Configuring Aruba for Authentication
OVERVIEW
This document describes the interactions between the SNAPx-based captive portal authentication system and Aruba gateways, wireless controllers and Aruba Central.
SNAPx Equipment Table Requirements
- Type: Gateway, Wireless Controller
- Vendor: Aruba
- Model: 7005, Aruba 7205-US, Instant-AP-Controller
- IP Address: Public IP Address
- SNMP IP Address: Private IP Address
- Protocol: HTTPS
- Username:
- Password:
- MAC Address:
- Status: Production
- API URL: Gateway: https://{IP}:{PORT}, Switch: http://{IP}:{PORT}/rest
- API Version: Gateway & Wireless Controller: v1+ | Switch: v3+
Gateway/SNAPx Wireless Connectivity
There are 3 types of communication between the gateway and SNAPx.
- RADIUS authentication from the gateway
- RADIUS Accounting from the gateway
- XML from SNAPx to the gateway
This requires that the gateway be reachable at a static public IP address, since SNAPx must be able to reach it for XML calls and must see RADIUS traffic from a fixed source.
Aruba Gateway Configuration Overview
Auth Servers
- Add the three servers below, using the host names specified.
SNAP_RADIUS
For SNAP_RADIUS, use the same SNAP RADIUS key that is used for Nomadix and replicate the settings shown below.
XML {YOUR INGRESS IP}
- The KEY should be aruba123 for all devices.
Create AAA Profile
Navigate to Configuration→Authentication→AAA Profile and, in the AAA Profiles list, create the SNAP-AAA profile.
MAC Authentication:
Navigate to Configuration→Authentication→SNAP→MAC Authentication and ensure the settings match the screenshot below:
Configure captive portal
- Configuration→Authentication→L3 Authentication→Captive Portal→add SNAP captive portal
- Assign Captive Portal to Logon role:
- Navigate to Configuration→Roles & Policies→role logon→in the pane at the top right click Show Advanced→open the More tab→click Authentication→set the Captive portal profile to SNAP
Assign AAA Profile to the SSID
Navigate to Configuration→System→All profiles→Wireless LAN→scroll down the list to Virtual AP→select the desired virtual AP (Aruba Room)→select AAA→on the right choose "snap-aaa"
Clear authenticated device from aruba
- Log in to the Aruba device via SSH (for example with PuTTY).
- To list all connected devices, run: show user
- To delete a device, note its IP address from that output and run: aaa user delete 192.168.50.3
Enable NAS-Port-ID so that Zone Migration works
By default Aruba does not send the NAS-Port-ID attribute in RADIUS accounting requests. Run the following commands, one per line:
    configure terminal
    aaa radius modifier "SNAP-TEST-RAD"
    include "NAS-Port-ID" dynamic user-vlan1
Example:
    (Aruba7205) [mynode] #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z
    (Aruba7205) [mynode] (config) #aaa radius modifier "SNAP-TEST-RAD"
    (Aruba7205) ^[mynode] (Radius Modifier Profile "SNAP-TEST-RAD") #include "NAS-Port-ID" dynamic user-vlan1
    (Aruba7205) ^[mynode] (Radius Modifier Profile "SNAP-TEST-RAD") #!
Net Destination / Whitelist
Before a user is authenticated, the firewall blocks most communication to the Internet. The SNAPx captive portal servers, and any other web site or content the property wants users to reach before they log in, must therefore be added to the whitelist. Consult SNAP and the property to build the whitelist correctly. Net Destinations can include IP addresses, ranges, hostnames, etc.
User Authentication
Captive Portal Profile
Create a captive portal profile that defines the external SNAP captive portal page, and authentication options. In the example below, we will place all authenticated users in the “authenticated” role by default, use the RADIUS server that is in the “SNAP” server group, send users to the specific login page, insert information in the redirect URL for SNAP, and apply the whitelist.
Logon Role
Create an initial logon role that is assigned to a specific authentication profile. This role is applied to all new users who connect where the authentication profile is applied (guest wired VLAN, Virtual AP, etc.). Different VLANs or SSIDs can have different initial logon roles, providing unique authentication experience for each. In this example, we are using default logon role access-lists (logon-control and captiveportal) that can be modified for required security policies. We also apply the captive-portal profile.
Authentication Profile
Create an authentication profile that can be assigned to wired or wireless users. Here we control how users authenticate.
- Assigns all new users the initial role
- Enables RADIUS accounting
- Defines the external XML API servers to use
Applying the Roles to Users
The last thing we want to do is enable guest authentication on the guest VLAN.
Untrusted Guest VLAN
We need to set the guest VLAN as untrusted. We can do this by specifying on the interface that only VLAN 1 (or whatever the management VLAN is) should be trusted.
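The GUI steps in "Aruba Gateway Configuration Overview" and the profile descriptions in this section are the same configuration; the following ArubaOS CLI listing is an added example that ties them together and is not SNAP's or Aruba's own configuration. The object names are the ones this guide uses (SNAP_RADIUS, SNAP, SNAP-AAA, SNAP-TEST-RAD, logon, authenticated). All IP addresses (203.0.113.x), the portal hostname portal.snapx.example, guest VLAN 100 and the uplink port are assumptions and must be replaced with the property's values; the acct-modifier line that binds the NAS-Port-ID modifier to the RADIUS server is assumed from ArubaOS 8.x syntax and is not shown on this page.

```arubaos
! Added example, not SNAP's or Aruba's own configuration.
! 203.0.113.10 (RADIUS), 203.0.113.20 (XML ingress), portal.snapx.example,
! VLAN 100 and gigabitethernet 0/0/1 are assumptions; replace them.

! 1. Auth servers: SNAP RADIUS (authentication + accounting) and XML API ingress.
aaa authentication-server radius "SNAP_RADIUS"
   host 203.0.113.10
   key <SNAP-RADIUS-shared-secret>
   auth-port 1812
   acct-port 1813
   acct-modifier "SNAP-TEST-RAD"
!
aaa xml-api server 203.0.113.20
   key aruba123
!
aaa server-group "SNAP"
   auth-server "SNAP_RADIUS"
!
! 2. RADIUS modifier so accounting requests carry NAS-Port-ID (Zone Migration).
aaa radius modifier "SNAP-TEST-RAD"
   include "NAS-Port-ID" dynamic user-vlan1
!
! 3. Whitelist: destinations reachable before login.
netdestination snap-whitelist
   host 203.0.113.20
   name portal.snapx.example
!
! 4. Captive portal profile pointing at the external SNAP login page.
aaa authentication captive-portal "SNAP"
   default-role "authenticated"
   server-group "SNAP"
   login-page "https://portal.snapx.example/login"
   switchip-in-redirection-url
   white-list "snap-whitelist"
!
! 5. Initial logon role: default ACLs plus the captive portal profile.
user-role "logon"
   access-list session "logon-control"
   access-list session "captiveportal"
   captive-portal "SNAP"
!
! 6. AAA profile: initial role, RADIUS accounting, XML API server.
aaa profile "SNAP-AAA"
   initial-role "logon"
   radius-accounting "SNAP"
   xml-api-server 203.0.113.20
!
! 7. Bind the AAA profile to the guest virtual AP.
wlan virtual-ap "Aruba Room"
   aaa-profile "SNAP-AAA"
!
! 8. Guest VLAN 100 is untrusted on the uplink; only management VLAN 1 is trusted.
interface gigabitethernet 0/0/1
   switchport mode trunk
   switchport trunk allowed vlan 1,100
   trusted vlan 1
!
```

Apply it from configure terminal on the controller (on a Mobility Master, at the node where the gateway sits) and then write memory. Order matters only in that the server, server group, modifier and netdestination must exist before the profiles that reference them; a useful check after login is show user, which should show the client moving from the logon role to authenticated.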
User Whitelisting – Captive Portal Bypass
It may be necessary for certain wired or wireless client devices to bypass authentication and be allowed to access the Internet directly. This can be done in several ways: simply change the device's role to a post-authentication role, or change the device's role and place it in a different VLAN from the one it is on, without having to physically move the client to that VLAN.
For example, a guest may have a gaming device that does not have a traditional web browser. You can get the device’s MAC address and allow that device to bypass the portal. You may also have a device that needs access to the public WAN segment. This is traditionally done by placing the device in a specific WAN VLAN or SSID. You also have the ability to place the user in the WAN VLAN by using the MAC address.
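The MAC-based bypass just described, as an added example in ArubaOS CLI that is not SNAP's or Aruba's own configuration. It extends the SNAP-AAA profile from this guide with a MAC authentication profile backed by the controller's internal user database; the two MAC addresses, the bypass VLAN 200 and the role name wan-bypass are assumptions.

```arubaos
! Added example, not SNAP's or Aruba's own configuration. The MAC addresses
! 00:11:22:33:44:55 / aa:bb:cc:dd:ee:ff, VLAN 200 and "wan-bypass" are assumptions.

! MAC authentication profile. The internal DB stores the MAC as 12 lowercase
! hex digits with no delimiter, so the profile is set to match that format.
aaa authentication mac "SNAP-MAC"
   delimiter none
   case lower
!
! Role for devices that should land on the WAN VLAN instead of the guest VLAN.
! Role-based VLAN derivation moves the client without re-cabling it.
user-role "wan-bypass"
   vlan 200
   access-list session "allowall"
!
! Attach MAC authentication to the existing AAA profile. A device whose MAC is
! in the internal DB receives the role stored with its entry and never sees the
! captive portal; unknown MACs fall through to the normal logon role.
aaa profile "SNAP-AAA"
   authentication-mac "SNAP-MAC"
   mac-server-group "internal"
   mac-default-role "authenticated"
!
```

The device entries are added from enable mode, with username and password both set to the MAC in the profile's format: local-userdb add username 001122334455 password 001122334455 role authenticated for a gaming console that should skip the portal, and local-userdb add username aabbccddeeff password aabbccddeeff role wan-bypass for a device that belongs on the WAN VLAN. If the device is already associated, clear it with aaa user delete mac 00:11:22:33:44:55 so it re-authenticates, then confirm the role and VLAN with show user mac 00:11:22:33:44:55.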