Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Acceptable use page for guest access without login

  • 1.  Acceptable use page for guest access without login

    Posted Nov 19, 2013 03:20 PM

    Hello, I have one Aruba 3400 controller running OS 3.3.2.14.  For guest access we are currently using a captive portal page that requires a username and password.  We are switching to WPA2 authentication with passphrase for guest access, but we need to have the guest users click on an accept button on a terms of use type page.  From looking at the forum, it seems that this is built in on 3.4 but I'm running 3.3.x.  I have the WPA part configured and working but after entering the passphrase they can go straight to the internet.  I need to set it up to show the acceptable use page with accept button before they can browse the internet.  Any help is appreciated. 


    #3400


  • 2.  RE: Acceptable use page for guest access without login

    Posted Nov 19, 2013 04:18 PM

    I found this in another post:

     

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-154.

     

    It looks like what I need but I'm not sure if I meet the 4 Assumptions mentioned and how to implement it.



  • 3.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 10:01 AM

    You need to have the captive portal mapped on your initial role (look at your AAA profile; you're using the initial role since you're not authenticating your user, and PSK is not authentication).

     

    After you get the captive portal displayed and the user accepts the AUP, by default they will be placed in the guest role.

     



  • 4.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 08:26 PM

    Thanks ddipert.  I went to security>Authentication>Profiles and then to the AAA profiles tab, and clicked on ABCD_GUEST-aaa-profile and changed the initial role from Authenticated to ABCD_GUEST-captiveportal-profile and applied the config.  Then I connected to the guest wi-fi and it let me right on and I browsed to the internet with no accept page.  Guests used to have to provide a username and password at the captive portal.  I didn't change anything with the captive portal.  I just changed over to WPA2 with passphrase.  Do I need to make changes to the captive portal?  I know I will need to upload custom text for our page but I thought there is a default page in there.



  • 5.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 09:24 PM

    Need to make the required changes to the captive portal or create a new captive portal to reflect the box with an "I Accept". 

     

    The 2nd part is to map the captive portal to the role. 

    Go to: config->access control->ABCD_GUEST-captiveportal role

    Edit the role, look for "captive portal profile", and use the drop-down to find the captive portal you created/modified. Click "change", then apply.  See the screenshot provided.

     

    This is off topic but why are you on such old code? 



  • 6.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 09:48 PM

    Thanks again, we are out of support.  Don't you need a support contract to get new OS versions?



  • 7.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 09:58 PM

    I changed the captive portal profile for the role as you suggested.  I also have a role called cp-logon.  Do I need to change anything for that too?



  • 8.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 10:35 PM

    Yes you would need a support contract to upgrade. I don’t recommend running without a support contract. But that’s your business.

     


    What we are dealing with is that the role that is assigned to a user when they associate to your SSID (the initial role) needs to have a captive portal on the role. Inside the role the policy should be logon-control & captive portal.

    The policy will allow basic network access (DNS, DHCP, etc.) and the captive portal will redirect the user to the captive portal page.

     

    cp-logon might be a better initial role if the policies are correct. 
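
The check described in the post above (the initial role must carry a captive portal profile plus the logon-control and captive portal policies), as an added example that is not part of the original thread or Aruba's own tooling. The config excerpt is constructed: the role and AAA profile names come from the thread, but the role contents, the captive portal profile name `ABCD_GUEST-cp`, and the stanza layout are assumptions.

```python
# Constructed running-config excerpt (not taken from the thread's controller).
# Assumed layout: a stanza header line, indented settings, "!" as separator.
SAMPLE_CONFIG = '''\
user-role ABCD_GUEST-captiveportal-profile
   session-acl allowall
!
user-role cp-logon
   captive-portal "ABCD_GUEST-cp"
   session-acl logon-control
   session-acl captiveportal
!
aaa profile "ABCD_GUEST-aaa-profile"
   initial-role "ABCD_GUEST-captiveportal-profile"
!
'''

# Policies the post says the initial role should contain.
REQUIRED_ACLS = {"logon-control", "captiveportal"}

def parse_stanzas(text):
    """Return {(kind, name): [body lines]} for each config stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif not line[0].isspace():
            kind, _, name = line.rpartition(" ")
            current = stanzas.setdefault((kind, name.strip('"')), [])
        elif current is not None:
            current.append(line.strip())
    return stanzas

def audit_initial_roles(text):
    """Map each AAA profile to the problems found in its initial role."""
    stanzas, findings = parse_stanzas(text), {}
    for (kind, name), body in stanzas.items():
        if kind != "aaa profile":
            continue
        role = next((l.split()[1].strip('"') for l in body
                     if l.startswith("initial-role ")), None)
        rbody = stanzas.get(("user-role", role))
        if rbody is None:
            findings[name] = [f"initial role {role!r} not defined in excerpt"]
            continue
        acls = {l.split()[1] for l in rbody if l.startswith("session-acl ")}
        issues = [f"missing policy {a}" for a in sorted(REQUIRED_ACLS - acls)]
        if not any(l.startswith("captive-portal ") for l in rbody):
            issues.append("no captive portal profile on role")
        findings[name] = issues
    return findings
```

An empty list for a profile means its initial role has both policies and a captive portal profile attached; with PSK only, anything else lets clients through without the accept page.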



  • 9.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 11:48 PM

    Thanks again.  I think I'm close with that config example from Aruba.  I'm piecing things together in the CLI but I just ran out of time in my maintenance window so I'll have to revisit later.  I agree with you on the support contract.  I'd love to have it again but unfortunately I don't control the $$$ around here!



  • 10.  RE: Acceptable use page for guest access without login

    Posted Nov 21, 2013 09:47 PM

    OK I went into the document from that link I posted above.  Of the 4 requirements listed:

     

    Assumptions

    The following assumptions apply to the configuration example:

    • A valid Policy Enforcement Firewall (PEF) license is installed.
    • The software version on the controller is 3.x.
    • The VLAN 100 and DHCP servers of the Captive Portal users are already defined.
    • The SSID profile "public" with essid "public" is already defined.

    1. I have the PEF license installed.

    2. The software is 3.x

    3. I don't have VLAN 100 defined.  We use VLAN 900 for our guest network so I guess I would reference VLAN 900 instead of VLAN 100 in the configs provided.  We use VLAN 100 elsewhere on our wired network.

    4. How do I make a SSID profile "public" with essid "public" ?

     

    I did the config listed up to step 6.  I guess my question is how do I define an SSID profile "public" with essid "public"?