Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal with Clearpass VLAN VSA

  • 1.  Captive Portal with Clearpass VLAN VSA

    Posted Nov 12, 2013 01:52 AM

    All,

    I'm trying to figure out a way for guest users to be sent to a different VLAN when they log into a captive portal. I was told by my Aruba SE that they believe it was possible for a guest user to be handed off to another VLAN if you send a CoA after they log in. I've been trying to get this to work all night and I'm coming up short.

    Has anyone got something similar to work?

    Thanks for your help!

    -Mike

    The ArubaOS infrastructure is running 6.3.1.1 and ClearPass 6.2.3.



  • 2.  RE: Captive Portal with Clearpass VLAN VSA

    EMPLOYEE
    Posted Nov 12, 2013 07:28 AM

    Boston1630,

    The only way that has worked is if the initial VLAN that the Captive Portal user is in has a DHCP lease of 30 seconds or less (the controller can provide sub-30 second DHCP leases).  When the user authenticates, ClearPass can send back a role or VLAN that has the new VLAN.  The client will re-DHCP and obtain the new VLAN when the lease expires at the 50% mark and be placed into the new VLAN.

    Others have said it can be done with COA, but COA, while resetting the authentication status of a Captive Portal client, does not force it to re-DHCP to obtain a new IP address.  It would be good if someone can show us how it would work that way.

     



  • 3.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 12, 2013 09:10 AM

    CJoseph,

    Thanks for the reply! That's an interesting way to go about it. I'm going to send this to my local SE and hope that his source can chime in on this topic. I, too, would like to be able to do it with a CoA, or something similar - that would be a lot slicker than waiting for the client to time out.

    Thanks!

    -Mike



  • 4.  RE: Captive Portal with Clearpass VLAN VSA

    EMPLOYEE
    Posted Nov 12, 2013 09:35 AM

    @boston1630 wrote:

    CJoseph,

    Thanks for the reply! That's an interesting way to go about it. I'm going to send this to my local SE and hope that his source can chime in on this topic. I, too, would like to be able to do it with a CoA, or something similar - that would be a lot slicker than waiting for the client to time out.

    Thanks!

    -Mike


    Boston1630,

    Again, the reason why COA works for 802.1X is that IP addressing and auth in 802.1X are tied together.  In captive portal, it is not, so the client is not disconnected from the network; his authentication state is merely reset, which is independent from IP addressing.



  • 5.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 12, 2013 09:44 AM

    CJ,

    Any chance there's an equivalent CoA function with Aruba similar to the "Port Bounce" with the Cisco? I know that is a signal to the physical port, but something equivalent might be able to do the trick. This is of course completely spitballing.

    Thanks!

    -Mike



  • 6.  RE: Captive Portal with Clearpass VLAN VSA

    EMPLOYEE
    Posted Nov 12, 2013 09:47 AM
    There is none that I know of that is RADIUS-server facing. Maybe someone can chime in if they know of one.


  • 7.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 14, 2013 07:42 PM
    Boston,

    Is this an open SSID? Are you using ClearPass Guest as a registration mechanism?


    You should be able to do this without a problem.


  • 8.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 14, 2013 10:27 PM

    Hi sdr53,

    Yep, I'm using ClearPass 6.2.3 and it is providing a web login page. The controller is running 6.3.1.1 and is pointing to ClearPass from a captive portal profile - standard stuff.

    Is this something that you've pulled off before? I'm really interested in how you did it.

    Thanks!

    -Mike



  • 9.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 15, 2013 01:12 PM
    Mike,

    Yes, I do it, and here is how:

    Set the authentication method on the service to allow all MAC auth. Then set the default role on the enforcement policy to return a user role on the controller; include a VLAN in the RADIUS return if you want. That user role should have the captive portal you would like to use for this SSID.

    The key is that the initial role on your controller will never be used because you will approve all requests.

    Hope this works for you.



  • 10.  RE: Captive Portal with Clearpass VLAN VSA

    EMPLOYEE
    Posted Nov 15, 2013 01:32 PM
    Sdr53,

    Thank you for that configuration.

    Boston1630, I think, wants to start from an unknown client with Captive Portal and switch VLANs after Captive Portal authentication. Will your solution work with what he wants?


  • 11.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 15, 2013 09:49 PM
    Yes, he should be able to switch VLANs with a CoA, and the client will get new DHCP.


  • 12.  RE: Captive Portal with Clearpass VLAN VSA

    EMPLOYEE
    Posted Nov 16, 2013 06:56 AM

    Sdr53,

    Can you provide details on how it should be configured specifically?  It is not working for Boston when he configures it that way.



  • 13.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 18, 2013 01:21 PM

    At the bottom of my enforcement policy I have this (screenshot: CaptureENFGuestPortal.PNG).

    (screenshot: CaptureEnfArubaUserROLE.PNG)

    This is the user role on the controller that has the Captive Portal you want to use.



  • 14.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 18, 2013 09:07 PM

    sdr53,

    I tried the following combinations to pull this off. Here's what I tried:

    1. I put an Aruba CoA in the guest pre-auth service after they logged into the web page

    2. I put an Aruba CoA in the guest service with MAC caching as part of the enforcement that was sent to the controller

    The above put the user back into the default role for the Captive Portal, even though I was sending an Aruba VSA with a different VLAN and a different role.

    I was able to get something working like what I was expecting, but it is kludgy and not consistent. Basically, a user can switch VLANs once they time out of the user table and they re-associate against the MAC Auth service.

    I wasn't able to get it to work in any other manner.

    -Mike



  • 15.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 18, 2013 09:12 PM
    My screenshots are from my MAC auth service. You should have another service that processes the captive portal login information. Based on that information, mark the endpoint as known, add the username to an attribute in the endpoint database, then CoA.


  • 16.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 18, 2013 09:35 PM

    Hi sdr53,

    Yep, that's exactly what I have. I was looking to change VLANs with the values returned from the Captive Portal service - not sure it's possible at this point.

    Thanks!

    -Mike



  • 17.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 18, 2013 10:48 PM

    Oh, it's possible. Well, at least I do it. A student brings a device in, connects to the SSID, and the device goes to the bottom of the enforcement policy, gets assigned a Guest Logon role and is placed in a DMZ/Guest VLAN, in a role that has the captive portal. Then the user logs into the web-auth service. The web-auth service updates the endpoint database and kills/CoAs the session. The device comes back, hits the MAC-auth service and stops at the VLAN that I want to place them in. Perfectly seamless.



  • 18.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 19, 2013 09:39 AM

    Hi sdr,

    I'm picking up what you're putting down - so I'm not sure what I'm missing.

    The workflow for your services is something similar:

    1. User connects to an open SSID and gets placed into a Captive Portal. The user will currently have VLAN X

    2. The user logs into the form on the Captive Portal and the pre-auth service authenticates their request

    3. The user is then serviced by the Guest and MAC Caching service where a custom attribute is set and they are sent an Aruba Terminate Session CoA

    4. The user is disconnected from the network

    5. The user reconnects to the same SSID and performs a MAC Authentication.

    6. As part of your enforcement profile, you send them a RADIUS VSA of a VLAN

    7. The user is now in VLAN Y based on step 6

    Does that sound right?

    Thanks!

    -Mike
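The workflow above hinges on the difference between the two RADIUS messages this thread contrasts: a CoA-Request (RFC 5176 code 43), which changes the authorization of a live session but, as CJoseph notes, leaves a captive-portal client's IP lease untouched, and a Disconnect-Request (code 40, the "Terminate Session" enforcement of step 3), which ends the session so the client re-associates and takes its VLAN from the MAC-auth Access-Accept. The Python below is an added example, not code from the thread or from ClearPass: it encodes both messages with the RFC 5176 Request Authenticator and the Aruba VSA for VLAN, and shows the receiver-side authenticator check. The MAC address, VLAN number and shared secret are constructed sample values; the Aruba vendor ID (14823) and sub-attribute numbers are from the public Aruba RADIUS dictionary.

```python
import hashlib
import struct

# RADIUS packet codes and attribute numbers (RFC 2865 / RFC 5176).
DISCONNECT_REQUEST = 40  # "Terminate Session": the message the thread's working flow relies on
COA_REQUEST = 43         # CoA-Request: changes authorization but does not re-DHCP a captive-portal client
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ARUBA_VENDOR_ID = 14823                  # Aruba's IANA enterprise number
ARUBA_USER_ROLE, ARUBA_USER_VLAN = 1, 2  # Aruba VSA sub-attribute numbers
SECRET = b"constructed-shared-secret"    # constructed sample value, not a real secret


def avp(attr_type, value):
    """Encode one attribute as Type / Length / Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_vsa(sub_type, value):
    """Wrap an Aruba sub-attribute inside a Vendor-Specific (26) attribute."""
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + avp(sub_type, value))


def build_request(code, identifier, attrs, secret=SECRET):
    """RFC 5176 Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def authenticator_valid(packet, secret=SECRET):
    """The NAS-side check: a request whose authenticator does not verify is silently discarded."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[4:20] == expected


def aruba_attrs(packet):
    """Return {sub_type: value} for every Aruba VSA in the packet (the header is 20 bytes)."""
    found, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            found[value[4]] = value[6:4 + value[5]]
        pos += length
    return found


# Constructed sample: the client is identified by its MAC address (Calling-Station-Id).
CLIENT = avp(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")
# Step 3 of the flow: a bare Disconnect-Request; the VLAN arrives later in the MAC-auth Access-Accept.
DISCONNECT = build_request(DISCONNECT_REQUEST, 7, CLIENT)
# The variant that did not work for the poster: a CoA-Request pushing Aruba-User-Vlan 200 to the live session.
COA = build_request(COA_REQUEST, 8, CLIENT + aruba_vsa(ARUBA_USER_VLAN, b"200"))
```

`aruba_attrs(COA)` returns `{2: b"200"}` while `aruba_attrs(DISCONNECT)` is empty, which is the point: the Disconnect carries only session identification, and the VLAN assignment comes from the subsequent MAC-auth exchange.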



  • 19.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Nov 19, 2013 10:56 AM

    Yes, that is correct.

    I would place a dummy enforcement line for a device that you have. Something like: if MAC address = ..., place into VLAN X.

    VLAN X should not be the VLAN that is set in the VAP profile on the controller. Just to see if you can assign VLANs.  You might have something wrong in the controller where you cannot assign a VLAN.

    Does everything look good in Access Tracker?



  • 20.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Sep 01, 2016 02:15 PM
    @boston1630 wrote:

    Hi sdr,

    I'm picking up what you're putting down - so I'm not sure what I'm missing.

    The workflow for your services is something similar:

    1. User connects to an open SSID and gets placed into a Captive Portal. The user will currently have VLAN X

    2. The user logs into the form on the Captive Portal and the pre-auth service authenticates their request

    3. The user is then serviced by the Guest and MAC Caching service where a custom attribute is set and they are sent an Aruba Terminate Session CoA

    4. The user is disconnected from the network

    5. The user reconnects to the same SSID and performs a MAC Authentication.

    6. As part of your enforcement profile, you send them a RADIUS VSA of a VLAN

    7. The user is now in VLAN Y based on step 6

    Does that sound right?

    Thanks!

    -Mike


    Thanks, I just configured this as I needed to do that for a specific use case and I can confirm it works well.

    I attached a Visio I did of the flow.



  • 21.  RE: Captive Portal with Clearpass VLAN VSA

    Posted Sep 01, 2016 10:14 PM
    Oh yes, it's been working great for us too. I have not tried to go back to using a default role. A plus about doing it this way is I have the default role under the VAP as a guest. If we are having problems with ClearPass (we never do) all clients will have Internet access. :-). Glad it's working for you.

    Sent from my iPhone