Controllerless Networks

  • 1.  Captive Portal derivation rule

    Posted May 27, 2021 08:21 AM
    Hi,

    I'm about to migrate a controller-based AOS 6 environment to AOS 8 IAPs. The customer uses an external Captive Portal (not ClearPass) with acknowledgment of user terms. There are some devices with no graphical interface that should connect to this guest SSID as well.

    On the controller there is a derivation rule with MAC addresses to identify these devices and allow access without captive portal.

    I try to set this up on the IAP, but when configuring the external Captive Portal, it always kicks in first, ignoring the rule I made under section 4 (Access) of the network's configuration.

    The rule is like:

    If mac-address not-equals e2bccb0bcb39 assign role Authenticated

    If I leave the SSID open, without any authentication, the role assignment works fine, so there is no typo in the MAC address etc.

    I think it is a matter of the order in which the IAP treats authentication and access rules. However, I'm not sure.

    Is there a way to achieve what I need (derivation based on MAC address) to avoid captive portal authentication?

      







    ------------------------------
    Joachim Becker
    ------------------------------


  • 2.  RE: Captive Portal derivation rule

    Posted Jun 05, 2021 08:33 PM
    Have you enabled MAC auth under the "security" tab of your Guest SSID?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Captive Portal derivation rule

    Posted Jun 14, 2021 04:06 AM
    I tested the setup again today. If I use the internal captive portal of the IAP, I can use the internal authentication server for MAC Auth, and this setup gives me the required behaviour. MAC Auth is checked first and, if successful, the client is authenticated. If MAC Auth fails, the captive portal page is presented to the client.

    However, with an external captive portal and RADIUS server, I can't use the internal auth server. The local guest user database is ignored and the captive portal is always presented to the client.


    ------------------------------
    Joachim Becker
    ------------------------------



  • 4.  RE: Captive Portal derivation rule

    Posted Apr 17, 2023 01:08 PM

    This is exactly what I'm trying to do, but using campus APs. Can't figure out how to get it to work.

    I've created a "User Rule" under Configuration > Authentication > User Rule that looks at the MAC address and assigns it an authenticated role to bypass an internal captive portal. I have MAC Authentication enabled in the SSID, but feel like I'm missing some steps.

    Does it work differently with IAPs?




  • 5.  RE: Captive Portal derivation rule

    Posted Apr 28, 2023 02:42 PM

    I have configured a requirement like this in the following way:

    The SSID is Open with Captive Portal and it is pointing to the Internal Database (where I have registered the MAC addresses).
    Under AAA Servers > Server Group I have created a server group pointing to the internal database, and in the Server Rules I have set:
    User-Name equals <mac address of the Device> set role <setting up the role they should get>

    So what happens is, when the devices (in my case car chargers) are configured to use that SSID, they connect automatically and get the correct role. For everyone else who tries to connect to this SSID, it opens up the Captive Portal.

    (P.S.: This is configured like this on ArubaOS 8.x, but I have also configured similar cases on ArubaOS 6.5.)

    Maybe this helps 



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------