
Captive Portal Authentication (CPA)

  • 1.  Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 08:38 AM

    Dear Forum,

     

    Our guest users are using captive portal authentication to access the internet. I found that some of our employee users are using the captive portal to access the internet. I don't want them to authenticate via CPA. I want employee users to connect to their SSID only and guest users to their SSID only.



  • 2.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:03 AM

    @vinit@tifr.res.in wrote:

    Dear Forum,

     

    Our guest users are using captive portal authentication to access the internet. I found that some of our employee users are using the captive portal to access the internet. I don't want them to authenticate via CPA. I want employee users to connect to their SSID only and guest users to their SSID only.


    If you are authenticating captive portal users, you would only give out usernames and passwords to guests to possibly solve that problem.  How are you allowing guest access today?



  • 3.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:07 AM

    I am allowing guest users to log in via CPA only, but some of my employee users can also log in via CPA. I don't want employee users to log in via CPA.



  • 4.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:10 AM

    Do they log in because they have the password?  If they have the password, we cannot stop them.

     



  • 5.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:24 AM

    We are using MAC-based authentication plus 802.1x authentication for employee users. If both MAC and 802.1x are passed, then employee users can access the internet using the EMPLOYEE SSID. Since we are using captive portal authentication for guest users, we are providing them a username and password to access the internet using the GUEST SSID. Somehow I found that employee users can access the internet using the GUEST SSID. I want to separate them: guest users can access only via the GUEST SSID and employee users can access only via the EMPLOYEE SSID. Please suggest any solution to this problem.



  • 6.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:26 AM

    First you need to find what credentials they are using to access the guest network.  Then you can fix your problem.



  • 7.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:29 AM

    They are using their own usernames and passwords, which we have assigned them in 802.1x and MAC-based authentication. With those usernames and passwords they are accessing the guest network.



  • 8.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:31 AM

    The Captive Portal Authentication profile for your guest network has a server group that it uses to authenticate users.  That server group must not have your 802.1x server in it, otherwise your employees can access your guest network.

     



  • 9.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:40 AM

    As cjoseph points out: If the server that is used for 802.1x exists in the server group that authenticates your guests, then the employee users will be able to authenticate on that SSID.

     

    Just a thought:

    Does your captive portal have a static username / password used by everyone?

    If you don't have the 802.1x server in the CP server group, then maybe some of your employees are using that username/password to access the guest SSID? You can easily check this by going to Monitoring > Controller > Clients and checking the Auth Type column. If you see "Captive Portal" here for an employee user, then they have logged in this way.

     

     



  • 10.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:45 AM

    Yes, the Auth type contains Captive Portal... Please suggest what changes I have to make to stop them accessing via the GUEST SSID.



  • 11.  RE: Captive Portal Authentication (CPA)

    Posted Apr 24, 2013 09:45 PM

    To expand upon the existing replies: it seems your Captive Portal authentication profile is likely using the same server group as your secure 802.1X network (or at least it is using the same servers).   You have a couple of options to consider.

     

    The usernames and passwords you are giving out to legitimate guests, where do these accounts exist?  If they are on the controller, make sure the server group assigned to the captive portal profile only has Internal DB defined and does not have your enterprise servers.  If the accounts are on the Radius server or in AD internally, then you'll need to make modifications to the authentication policies on the Radius side. For example, if you are using NPS, you'd have to set up two Network Policies: one for Guest access (with specific conditions and supported authentication types) and one for your Employee network.   Aside from the supported authentication types, you could narrow down the conditions so that to match the Guest Network Policy the user account must be in a certain user group, or set up a unique NAS-Identifier to differentiate the request (discussed in some posts on this forum, including here).  If you use ClearPass, similar conditions can be set using multiple services.

     

    Before we can say for sure, can you:

    1) Confirm whether the server group defined for the Captive Portal profile does contain your Radius servers for 802.1X authentication

    2) Confirm where the legitimate guest accounts are created and reside; if they are in AD, are they assigned to a specific user group?

    3) Tell us what Radius server you are using
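
The check asked for in step 1 above (and the misconfiguration described in replies 8 and 9) can be automated against a saved controller configuration. The following is an added example, not part of the original thread: it assumes ArubaOS-style `aaa server-group`, `aaa authentication captive-portal` and `aaa profile` stanzas, and the config excerpt and all profile, group and server names in it are constructed.

```python
import shlex
from collections import defaultdict

# Constructed ArubaOS-style excerpt; every profile, group and server name is hypothetical.
SAMPLE_CONFIG = '''\
aaa server-group "corp-radius-sg"
 auth-server "nps-01"
!
aaa server-group "guest-sg"
 auth-server "Internal"
 auth-server "nps-01"
!
aaa authentication captive-portal "guest-cp"
 server-group "guest-sg"
!
aaa profile "employee-aaa"
 dot1x-server-group "corp-radius-sg"
!
'''

def shared_servers(config):
    """Map each captive portal profile to the auth servers its server group
    shares with any server group used for 802.1X."""
    groups = defaultdict(set)   # server-group name -> auth servers
    cp_group = {}               # captive portal profile -> server-group name
    dot1x_groups = set()        # server groups referenced for 802.1X
    kind = name = None
    for raw in config.splitlines():
        tok = shlex.split(raw)
        if raw.startswith("aaa ") and len(tok) >= 3:
            kind, name = " ".join(tok[1:-1]), tok[-1]   # stanza header
        elif raw.startswith(" ") and kind and len(tok) >= 2:
            key, val = tok[0], tok[1]
            if kind == "server-group" and key == "auth-server":
                groups[name].add(val)
            elif kind == "authentication captive-portal" and key == "server-group":
                cp_group[name] = val
            elif kind == "profile" and key == "dot1x-server-group":
                dot1x_groups.add(val)
        else:
            kind = None   # "!" or a blank line ends the stanza
    dot1x_servers = set().union(*(groups[g] for g in dot1x_groups))
    overlap = {cp: sorted(groups[g] & dot1x_servers) for cp, g in cp_group.items()}
    return {cp: servers for cp, servers in overlap.items() if servers}

if __name__ == "__main__":
    for cp, servers in shared_servers(SAMPLE_CONFIG).items():
        print(f"captive portal profile {cp!r} can authenticate 802.1X accounts via {servers}")
```

An empty result means no captive portal server group shares an authentication server with an 802.1X server group; if guests and employees must share one RADIUS server, the separation has to be enforced in that server's policies instead, as reply 11 describes.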