04-24-2019 02:21 PM
I need a captive portal with a customizable page (the internal captive portals are not customizable enough) that only grants access to the clients once they have agreed to the terms and conditions (the authentication text workflow doesn't allow this).
I am trying to configure an external captive portal with a RADIUS server so that I can grant internet access to users from a PHP page, say valid.php, where they get redirected from index.php of my captive portal.
When I connect clients I can see the captive portal, but I don't know how the IAP can "detect" the RADIUS handshake that would happen between my PHP code and the RADIUS server.
I have configured the SSID:
- Splash Page Type is "External"
- Captive Portal Profile is of Type "RADIUS Authentication" (NOT Authentication Text)
- Primary Server is my RADIUS server with Shared Key
- I have validated my RADIUS config with the Linux tool radtest.
So here is my question: how do I grant internet access after the RADIUS authentication? Does my PHP code need to connect to the IAP via SSH and run some commands to move the client to the post-auth role?
I have found this list of steps that I understand but it doesn't exactly explain how the handshake is done: https://community.arubanetworks.com/t5/Wireless-Access/Externally-hosted-Captive-Portal-and-RADIUS-server-controller/m-p/221661?advanced=false&collapse_discussion=true&filter=location&location=forum-board:unified-wired-wireless-access&q=external%20ca...
Thanks for any help
04-24-2019 09:26 PM
Take a look at this thread: https://community.arubanetworks.com/t5/Wireless-Access/External-Captive-Portal-RADIUS-Authentication/td-p/302266
After the user inputs their credentials in the external captive portal, the page needs to POST this back to the IAP so it can perform the RADIUS authentication phase. By default the IAP will have a certificate for "securelogin.arubanetworks.com" but this isn't signed by a public CA (it's not trusted by clients), so it's best to change the certificate. If the IAP is managed by Aruba Central then the certificate is updated with a new one that is more likely trusted by clients, "securelogin.hpe.com". You are posting back to this address so that the IAP captures the next phase.
There is a bit of info about how this works at the bottom of this page: https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/CaptivePortal/External%20Captive%20PortalwithCPPM.htm?Highlight=portal
If all that fails, ClearPass does it for you.
Re: IAP external captive portal with RADIUS server
04-25-2019 08:37 AM
Thank you for the quick reply, this works!
So the workflow is that the external captive portal page POSTs the captive portal data (MAC address, IP, original URL, etc.) and the RADIUS credentials (username and password) to https://securelogin.hpe.com, and that request is intercepted by the IAP. The IAP then performs the RADIUS authentication with the provided credentials + the shared secret (configured in Aruba Central). Upon RADIUS success, the client is redirected to the final page (configured in Aruba Central).
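
The workflow described in this thread, as an added example that is not part of any post: the portal page only builds the POST back to the IAP once the terms are accepted, and only toward one of the two IAP login hostnames named above. The `/cgi-bin/login` path, the `cmd`/`user`/`password` field names and the `switchip`/`mac`/`ip`/`url` redirect parameters are assumptions to check against the Instant documentation linked earlier; the sample query is constructed.

```javascript
// Added example; everything marked "assumed" is not stated in the thread.
const IAP_LOGIN_HOSTS = new Set([
  "securelogin.arubanetworks.com", // default IAP certificate name
  "securelogin.hpe.com",           // name used when the IAP is managed by Aruba Central
]);
const LOGIN_PATH = "/cgi-bin/login";       // assumed IAP login endpoint
const PASS_THROUGH = ["mac", "ip", "url"]; // assumed redirect parameter names

// redirectQuery: query string the IAP appended when it sent the client to the portal.
// form: what the user submitted on the portal page.
function buildIapLogin(redirectQuery, form) {
  // Terms and conditions gate: no POST to the IAP means no RADIUS attempt.
  if (form.termsAccepted !== true) return { ok: false, reason: "terms not accepted" };
  if (!form.username || !form.password) return { ok: false, reason: "missing credentials" };

  const q = new URLSearchParams(redirectQuery);
  // The post-back host arrives in the client's URL ("switchip", assumed name),
  // so it is client-controlled: credentials go only to an allowlisted host.
  const host = (q.get("switchip") || "").toLowerCase();
  if (!IAP_LOGIN_HOSTS.has(host)) return { ok: false, reason: "unexpected login host" };

  const fields = new URLSearchParams({
    cmd: "authenticate", // assumed command value
    user: form.username,
    password: form.password,
  });
  // Hand the captive portal data (MAC, IP, original URL) back to the IAP.
  for (const name of PASS_THROUGH) {
    const value = q.get(name);
    if (value !== null) fields.set(name, value);
  }
  return {
    ok: true,
    action: new URL(LOGIN_PATH, `https://${host}`).href, // form action, always HTTPS
    fields: Object.fromEntries(fields),                   // hidden inputs of the form
  };
}

// Constructed sample redirect query, not captured from a real IAP.
const SAMPLE_QUERY =
  "cmd=login&mac=aa:bb:cc:dd:ee:ff&ip=192.0.2.10" +
  "&switchip=securelogin.hpe.com&url=http%3A%2F%2Fexample.com%2F";

console.log(buildIapLogin(SAMPLE_QUERY,
  { username: "guest", password: "s3cret", termsAccepted: true }));
```

The returned `action` and `fields` are what the portal page renders as the form the browser submits; the IAP intercepts that request and performs the RADIUS exchange itself.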