Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP external captive portal with RADIUS server

  • 1.  IAP external captive portal with RADIUS server

    Posted Apr 24, 2019 05:22 PM

    Hi,

     

    I need a captive portal with a customizable page (the internal captive portals are not customizable enough) that only grants access to the clients once they have agreed to the terms and conditions (the authentication text workflow doesn't allow this).

     

    I am trying to configure an external captive portal with RADIUS server so that I can grant internet access to users from a PHP page, say valid.php, where they get redirected from index.php of my captive portal.

     

    When I connect clients I can see the captive portal, but I don't know how the IAP can "detect" the RADIUS handshake that would happen between my PHP code and the RADIUS server.

     

    I have configured the SSID:

    • Splash Page Type is "External"
    • Captive Portal Profile is of Type "RADIUS Authentication" (NOT Authentication Text)
    • Primary Server is my RADIUS server with Shared Key
    • I have validated my RADIUS config with the Linux tool radtest.

    So here is my question: how do I grant internet access after the RADIUS authentication? Does my PHP code need to connect to the IAP via SSH and run some commands to move the client to the post-auth role?

     

    I have found this list of steps that I understand but it doesn't exactly explain how the handshake is done: https://community.arubanetworks.com/t5/Wireless-Access/Externally-hosted-Captive-Portal-and-RADIUS-server-controller/m-p/221661?advanced=false&collapse_discussion=true&filter=location&location=forum-board:unified-wired-wireless-access&q=external%20captive%20portal%20radius&search_type=thread

     

    Thanks for any help



  • 2.  RE: IAP external captive portal with RADIUS server
    Best Answer

    EMPLOYEE
    Posted Apr 25, 2019 12:27 AM

    Take a look at this thread: https://community.arubanetworks.com/t5/Wireless-Access/External-Captive-Portal-RADIUS-Authentication/td-p/302266 

     

    After the user inputs their credentials in the external captive portal, the page needs to POST this back to the IAP so it can perform the RADIUS authentication phase. By default the IAP will have a certificate for "securelogin.arubanetworks.com" but this isn't signed by a public CA (it's not trusted by clients) so it's best to change the certificate. If the IAP is managed by Aruba Central then the certificate is updated with a new one that is more likely trusted by clients, "securelogin.hpe.com". You are posting back to this address so that the IAP captures the next phase.

     

    There is a bit of info about how this works at the bottom of this page: https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/CaptivePortal/External%20Captive%20PortalwithCPPM.htm?Highlight=portal

     

    And this might help: https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/CaptivePortal/External%20Captive%20Portal.htm?Highlight=portal

     

    If all that fails, ClearPass does it for you.

     

    Good luck!



  • 3.  RE: IAP external captive portal with RADIUS server

    Posted Apr 25, 2019 11:37 AM

    Thank you for the quick reply, this works!

     

    So the workflow is that the external captive portal page POSTs the captive portal data (MAC address, IP, original URL, etc.) and the RADIUS credentials (username and password) to https://securelogin.hpe.com, and that request is intercepted by the IAP. The IAP then performs the RADIUS authentication with the provided credentials + the shared secret (configured in Aruba Central). Upon RADIUS success, the client is redirected to the final page (configured in Aruba Central).
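
The post-back step described in this thread, as an added PHP example that is not part of any post above and is not Aruba's code: a valid.php-style handler that builds the form the client's browser submits to the IAP only after the terms are accepted, refuses any post-back host other than the two named in the thread, and HTML-escapes every redirect parameter it echoes. The `switchip` parameter, the form field names and the `/cgi-bin/login` path are assumptions to confirm against the Instant user guide linked above.

```php
<?php
// Added example, not from the thread. Field names, 'switchip' and LOGIN_PATH are
// assumptions; confirm them against the Instant user guide for your firmware.
declare(strict_types=1);

// Hosts the IAP answers on, as named in the thread.
const ALLOWED_POSTBACK_HOSTS = ['securelogin.hpe.com', 'securelogin.arubanetworks.com'];
const LOGIN_PATH = '/cgi-bin/login'; // assumed path

/** Return the https post-back URL, or null when the host is not allowlisted. */
function postback_url(string $host): ?string
{
    $host = strtolower(trim($host));
    return in_array($host, ALLOWED_POSTBACK_HOSTS, true) ? 'https://' . $host . LOGIN_PATH : null;
}

/** HTML-escape a value before it is written into the page. */
function h(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the form the client's browser submits to the IAP once terms are accepted. */
function render_login_form(array $query, bool $accepted, string $user, string $pass): string
{
    if (!$accepted) {
        return '<p>You must accept the terms and conditions.</p>';
    }
    $get = fn(string $k): string => is_string($query[$k] ?? null) ? $query[$k] : '';
    $action = postback_url($get('switchip'));
    if ($action === null) {
        return '<p>Unexpected post-back host; request refused.</p>'; // never post credentials elsewhere
    }
    // The credential passes through the client's browser, so treat it as non-secret.
    $fields = ['cmd' => 'authenticate', 'user' => $user, 'password' => $pass,
               'mac' => $get('mac'), 'ip' => $get('ip'), 'url' => $get('url')];
    $html = '<form method="post" action="' . h($action) . '">';
    foreach ($fields as $name => $value) {
        $html .= '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">';
    }
    return $html . '<button type="submit">Connect</button></form>';
}

// Constructed sample redirect parameters (not captured from a real IAP).
$sample = ['switchip' => 'securelogin.hpe.com', 'mac' => '02:00:00:aa:bb:cc',
           'ip' => '192.0.2.10', 'url' => 'http://example.com/?a="><script>'];
echo render_login_form($sample, true, 'guest', 'guest-pass'), "\n";
echo render_login_form(['switchip' => 'portal.example.net'] + $sample, true, 'guest', 'guest-pass'), "\n";
```

The first call prints a form targeting `https://securelogin.hpe.com/cgi-bin/login` with the `url` value escaped; the second prints the refusal message because the host is not on the allowlist.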