controller:

     

    Chapter 33 in the ArubaOS 6.1 user guide "Management Access" describes how to change a management user's role depending on his group in active directory.  You can also use the legacy document below for perspective:

     

    http://community.arubanetworks.com/aruba/attachments/aruba/115/80/1/Management+Authentication+using+Windows+IAS+as+a+Radius+Server.doc

     

     



  • 3.  RE: Customized GPP.Html

    Posted May 05, 2012 05:45 AM
    Thanks for the response. To explain the scenario, we intend to give wi-fi network access, which is easily controlled by the user and computer authentication against AD. This gives access to our enterprise network and enterprise Internet. However, we are also setting up a separate vlan which is connected to a consumer grade broad band connection from the same controller. Once we do that, we need to set up guest provisioning, which as of now requires either an admin ID or ID created to access the provisioning site and generate a guest ID and password. We want access to this guest provisioning site controlled by AD, which does not seem possible or is it? Cheers..


  • 4.  RE: Customized GPP.Html

    Posted May 05, 2012 06:08 AM

    So,

     

    You want users in Active Directory to be able to authenticate to a Captive Portal that is on a separate Vlan for guest access?



  • 5.  RE: Customized GPP.Html

    Posted May 05, 2012 02:25 PM

    Yes, the idea is to control access to provisioning portal only to AD users and not have the need to create IDs which would then login separately and create guest ids.

     

    So an employee, opens the guest provisioning portal, gets authenticated from AD, and is able to generate a guest ID and password and hand it to the guest.

     

    Cheers



  • 6.  RE: Customized GPP.Html

    Posted May 05, 2012 02:44 PM

    Ok.  Here it is in detail:

     

    First - you need to setup that broadband connection on a separate physical interface on the controller so that you can place guest users on it.  We will need to setup a VLAN specifically for this network and tie it to that specific physical interface.  The controller will also need to have an ip address on that interface and we need to indicate to the controller, that is the ip address we want to serve the captive portal on.  The ip address of the controller must be in the range that the broadband router is giving out.

     

    config t
    vlan 1000   <--------- Set up guest vlan
    interface vlan 1000
    ip address 192.168.1.250 255.255.255.0 <------- Ip address on that guest Vlan
    exit
    ip cp-redirect address 192.168.1.250 <---------  Indicate to the controller that is the ip address you want to host the captive portal on
    interface gigabitethernet 0/3 <--------  Choose the physical interface on the controller that you will be plugging the broadband router into
    switchport access vlan 1000 <-------  Assign that Vlan to that port
    

     Next, if you already have a radius server configured to authenticate users from Active Directory and it is working, we need to configure a remote access policy on that radius server that (1) allows PAP and a Nas Port Type of VPN:

     

    Do you have Windows 2008 or Windows 2003 for your radius server?

     



  • 7.  RE: Customized GPP.Html

    Posted May 07, 2012 02:19 AM
     


    Thank you for the response Joseph.  We are using Cisco ACS 5.2.0 as a radius server which is bound to AD for user authentication.  We had done the settings on the controller earier.  The point missed out was:

     


    configure a remote access policy on that radius server that (1) allows PAP and a Nas Port Type of VPN: 

     


     

    Do you have any document to support this setup; which would be a great help.

     

    Cheers...