Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Providing guest & corporate access..

  • 1.  Providing guest & corporate access..

    Posted Jun 22, 2014 02:09 AM

    Hi Guys,

     

    Let me get to the point directly:

     

    The customer wants the following.

    1. Password-of-the-day for guest access.
      1. Receptionist to hand out username and password of the day if guest arrives and requires Internet access so they may log into a captive portal on Aruba.
    2. Single sign-on with AD or RADIUS authentication
      1. Corporate users looking to log into the wireless network but with AD\RADIUS authentication.
      2. However, only selected corporate users identified through the AD\RADIUS server if username is part of a group, for example.
      3. Looking at logging in once where when they roam back into the network the following day, device will automatically join.
      4. If AD password expires after 90 days, need to login (understandable).
      5. Not looking to use certificates.
    3. Time-based usernames
      1. Can certain usernames on Aruba ClearPass be time-based. That means from 9am – 9pm, the username is allowed to login. Anything after that, they cannot.
    4. Customizable captive portal page
      1. And lastly, the ability to customize the captive portal page.

    My questions:

     

    Question for item (1): Does this feature come with the Aruba Mobility Controller 3200XM or do I need the Aruba ClearPass Guest?

     

    Question for item (2): What products from Aruba are capable of this feature? If not possible, can we do with one of the following:

    • Manually import username into the Aruba solution.
    • Increase session timeout to the maximum possible (What is the maximum possible?)
    • Use WPA2-Enterprise?

    Question for item (3): Can certain usernames on Aruba ClearPass be time-based where they are allowed access at certain time-ranges?

     

    Question for item (4): How much degree of customization can be done?



  • 2.  RE: Providing guest & corporate access..

    EMPLOYEE
    Posted Jun 22, 2014 05:49 AM

    1.  Yes.

    2.  ClearPass Policy Manager.  Yes.  Yes...indefinite.  Yes.

    3.  Yes.

    4.  A great deal...  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=12979



  • 3.  RE: Providing guest & corporate access..

    Posted Jun 22, 2014 09:32 AM

    Hi cjoseph,

     

    Thanks for replying on a Sunday. If it isn't too much, I do have a few more questions:

     

    1. For password-of-the-day to work, if I use just the Aruba Mobility Controller (without ClearPass), would it be able to generate a username & password for guest password daily to a specific email address (say the receptionist) so that he\she would hand out to guests when they come?

     

    2. For single sign-on with AD\RADIUS:

     

    • if I use layer-3 authentication (captive portal), how would Aruba ClearPass know that the AD password has expired if I extend the session to indefinite?
    • if I use WPA2-enterprise, can I choose not to use the certificates?


  • 4.  RE: Providing guest & corporate access..

    EMPLOYEE
    Posted Jun 22, 2014 09:43 AM

    tvlview,

     

    1.  You would have to set up the controller to point to your email server when guests are generated, so that passwords can be sent:

    config t
    guest-access-email
    smtp-server <ip address of your email server>
    

     You would then have to set up the controller to automatically send emails when guests are created:

    config t
    local-userdb send-to-sponsor

     Last, but not least, you would need to have a script that automatically logs into the controller every day and creates an account with a random username and password.  The command below generates a random username and a random password valid for a day, and sends them to receptionist@company, provided that you set up the email configuration above.

    (controller) #local-userdb add generate-username generate-password sponsor-email receptionist@company expiry duration 1440
    
    GuestConnect
    Username: guest-5616811
    Password: EGMg3916
    Start date: Sun Jun 22 08:41:00 2014
    
    Expiration: 1440 minutes
    

     



  • 5.  RE: Providing guest & corporate access..
    Best Answer

    EMPLOYEE
    Posted Jun 22, 2014 09:49 AM

    2.  Extending Captive Portal users to indefinite will involve using mac caching and mac authentication every time the user associates to the captive portal.  When the user associates, the mac cache can check on the status of the username of the associated user in AD by checking on an LDAP attribute on that username to see if it is expired.

     

    3.  802.1x requires at least the radius server certificate to be trusted on the client-side even if you are only using username and passwords (PEAP) for user connectivity.  You would also need a server certificate on the radius server, of course.
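
Added example, not part of the original posts and not ClearPass's own logic: a Python model of the MAC-caching decision described in reply 5, where a cached MAC is accepted only while the AD account behind it is still current. The cache and directory dictionaries, group DN and MAC addresses are constructed; `pwdLastSet`, `memberOf` and `userAccountControl` are real AD attributes, and deriving expiry as `pwdLastSet` plus the thread's 90 days is an assumption.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD counts 100 ns ticks from here
MAX_PASSWORD_AGE = timedelta(days=90)   # expiry interval mentioned in the thread
ACCOUNTDISABLE = 0x0002                 # userAccountControl flag: account disabled
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl flag: password never expires

def to_filetime(dt):
    """datetime -> integer in the format AD stores in pwdLastSet."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def mac_auth_decision(mac, mac_cache, directory, required_group, now):
    """Return ('allow' | 'portal', reason) for a device that just associated."""
    username = mac_cache.get(mac.lower())
    if username is None:
        return "portal", "mac not cached"
    user = directory.get(username)
    if user is None:
        return "portal", "user not found in directory"
    uac = user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return "portal", "account disabled"
    if required_group not in user["memberOf"]:
        return "portal", "not in required group"
    if user["pwdLastSet"] == 0:          # 0 means "must change password at next logon"
        return "portal", "password must change"
    expired = now - from_filetime(user["pwdLastSet"]) > MAX_PASSWORD_AGE
    if expired and not uac & DONT_EXPIRE_PASSWORD:
        return "portal", "password expired"
    return "allow", "cached mac, account current"

# Constructed sample data (hypothetical users, group and MAC addresses).
NOW = datetime(2014, 6, 22, 12, 0, tzinfo=timezone.utc)
GROUP = "CN=Wireless-Corp,OU=Groups,DC=example,DC=com"
def _user(age_days, groups, uac=0x200):
    return {"pwdLastSet": to_filetime(NOW - timedelta(days=age_days)),
            "userAccountControl": uac, "memberOf": groups}
DIRECTORY = {"alice": _user(10, [GROUP]), "bob": _user(120, [GROUP]),
             "carol": _user(5, []), "dave": _user(120, [GROUP], 0x200 | DONT_EXPIRE_PASSWORD)}
MAC_CACHE = {"00:11:22:aa:bb:01": "alice", "00:11:22:aa:bb:02": "bob",
             "00:11:22:aa:bb:03": "carol", "00:11:22:aa:bb:04": "dave"}

if __name__ == "__main__":
    for mac in list(MAC_CACHE) + ["00:11:22:aa:bb:ff"]:
        print(mac, mac_auth_decision(mac, MAC_CACHE, DIRECTORY, GROUP, NOW))
```

A "portal" result means the device is sent back to the captive portal to log in again, which is the point at which an expired AD password would be caught.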



  • 6.  RE: Providing guest & corporate access..

    Posted Jun 22, 2014 11:29 AM

    When I perform the below:

     

    Extending Captive Portal users to indefinite will involve using mac caching and mac authentication every time the user associates to the captive portal.  When the user associates, the mac cache can check on the status of the username of the associated user in AD by checking on an LDAP attribute on that username to see if it is expired.

     

    This option doesn't use ClearPass?



  • 7.  RE: Providing guest & corporate access..

    EMPLOYEE
    Posted Jun 22, 2014 11:31 AM

    Yes, it does.  There is no other direct interface into AD that the controller alone can do. It also cannot do flexible mac caching to allow you to make decisions about different types of users and how long before they next need to login.



  • 8.  RE: Providing guest & corporate access..

    Posted Jun 22, 2014 11:33 AM

    Okay! I understand now. Thanks for the details!



  • 9.  RE: Providing guest & corporate access..

    Posted Jun 22, 2014 12:08 PM

    Hi Joseph,

     

    One more last question, if you may, do I need ClearPass Guest or ClearPass Policy Manager for the below:

     

    Extending Captive Portal users to indefinite will involve using mac caching and mac authentication every time the user associates to the captive portal.  When the user associates, the mac cache can check on the status of the username of the associated user in AD by checking on an LDAP attribute on that username to see if it is expired.



  • 10.  RE: Providing guest & corporate access..

    EMPLOYEE
    Posted Jun 22, 2014 12:10 PM
    Yes. Both work in combination to provide the above service.


  • 11.  RE: Providing guest & corporate access..

    Posted Jun 22, 2014 12:12 PM

    Okay, great. Thank you!