Security

I'm struggling to understand the steps required to set up a single open SSID with a captive portal that will allow guests to self-register and employees to login with AD credentials.

 

Most of the documentation I've seen makes heavy use of Mobility controllers rather than Virtual controllers.

 

I did have some luck last week with settings up seperate SSIDs but I've managed to break things to the point where I've flushed the configuration database to start fresh.

 

If anyone has any links to guides or posts to help me on my way, I sure would appreciate them.

 

Thanks

 

tharg

This video should help you out :
http://youtu.be/9x5uvhn2pHg

Hi Victor, thanks for taking the time to look in and the link to the video.

 

At 8.56 in the video, the authentication source is set as Local User Repository.

 

If I choose the options in the video, will I only be able to authenticate users that have a local account in the Guest Manager section of the CPPM?  Would I need to choose AD Authentication aswell or instead?

Make sure you select AD as your authentication source under the Guest services
Configuration » Services » Edit -&nbsp;<GUEST service="" name="">
Also need to add PAP as one of the authentication methods since it is require to do the Captive portal authentication piece
&nbsp;
And also need to add ClearPass to add :
Configuration » Authentication » Sources » <ACTIVE directory="">
&nbsp;
Check Page 137 of the Instant user guide (Configuring External Captive Portal Authentication Using ClearPass Guest)&nbsp;
&nbsp;
&nbsp;</ACTIVE></GUEST>

Right, so I've been playing with this remotely for most of the weekend and now I'm onsite trying to get things sorted.

 

I followed the video links and the Instant guide regarding capitve portals kindly provided by Victor, and I'm totally confused as to whats happening now.

 

At the moment, I have a single open SSID with a captive portal as per the video link.  When I went to Services in the CPPM, I only had 4 services pre-configured (Policy Manager Admin Network Login Service, Airgroup Authorization Service, Aruba Device Access Service and Guest Operator Logins) so I've added Guest Access - Web Login Pre-Auth and Guest Access.

 

 

As I got myself into such a mess a few weeks back and was looking to factory default the CPPM, I ran a cluster reset-database command.  Out of the box and prior to running the cluster reset-database, I had 11 services pre-defined so don't know if I've deleted a required service or profile etc.

 

If I try and connect to the SSID, I get the captive portal page asking for username and password and when I enter the username/password I can see in the CPPM Access Tracker that I get Guest Access - Web Login Pre-Auth Accept.

 

What I don't understand is that the portal the attempts to direct me to securelogin.arubanetworks.com/cgi-bin/login, which isn't resolving.  If I replace the securearubanetworks.com with the IP then I get the Onguard portal attempting to run run some Java for health checking.

 

Any advice would be really helpful right now.

 

 

Were you able to watch this video :

 

http://www.youtube.com/watch?v=JJXyLWtfQRo

 

 

Sorry for the late reply. I was taken off the project for a while and only got envolved again on Thursday.

 

We ended up with a support case, lots of calls back and forward with Aruba support and a potential bug that was sometimes replicated and sometimes not in their lab.

 

In the end we had to flatten the IAP virtual controller and reset the IAPs to factory and do a cluster reset-database on the CPPM.

 

We got things working but then hit a number of small bumps along the way.

 

The original plan was to setup a single SSID with captive portal for both guest and employees.  Guests to self register, employees to be AD authenticated and that was fine.  What we couldn't do was come up with any method for moving guests from the default vlan to vlan 200 post authentication.

 

Then we were going to do 2 SSIDs with seperate captive portals, but found the the URL for the captive portal on the IAP virtual controller is a global setting so both SSIDs were served the same page regardless.  We also found that after 5-10 minutes of inactivity, employees were being disconnected and had to enter there AD credentials again to continue access.  Not ideal.

 

So the next best option was 2 SSIDs with the employee one using 802.1x, but couldn't get past the need to modify the profile for each users laptop to be able to accept the GoDaddy cert we had installed.

 

Finally we ended up with a guest SSID with self-registration and an employee SSID with WPA2 Personal.  Not ideal but at least something is working now.

 

Would I be right in thinking that the path we really wanted to go down was BYOD via Onboarding so that staff could register their own devices, get a certificate installed and then the device would automatically connect for the life of the certificate?

 

If Onboarding is indeed the holy grail for our employee users, how would we publish a device registration page on the employee SSID and not the guest SSID?

 

I'm left wondering how many of these things are possible if any and whether a mobility controller would have been the answer to some of the issues.

My thoughts and my thoughts alone;

 

Setup a 802.1x SSID on IAP.  Use Group Policy to push the wireless 802.1x settings and the Godaddy Cert Trust out to domain clients.

 

Allow BYOD users to connect as well to the same SSID with domain credentials.

 

Setup a separate Captive Portal SSID for guests in ClearPass.

 

 

Thanks for the suggestion.  I hadn't considered using a gpo for the 802.1x settings and certificate trust.

 

It might be a while before I get to test this but I've every confidence it would work.

First you need to setup a group policy for your users to trust that GoDaddy Certificate:  http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx

 

Next, setup the Group Policy to Push the wireless settings here:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-How-to-create-a-Wireless-Group-Policy-on-Windows-2008/td-p/11768