Captive Portal / NPS Radius

  • 1.  Captive Portal / NPS Radius

    Posted Jan 20, 2012 12:07 PM

    I am running dual 3400 controllers and about 60 AP 105s.  I am broadcasting 2 SSIDs.

     

    One of those IDs is a "secure" wireless that authenticates through an NPS RADIUS server.  To connect, you need to have a domain PC and an AD username/password.

     

    The second ID is a "guest".  I want to secure it to require an AD username/password that I create.  So, I have it set up to go to a captive portal page that requires a username/password.  I set up a separate access policy in NPS.

     

    The problem is the processing order of the policies in NPS.  If I put my "secure" policy first, then my captive portal will not work; it will say authentication failed.  If I raise my "guest" policy to the top, captive portal will work but "secure" will not.

     

    So I guess my question is, how do I set up NPS so that it can use 2 separate policies from the same RADIUS client?


    #3400


  • 2.  RE: Captive Portal / NPS Radius

    Posted Jan 20, 2012 12:23 PM

    Define two different AAA servers that use the same IP/key.  Use one for the non-CP SSID and put the name of the SSID in the NAS-ID.  Use the other for the CP SSID and put the SSID in the NAS-ID.

     

    Now, from NPS, you can use the NAS-ID as a filter and know which SSID is sending the request.



  • 3.  RE: Captive Portal / NPS Radius

    Posted Jan 23, 2012 09:24 AM

    Fantastic idea

     

    One question - how do I set/change the NAS-ID on the Aruba AP?



  • 4.  RE: Captive Portal / NPS Radius

    Posted Jan 23, 2012 09:59 AM

    It is done via the AAA profile.  You should create a new AAA profile (make a copy of the one you use today) and set the NAS-ID in one of them to the name of the first SSID and the NAS-ID in the other to the name of the second SSID.  Then, in the AP-Group settings, click on the VAPs, then change the AAA profile for VAP1 to the AAA profile for SSID1.  Set the AAA profile for VAP2 to the AAA that has SSID2 as the NAS-ID.  All other settings should be the same between the two AAA profiles (server IP, key, NAS-IP, etc).

     

    Does that make sense?

     

    Once you have that done, the IAS/NPS rules can differentiate based on the NAS-ID of the request.



  • 5.  RE: Captive Portal / NPS Radius

    Posted Jan 23, 2012 10:08 AM

    Makes perfect sense -

     

    Could you possibly provide the command to set the NAS-ID?



  • 6.  RE: Captive Portal / NPS Radius

    Posted Jan 23, 2012 10:26 AM

    That's what I get for going on memory and not double checking things...

     

    It is actually done via the AAA server, not the AAA profile.  I recommend using the GUI for this as there are a lot of things that are intertwined and the GUI "Save As" will come in handy... There is a "clone" command in the CLI, but in this case, the GUI is easier.

     

    CLI -

     

    aaa authentication-server radius xyz (where xyz is the name you want to use for the server)

    nas-identifier SSID1

     

    GUI -

     

    Click on Configuration>Authentication>RADIUS server

    Add a new RADIUS server by clicking on the existing one, then clicking Save As and giving it a new name

    Click on Server Group and create a new Server Group.  Add the new Server created above.

    Click on AAA profiles (tab)

    Add a new AAA profile by clicking on the existing one, then clicking Save As and giving it a new name

     

    Now you are ready to set the new SSID profile to use the new AAA profile.
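
Added example, not part of the thread and not Aruba or Microsoft code: a small Python model of why the thread's fix works. It builds two constructed RADIUS Access-Requests that differ only in NAS-Identifier (attribute 32), parses them, and applies first-match policy selection the way the original poster describes NPS behaving. The SSID names, user names and controller address are assumptions, and conditions are compared by exact match for simplicity.

```python
import struct

USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32  # RFC 2865 attribute types

def build_access_request(ident, attrs):
    """Encode an Access-Request (code 1); authenticator is zeroed (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return {type: value} for the attribute TLVs after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def select_policy(policies, attrs):
    """First policy whose conditions all match wins; later ones are not evaluated."""
    for name, conditions in policies:
        if all(attrs.get(t) == v for t, v in conditions.items()):
            return name
    return None

NAS_IP = bytes([192, 0, 2, 10])  # constructed controller address (documentation range)
# Constructed requests: same RADIUS client, different NAS-Identifier per SSID.
secure_req = build_access_request(1, [(USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, NAS_IP), (NAS_IDENTIFIER, b"corp-secure")])
guest_req = build_access_request(2, [(USER_NAME, b"guest01"),
    (NAS_IP_ADDRESS, NAS_IP), (NAS_IDENTIFIER, b"corp-guest")])

# Keyed only on the RADIUS client: every request hits whichever policy is listed first.
BY_CLIENT = [("secure", {NAS_IP_ADDRESS: NAS_IP}), ("guest", {NAS_IP_ADDRESS: NAS_IP})]
# Also filtered on NAS-Identifier: each SSID reaches its own policy in any order.
BY_NAS_ID = [("secure", {NAS_IP_ADDRESS: NAS_IP, NAS_IDENTIFIER: b"corp-secure"}),
             ("guest", {NAS_IP_ADDRESS: NAS_IP, NAS_IDENTIFIER: b"corp-guest"})]

def route(policies):
    """Policy chosen for the secure request and the guest request, in that order."""
    return [select_policy(policies, parse_attributes(p)) for p in (secure_req, guest_req)]
```

With `BY_CLIENT` the guest request lands on the "secure" policy, which is the failure described in the first post; with `BY_NAS_ID` the result is the same whichever policy is on top.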