Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Controller Captive Portal Guest Access Questions

  • 1.  Aruba Controller Captive Portal Guest Access Questions

    Posted Jun 06, 2022 03:40 PM
    Hi all,

          I was hoping someone here would be able to help me out with a couple of issues. I work in a school district and we have 2 Aruba WMC-7210 controllers. We don't have ClearPass and unfortunately I probably won't be able to get it since we are most likely moving off of Aruba in the next year to year and a half. One is running as the Master and the other as Standby. Both are running software version 6.5.4.20. Now I set up a basic Captive Portal Guest network. This network is for Staff in each of our 4 buildings to connect their personal devices. It is tied to an LDAP server group which checks against specific OUs across two of our AD Domain controllers. I have the associated AAA profile set up with specific access roles which allow DHCP/DNS on the initial role and then block all internal access once authenticated, so that they can only get out to the Internet. Right now I have a test AP group set up with only our IT Office AP in it so I can test everything.

           My first issue is that it keeps making me reauthenticate through the portal. So for example, let's say I walk out of the office for a few minutes and go somewhere else in the building; when I get back it won't just auto-reconnect, it will make me authenticate on the portal again. I don't want this to be the case. I want it to be so that once someone connects, they stay connected and don't have to reconnect unless it's a new device, replaced device, etc. The reauthentication interval value is set to 0 on both the initial role and the authenticated role. I also do not have User Idle Timeout enabled anywhere on any profile. Is there any way to get this to work in a way that it won't keep asking the users to authenticate each time they fall off the network? Even if I am in the office for 1 hour and my phone is just sitting there on my desk in its standby mode, once I wake it up it will force me to reauthenticate again.

            The second issue isn't as important. I was trying to integrate this staff network with our Palo Alto Firewall. I set up the native integration but unfortunately Aruba only sends the base username format (i.e. jsmith instead of domain\jsmith) and as far as I can tell there is no way to change that or change it so that they authenticate through the LDAP captive portal via the domain\username format. I then looked into the syslog solution I found here (Airheads Community). I have it set up but the Palo Alto isn't showing any logs coming through when I authenticate (I ran the show user server-monitor state all command). When I run the show log user 20 | include username command on the controller, I am seeing the user authentication logs. Would 802.1X work better? I am spinning up a new Server 2019 server right now to set up Network Policy Server so I can redirect Aruba to RADIUS. Can I have the captive portal check user logins via RADIUS instead?

              Sorry for the wall of text here. The first issue is much more important because I am trying to get this set up ASAP and I can't implement it if it is going to make the users reauthenticate on the portal all day long. Any recommendations would be greatly appreciated. Thank you for your time.


    ------------------------------
    Brian Santomauro
    ------------------------------
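The second issue in the post above (the controller logs a successful web authentication with a bare username, while Palo Alto User-ID wants DOMAIN\user) is the kind of thing a small syslog relay or parser can fix. The following is an added example, not code from the thread, from HPE or from Palo Alto. The sample syslog lines are constructed and their layout and message IDs are modelled on ArubaOS 6.x authmgr output as an assumption; compare them against the real `show log user` output before trusting the regex. The domain name, profile and role names are placeholders. It parses only successful authentications (failures and unrelated messages are dropped), normalises the username to DOMAIN\user whether it arrived bare, as DOMAIN\user or as a UPN, and returns the IP-to-user mappings that a User-ID feed would carry.

```python
"""Turn ArubaOS captive-portal auth syslog into DOMAIN\\user ip-mappings.

Added example with constructed data; not the controller's, HPE's or
Palo Alto's code. Adjust AUTH_OK_RE to what your controller really logs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines. Field layout and message IDs are an ASSUMPTION
# modelled on ArubaOS 6.x authmgr messages; verify against `show log user`.
SAMPLE_SYSLOG = [
    "Jun  6 15:40:12 2022 aruba-7210 authmgr[3392]: <522008> <NOTI> "
    "User authentication successful: username=jsmith MAC=a4:5e:60:11:22:33 "
    "IP=10.20.30.41 role=staff-guest-auth VLAN=120 AP=AP-IT-Office "
    "SSID=Staff-Guest AAA profile=staff-guest-aaa auth method=Web auth server=ldap-dc01",
    "Jun  6 15:41:02 2022 aruba-7210 authmgr[3392]: <522275> <NOTI> "
    "User authentication failed: username=mjones MAC=a4:5e:60:44:55:66 "
    "IP=10.20.30.42 role=staff-guest-logon reason=Invalid credentials",
    "Jun  6 15:42:30 2022 aruba-7210 authmgr[3392]: <522008> <NOTI> "
    "User authentication successful: username=SCHOOL\\Adoe MAC=a4:5e:60:77:88:99 "
    "IP=10.20.30.43 role=staff-guest-auth VLAN=120 AP=AP-IT-Office "
    "SSID=Staff-Guest AAA profile=staff-guest-aaa auth method=Web auth server=ldap-dc02",
]

# Only successful web authentications produce a mapping; everything else is ignored.
AUTH_OK_RE = re.compile(
    r"User authentication successful: username=(?P<user>\S+) "
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) role=(?P<role>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UserMapping:
    user: str   # DOMAIN\user, the form User-ID group lookups expect
    ip: str
    mac: str
    role: str


def normalize_username(user: str, default_domain: str) -> str:
    """Return DOMAIN\\user for a bare name, DOMAIN\\user or user@realm input.

    Bare names (what the controller sends) get default_domain. For a UPN the
    first label of the realm is taken as the NetBIOS domain; that shortcut is
    an assumption that holds only when the NetBIOS name really matches it.
    """
    if "\\" in user:
        domain, _, name = user.partition("\\")
    elif "@" in user:
        name, _, realm = user.partition("@")
        domain = realm.split(".")[0]
    else:
        domain, name = default_domain, user
    return f"{domain.upper()}\\{name.lower()}"


def parse_auth_event(line: str, default_domain: str) -> Optional[UserMapping]:
    """Mapping for a successful web-auth line; None for failures or other messages."""
    m = AUTH_OK_RE.search(line)
    if not m:
        return None
    return UserMapping(
        user=normalize_username(m["user"], default_domain),
        ip=m["ip"],
        mac=m["mac"].lower(),
        role=m["role"],
    )


def build_mappings(lines: Iterable[str], default_domain: str) -> List[UserMapping]:
    """All mappings from the successful authentications in `lines`, in order."""
    out: List[UserMapping] = []
    for line in lines:
        ev = parse_auth_event(line, default_domain)
        if ev is not None:
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in build_mappings(SAMPLE_SYSLOG, "SCHOOL"):
        print(f"{ev.ip:<15} {ev.user:<20} {ev.mac} role={ev.role}")
```

Run it as-is to see the two successful logins mapped with the SCHOOL prefix and the failed login skipped. If you keep the native syslog-to-User-ID path instead of a relay, the three expressions in `AUTH_OK_RE` (event, username, address) are what you would carry over into the firewall's syslog parse filter; the point of the relay is that it can add the domain prefix, which a pure regex filter cannot.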


  • 2.  RE: Aruba Controller Captive Portal Guest Access Questions

    EMPLOYEE
    Posted Jun 06, 2022 06:17 PM
    If your access points are split between two different controllers, if you roam from one access point to another, you will be forced to reauthenticate. If you are simply roaming out of coverage, the controller will "age out" a client after about 5 minutes and you will have to reauthenticate. One way to extend that number is to increase the idle timeout in the captive portal authentication profile to how many minutes you want a user to be gone before they are forced to reauthenticate. A side effect of this is that the user table will be artificially inflated by those users who have left but have not been aged out as of yet.

    Unfortunately, I do not have any knowledge about the Palo Alto solution to help you there. Maybe someone else can help.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
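As an added example (not configuration from the thread, from HPE or from the original poster), here is where the idle timeout the reply above refers to lives in the ArubaOS 6.x CLI: it is a parameter of the captive portal authentication profile, which is attached to the pre-authentication user role that the AAA profile assigns on association. Profile, role and server-group names are assumptions; the parameter ranges are whatever your build reports with `?` help, and the value shown is the maximum the original poster later reports for 6.5.4.

```text
! ArubaOS 6.x, entered on the master controller. Names are assumptions.
configure terminal

! Captive portal auth profile: raise the idle timeout from the default
! (about 5 minutes, per the reply above) to the largest accepted value.
aaa authentication captive-portal "Staff-Guest-cp"
   server-group "Staff-LDAP"
   default-role "Staff-Guest-auth"
   user-idle-timeout 15300
!

! The pre-authentication role carries the captive portal profile ...
user-role "Staff-Guest-logon"
   captive-portal "Staff-Guest-cp"
!

! ... and the AAA profile hands that role to every new association.
aaa profile "Staff-Guest-aaa"
   initial-role "Staff-Guest-logon"
!
write memory

! Checks: confirm the value took, then watch whether a client that has
! left coverage is still listed (with its authenticated role) before the
! timeout expires. Stale entries you see here are the inflation the
! reply warns about.
show aaa authentication captive-portal "Staff-Guest-cp"
show user-table
```

The timeout only delays aging; once the entry is gone the client is back in the logon role and sees the portal again, which is why the follow-up in this thread moves on to MAC caching or an authenticated SSID.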



  • 3.  RE: Aruba Controller Captive Portal Guest Access Questions

    Posted Jun 14, 2022 03:25 PM
    Hi cjoseph,

          Thank you for your reply. Our APs currently all run on the master controller and the standby would only pick them up in the event of an issue with the master. We tried the user idle timeout setting but the issue with that is you're limited to a max of 15,300 secs, which is approximately 4 hrs 30 mins. This is fine for the day but will still make staff have to reauthenticate every day, which isn't going to work. Right now we are looking into systems such as ClearPass/Cisco ISE as it seems this is the way to do this properly since they give us the MAC caching feature. Thanks again for your help.


  • 4.  RE: Aruba Controller Captive Portal Guest Access Questions

    EMPLOYEE
    Posted Jun 14, 2022 03:32 PM
    Have you considered using AD authentication on an encrypted SSID for staff? They would never have to authenticate. You would only need an NPS Server to authenticate them.




  • 5.  RE: Aruba Controller Captive Portal Guest Access Questions

    Posted Jun 15, 2022 08:08 AM
    Hi cjoseph,

         So that was another avenue I was also pursuing just in case the cost of one of these Authorization systems is too high. This district when I started was pretty bare. No print server, AD CA/NPS server, etc. I spun up a Server 2019 server already and installed NPS on it. Now I am working on setting up the AD CS on it since doing this through 802.1X requires at minimum the server to have a certificate (or at least that is what I gathered from what I researched on this). The only thing I would need to test here I guess is compatibility of devices. Most should be able to do 802.1X nowadays but the process is slightly different based on OS.