Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal using radius server

  • 1.  Captive portal using radius server

    Posted Dec 15, 2011 12:22 PM

    Hi all,

    I'm trying to setup a captive portal using a Microsoft NPS radius as the authentication server.

    I've seen previous messages in the forum suggesting permitting PAP in the NPS configuration to get this working.  I've tested PAP and it works, but since PAP is unencrypted, is there any way of using CHAP?

    There is a use-chap command in the captive portal profile, but using it doesn't work.

    Any ideas?

    Greetings,

    Jose



  • 2.  RE: Captive portal using radius server

    EMPLOYEE
    Posted Dec 15, 2011 12:51 PM

    The CHAP in the profile does not correspond to the CHAP in the Remote Access Policy.  Using https on the webpage will encrypt the traffic between your user and the controller, and yes, it is cleartext from the controller to the RADIUS server.  You can solve the encryption issue by using WPA2-AES on your clients, if that is the case.



  • 3.  RE: Captive portal using radius server

    Posted Dec 15, 2011 01:00 PM

    Hi,

    The issue is between the controller and the RADIUS servers.  The server administrators are refusing to deploy a clear-text authentication...

    So maybe there is another solution? I've tried LDAP, with no luck, and haven't found a guide on how to configure it, apart from the Aruba OS guide, which is quite general.

    Greetings and thank you,

    Jose



  • 4.  RE: Captive portal using radius server

    EMPLOYEE
    Posted Dec 15, 2011 01:03 PM

    Again,

    Why not deploy something like WPA2-AES encryption on your domain clients, and that will deal with a whole host of issues (including security) at the same time...?  Is that not an option?



  • 5.  RE: Captive portal using radius server

    Posted Dec 15, 2011 01:19 PM

    Ok, maybe I missed the explanation.

    We already have a WPA2-AES VAP with both machine and user authentication. The problem comes with non-Windows clients (iOS, Android), or Windows clients that are not part of our corporate AD. I would prefer not to deal with them, but I have no choice. And also with some equipment with no users at all (electrocardiographs, for example).

    So, the solution I thought about was a VAP with WPA2-PSK, with:

     - some ACLs permitting traffic to those servers used by that kind of equipment.

     - a captive portal, with both radius and internal database for authenticating users.

    My aim is not to deploy many VAPs. We already had three VAPs previously: voice, corporate equipment, and guest access. So I would like to integrate both solutions (non-802.1X equipment and other OSs) in only one more VAP, so I thought about this solution. I would also like to keep a simple configuration that could meet the requirements of the other vendors' controllers I have on other sites, and have a similar WLAN deployment to make support easier.

    I would appreciate your thoughts about this question,

    many thanks,

    Jose



  • 6.  RE: Captive portal using radius server

    EMPLOYEE
    Posted Dec 15, 2011 01:32 PM

    Okay.  A customer just did this recently:  

    I am assuming that you are using group policy to push the wireless configuration to your domain laptops.  In the group policy for your wireless, under Advanced, there is an option to use computer and user authentication.  If you change that option to "computer only", your domain devices will connect only with their computer credentials, not as a user.

    In the 802.1x profile for your WLAN you can turn on "Enforce Machine Authentication". You would then configure the Machine Authentication Default Machine Role to something "allow all" like authenticated.  You can then set the Machine Authentication Default User Role to "guest", and have the guest VLAN hardcoded into the guest role.

    Here is how it will work:

    Devices that authenticate with their machine credentials get onto the network just fine.  Devices that only use user credentials, like handhelds and non-domain devices, will authenticate but get switched to the guest VLAN, already authenticated.  They will not have to see a captive portal, and that will deal with your encryption situation as well, without having to deploy an additional WLAN.

    Devices that do not support the encryption you already have out there, you will unfortunately have to create a different WLAN for them.


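The machine-authentication split described in the reply above, written out as an added ArubaOS CLI example (not configuration from the thread or from Aruba). The profile, role, VLAN and ACL names are assumed placeholders; the commands are the ArubaOS 6.x 802.1X authentication-profile and user-role syntax as I remember it, so confirm them with the controller's own `?` help before applying. The Windows side is the wireless network (IEEE 802.11) group policy: on the profile's Security tab, Advanced, set "Specify authentication mode" to computer authentication so domain laptops never send user credentials.

```text
! 802.1X authentication profile bound to the existing WPA2-AES VAP.
! Machine-only success -> machine default role (full access).
! User-only success    -> user default role (guest VLAN, still WPA2-AES on air).
! Both succeed         -> role returned by the RADIUS server, or the profile default.
aaa authentication dot1x "corp-dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "authenticated"
   machine-authentication user-default-role "guest"
!
! Role for devices that passed user authentication only (handhelds, non-domain
! laptops). The VLAN is hardcoded in the role, so no captive portal and no extra
! VAP; the ACL limits them to what the guest segment is allowed to reach.
user-role "guest"
   vlan 100
   access-list session "guest-acl"
!
```

Check the result with the controller's user table after a test login from a domain laptop and from a non-domain phone: the laptop should land in the authenticated role, the phone in the guest role on VLAN 100, both showing WPA2-AES as the encryption in the association table. Equipment that cannot do WPA2 at all (the electrocardiographs mentioned earlier) is the one case this does not cover, which is the separate WLAN the reply concedes.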

  • 7.  RE: Captive portal using radius server

    Posted Jan 10, 2012 02:10 AM

    Nice implementation, but guest networks typically are open and unencrypted, right? Meaning you put your devices - which sync email and whatever else that contains company stuff - on this network where "anyone" entering your reception area can get access to.



  • 8.  RE: Captive portal using radius server

    EMPLOYEE
    Posted Jan 10, 2012 05:28 AM

    @jsolb wrote:

    Nice implementation, but guest networks typically are open and unencrypted, right? Meaning you put your devices - which sync email and whatever else that contains company stuff - on this network where "anyone" entering your reception area can get access to.


    Not true.  All the traffic will be encrypted over the air for everyone who uses WPA2-AES.  The devices that are moved to the "guest" VLAN will still have their traffic encrypted over the air.