Hi all,
I was hoping someone here would be able to help me out with a couple of issues. I work in a school district and we have 2 Aruba WMC-7210 controllers. We don't have ClearPass and unfortunately I probably won't be able to get it since we are most likely moving off of Aruba in the next year to year and a half. One is running as the Master and the other as Standby. Both are running software version 6.5.4.20. Now I set up a basic Captive Portal Guest network. This network is for staff in each of our 4 buildings to connect their personal devices. It is tied to an LDAP server group which checks against specific OUs across two of our AD domain controllers. I have the associated AAA profile set up with specific access roles which allow DHCP/DNS on the initial role and then block all internal access once authenticated, so that they can only get out to the Internet. Right now I have a test AP group set up with only our IT Office AP in it so I can test everything.
My first issue is that it keeps making me reauthenticate through the portal. So for example, let's say I walk out of the office for a few minutes and go somewhere else in the building; when I get back it won't just auto reconnect, it will make me authenticate on the portal again. I don't want this to be the case. I want it to be so that once someone connects, they stay connected and don't have to reconnect unless it's a new device, replaced device, etc. The reauthentication interval value is set to 0 on both the initial role and the authenticated role. I also do not have User Idle Timeout enabled anywhere on any profile. Is there any way to get this to work in a way that it won't keep asking the users to authenticate each time they fall off the network? Even if I am in the office for 1 hour and my phone is just sitting there on my desk in standby mode, once I wake it up it will force me to reauthenticate again.
Second issue isn't as important. I was trying to integrate this staff network with our Palo Alto firewall. I set up the native integration but unfortunately Aruba only sends the base username format (i.e. jsmith instead of domain\jsmith) and as far as I can tell there is no way to change that, or to change it so that they authenticate through the LDAP captive portal via domain\username format. I then looked into the syslog solution I found here (Airheads Community). I have it set up but the Palo Alto isn't showing any logs coming through when I authenticate (I ran the show user server-monitor state all command). When I run the show log user 20 | include username command on the controller, I am seeing the user authentication logs. Would 802.1X work better? I am spinning up a new Server 2019 server right now to set up Network Policy Server so I can redirect Aruba to RADIUS. Can I have the captive portal check user logins via RADIUS instead?
Sorry for the wall of text here. The first issue is much more important because I am trying to get this setup ASAP and I can't implement it if it is going to make the users reauthenticate on the portal all day long. Any recommendations would be greatly appreciated. Thank you for your time.
------------------------------
Brian Santomauro
------------------------------
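As an added example (not from the original post or from Aruba/Palo Alto), one way to work around the bare-username problem from the second issue: parse the controller's authentication syslog lines, qualify each username with its AD domain from a directory lookup, and emit a PAN-OS User-ID XML API login message. The log line layout, the `DIRECTORY` mapping (standing in for an LDAP query) and the host names are constructed assumptions; only successful logins become IP-to-user mappings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in the general shape of Aruba authmgr messages
# (assumed layout; adjust AUTH_OK to what `show log user` prints on your controller).
SAMPLE_SYSLOG = """\
Nov  3 09:12:41 wlc1 authmgr[2211]: <INFO> |authmgr| User authentication successful: name=jsmith MAC=aa:bb:cc:dd:ee:01 IP=10.20.30.41 role=staff-auth method=Captive Portal
Nov  3 09:13:05 wlc1 authmgr[2211]: <INFO> |authmgr| User authentication successful: name=mjones MAC=aa:bb:cc:dd:ee:02 IP=10.20.30.42 role=staff-auth method=Captive Portal
Nov  3 09:14:10 wlc1 authmgr[2211]: <WARN> |authmgr| User authentication failed: name=baduser MAC=aa:bb:cc:dd:ee:03 IP=10.20.30.43 method=Captive Portal
"""

# Constructed stand-in for an LDAP lookup: sAMAccountName -> NetBIOS domain of the DC that holds it.
DIRECTORY = {"jsmith": "DISTRICT", "mjones": "HS"}

# Only successful authentications carry a usable user/IP pair.
AUTH_OK = re.compile(
    r"User authentication successful: name=(?P<user>\S+) .*?IP=(?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def extract_logins(syslog_text, directory):
    """Return [(domain\\user, ip), ...] for successful logins of known accounts."""
    logins = []
    for line in syslog_text.splitlines():
        m = AUTH_OK.search(line)
        if not m:
            continue  # failures and unrelated lines never become mappings
        user, ip = m.group("user"), m.group("ip")
        domain = directory.get(user.lower())
        if domain is None:
            continue  # unknown account: do not map the IP to anyone
        logins.append((f"{domain}\\{user}", ip))
    return logins


def build_uid_message(logins, timeout_minutes=60):
    """Build a PAN-OS User-ID XML API 'login' update for the given (user, ip) pairs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in logins:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_uid_message(extract_logins(SAMPLE_SYSLOG, DIRECTORY)))
```

The resulting XML is what you would POST to the firewall's `/api/?type=user-id` endpoint with an API key; the timeout keeps a stale mapping from outliving the session.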