Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Re: Captive Portal Aruba Controller 7030

  • 1.  Re: Captive Portal Aruba Controller 7030

    Posted Dec 19, 2019 02:41 AM

    This was solved through TAC after 2 days.

     

    It seems that there is an issue with enabling Captive Portal when no PEF-ENG licence is available.

     

    TAC created all the settings required from scratch, one by one (roles, virtual AP, SSID, ESSID, ACLs, etc.).

     

    In fact, when I try to view settings from the GUI, most of them are blank, and they have to be rolled back if touched. The SSID is not set up as guest but as employee type. Furthermore, without PEF-ENG there can only be one Captive Portal Policy / SSID.

     

    Every time you enable PEF-ENG and disable PEF-ENG, a restart of the controllers is required, as settings will not work properly.

     

    Below is the configuration provided and implemented by TAC:

     

    ip access-list session logon-control
     user any udp 68 deny
     any any svc-icmp permit
     any any svc-dns permit
     any any svc-dhcp permit
     any any svc-natt permit
     any network 169.254.0.0 255.255.0.0 any deny
     any network 240.0.0.0 240.0.0.0 any deny
    
    ip access-list session captiveportal
     user alias controller svc-https dst-nat 8081
     user any svc-http dst-nat 8080
     user any svc-https dst-nat 8081
     user any svc-http-proxy1 dst-nat 8088
     user any svc-http-proxy2 dst-nat 8088
     user any svc-http-proxy3 dst-nat 8088
    
    
    ip access-list session captiveportal6
     ipv6 user alias controller6 svc-https captive
     ipv6 user any svc-http captive
     ipv6 user any svc-https captive
     ipv6 user any svc-http-proxy1 captive
     ipv6 user any svc-http-proxy2 captive
     ipv6 user any svc-http-proxy3 captive
    
    ip access-list session v6-logon-control
     ipv6 user any udp 546 deny
     ipv6 any any svc-v6-icmp permit
     ipv6 any any svc-v6-dhcp permit
     ipv6 any any svc-dns permit
     ipv6 any network fc00::/7 any permit
     ipv6 any network fe80::/64 any permit
     ipv6 any alias ipv6-reserved-range any deny
    
    !
    aaa profile "Wifi_Guest"
        initial-role "Wifi_Guest"
        dot1x-server-group "internal"
    !
    aaa authentication captive-portal "Wifi_Guest"
        default-role "Wifi_Guest"
        show-acceptable-use-policy
    !
    wlan virtual-ap "Wifi_Guest"
        aaa-profile "Wifi_Guest"
        vlan 255
        ssid-profile "Wifi_Guest"
    
    user-role aruba1234-guest-logon
        access-list session logon-control
        access-list session captiveportal
        access-list session v6-logon-control
        captive-portal Wifi_Guest
    
    ap-group "default"
        virtual-ap "Wifi_Guest"
    
    wlan ssid-profile "wifi_Guest"
        essid "Wifi_Guest"
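
Added example, not part of the original post and not TAC's or Aruba's tooling: a small cross-reference check for the excerpt above. It lists names that are referenced but not defined in the excerpt, and names that are defined but never referenced. It assumes names must match exactly, including case, and the keyword tables are a simplified subset chosen for this excerpt. A finding may simply mean the object is defined elsewhere on the controller or was renamed when the post was sanitised.

```python
# Added example: cross-reference check over the config excerpt from the post.
# Constructed input: name-bearing lines copied from the post, ACL rules omitted.
CONFIG = '''
ip access-list session logon-control
ip access-list session captiveportal
ip access-list session captiveportal6
ip access-list session v6-logon-control
aaa profile "Wifi_Guest"
    initial-role "Wifi_Guest"
aaa authentication captive-portal "Wifi_Guest"
    default-role "Wifi_Guest"
wlan virtual-ap "Wifi_Guest"
    aaa-profile "Wifi_Guest"
    ssid-profile "Wifi_Guest"
user-role aruba1234-guest-logon
    access-list session logon-control
    access-list session captiveportal
    access-list session v6-logon-control
    captive-portal Wifi_Guest
ap-group "default"
    virtual-ap "Wifi_Guest"
wlan ssid-profile "wifi_Guest"
'''
# Simplified keyword tables (assumption, not a full ArubaOS grammar).
DEFS = {"ip access-list session": "acl", "aaa profile": "aaa-profile",
        "aaa authentication captive-portal": "captive-portal", "user-role": "role",
        "wlan virtual-ap": "virtual-ap", "wlan ssid-profile": "ssid-profile"}
REFS = {"initial-role": "role", "default-role": "role", "access-list session": "acl",
        "aaa-profile": "aaa-profile", "ssid-profile": "ssid-profile",
        "captive-portal": "captive-portal", "virtual-ap": "virtual-ap"}

def audit(config):
    """Return (referenced-but-undefined, defined-but-unreferenced) as sorted lists."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        # Unindented lines open a block (definition); indented lines reference names.
        table, bucket = (REFS, referenced) if line[:1].isspace() else (DEFS, defined)
        text = line.strip()
        for keyword, kind in table.items():
            if text.startswith(keyword + " "):
                bucket.add((kind, text[len(keyword):].strip().strip('"')))
                break
    return sorted(referenced - defined), sorted(defined - referenced)

if __name__ == "__main__":
    missing, unused = audit(CONFIG)
    print("referenced, not defined in excerpt:", missing)
    print("defined, not referenced in excerpt:", unused)
```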