Product and software: This article applies to all Aruba wireless controllers and ArubaOS 3.1.1.x and later.
Guidelines
- This is a step-by-step configuration of an Aruba controller that redirects wireless users to an external captive portal page.
- The configuration applies to ArubaOS 3.x and later.
- The external server presents the login page, authenticates the user and, on successful authentication, communicates with the controller via the XML API to move the user to a predefined role on the Aruba controller.
Assumptions
We assume the following is already implemented:
- An ESI license is installed on the controller.
- A wireless-user VLAN, a DHCP pool for that VLAN with the controller's VLAN interface IP address as the default gateway, an SSID profile, and a virtual AP profile are already configured on the controller.
Implementation
For illustration purposes, the following configuration is assumed to be in place as per the above assumptions:
- External Captive Portal IP Address: 10.10.10.50
- DNS Server IP Address: 10.10.10.5
- Captive Portal SSID: guest
- Wireless VLAN: 30
- Wireless VLAN interface IP: 172.16.30.1/24
- DHCP Pool: 172.16.30.0/24, gateway: 172.16.30.1, DNS: 10.10.10.5
- Captive Portal SSID Profile: ext_cp_ssid
Step 1: Allow HTTP(S) access to the external server in the captiveportal ACL.
(config) #ip access-list session captiveportal
user alias mswitch svc-http dst-nat 8080
user alias mswitch svc-https dst-nat 8081
user alias 10.10.10.50 svc-http permit
user alias 10.10.10.50 svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
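The captiveportal ACL above only works because session ACLs are matched first-rule-wins: the two permit lines for 10.10.10.50 must sit before the catch-all dst-nat lines, or the login page itself gets redirected back to the controller's portal. The following is an added example (not from the article or from Aruba) that models the Step 1 ACL as data, evaluates a few constructed client flows against it, and flags rules that an earlier rule shadows. It assumes the article's addresses, that 'user' matches any client-sourced packet, that the 'mswitch' alias is the controller's VLAN interface address (172.16.30.1 here), and that svc-http and svc-https are TCP/80 and TCP/443; the client-side addresses are constructed.

```python
"""Added example: first-match evaluation of the Step 1 captiveportal ACL.

Assumptions (not stated on the page): ArubaOS session ACLs are evaluated
first match; 'user' matches any packet sourced by the wireless client;
'mswitch' resolves to the controller's own address (172.16.30.1 in the
article's setup); svc-http = TCP/80 and svc-https = TCP/443.
"""

MSWITCH = "172.16.30.1"                       # controller VLAN 30 interface (article)
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# The captiveportal ACL from Step 1, as (src, dst, service, action) tuples,
# in the order the article lists them.
CAPTIVEPORTAL_ACL = [
    ("user", "mswitch", "svc-http", "dst-nat 8080"),
    ("user", "mswitch", "svc-https", "dst-nat 8081"),
    ("user", "10.10.10.50", "svc-http", "permit"),
    ("user", "10.10.10.50", "svc-https", "permit"),
    ("user", "any", "svc-http", "dst-nat 8080"),
    ("user", "any", "svc-https", "dst-nat 8081"),
]


def _dst_matches(rule_dst, dst_ip):
    """Resolve the article's destination aliases against a concrete address."""
    if rule_dst == "any":
        return True
    if rule_dst == "mswitch":
        return dst_ip == MSWITCH
    return dst_ip == rule_dst


def evaluate(acl, dst_ip, dst_port, proto="tcp"):
    """Return the action of the first matching rule for a client-sourced flow.

    'deny' means nothing in *this* ACL matched; in the cp-logon role the
    'control' ACL is consulted first for DHCP/DNS, so this is per-ACL only.
    """
    for src, dst, svc, action in acl:
        if src != "user":                  # this ACL only has client-sourced rules
            continue
        if SERVICES.get(svc) != (proto, dst_port):
            continue
        if _dst_matches(dst, dst_ip):
            return action
    return "deny"


def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule with the
    same service already covers their destination (first-match semantics)."""
    shadowed = []
    for i, (_src, dst, svc, _act) in enumerate(acl):
        for _s, edst, esvc, _a in acl[:i]:
            if esvc == svc and (edst == "any" or edst == dst):
                shadowed.append(i)
                break
    return shadowed


def flows_demo(acl=CAPTIVEPORTAL_ACL):
    """Evaluate a few constructed flows from a client in VLAN 30."""
    flows = [
        ("10.10.10.50", 443),      # the external login page
        ("198.51.100.7", 80),      # any other web site (constructed address)
        (MSWITCH, 443),            # the controller itself
        ("10.10.10.50", 22),       # SSH to the portal host: not covered here
    ]
    return {f: evaluate(acl, *f) for f in flows}


if __name__ == "__main__":
    for flow, action in flows_demo().items():
        print("%s:%d -> %s" % (flow[0], flow[1], action))
    # Same rules with the two permits moved after the catch-alls: the login
    # page is now redirected to the controller, and the permits are dead.
    misordered = CAPTIVEPORTAL_ACL[4:] + CAPTIVEPORTAL_ACL[2:4]
    print("misordered: 10.10.10.50:443 ->", evaluate(misordered, "10.10.10.50", 443))
    print("shadowed rule indexes:", shadowed_rules(misordered))
```

Running the script shows the login page permitted and everything else on 80/443 dst-nat'ed to the controller's 8080/8081 listeners; the misordered variant turns the login page into a redirect loop, which `shadowed_rules` reports as unreachable permit entries before the role is ever applied to a client.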
Step 2: Define a new captive portal profile.
(config) #aaa authentication captive-portal "external"
default-role guest
no user-logon <-- authentication is done by the external server
login-page https://10.10.10.50/ <-- URL details may differ
no enable-welcome-page
Step 3: Define the captive portal initial role.
(config) #user-role cp-logon
captive-portal external
session-acl control
session-acl captiveportal
Step 4: Define the captive portal default ACL and role.
(config) #ip access-list session guest-acl
any any svc-dhcp permit
user any svc-icmp permit
user any svc-dns permit
user any svc-http permit
user any svc-https permit
!
(config) #user-role guest
session-acl guest-acl
Step 5: Define the external captive portal server as an xml-api server.
(config) #aaa xml-api server "10.10.10.50"
key "secretkey"
Step 6: Define a new aaa profile to use the initial role and xml-api server.
(config) #aaa profile "external_auth"
initial-role "cp-logon" <-- defined in step 3
xml-api-server "10.10.10.50"
Step 7: Define a new virtual AP profile for the external captive portal users.
(config) #wlan virtual-ap "ext_cp_vap"
ssid-profile "ext_cp_ssid" <-- predefined in the prerequisites
vlan 30 <-- wireless user vlan
aaa profile "external_auth" <-- defined in step 6
Important Notes
- Because the external server communicates with the Aruba controller via HTTPS POST to send XML commands, the server must use the 'user_add' XML command, which carries the target role ("guest" here) among its other parameters.
- The 'user_authenticate' XML command should be used instead when the Aruba controller itself authenticates the users. In that case:
  - The "user login" option should be enabled.
  - An authentication server should be configured and its server group added to the captive portal profile.
- If source NAT is required, do not use the "ip nat inside" command under the user VLAN interface; instead apply src-nat at the ACL level in the post-authentication role. If src-nat is applied in the initial role, the redirection may fail, and the output of 'show aaa xml-api statistics' will show that the "Cant use Switch IP" counter has incremented by 1:
(MM800) #show aaa xml-api statistics
ECP Statistics
--------------
Statistics 10.10.10.50
---------- -----------
user_authenticate 0 (0)
user_add 1 (0)
user_delete 0 (0)
user_blacklist 0 (0)
user_query 0 (0)
unknown user 0 (0)
unknown role 0 (0)
unknown external agent 0 (0)
authentication failed 0 (0)
invalid command 0 (0)
invalid message authentication method 0 (0)
invalid message digest 0 (0)
missing message authentication 0 (0)
missing or invalid version number 0 (0)
internal error 0 (0)
client not authorized 0 (0)
Cant use VLAN IP 0 (0)
Invalid IP 0 (0)
Cant use Switch IP 1 (0)
Packets received from unknown clients : 0 (0)
Packets received with unknown request : 0 (0)
Requests Received/Success/Failed : 1/0/1 (0/0/0)
- A new captive portal profile option, switchip-in-redirection, was introduced in ArubaOS 3.3.x. When it is enabled, the controller adds its switch IP (switchip) as a CGI parameter to the redirection URL, which already contains the user's MAC and IP addresses. This allows multiple controllers to use the same XML server.
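The two notes above (the 'user_add' command the external server must send, and the switchip parameter it receives in the redirect URL) are the pieces the external portal has to implement. The following is an added example written for this article, not code from Aruba or from any portal product: it parses the redirect URL the client arrives with, validates the switchip against a list of controllers the portal is allowed to talk to, and builds the 'user_add' request with the shared key from Step 5. It assumes the XML API layout commonly documented for ArubaOS (an HTTPS POST to /auth/command.xml with an 'xml' form field, and the ipaddr, macaddr, user, role, key, authentication and version fields) and that the redirect URL's query parameters are named mac, ip and switchip; confirm both against the XML API reference for your release. The request itself is only sent when run as a script.

```python
"""Added example: external captive portal side of the Aruba XML API flow.

Assumptions (verify against the ArubaOS XML API reference for your release):
- The controller accepts an HTTPS POST at /auth/command.xml whose 'xml' form
  field holds an <aruba command="user_add"> document.
- Fields: ipaddr, macaddr, user, role, key, authentication, version. 'key' is
  the shared secret in cleartext, or its hex MD5/SHA-1 digest when
  'authentication' is md5 or sha-1.
- The redirect URL carries the client's 'mac' and 'ip', and 'switchip' when
  switchip-in-redirection is enabled.
"""
import hashlib
import ipaddress
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Controllers this portal may talk to and their xml-api keys (Step 5 of the
# article; the address is the article's VLAN 30 interface). Constructed table.
CONTROLLERS = {
    "172.16.30.1": "secretkey",
}
FALLBACK_SWITCHIP = "172.16.30.1"   # used when the controller sends no switchip
ALLOWED_ROLES = {"guest"}           # roles this portal is willing to assign

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_redirect(url):
    """Extract mac, ip and switchip from the captive portal redirect URL.

    switchip arrives via the client's browser, so it is validated against the
    CONTROLLERS table rather than trusted: otherwise a crafted URL could make
    the portal post the shared key to an address of the client's choosing.
    """
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    mac = q.get("mac", [""])[0].lower()
    ip = q.get("ip", [""])[0]
    switchip = q.get("switchip", [FALLBACK_SWITCHIP])[0]
    if not MAC_RE.match(mac):
        raise ValueError("bad or missing mac in redirect URL")
    ipaddress.ip_address(ip)          # raises ValueError if not an address
    ipaddress.ip_address(switchip)
    if switchip not in CONTROLLERS:
        raise ValueError("switchip %s is not a known controller" % switchip)
    return {"mac": mac, "ip": ip, "switchip": switchip}


def build_user_add(client, username, role="guest", auth="sha-1"):
    """Return (controller_url, form_body) for a user_add command.

    The role must exist on the controller (Step 4 here); an unknown one is
    counted under 'unknown role' in 'show aaa xml-api statistics'.
    """
    if role not in ALLOWED_ROLES:
        raise ValueError("role %r not permitted by this portal" % role)
    secret = CONTROLLERS[client["switchip"]]
    if auth == "cleartext":
        key = secret
    elif auth == "md5":
        key = hashlib.md5(secret.encode()).hexdigest()
    elif auth == "sha-1":
        key = hashlib.sha1(secret.encode()).hexdigest()
    else:
        raise ValueError("unsupported authentication method %r" % auth)
    root = ET.Element("aruba", command="user_add")
    for tag, val in (("ipaddr", client["ip"]), ("macaddr", client["mac"]),
                     ("user", username), ("role", role), ("key", key),
                     ("authentication", auth), ("version", "1.0")):
        ET.SubElement(root, tag).text = val
    body = urllib.parse.urlencode({"xml": ET.tostring(root, encoding="unicode")})
    return "https://%s/auth/command.xml" % client["switchip"], body


if __name__ == "__main__":
    import urllib.request
    # Constructed redirect URL as the controller would send it with
    # switchip-in-redirection enabled.
    redirect = ("https://10.10.10.50/?cmd=login&mac=00:11:22:33:44:55"
                "&ip=172.16.30.20&switchip=172.16.30.1")
    client = parse_redirect(redirect)
    url, body = build_user_add(client, "alice")
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    # Real deployments verify the controller certificate here; default
    # urlopen context does so against the system trust store.
    with urllib.request.urlopen(req, timeout=5) as resp:
        print(resp.status, resp.read().decode())
```

Keeping the per-controller key table and the role whitelist on the portal side is what bounds the damage if the portal's input handling is wrong: the worst a tampered redirect can do is a rejected request, which then appears as "unknown external agent" or "authentication failed" in the statistics output shown above.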