Wired Intelligent Edge

Hi Airheads,

Hope everyone's powering through this pandemic craziness ok. With the weather getting cold and no pandemic-compatible indoor activities to do this past Saturday, I ended up cranking out Cisco ISE 3 + ArubaOS-Switch Wired Guest Captive Portal in my homelab, and it turned out just ok.

The reason I say it turned out "just ok" is if you print out the PDF of that lab, it's about 18 pages long, and a lot more complicated than I'd like. I'm sure it would have been a tiny bit smoother & straightforward with Clearpass instead of doing all the ISE stuff to support switches other than Cisco's. That being said, there's still all the aaa port-access configs & whatnot that must be perfectly applied to every access layer switch for the captive portal to work. Getting all of the configs applied to every single wired guest port on every single access switch isn't necessarily something I find enjoyable, even with the right automation tools.

I'd really like to do something more like NetReg: Network DHCP Registration System where you have one box that's effectively a DHCP server handling all things captive portal, no need for complicated access switch configs! Only problem is that project is not maintained anymore, doesn't support HTTPS redirect, and I'm sure getting that old code to work on a newer Linux server would be a headache.

Then I stumbled upon Configuring Wired Profile for Guest Access, Cisco Wireless Controller Configuration Guide, Release 7.6 - Configuring Wired Guest Access [Cisco Wireless LAN Controller Software], and How to have captive portal for wired uses only on one vlan on a trunk link?. This got me thinking: "what if I get the cheapest Aruba InstantOn switch, Aruba Mobility Controller, or Cisco WLC, punt my wired guest networks into it at layer2, and just use that as a wired guest captive portal appliance?" Obviously there'd be licenses to buy and some router-on-a-stick style pain associated with doing this, but I'm curious if anyone's had a good experience running wired guest captive portals on wireless controllers? If so, I'm even more curious if you find it to be a more graceful solution than all the Cisco ISE 3 + ArubaOS-Switch Wired Guest Captive Portal chaos.

Cheers,
Tom

Just to close the loop on this, I ended up getting an Aruba Mobility Controller to work with a Cisco ISE captive portal for wired guests on plain L2 switches per the https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1183 trick. Could not believe how simple that was compared to all the craziness of setting up full-blown RADIUS + MAB + Captive Portal Redirect on the AOS-S and AOS-CX switches!

Lastly, I did a guide for Cisco ISE 3 + ArubaOS-CX Wired Guest Captive Portal earlier in the year in case anyone finds it helpful. Just like the ArubaOS-Switch guide, it's pretty complicated, but could be deployed campus-wide easily with NetEdit. Hopefully it helps someone out there turn captive portal problems into captive portal solutions :)

Cheers,
Tom
Original Message:
Sent: Nov 16, 2020 03:33 PM
From: Tom Costello
Subject: Wired guest captive portal without aaa on access switches?

Hi Airheads,

Hope everyone's powering through this pandemic craziness ok. With the weather getting cold and no pandemic-compatible indoor activities to do this past Saturday, I ended up cranking out Cisco ISE 3 + ArubaOS-Switch Wired Guest Captive Portal in my homelab, and it turned out just ok.

The reason I say it turned out "just ok" is if you print out the PDF of that lab, it's about 18 pages long, and a lot more complicated than I'd like. I'm sure it would have been a tiny bit smoother & straightforward with Clearpass instead of doing all the ISE stuff to support switches other than Cisco's. That being said, there's still all the aaa port-access configs & whatnot that must be perfectly applied to every access layer switch for the captive portal to work. Getting all of the configs applied to every single wired guest port on every single access switch isn't necessarily something I find enjoyable, even with the right automation tools.

I'd really like to do something more like NetReg: Network DHCP Registration System where you have one box that's effectively a DHCP server handling all things captive portal, no need for complicated access switch configs! Only problem is that project is not maintained anymore, doesn't support HTTPS redirect, and I'm sure getting that old code to work on a newer Linux server would be a headache.

Then I stumbled upon Configuring Wired Profile for Guest Access, Cisco Wireless Controller Configuration Guide, Release 7.6 - Configuring Wired Guest Access [Cisco Wireless LAN Controller Software], and How to have captive portal for wired uses only on one vlan on a trunk link?. This got me thinking: "what if I get the cheapest Aruba InstantOn switch, Aruba Mobility Controller, or Cisco WLC, punt my wired guest networks into it at layer2, and just use that as a wired guest captive portal appliance?" Obviously there'd be licenses to buy and some router-on-a-stick style pain associated with doing this, but I'm curious if anyone's had a good experience running wired guest captive portals on wireless controllers? If so, I'm even more curious if you find it to be a more graceful solution than all the Cisco ISE 3 + ArubaOS-Switch Wired Guest Captive Portal chaos.

Cheers,
Tom