Question - 1. What is the pre-auth role in Aruba Instant?
2. When should we use the pre-auth role?
3. How can we configure it?
4. When can we not use the pre-auth role?
Environment - The commands in this article were tested on Aruba Instant 6.4.2.3-4.1.1.2.
Answer- The pre-auth role in Aruba Instant can be used with the following authentication types:
a. Captive portal authentication.
b. MAC authentication.
It can be used when we want to allow some access to clients:
a. Before they are able to authenticate.
b. When they do not have credentials to authenticate.
To set a role as pre-auth:
======================
wlan ssid-profile TEST-155
enable
index 1
type guest
essid TEST-155
opmode opensystem
max-authentication-failures 0
vlan guest
auth-server InternalServer
set-role-pre-auth TEST-155
rf-band all
captive-portal internal
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
=========================
In this role, we can specify the services the client may reach before it passes the configured authentication. For example, below we allow the client to reach TFTP with a udp 69 rule. This lets devices such as thin clients download firmware from a central server over TFTP even if authentication fails:
wlan access-rule TEST-155
index 3
rule any any match udp 69 69 permit
Note:
1. We need not add DNS or DHCP to the pre-auth role. They are automatically allowed when we set a role as pre-auth.
2. The ACLs that allow DNS and DHCP will not be visible in the pre-auth role.
3. We can however see the DNS and DHCP entries in the datapath ACL applied to the user:
#show datapath user
Datapath User Table Entries
---------------------------
IP MAC ACLs Contract Location Age Sessions Flags Vlan FM
--------------- ----------------- ------- --------- -------- ----- --------- ----- ---- --
172.31.99.20 F0:25:B7:31:44:B5 110/0 0/0 0 1 0/65535 3333 B
00:0b:86:8f:93:cd# show datapath acl 110
Datapath ACL 110 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
K - App Throttle, d - Domain DA
----------------------------------------------------------------
1: any any 17 0-65535 8209-8211 P4
2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4 hits 8
4: any any 6 0-65535 80-80 PSD4 hits 18
5: any any 6 0-65535 443-443 PSD4 hits 50
6: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 17 0-65535 67-68 P4
7: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 17 0-65535 67-68 P4
8: 172.31.98.0 255.255.254.0 any 17 0-65535 67-68 PS4
9: any any 17 0-65535 67-68 P4
10: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 17 0-65535 53-53 P4
11: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 17 0-65535 53-53 P4
12: 172.31.98.0 255.255.254.0 any 17 0-65535 53-53 PS4 hits 21
13: any any 17 0-65535 53-53 P4
14: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 6 0-65535 8081-8081 P4
15: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 6 0-65535 8081-8081 P4
16: 172.31.98.0 255.255.254.0 any 6 0-65535 8081-8081 PS4
17: any any 6 0-65535 8081-8081 P4
18: any any any 4 hits 42
Above we see that DHCP (UDP 67-68) and DNS (UDP 53) traffic was automatically allowed for the user in the pre-auth role even though we didn't specify it explicitly in the ACL.
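The datapath ACL above is evaluated first-match, so the only way to know which services a client in the pre-auth role can actually reach is to walk the entries in order. The following is an added example, not Aruba's code or part of this article: it parses the `show datapath acl 110` output quoted above and reports, for a client (172.31.99.20, taken from the datapath user table on the page) talking to a server (10.0.0.5, a constructed address outside the client subnet), which entry decides each of a handful of services. The service list and the server address are assumptions for illustration. Note that the captured ACL contains no udp 69 entry, so TFTP falls through to the final catch-all entry 18, which has no P flag; that is why the explicit TFTP rule shown earlier is needed for the thin-client case, while DHCP and DNS are already permitted by the entries the pre-auth role adds on its own.

```python
"""Parse Aruba Instant 'show datapath acl' output and evaluate it first-match for a client."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Datapath ACL 110 entries exactly as captured on the page (pre-auth role of SSID TEST-155).
ACL_110 = """\
1: any any 17 0-65535 8209-8211 P4
2: any 172.31.98.1 255.255.255.255 6 0-65535 80-80 PSD4
3: any 172.31.98.1 255.255.255.255 6 0-65535 443-443 PSD4 hits 8
4: any any 6 0-65535 80-80 PSD4 hits 18
5: any any 6 0-65535 443-443 PSD4 hits 50
6: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 17 0-65535 67-68 P4
7: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 17 0-65535 67-68 P4
8: 172.31.98.0 255.255.254.0 any 17 0-65535 67-68 PS4
9: any any 17 0-65535 67-68 P4
10: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 17 0-65535 53-53 P4
11: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 17 0-65535 53-53 P4
12: 172.31.98.0 255.255.254.0 any 17 0-65535 53-53 PS4 hits 21
13: any any 17 0-65535 53-53 P4
14: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 6 0-65535 8081-8081 P4
15: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 6 0-65535 8081-8081 P4
16: 172.31.98.0 255.255.254.0 any 6 0-65535 8081-8081 PS4
17: any any 6 0-65535 8081-8081 P4
18: any any any 4 hits 42
"""


@dataclass
class AclEntry:
    index: int
    src: str                          # "any" or "addr/mask"
    dst: str
    proto: Optional[int]              # None means any IP protocol
    dport: Optional[Tuple[int, int]]  # None means any destination port
    flags: str                        # e.g. "PSD4"; an entry without "P" denies
    hits: int


def _take_addr(tokens):
    """Consume 'any' or 'addr mask' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_datapath_acl(text):
    """Parse the numbered entry lines; header, legend and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*)", line)
        if not m:
            continue
        idx, tokens = int(m.group(1)), m.group(2).split()
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        hits = 0
        if len(tokens) >= 2 and tokens[-2] == "hits":
            hits, tokens = int(tokens[-1]), tokens[:-2]
        if tokens[0] == "any":        # "any 4": any protocol, flags only (the catch-all)
            proto, dport, flags = None, None, tokens[1]
        else:                         # "<proto> <sport-range> <dport-range> <flags>"
            lo, hi = tokens[2].split("-")
            proto, dport, flags = int(tokens[0]), (int(lo), int(hi)), tokens[3]
        entries.append(AclEntry(idx, src, dst, proto, dport, flags, hits))
    return entries


def _addr_matches(entry_addr, ip):
    if entry_addr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(entry_addr, strict=False)


def first_match(entries, src_ip, dst_ip, proto, dport):
    """Datapath ACLs are first-match: return the entry that decides this flow, or None."""
    for e in entries:
        if not (_addr_matches(e.src, src_ip) and _addr_matches(e.dst, dst_ip)):
            continue
        if e.proto is not None and e.proto != proto:
            continue
        if e.dport is not None and not (e.dport[0] <= dport <= e.dport[1]):
            continue
        return e
    return None


# Services worth checking for a pre-auth role (assumed list, protocol number and port).
SERVICES = {"DHCP": (17, 67), "DNS": (17, 53), "TFTP": (17, 69), "HTTPS": (6, 443), "SSH": (6, 22)}


def audit_preauth_acl(text, client_ip, server_ip):
    """Map each service to (deciding entry index, flags) for client -> server traffic."""
    entries = parse_datapath_acl(text)
    result = {}
    for name, (proto, port) in SERVICES.items():
        e = first_match(entries, client_ip, server_ip, proto, port)
        result[name] = (e.index, e.flags) if e else (None, "")
    return result


def permitted(text, client_ip, server_ip):
    """Reduce the audit to a simple permit/deny per service."""
    return {n: "P" in flags for n, (_, flags) in audit_preauth_acl(text, client_ip, server_ip).items()}


if __name__ == "__main__":
    for svc, (idx, flags) in audit_preauth_acl(ACL_110, "172.31.99.20", "10.0.0.5").items():
        print(f"{svc:5s} -> entry {idx} flags {flags} {'permit' if 'P' in flags else 'DENY'}")
```

Entries whose flags carry S and D (SNAT and DNAT) are the captive-portal redirect for HTTP and HTTPS, so "permit" for those ports means the client reaches the portal, not the original destination; the script reports the raw flags so that distinction stays visible.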
AnswerLT - 1. Pre-auth is a special role in Aruba Instant that allows a client some access before it completes authentication.
2. We can use it when we want the client to access network resources before it authenticates.
3. The pre-auth role will not work with 802.1X or PSK authentication.