
Dell PowerConnect W-Clearpass 100 Software Integration Guide


Contents

1. Amigopod and ArubaOS Integration, Version 1.0. Amigopod and ArubaOS Integration Application Note. Copyright 2011 Aruba Networks, Inc. AirWave, Aruba Networks, Aruba Mobility Management System, Bluescanner, For Wireless That Works, Mobile Edge Architecture, People Move. Networks Must Follow., RFprotect, The All Wireless Workplace Is Now Open For Business, Green Island and The Mobile Edge Company are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer or otherwise revise this publication and the product specifications without notice. While Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba will assume no responsibility for any errors or omissions. Open Source Code: Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source. Legal Notice: ARUBA DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, ACCURACY AND QUIET ENJOYMENT. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF AR
2. (Screenshot: Security > Authentication > Servers, Server Group "Guest-Amigopod" containing the server Amigopod of type RADIUS, with the Fail Through option and Server Rules table.) Figure 6: Adding an AAA server group. Creating an RFC 3576 Server Instance. RFC 3576 is an extension to the RADIUS standard that allows for RADIUS server-initiated control of an established RADIUS AAA session. The two primary functions of the RFC are represented by the following two messages. Disconnect messages: the RADIUS server sends a Disconnect-Request packet to terminate a user session on a NAS and removes all associated session context. The Disconnect-Request packet is sent to UDP port 3799, and it identifies the user session to be terminated by inclusion of the session identification attributes. Change of Authorization (CoA) messages: CoA request packets contain information for dynamically changing session authorizations. Ty
3. (Screenshot: Guest Manager account page with Back to guests, List guest accounts and Back to main links.) Figure 37: Completed guest account. If numeric user credentials will be challenging during your testing phase, these credentials can be edited easily by clicking the List guest accounts option. Click the newly created guest account to display the actions that are available for the new account. Click Edit to make changes to the user credentials. (Screenshot: Guest Manager Accounts. The following table shows the guest accounts that have been created; click an account to modify it. Account 22163841, role Guest, status Enabled, expiration N/A, with the actions Reset password, Change expiration, Remove, Edit, Sessions and Print. Edit Account form with the fields Account Name (name of the visitor), Username (name of the visitor account), Account Activation (select an option for changing the activation time of this account), Account Expiration (select an option for changing the expiration time of this account), Account Lifetime (the amount of time after the first login before the visitor account will expire and be deleted) and Allowed Usage.)
4. Check the RADIUS NAS list and ensure that it has an entry that matches the IP address listed in the error message. The Aruba controller may be using a loopback instead of the interface address as the source for RADIUS traffic. Make sure you restarted the RADIUS server after you added the new RADIUS NAS entry for the Aruba controller. Run a test RADIUS authentication from the Aruba controller to ensure basic connectivity using UDP 1812/1813. If you receive an error message in the RADIUS logs about an incorrect login: check that the username and password have been entered correctly, and reset the password if necessary; check that the shared secrets are the same on the Amigopod and ArubaOS, and reset the keys on both ends to be sure; run the RADIUS debugger on Amigopod for deeper analysis of the transaction. Troubleshooting Tips, page 49. Appendix A: Contacting Aruba Networks. Web site support: main site http://www.arubanetworks.com; support site https://support.arubanetworks.com; software licensing site https://licensing.arubanetworks.com/login.php; Wireless Security Incident Response Team (WSIRT) http://www.arubanetworks.com/support/wsirt.php. Support emails: Americas and APAC support@arubanetworks.com; EMEA emea_support@arubanetworks.com; WSIRT email wsirt@arubanetworks.com. Please email details of any security p
5. Alternatively, the switchip variable that is sent as part of the redirect URL can be parsed automatically and used as the IP address for the web login credential submission. This option should be selected in multi-controller environments so that the web login page is dynamically aware of which controller the guest user is currently connected to, and therefore which controller must be part of the authentication transaction. Here is a sample redirect URL that includes the switchip variable: https://10.169.130.50/Aruba_login.php?cmd=login&switchip=10.169.130.6&mac=00:21:00:95:61:29&ip=10.0.20.58&essid=guestnet&url=http%3A%2F%2Fwww%2Egoogle%2Ecom%2F. To make use of the switchip variable, enable Dynamic Address as shown in Figure 25. Additional security mechanisms have been implemented in the form of white and black lists that allow the administrator to define the valid IP addresses of the controller deployment in their environment. This additional security measure prevents modification of the redirect URL by individuals who might attempt to extract user credentials by spoofing the form submission to a device in their control. If the Amigopod receives a switchip value that does not match the white list, the Amigopod responds to the default address. The example in Figure 25 shows that the master and local controllers defined in the campus VRD are permitted in the white list of valid controller IP addresses. The web login page now is c
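The white-list check described above, as an added illustration that is not Amigopod's own code: the switchip value is taken from the redirect URL, and the login form is pointed at it only if it is a valid address on the white list and not on the black list; otherwise the default controller address is used. The white-list entries and the sample redirect URL are assumed from the campus VRD example in this guide.

```python
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Assumed values, modelled on the guide's campus VRD reference design:
# the Amigopod's default controller and the white list of controller
# addresses that are allowed to appear in the switchip parameter.
DEFAULT_CONTROLLER = "10.169.130.6"
WHITE_LIST = {"10.169.130.6", "10.169.145.4", "10.169.145.5", "10.169.131.6"}
BLACK_LIST: set[str] = set()

# Sample redirect URL, reconstructed from the one quoted in the guide.
SAMPLE_REDIRECT = (
    "https://10.169.130.50/Aruba_login.php?cmd=login&switchip=10.169.130.6"
    "&mac=00:21:00:95:61:29&ip=10.0.20.58&essid=guestnet"
    "&url=http%3A%2F%2Fwww%2Egoogle%2Ecom%2F"
)


def parse_redirect(url: str) -> dict[str, str]:
    """Return the query parameters of a captive-portal redirect URL.

    parse_qs percent-decodes the values, so the cached 'url' parameter
    comes back as a plain URL that the welcome page can later continue to.
    Only the first value of each parameter is kept.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def resolve_controller(params: dict[str, str],
                       white_list: set[str] = WHITE_LIST,
                       black_list: set[str] = BLACK_LIST,
                       default: str = DEFAULT_CONTROLLER) -> tuple[str, str]:
    """Choose the controller address the login form will be submitted to.

    Returns (address, reason). A switchip that is missing, not a valid
    IP address, black-listed, or absent from the white list is rejected
    and the default controller is used instead, so an altered redirect
    URL cannot steer the credential POST to a host outside the deployment.
    """
    raw = params.get("switchip", "").strip()
    try:
        candidate = str(ip_address(raw))   # normalises and rejects junk
    except ValueError:
        return default, "invalid"
    if candidate in black_list:
        return default, "blacklisted"
    if candidate not in white_list:
        return default, "not-whitelisted"
    return candidate, "whitelisted"


if __name__ == "__main__":
    params = parse_redirect(SAMPLE_REDIRECT)
    print(resolve_controller(params))
    altered = dict(params, switchip="192.0.2.99")   # constructed bad value
    print(resolve_controller(altered))
```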
6. Test Basic RADIUS Transactions. Diagnostic RADIUS transactions can be initiated from the controller from either the WebUI or the CLI, as shown. Testing the AAA Server (CLI): (LC1-Sunnyvale-6000) # aaa test-server mschapv2 Amigopod aruba-guest <password> ... Authentication Successful. (Screenshot: Diagnostics > Network > AAA Test Server on LC2-Sunnyvale-6000. Server Name Amigopod, IP Address 10.169.130.50, server type RADIUS, Authentication method MSCHAPv2, Username aruba-guest, Password masked; result: Authentication Successful.) Figure 40: Testing the AAA server. On the Amigopod side, you can also look at the end of the RADIUS log to verify that the transactions are executing on that side. (Screenshot: Amigopod RADIUS menu with Start Here, Authentication, Database List, Dictionary, NAS List, Server Control, Server Configuration, User Roles, Reporting and Support.) Amigopod RADIUS Server Control: Control the lo
7. (Appendix A, Contacting Aruba Networks, page 51: table of international support telephone numbers by carrier and country.)
8. Chapter 5: Integration Verification. If you complete the steps in Chapter 3, ArubaOS Configuration, and Chapter 4, Amigopod Configuration, you should have the base configuration for a functioning guest access solution that can be further customized to suit each local deployment. This chapter provides some simple verification tests that can be performed to ensure that all the functional components are in place and are working as expected. Create a Test Account Within Amigopod Guest Manager. To start testing the guest access functionality, an account must be created in the Amigopod local database. Accounts can be created through the Amigopod WebUI in many different ways: create a single guest account (Guests > Create Account); create multiple guest accounts (Guests > Create Multiple); import from CSV (Guests > Import Device); create a MAC device (Guests > Create Device). Any of these methods can be used to create the testing accounts. In the example in Figure 36, Create Multiple has been selected as a quick method to create one or more guest accounts. (Screenshot: Guests > Create Accounts, logged in as admin@amigopod.rde.arubanetworks.com. Create multiple guest accounts, each with a randomly assigned username and password; account usernames will have 8 random digits.)
9. (Screenshot: Advanced Services > Stateful Firewall > Destinations > Edit Destination "Amigopod", IP version IPv4, rule type host, IP address 10.169.130.50/32.) Figure 12: Amigopod netdestination alias. Based on the nature of the captive portal traffic, HTTP and HTTPS traffic are permitted through this policy to the Amigopod IP address. Depending on the routing topology in place at each customer environment, Network Address Translation (NAT) may be used to hide the source address space allocated to guest users. NAT can be implemented in the following two methods within the ArubaOS controller: source NAT all traffic from the guest VLAN on the controller; source NAT traffic per application through the use of policies in the PEF configuration on the controller. Based on these topology and routing decisions, the configuration of the policies to permit the initial redirect traffic to Amigopod will change slightly. Source NAT on VLAN: if you are performing a source NAT on the VLAN, use this configuration. Example of Source NAT on VLAN: ip access-list session amigopod / alias user alias Amigopod / alias user alias Amigopod. Security > Firewall Policies > Add New Policy Ap
10. (Screenshot: captive portal logon role configuration, showing the role's Firewall Policies, Re-authentication Interval (0 disables re-authentication, a positive value enables authentication), VLAN ID, Bandwidth Contract (upstream and downstream, not enforced), VPN Dialer, PPTP Pool and Captive Portal Profile settings.) Figure 15: Captive portal logon role configuration. Verify Virtual AP Configuration. Based on the baseline configuration detailed in the campus VRD resource, the guest virtual AP should have the appropriate SSID and AAA profile applied. Virtual AP Configuration: wlan virtual-ap guestnet / ssid-profile guestnet / aaa-profile guestnet. (Screenshot: Advanced Services > All Profile Management > Virtual AP profile "guestnet": Virtual AP enabled, Allowed band all, Forward mode tunnel, with SSID Profile, VLAN, 802.11K Profile and High-throughput SSID profile settings.) Deny ti
11. will be provisioned on the Amigopod system, a RADIUS definition must be defined on the controller. The RADIUS server definition requires that the following fields be configured: Host should be configured to the Amigopod IP address; Key is the shared secret that is needed to secure RADIUS communications; Amigopod uses the default ports of 1812 for authentication and 1813 for accounting; the default Retransmit and Timeout values are adequate for most installs. The following configuration must be performed on the master controller. This RADIUS definition is then replicated to all local controllers. In a standalone controller deployment, this RADIUS server instance must be created on each controller individually. NOTE: Do not set the NAS ID or NAS IP now. You will configure the NAS ID and NAS IP on each controller in the next step. Adding a RADIUS Server: aaa authentication-server radius / host 10.169.130.50 / key KKKKKKK. (Screenshot: Security > Authentication > Servers, RADIUS Server > Amigopod, with the fields Host, Auth Port, Retransmits, NAS
12. RADIUS NAS entries must be created in master-local environments because each local controller sources its own RADIUS client traffic. (Screenshot: Amigopod RADIUS > Network Access Servers > Create Network Access Server, logged in as admin@amigopod.rde.arubanetworks.com. Each network access server that will use this RADIUS server for authentication or accounting purposes should be defined here. Fields: Name, a descriptive name for the network access server (NAS) used to identify each NAS, here MC1-Sunnyvale-3600; IP Address, the IP address or hostname of the network access server, here 10.169.130.6; NAS Type, "Aruba Networks (RFC 3576 support)"; Shared Secret and Confirm Shared Secret; Description; Web Login, "Create a RADIUS Web Login page for this network access server". Buttons: Create NAS Device, Reset Form, Cancel. There are no network access servers to display. Import a list of network acc
13. (Screenshot: Amigopod RADIUS > User Roles > RADIUS Role Editor, Role ID 2, with Role Name and Description ("Default role for guest accounts") fields and the RADIUS Attributes list. RADIUS Attribute Editor: Vendor Aruba, Attribute Aruba-User-Role, Value, Condition "Always" (select when this attribute should be returned in a RADIUS Access-Accept packet); Add Attribute; Save Changes.) Figure 30: RADIUS user role definition. The Aruba-User-Role is an example of an Aruba VSA that allows a RADIUS authentication session to automatically have a user role applied. The example of auth-guest is a user role that is defined as part of the campus VRD baseline configuration. Amigopod automatically calculates the available time of a guest session and returns this value in the Session-Timeout attribute, so that the controller can manage the termination of the session. For example, if a guest account was created with a 2 hour
14. design, this guide assumes that the Amigopod appliance is installed and available on the network. The reference design has Amigopod installed on an IP address of 10.169.130.50, and the assumption is that there is Internet access available to this IP address. Figure 17 summarizes the steps to successfully mirror the RADIUS and captive portal configurations of the ArubaOS controller: Update Amigopod Plugins; Create RADIUS NAS Entry for controller; Modify Web Login; Restore sample Welcome Page; Customize User Role. Figure 17: Amigopod configuration process. Check for Updated Amigopod Plugins. Aruba publishes regular updates for the Amigopod solution via the online software distribution server, which is accessible from a standard Internet connection via the HTTPS protocol. Each Amigopod install is identified on the distribution server by a unique key known as a subscription ID, which is provided electronically at the time of purchase or during an evaluation. The subscription ID is entered into the Amigopod wizard during the initial installation, which triggers a download of all licensed software and updates for the individual deployment at hand. A subscription ID is in this format (which has been modified for illustration purposes): zdwomn xXxXxxxx c8cy7b yyyyyy x228 jr. A correctly configured subscription ID can be verifie
15. (Screenshot, Figure 8: captive portal profile configuration, showing Add switch IP address in the redirection URL, Welcome page https://10.169.130.50/Aruba_welcome, Show Welcome Page, Allow only one active user session, White List and Black List (Add/Delete), Show the acceptable use policy page, and Apply.) The example captive portal profile shows the use of HTTPS as the protocol for the redirect URLs for the login and welcome pages. Based on this configuration, the best practice is to install a trusted server certificate on the Amigopod and on the web server components of the controllers. NOTE: These trusted server certificates can be obtained from an internal Certificate Authority, if present at the customer site, or from various public commercial Certificate Authorities available online. If no trusted server certificate is installed on the Amigopod and the Aruba controller, the user experience will include some browser warning messages regarding the untrusted state of the default certificates. Examples of commercial Certificate Authorities are VeriSign, Thawte, Entrust, GeoTrust and GoDaddy. Configure Authentication for Captive Portal Profile. Now that the new captive portal profile has been created, you must select the server group for the Amigopod RADIUS definition as the authentication source. Configur
16. (Screenshot, continued: RADIUS Server Amigopod with host 10.169.130.50, Auth Port 1812, Retransmits 3, and the Key, Acct Port, Timeout, NAS IP, Use MD5, Source Interface and Mode fields.) Figure 4: Adding a RADIUS server. Ensure that the key is recorded, because you will need this shared secret for a later step in the Amigopod configuration. For security purposes, each NAS should have its own key. Modify NAS ID for Master-Local Deployments. In an Aruba master-local deployment, you must modify the NAS ID of the local controllers to ensure that the correct identifier is recorded in the RADIUS accounting traffic sourced from each local controller that is responsible for terminating the APs. In the VRD campus topology, the local controllers are deployed on the 10.169.145.0/24 network (VLAN 145). This network is used to send the RADIUS transactions toward the Amigopod deployed on 10.169.130.50. (Topology figure: data center with master and standby controllers, AirWave and Amigopod; local mobility controllers; air monitor.) Based on the VLAN numbering in the VRD local controller deployment, the following modifications are recommended: set the local controller NAS IP to the IP address on VLAN 145; define the source interface for RADIUS traffic to use VLAN 145 also. These co
17. RADIUS key used in the first Aruba controller configuration step must be entered exactly the same here. To add a new RADIUS NAS entry, browse to RADIUS > Network Access Servers and click Create. (Screenshot: RADIUS Network Access Servers. Each network access server that will use this RADIUS server for authentication or accounting purposes should be defined here. Entries, with hostname, NAS type and comments columns: Guest AAA, 10.169.145.4, aruba_3576; LC2-Sunnyvale-6000, 10.169.145.5, aruba_3576; MC1-Sunnyvale-3600, 10.169.130.6, aruba_3576, Login; remote branch guest, 10.169.131.6, aruba_3576. 4 network access servers.) Figure 22: RADIUS NAS servers. The following fields must be configured in the RADIUS NAS definition, as seen in Figure 23: name the NAS entry to match the local controller naming convention (it need not be present in DNS); enter the IP address of the Aruba controller; the NAS Type should be set to Aruba Networks (RFC 3576 support); the Shared Secret (called the Key in the first Aruba controller step) must be configured and confirmed; check "Create a RADIUS Web Login page for this network access server", which will be used in the next step. The Aruba Networks presets are used to set up the web login page. Additional R
18. UBA EXCEED THE AMOUNTS ACTUALLY PAID TO ARUBA UNDER ANY APPLICABLE WRITTEN AGREEMENT, OR FOR ARUBA PRODUCTS OR SERVICES PURCHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS. Warning and Disclaimer: This guide is designed to provide information about wireless networking, which includes Aruba Network products. Though Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, this guide and the information in it is provided on an "as is" basis. Aruba assumes no liability or responsibility for any errors or omissions. ARUBA DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESSED, IMPLIED OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, ACCURACY AND QUIET ENJOYMENT. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF ARUBA EXCEED THE AMOUNTS ACTUALLY PAID TO ARUBA UNDER ANY APPLICABLE WRITTEN AGREEMENT, OR FOR ARUBA PRODUCTS OR SERVICES PURCHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS. Aruba Networks reserves the right to change, modify, transfer or otherwise revise this publication and the product specifications without notice. www.arubanetworks.com, 1344 Crossman Avenue, Sunnyvale, California 94089. Phone: 408.227.4500. Fax: 408.227.4550. Table of Contents (Chapters 1 to 5): Introduction; Reference Ma
19. (Table 2 rows, continued: ack forms; target ads and promotions; visitor data mining; MAC- or cookie-based reauthentication (portal bypass). Reporting and Notification: peak guest network usage; total guest sessions per day, per week, etc.; bandwidth usage on guest network; top x users (session time and bandwidth); expiring passwords.) Table 2: Comparison of ArubaOS Captive Portal and Amigopod (continued). Columns: ArubaOS; ArubaOS plus Amigopod. Enterprise Features and Scalability: managing 1000s of accounts; high availability / redundancy; expandability (plug-in architecture). Although ArubaOS supports internal and external captive portal functionality, this guide focuses on external captive portal functionality. The internal captive portal dictates the use of the internal login page on the controller itself. The login page is very basic and does not allow for the extensive customization that is possible with the Amigopod Web Logins feature. Amigopod provides the Skin plugin technology, where the presentation of the UI is separated from the mechanics of the underlying application. This separation allows Aruba to supply end users with a branded skin for all Amigopod interaction, both visitor and administrator, for a nominal fee at the time of purchase. Users can als
20. (Edit Account form, continued: Allowed Usage; Account Role, the role to assign to this visitor account (Guest); Password, select an option for editing the visitor account's password (type in a new password); New Password, type in a new password to assign to the visitor account; Confirm Password, repeat the new password for the visitor account; Session Limit, the number of simultaneous sessions allowed for this visitor account (type 0 for unlimited use), here 5; Update Account.) Figure 38: Editing a guest account. On the Edit screen, a new username and password can be defined manually to make any level of repetitive testing easier on the administrator. Click Update Account to display the confirmation page, as shown in Figure 39. (Screenshot: actions Reset password, Change expiration, Remove, Edit, Sessions, Print. The guest account was successfully updated. Account Details: Guest username aruba-guest; Guest password masked; Account status Enabled; Session limit 5 simultaneous sessions; Sponsor name admin; Open print window using template; Send SMS receipt; Send email receipt.) Figure 39: Updated guest account. Testing RADIUS. This section shows how RADIUS transactions with the Amigopod server can be tested to confirm that the configuration is correct.
21. al allows a wireless client to authenticate using a web-based portal page. Captive portals are typically used in wireless hotspots or for hotel in-room Internet access. After a user associates to the wireless network, their device is assigned an IP address. The user must start a web browser and pass an authentication check before access to the network is granted. An example page is shown in Figure 1. (Screenshot: "Please login to the network using your amigopod username and password", with Username and Password fields, Terms "I accept the terms of use", Log In, and "Contact a staff member if you are experiencing difficulty logging in".) Figure 1: Amigopod captive portal page. Captive portal authentication is the simplest form of authentication to use, and it requires no software installation or configuration on the client. The guest SSID is typically open and does not use any form of encryption. The portal usually asks for some limited information, such as a username and password, and the exchange is encrypted using standard SSL encryption. However, portal authentication does not provide any form of encryption beyond the authentication process. To ensure privacy of client data, some form of link-layer encryption, such as WPA-PSK or WPA2-PSK, or a higher-level VPN, such as IPsec or SSL, should be used when sensitive data will be sent over the wireless network.
22. (Screenshot: RADIUS Web Logins list. Aruba Custom Amigopod VRD Welcome page, Guest WiFi, page name Aruba_welcome, skin Default, NAS MC1-Sunnyvale-3600 Login; Auto-generated web login for NAS Login, page name Aruba_login, skin Default, NAS MC1-Sunnyvale-3600 Login; MDPS Enrollment (Employee Smartphone and Tablet Registration), skin Default, Mobile Device Provisioning enrollment page. 4 web logins.) Figure 33: RADIUS Web Logins page. As seen in the Page Name column in Figure 33, this web login page is hosted at the following address: https://10.169.130.50/Aruba_welcome.php. This URL can be changed to suit each local deployment, and the corresponding captive portal profile on the ArubaOS controller must be modified to match any changes made. Figure 34 shows the sample welcome page developed for this guide. This welcome page highlights the following integration points between the Amigopod and ArubaOS controllers: detection of the guest user name logged into the Aruba Wi-Fi network; ability to display and track usage of each guest session; linking to a Terms of Use page or other information relevant to the deployment; caching of the guest user's originally requested URL and providing an option to continue to that page; hosting a Wi-Fi Logout button to allow the guest user to initiate a logout of their session. (Screenshot: https://10.169.130.50/Aruba_we
23. cal RADIUS server using these command links. The RADIUS server is currently running. Restart RADIUS Server: restart the local RADIUS server. Debug RADIUS Server: run the local RADIUS server and see detailed log output. Stop RADIUS Server: stop the local RADIUS server. View Failed Authentications: view a list of recent failed authentications. Test RADIUS Authentication: check a username and password, or verify the RADIUS attributes for a user role. RADIUS Server Time: the RADIUS server time is currently Tue Aug 30 16:31:42 2011 -0700. RADIUS Log Snapshot: the most recent entries in the RADIUS server log file are shown below (logged in as admin@amigopod.rde.arubanetworks.com). Tue Aug 30 16:30:38 2011: Auth: Login OK: aruba-guest from client LC1-Sunnyvale-6000 port 0 cli 000000000000 / Tue Aug 30 16:26:38 2011: Auth: Login OK: aruba-guest from client LC2-Sunnyvale-6000 port 0 cli 000000000000 / Tue Aug 30 16:23:59 2011: Info: Ready to process requests / Tue Aug 30 16:23:59 2011: Info: Loaded virtual server <default>. Figure 41: RADIUS log tail. If you experience any issues with the authentication process, the RADIUS debugger can be enabled from this page for more detailed analysis. Test Login and Verify Successful RADIUS Transaction. Now tha
24. d by browsing to Amigopod Administrator > Plugin Manager > Manage Subscriptions, as shown in Figure 18. (Screenshot: Administrator menu with Start Here, Backup & Restore, High Availability, Network Setup, Operator Logins, Plugin Manager (Start Here, Add New Plugin, Manage Plugins, Manage Subscriptions, OS Updates, Update Plugins), Security Manager, Server Time, SMS Services, System Control and System Information; logged in as admin@amigopod.localdomain. Amigopod Subscription: a subscription ID is a unique number used to identify your software license and any custom software modules that are part of your Amigopod solution. Subscription ID field: you can provide more than one subscription identifier by placing each subscription ID on a different line. Save and Continue; Check for plugin updates; Configure automatic plugin update checks.) Figure 18: Amigopod Subscription Manager. If you click Check for plugin updates, the software update process begins on the Amigopod appliance. As shown in Figure 19, the system contacts the software distribution server and downloads any new updates to the Amigopod system, any new licensed plugins, and oth
25. e some of these deployment options, a backup of a preconfigured sample welcome page has been made and published for download. This backup file includes all the required graphics and configuration details to implement several of these additional features. The backup of a previously created Amigopod web login page is available as a zip file with this document. To install this backup file, browse to Administrator > Backup & Restore > Configuration Restore. (Screenshot: Configuration Restore, Step 1: specify the backup file you want to restore. Restore a backup from a URL: if the backup file is larger than the maximum file upload size, you must specify a URL for the backup file instead. Size Limit: maximum file upload size 5.0 MB. Backup File: select the backup file to start the restore process, here Amigopod_VRD_Welcome_Logout_pages from the Downloads folder; Continue.) Figure 31: Restore backup configuration. Enter the download link and click Continue to start the restore process. (Screenshot: Configuration Restore, Step 2: select the configuration items you want to restore. Configuration Backup: Amigopod VRD Welcome/Logout pages (custom). Configuration items: RADIUS Services; RADIUS Web L
e the Authentication Source

    aaa authentication captive-portal guestnet
       server-group "Guest Amigopod"

Security > Authentication > L3 Authentication

Figure 9: Configure the authentication source (Captive Portal Authentication Profile guestnet, Server Group Guest Amigopod; the server list shows the RADIUS server Amigopod).

Modify the AAA Profile

The AAA profiles define how users are authenticated. The AAA profile determines the user role for unauthenticated clients (the initial role) and the user role to be applied after successful authentication (the default role), based on the authentication type. The AAA profile also defines the server group that is used for RADIUS accounting and an RFC3576 server, if present.

Begin with the existing AAA profile defined as part of the baseline for guest access i
er licensing updates.

Figure 19: Add new Amigopod plugins. The subscription has a total of 32 plugins; one new plugin (AMG-LIC-100 License, not installed: the software license authorizes access to the features of this web application) and one updated plugin (amigopod Kernel 3.2.0 to 3.2.1: the kernel provides the basic framework of this web application) are available for installation. Buttons: Make default selections, Clear selection, Display all plugins, Finish, Query for plugin updates again, Configure automatic plugin update checks.

If updates are available, they are listed and can be selected individually for installation. To complete the installation of any new plugins or updates, click Finish. For the updates to take effect, you must follow any prompted instruction to restart services after the installation of new or updated plugins.

Plugins must be updated to ensure that Amigopod has downloaded its correct commercial license and that all purchased features have been unlocked and are ready to use.

If an attempt to download the latest plugin fails with the error message shown in Figure 20, the Amigopod does not have direct access to the Internet.

Add New Plugins: No plugins are available for installation at th
ess servers.

Figure 23: NAS server configuration.

Click Create NAS Device and you are prompted to restart the RADIUS server, as seen in Figure 24. You must restart the server because the RADIUS server within Amigopod rejects any request from the Aruba controller as unknown until the restart has been performed.

Figure 24: Restart the RADIUS server (RADIUS > Network Access Servers: "The local RADIUS server needs to be restarted to complete the changes made", with a Restart RADIUS Server button. Each network access server that will use this RADIUS server for authentication or accounting purposes should be defined here.) The list shows one network access server, MC1 Sunnyvale 3600 at 10.169.130.6, with Edit, Delete, Ping, Edit Web Login and Launch Web Login actions; the Ping result shows the NAS responding (1 packet transmitted, 1 received, 0% packet loss, 20.8 ms).

Configure Web Login for Captive Portal Authentication

If you clicked Create Web Log
expiry, Amigopod returns a session timeout value of 7200 seconds.

This RADIUS role is presented as a selection when creating new guest accounts via the Create User screens of the Amigopod Guest Manager, or it can be hard-coded as a hidden field in the self-registration pages to ensure that each user session is managed appropriately on the Aruba controller.

Optional: Import Sample Welcome Page

As part of the Aruba controller configuration, the captive portal profile defines a proposed welcome page of https://10.169.130.50/Aruba_welcome.php. This page is not installed by default on the Amigopod system, and therefore it must be created if the installation requires a locally hosted welcome page. Some deployments choose to configure the welcome page to point towards the corporate public website or another website of interest, but many customers prefer to leverage the ability of Amigopod to host a welcome page locally and enable additional user experience options such as:

• An integrated graphical Wi-Fi Logout button
• An option for the guest user to continue to their originally requested URL
• Information regarding the terms of service
• A summary of session statistics that could optionally include a time or quota countdown
• Use of the welcome page as a branding platform for advertising or other information delivery

To demonstrat
in in the previous step, a newly created web login page can be seen in Customization > Web Logins. Figure 25 shows the automatically created web login, but a new one can be created manually at a later stage.

Figure 25: RADIUS Web Login form (Customization > Web Logins: "Use this form to make changes to the RADIUS Web Login MC1 Sunnyvale 3600 Login"). Fields: Name (MC1 Sunnyvale 3600 Login); Page Name (Aruba_login; the web login is accessible from page_name.php); Description (Auto-generated web login for NAS MC1 Sunnyvale 3600 Login); Vendor Settings (Aruba Networks, a predefined group of settings suitable for standard network configurations); Address (10.169.130.6, the IP address or hostname of the vendor's product); Secure Login (Use vendor default: the security option applied to the web login process; the controller will send the IP to submit credentials); Dynamic Address. In multi-controller deployments it is often
Check that RADIUS Accounting is Working as Expected

If RADIUS accounting traffic is not being received by Amigopod, you will not find a corresponding entry in the Guests > Active Sessions page shown in Figure 44. Given the Interim Accounting support in ArubaOS 6.1, this page displays live traffic statistics based on these updates. If you have also configured RFC 3576 on your Aruba controller, you can click any active session and click Disconnect to terminate that session on the Aruba controller. The user is returned to the initial role that corresponds to the configured AAA profile.

Figure 44 (Guests > Active Sessions: "Use this list view to view and manage the active sessions on the server"): one active session is shown, for username aruba_guest, IP address 192.168.200.252, role Guest, NAS LC1 Sunnyvale 6000, session start 2011-08-30 16:33, session time 19 min, session traffic 0.8 MB.
is time due to an error: "Plugin query list failed with XMLRPC error: CURL Error 7: couldn't connect to host".

Figure 20: Plugin server unreachable.

To troubleshoot the issue, begin your investigations in these areas:

• Firewall rules
• Upstream proxies (Amigopod supports proxy integration under the Administrator > Network Setup section)
• Correct default gateway for the Amigopod
• DNS resolution for the Amigopod

A useful diagnostic tool to verify that Amigopod has Internet connectivity via HTTP is available under Administrator > Network Setup > Network Diagnostics, shown in Figure 21.

Figure 21: Amigopod diagnostics (Network Diagnostic Tools: "Use this form to test or diagnose any network setup". The URL diagnostic fetched http://www.arubanetworks.com and reported "No network problems found" and "Address was accessed successfully".)

Configure RADIUS NAS for an Aruba Controller

For the Aruba controller to authenticate users, it must be able to communicate with the Amigopod RADIUS instance. In the first step of the Aruba controller configuration, a RADIUS server definition was defined. This step configures the opposing Amigopod NAS definition for the Aruba controller, as seen in Figure 22. For the RADIUS transactions to be successful, the
ive portal are outside the scope of this integration document. Detailed discussion on how to leverage the integrated firewall capabilities of the Aruba controller that are enabled by the PEF license is covered in the referenced VRD resources.

Table 1 lists the current software versions for this guide.

Table 1: Aruba Software Versions
    ArubaOS mobility controllers    6.1
    AmigopodOS                      3.3

Reference Material

• This guide assumes a working knowledge of Aruba products.
• This guide is based on the network detailed in the Aruba Campus Wireless Networks VRD and the Base Designs Lab Setup for Validated Reference Design. These guides are available for free at http://www.arubanetworks.com/vrd.
• The complete suite of Aruba technical documentation is available for download from the Aruba support site. These documents present complete, detailed feature and functionality explanations outside the scope of the VRD series. The Aruba support site is located at https://support.arubanetworks.com. This site requires a user login and is for current Aruba customers with support contracts.

Chapter 2 Captive Portal Authentication

Captive portals are the simplest form of authentication for users. This section introduces the concepts behind the authentication and compares and contrasts Amigopod with the ArubaOS portal.

Captive Portal Overview

Captive port
late code displayed before the login form.

Figure 28: Login page customization. Header HTML: template code displayed before the login form, for example <p>Contact a staff member if you are experiencing difficulty logging in</p>. Footer HTML: template code displayed after the login form (with Insert content item and Insert self-registration link helpers). Login Message: for example <p>Logging in, please wait</p>.

The Title field allows you to customize the page title that is displayed in the browser. The Header, Footer and Login fields allow the administrator to add and modify the text and content displayed on the web login page. You can choose Insert Content to display content items that have been uploaded via Customization > Content Manager. You can also choose Insert self registration link, which directly inserts the required HTML to display the self-registration links found under Customization > Guest Self Registration.

The code at the top of the Header HTML field parses the redirect URL from the Aruba controller.

NOTE: If an authentication error occurs, the controller returns an error message in the errmsg variable.

You can set a login delay, which pauses the login process at the point where the contents of the Login Message HTML are displayed. This delay is useful for many reasons. If you need to troubleshoot any captive portal issues, this delay i
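As an added illustration of the checks a login page should apply when it parses the controller's redirect URL (example code written for this guide, not Amigopod's own Header HTML template): the switchip value is honoured only when it names a controller from the NAS list, errmsg is escaped before it is reflected into the page, and the guest's original destination is kept only when it is a plain http(s) URL. The parameter names switchip, errmsg and url, and the controller login path, are assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed NAS inventory: the controllers this login page may post
# credentials to. 10.169.130.6 and 10.169.145.4 are the addresses used in
# this guide; a deployment would fill this from its own NAS list.
KNOWN_NAS = {"10.169.130.6", "10.169.145.4"}
DEFAULT_NAS = "10.169.130.6"            # the Address configured on the web login
LOGIN_POST_PATH = "/auth/index.html/u"  # assumed controller login path (placeholder)


def parse_controller_redirect(redirect_url, known_nas=KNOWN_NAS,
                              default_nas=DEFAULT_NAS):
    """Return what the login form needs from the controller's redirect URL:
    where to POST, a display-safe errmsg and the guest's original destination."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    def first(name):
        return query.get(name, [""])[0]

    # Dynamic address: honour switchip only if it names a NAS we defined;
    # otherwise the form would post credentials wherever the query string says.
    switchip = first("switchip")
    trusted = switchip in known_nas
    post_host = switchip if trusted else default_nas

    # errmsg is reflected into the page, so it is HTML-escaped before display.
    errmsg_html = escape(first("errmsg"), quote=True)

    # Continue only to http(s) destinations; javascript:, data: etc. are dropped.
    original = first("url")
    scheme = urlsplit(original).scheme.lower()
    continue_url = original if scheme in ("http", "https") else ""

    return {
        "post_url": f"https://{post_host}{LOGIN_POST_PATH}",
        "switchip_trusted": trusted,
        "errmsg_html": errmsg_html,
        "continue_url": continue_url,
    }
```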
Figure 34: Captive portal welcome page (https://10.169.130.50/Aruba_welcome.php). The page reads: "Welcome to Aruba Guest WiFi. Hello aruba_guest, you are now logged into the WiFi network. Your Usage: your guest traffic is being logged. So far today you have used 5.5 MB. So far today you have used 6 minutes 35 seconds. Terms of Use: by logging in to the network you agree to the terms of use. Continue browsing the web. Please click on the button below to end your session." followed by a Wi-Fi Logout button.

A logout page is also included in the sample backup file. This page is linked to the Wi-Fi Logout button on the previous welcome page and allows further messaging to be displayed on the logout page. As shown in Figure 35, the inclusion of this sample logout page allows for a consistent user experience and also another opportunity for branding or messaging to the guest Wi-Fi user.

Figure 35: Logout page (https://10.169.130.50/Aruba_logout.php): "You have been successfully Logged Out. Thank you for using Aruba WiFi." with a "Login again" link.
Figure 16: Virtual AP configuration (Virtual AP profile guestnet: AAA Profile guestnet, SSID Profile guestnet, Station Blacklisting enabled with Blacklist Time 3600 sec, Dynamic Multicast Optimization (DMO) and DMO Threshold, Strict Compliance, VLAN Mobility, Preserve Client VLAN, Remote AP Operation standard, Drop Broadcast and Multicast, Convert Broadcast ARP requests to unicast, Deny inter-user traffic, Band Steering with Steering Mode prefer-5ghz, 802.11K Profile default, Time range NONE, Mobile IP, DoS Prevention).

All the configurations from the previous steps have been applied to the campus VRD baseline, so the Aruba controller should now be attempting to redirect guest users to the web login page that is hosted by Amigopod. The next chapter describes how to set up the corresponding components on the Amigopod configuration.

Chapter 4 Amigopod Configuration

Leveraging the baseline configurations in the campus VR
Figure 44: Amigopod Active Sessions displays RADIUS accounting data.

Chapter 6 Troubleshooting Tips

This chapter provides basic troubleshooting steps to use for specific issues.

If the test device is not being redirected to the Amigopod captive portal:

• Check the DNS resolution, because the client will not be redirected if it cannot resolve the initially requested web page. Command-line tools such as nslookup and ping can be used.
• Check the initial role that is assigned to the guest AAA profile and ensure that traffic is permitted to the Amigopod IP address for the redirect via HTTP or HTTPS by an appropriate policy.
• Verify that the Amigopod has a route back to the address space of the test client. Look at how NAT and the default gateway of Amigopod are referenced as part of your troubleshooting steps.

If the login process stalls and the logs show that no RADIUS request was received from the Aruba controller:

• Check the web login page and ensure that the correct IP address for the controller is configured.
• Check the captive portal policy and ensure that traffic is permitted to the configured IP address of the controller.

If you receive an error message in the RADIUS logs about an unknown client
n the campus VRD resource. Then modify the guestnet AAA profile as follows:

• The initial role remains as the guest-logon role, but it is modified in the next step to enable the new captive portal profile.
• Optionally, enable RADIUS interim accounting to receive incremental updates on guest access usage.
• Enable the RADIUS accounting server group to point to the Amigopod.
• Enable the RFC3576 server to point to the Amigopod.

Modify AAA Profile RADIUS Settings

    aaa profile guestnet
       initial-role guest-logon
       radius-interim-accounting
       radius-accounting "Guest Amigopod"

Security > Authentication > AAA Profiles

Figure 10 (AAA Profile > guestnet: Initial role guest-logon, RADIUS Interim Accounting enabled, RADIUS Accounting Server Group Guest Amigopod, RFC 3576 server 10.169.130.50, Wired to Wireless Roaming and Device Type Classification enabled; the other profiles listed are corp-employee, default, default-dot1x, default-dot1x-psk, default-mac-auth, default-open and default-xml-api).

Next, enable RFC3576 support for the server group.
Figure 10: Modify AAA profile RADIUS settings (remaining fields: MAC Authentication Default Role, L2 Authentication Fail Through, User derivation rules NONE, SIP authentication role NONE, Enforce DHCP).

Enable 3576 Support

    aaa profile guestnet
       rfc-3576-server 10.169.130.50

Figure 11: Enabling RFC3576 support (AAA Profile > guestnet > RFC 3576 servers: 10.169.130.50).

Define a Policy to Permit Traffic to Amigopod

A new firewall policy must be created and assigned to the initial role allocated to unauthenticated guest users, to allow the successful redirect to the captive portal page defined on Amigopod. These policies can be simplified by using the existing network destination alias as defined in the Campus VRD baseline configuration.

Amigopod Netdestination Alias

    netdestination Amigopod
       host 10.169.130
nfiguration changes must be performed on each local controller using the local interface of the controller.

Modify RADIUS Client Settings

    ip radius nas-ip 10.169.145.4
    ip radius source-interface vlan 145

Security > Authentication > Advanced

Figure 5: Modify RADIUS client setting (Authentication Timers: User Idle Timeout, Authentication Server Dead Time, Logon User Lifetime, User Interim stats frequency; RADIUS Client: NAS IP Address 10.169.145.4, Source Interface VLAN 145; DNS Query Interval).

Add RADIUS Server to a Server Group

A server group must be created to define which authentication server will be referenced during the authentication of visitor accounts. This server group is then referenced in the subsequent captive portal profile configuration. Make these configurations in the newly created server group definition:

• Select the previously created Amigopod RADIUS server entry.
• The remaining settings for server rules can be left at their defaults.

Adding a AAA Server Group

    aaa server-group "Guest Amigopod"
       auth-server Amigopod position 1

Security > Authentication > Servers
nt guest user session. When the time has expired, the controller terminates the session.

11. When the session ends (Session Timeout, Idle Timeout, User Logout or Admin Disconnect), the controller sends a RADIUS Accounting Stop message to close the session within the Amigopod accounting database. This stop message includes the final update of the session statistics.

Chapter 3 ArubaOS Configuration

Three phases make up the configuration of the ArubaOS controller to support external captive portal based authentication leveraging the RADIUS protocol:

1. Base RADIUS configuration
2. Captive portal configuration
3. Enabling captive portal on the existing guest WLAN

Figure 3 summarizes the steps covered in this chapter to successfully complete the ArubaOS configuration that is needed to integrate with the Amigopod external captive portal and RADIUS server.

Figure 3: Workflow for ArubaOS configuration. RADIUS config: Create RADIUS Server, Create Server Group, Create RFC 3576 Server, Modify AAA Profile. Captive Portal config: Create Captive Portal Profile, Configure Captive Portal Authentication, Create PEF policy to allow Amigopod, Modify initial role for Captive Portal. Enable Captive Portal: Verify Guest Virtual AP.

Creating a RADIUS Server Instance

For the Aruba controller to successfully authenticate the guest users that
o auth-guest.

NOTE: Based on the local deployment security policy, you must change the default role of the captive portal profile to a role that includes appropriate firewall policies.

Captive Portal Profile Configuration

    aaa authentication captive-portal guestnet
       default-role auth-guest
       redirect-pause 3
       no logout-popup-window
       login-page https://10.169.130.50/Aruba_Login.php
       welcome-page https://10.169.130.50/Aruba_welcome.php
       switchip-in-redirection-url

Security > Authentication > L3 Authentication

Screen: Captive Portal Authentication Profile > guestnet (Default Role auth-guest, Default Guest Role guest, Redirect Pause 3 sec, User Login enabled, Guest Login disabled, Logout popup window disabled, Use HTTP for authentication disabled, Logon wait minimum 5 sec, Logon wait maximum 10 sec, logon wait CPU utilization threshold, Max authentication failures, Use CHAP (non-standard) disabled, Login page https://10.169.130.50/Aruba_Login.php; the profile list also includes the WISPr, VPN, Stateful NTLM, VIA Authentication and VIA Connection profiles).
o customize the skin themselves with the requisite skills. ArubaOS now allows fully customized captive portal pages to be uploaded to the controller. However, this process requires a significant amount of web design and JavaScript experience to produce a professional result.

The integration of Amigopod with the mobility controller also leverages the ability of ArubaOS to define and reference external RADIUS servers for the authentication and accounting of visitor accounts. In the standalone Aruba guest provisioning solution, the local database in each controller stores user credentials, which limits the solution to the scope of the local deployment. With the introduction of Amigopod, all visitor accounts are created, authenticated and accounted for on the Amigopod internal RADIUS server.

Captive Portal Authentication Workflow

Figure 2 shows the phases that a guest user passes through during a captive portal authentication process. In the Aruba system, the mobility controller acts as the network access server (NAS) and Amigopod acts as the RADIUS server. Figure 2 details the captive portal authentication workflow.

Figure 2 (workflow diagram, first part): participants Guest, Mobility Controller (NAS) and Amigopod; guest states Unregistered role / Unauthorized, Authenticating, Authorized; 1 Associates, Redirects; 2 Browse to landing page; 3 Complete login form, Submit form
ogins; Amigopod VRD Logout; Amigopod VRD Welcome; Server Configuration; Uploaded Files in Content Manager (MOVE_banner.jpg, wifi_logout.png). Select the items from this configuration backup to restore, check Restore settings from backup to confirm the restore operation (Caution: this may overwrite your current settings) and click Restore Configuration.

Figure 32: Restore welcome page.

To restore the customized welcome page, check Restore settings from backup and click Restore Configuration. When the restore is complete, browse to Customization > Web Logins and verify that the web login page has been successfully restored to the local deployment, as seen in Figure 33.

Figure 33 (RADIUS Web Logins: "Many NAS devices support Web-based authentication for visitors. By defining a web login page on the amigopod you are able to provide a customised graphical login page for visitors accessing the network through these NAS devices. Use this list view to define new web login pages and to make changes to existing web login pages."). The list shows Amigopod VRD Logout (page title "You have been successfully Logged Out", page name Aruba_logout) and Amigopod VRD Welcome (page title "Welcome to Aru
Creating a Captive Portal Profile

One of the key features of Amigopod is the ability to host the branded web login or captive portal pages on the Amigopod appliance. With the captive portal profile, you can configure the login and optional welcome pages to be hosted by Amigopod. The captive portal authentication profile also defines several critical components of the working solution, such as the security role that is used to control visitors that successfully authenticate with Amigopod. Another component that is defined is that the Amigopod RADIUS server should be referenced for this authentication traffic, via the definition of the previous server group. The captive portal profile definition is described in Table 3.

Table 3: Captive Portal Profile Fields

    Field           Required    Description
    Login Page      Yes         Location of the login page on the server
    Default Role    Yes         Post-authentication role
    Welcome Page    Optional    Post-authentication page
    Logout Popup    No          Small window to allow the user to log out
    Redirect Pause  No          How long the user waits at the welcome page before continuing on to their original destination
    Switch IP       Optional    The local IP of the controller in a multiswitch environment

In this example, the login and welcome page URLs are configured. In a later step, these URLs will be defined on the Amigopod as part of the web login configuration. The redirect pause will be shortened to 3 seconds and no logout window is needed. The default role will be set t
onfigured and is ready to be tested against the previous Aruba controller configurations.

Optional: Customization of the Web Login Page

Several Login Form options allow you to override the default login form and the labels used to reference the user and password fields. These fields are shown in Figure 26, but typically they do not need to be changed.

Figure 26: Login Form options (options for specifying the behaviour and content of the login form):
• Custom Form: Provide a custom login form. If selected, you must supply your own HTML login form in the Header or Footer HTML areas.
• Custom Labels: Override the default labels and error messages. If selected, you will be able to alter labels and error messages for the current login form.
• Pre-Auth Check: Perform a local authentication check. If checked, the username and password will be checked locally before proceeding to the NAS authentication. This option should not be selected if an external authentication server is in use.
• Terms: Require a Terms and Conditions confirmation. If checked, the user will be forced to accept a Terms and Conditions checkbox.

The Pre-Auth Check is required only for advanced configurations where you might need to ensure that the username and password pair is valid before the RADIUS transaction is initiated from the Aruba controller. The web login and RADIUS database are hosted on the same appliance, so a query can be performed locally befo
Figure 2 (workflow diagram, continued): 4 Login Message page (Web login, Automated NAS login); 5 Access-Request (Authentication); 6 Access-Accept (Authorization); 7 Guest role; 8 Accounting-Request / Accounting-Response (Accounting); 9 Accounting-Request / Accounting-Response (Interim Accounting); Session timeout; 10 and 11 Accounting-Request / Accounting-Response (Accounting).

Figure 2: Workflow for captive portal authentication.

1. The guest user associates their Wi-Fi device to the guest SSID. In the baseline VRD configuration, this SSID is Guest Network.
2. The guest user opens a browser. Based on the configured home page or requested web page, the initial HTTP traffic is intercepted by the Aruba controller and redirected to the Amigopod web login page defined in the captive portal profile.
3. The guest user enters their user credentials on the Amigopod web login page. Amigopod performs any preauthorization checks that are required and displays the login message to the guest user.
4. The login message instructs the guest user's browser to submit the user credentials directly to the Aruba controller as an HTTPS POST for authentication processing.
5. When the Aruba controller receives the user credentials, it creates a corresponding RADIUS session and sends an Access-Request message to the defined Amigopod RADIUS
passwords will have 8 random digits.

Figure 36: Create an Amigopod guest account (Guests > Create Multiple: Number of Accounts, the number of visitor accounts to create; Account Activation, Now; Account Expiration, Account will not expire; Account Lifetime, the amount of time after the first login before the visitor account will expire and be deleted; Account Role, the role to assign to this visitor account, Guest; Create Accounts button).

The resulting account is created with random digits for both the username and password, as shown in Figure 37.

Figure 37: Finished Creating Guest Accounts ("Finished creating one guest account. The details about each of the accounts created are shown below."). Account Details: Username 22163841, Password 65657839, Role Guest. Options: Open print window using template; Save list for scratch cards (CSV file).
pically these messages are used to change the context of the user session. For ArubaOS, this means changing the user role that the current session is assigned. This feature enables many different business rules, such as bandwidth throttling after a quota is exceeded.

Configuring an RFC3576 Server

As part of the guest access solution addressed by this guide, Amigopod serves as the RFC3576 server and can perform the disconnect and CoA functions. Make these configurations in the RFC3576 server definition:

• The name of the RFC3576 server definition must be the IP address of the Amigopod.
• The Key must match the shared secret configuration that was defined for the RADIUS server.

RFC3576 Server Configuration

    aaa rfc-3576-server 10.169.130.50
       key wireless

Security > Authentication > Servers

Figure 7: RFC3576 server configuration (RFC 3576 Server > 10.169.130.50, with Key and Retype fields; the server list shows the server groups default, Guest Amigopod, internal and NPS, the RADIUS servers Amigopod and NPS1, the Internal DB, and the RFC 3576 server 10.169.130.50).
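The Disconnect-Request described in the RFC3576 overview, and the Admin Disconnect that ends a session in the authentication workflow, carried out as an added worked example (not code from Amigopod or ArubaOS): Amigopod builds the RFC 3576/5176 packet with its Request Authenticator, the controller (NAS) validates that authenticator before tearing the session down, and answers with a Disconnect-ACK bound to the request. The shared secret and Acct-Session-Id are constructed placeholders; the addresses are the ones used in this guide.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes from RFC 5176 (which obsoletes RFC 3576)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST = 43
# Attribute types (RFC 2865/2866) used to identify the session to disconnect
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44
HEADER = struct.Struct("!BBH")   # code, identifier, length
HEADER_LEN = 20                  # 4 header octets + 16-octet authenticator


def encode_attr(atype, value):
    """Type-Length-Value encoding; ints and IPv4 addresses are 4 octets."""
    if isinstance(value, int):
        data = struct.pack("!I", value)
    elif isinstance(value, ipaddress.IPv4Address):
        data = value.packed
    else:
        data = value.encode() if isinstance(value, str) else bytes(value)
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes((atype, len(data) + 2)) + data


def decode_attrs(blob):
    """Walk the attribute list, rejecting truncated or malformed entries."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 3 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(blob[pos + 2:pos + alen])))
        pos += alen
    return attrs


def build_request(code, ident, attrs, secret):
    """RADIUS server side (Amigopod). Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(code, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAS side (controller). Recompute the authenticator before acting:
    a request signed with another key, or altered in flight, is rejected.
    Returns (code, identifier, attributes)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a dynamic authorization request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:]
                           + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("bad Request Authenticator: wrong key or tampered")
    return code, ident, decode_attrs(packet[HEADER_LEN:])


def build_response(code, request, attrs, secret):
    """NAS side. Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret), binding the ACK to its request."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(code, request[1], HEADER_LEN + len(body))
    auth = hashlib.md5(header + request[4:HEADER_LEN] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Server side: True only if the ACK/NAK authenticates against our request."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def disconnect_exchange(secret, ident=7):
    """Worked exchange: Amigopod (10.169.130.50) asks the controller
    (10.169.130.6, the NAS in this guide) to drop user aruba_guest.
    The Acct-Session-Id below is a constructed sample value."""
    request = build_request(DISCONNECT_REQUEST, ident, [
        (USER_NAME, "aruba_guest"),
        (ACCT_SESSION_ID, "aruba_guest-2011083016331"),     # constructed
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.169.130.6")),
    ], secret)
    _, _, attrs = verify_request(request, secret)           # NAS validates
    ack = build_response(DISCONNECT_ACK, request, [], secret)
    return request, ack, dict(attrs), verify_response(ack, request, secret)
```

The same authenticator rules apply to CoA-Request (code 43) and its ACK/NAK, so the role change described above is the same exchange with different attributes.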
ArubaOS Configuration (page 24), Define a Policy to Permit Traffic to Amigopod (continued)

…(last two rules of the source NAT on VLAN policy)
       svc-http permit queue low
       svc-https permit queue low

Figure 13: Amigopod access source NAT on VLAN example (Security > Firewall > Policies, session policy "amigopod", rules user > Amigopod for svc-http and svc-https, action permit, queue low)

Source NAT per Application

If you are using application-based source NAT, use this configuration.

Example of Source NAT per Application Policy:

    ip access-list session amigopod
       alias user alias Amigopod svc-http src-nat queue low
       alias user alias Amigopod svc-https src-nat queue low

Figure 14: Example of source NAT per application policy (Security > Firewall > Policies > Add New Policy, session policy "amigopod", rules user > Amigopod for svc-http and svc-https, action src-nat, queue low)

Enable Captive Portal on Initial Role of Captive Portal Profile

In the previous step, the initial role for this captive portal authentication configuration is configured as guest-logon.
Captive Portal Authentication (page 6)

ArubaOS or Amigopod for Visitor Management

ArubaOS supports two methods of guest access: using just the mobility controller, or using the mobility controller plus Amigopod. ArubaOS supports basic guest management and captive portal functionality, with guest access limited to a single master/local cluster. Aruba Amigopod extends the standard ArubaOS captive portal functionality by providing many advanced features, including:

- A fully branded user interface
- SMS integration for delivery of receipts
- Bulk upload of visitors for conference management
- Self-provisioning of users for public space environments

Table 2: Comparison of ArubaOS Captive Portal and Amigopod (columns: ArubaOS, ArubaOS plus Amigopod; legend: Not supported, Limited support, Supported; the per-feature support marks did not survive extraction). Feature rows:

Captive Portal Customization
- Captive portal customization
- Captive portal per-SSID customization
- Anonymous logon
- One-time tokens / access codes
- Welcome page with session statistics and logout
- Mobile browser-aware captive portal pages
- Skins (UI branding customization)

Guest Account Provisioning
- Single point of management for guest account and captive portal in multiple master controller deployments
- Non-IT staff do not require IP access to the master controller for provisioning guest accounts
- Guest provisioning operator role
- Customizable guest provisioning operator role (the table continues on page 7)
Amigopod Configuration (page 34), Optional Customization of the Web Login Page (continued)

…re a RADIUS transaction is initiated.

You can enable the display of an Accept Terms & Conditions option on the login page. This option refers to the default terms and conditions URL defined under Customization > Guest Manager Settings, as seen in Figure 27.

Figure 27: Configuration of terms and conditions (Guest Manager Settings > Terms Of Use URL; help text: the URL of a terms and conditions page; if non-blank, this enables a terms of use checkbox on the create account page, which must be checked in order to create a new account; the URL is opened in a new window)

Amigopod Skins and Content Customization

You can leverage the Amigopod skin technology to brand the captive portal that is displayed to wireless and wired users. These skins are available as a professional service (a purchasable SKU), and custom and blank skins are available for customers who want to perform their own HTML and CSS style customization. Figure 28 shows the login page customization screen.

Figure 28: Login page customization (Login Page options controlling the look and feel of the login page: Skin, Title, Header HTML with "Insert content item" and "Insert self-registration link")
Amigopod Configuration (page 33), Configure Web Login for Captive Portal Authentication (continued)

…required to post credentials to different addresses made available as part of the original redirection. The address above is used whenever the parameter is not available or fails the requirements below.

Figure 25: Automatically generated web login page (Address field; Allowed Dynamic: the IP addresses and networks from which dynamic addresses are permitted; Denied Dynamic: the IP addresses and networks from which dynamic addresses are denied)

The Page Name field defines the URL that is hosted on the Amigopod appliance. For example, in the Aruba controller configuration chapter of this document, the Login Page entry of the captive portal profile was defined as the following URL: https://10.169.130.50/Aruba_login.php. The Page Name field allows the administrator to customize what web page name is published at the root of the Amigopod web server. Figure 25 shows that the Aruba_login name is defined to match the configuration of the captive portal profile on the Aruba controller. You need not include the .php extension because it is appended automatically.

NOTE: The Address field should be set to the IP address of the Aruba controller. That is, this address needs to be available from the guest client device via the captiveportal policy on the controller.
Appendix A: Contacting Aruba Networks (page 50)

…problem found in an Aruba product.

Validated Reference Design Contact and User Forum
- Validated Reference Designs: http://www.arubanetworks.com/vrd
- VRD Contact Email: referencedesign@arubanetworks.com
- AirHeads Online User Forum: http://airheads.arubanetworks.com

Aruba Corporate
- Telephone: +1 (408) 227-4500
- FAX: +1 (408) 227-4550

Support
- United States: 1-800-WI-FI-LAN (800-943-4526)
- Universal Free Phone Service Numbers (UIFN):
  - Australia: Reach 1300 4 ARUBA (27822)
  - United States: 1-800-943-4526, 1-650-385-6589
  - Canada: 1-800-943-4526, 1-650-385-6589
  - United Kingdom: BT 0-825-494-34526, MCL 0-825-494-34526

Telephone Support, Universal Free Phone Service Numbers (UIFN), continued. The carrier entries recoverable from the page are listed below; the page also lists Israel, Ireland, Hong Kong, Germany, France, China, Saudi Arabia, UAE, Egypt and India, whose numbers did not survive extraction.
  - Japan: IDC 10-810-494-34526 (select fixed phones); IDC 0061-010-812-494-34526 (any fixed, mobile & payphone); KDD 10-813-494-34526 (select fixed phones); JT 10-815-494-34526 (select fixed phones); JT 0041-010-816-494-34526 (any fixed, mobile & payphone)
  - Korea: DACOM 2-819-494-34526; KT 1-820-494-34526; ONSE 8-821-494-34526
  - Singapore: Singapore Telecom 1-822-494-34526
  - Taiwan: CHT-I 0-824-494-34526
  - Belgium: Belgacom …
Table of Contents (page 4, continued)
  Contacting Aruba Networks 50

Chapter 1: Introduction (page 5)

Aruba supports advanced visitor management services through the combination of Aruba Mobility Controllers and APs running the ArubaOS software and the Aruba Amigopod guest management software. This guide describes the configuration process that must be performed on the Aruba Mobility Controllers and the Aruba Amigopod to create a fully integrated visitor management solution. The solution leverages the captive portal functionality and the RADIUS authentication, authorization, and accounting (AAA) functions that are built into ArubaOS.

This guide is based on the Aruba controller running the base OS image with the additional Policy Enforcement Firewall (PEF) license enabled. The PEF license is needed to make the necessary changes to the default captive portal role to allow unauthenticated traffic to flow through to the Amigopod Web Login page. The PEF license provides identity-based security to wired and wireless clients through user roles and firewall rules. You must purchase and install the PEF license on the mobility controller to use identity-based security features. Depending on whether the license is installed, the captive portal functions work differently and you configure captive portal differently. The detailed configuration steps of the PEF features that relate to the operation of a working capt…
Amigopod Configuration (page 36), Amigopod Skins and Content Customization (continued)

…s a good time to obtain the contents of a "view source" in the client's browser. Alternatively, this delay can be used to display additional branding and messaging to the guest users during the login process.

Web Login Access Lists

The web login page can be configured with access lists to allow or deny specific IP source address ranges. You can select how you want the web server to behave when responding to an invalid request, as seen in Figure 29.

Figure 29: Network Login Access window (Allowed Access: the IP addresses and networks from which logins are permitted; Denied Access: the IP addresses and networks that are denied login access; Deny Behavior: the response of the system to a request that is not permitted, for example "Send HTTP 404 Not Found status")

Configure the RADIUS User Role

The RADIUS user role is a collection of one or many RADIUS standard or vendor-specific attributes (VSAs). These attributes can be used to signal role-based access control context back to the Aruba controller, as shown in Figure 30.

Figure 30: RADIUS User Role Definition (RADIUS > User Roles, editing the "Guest" role)
Captive Portal Authentication Workflow (continued)

…server.

6. The Amigopod processes the Access-Request message by referring to its local database and, optionally, any configured proxy authentication servers. Any defined authorization rules are processed at this point.

7. Based on the results of the authentication and authorization processing, the Amigopod responds with either an Access-Accept or an Access-Reject message. If the authentication is successful, the Access-Accept message contains one or more RADIUS attributes that define the context of the guest user session. These attributes can include, but are not limited to, the session duration of the guest login and the Aruba controller user role that defines the PEF policies and bandwidth contracts that could be applied to the session. When the Aruba controller receives the Access-Accept message, it changes the role of the guest user session and the device is permitted access to the network.

8. If RADIUS accounting has been configured correctly on the Aruba controller, an Accounting-Start packet is sent to the Amigopod, which defines the beginning of the session statistics for the guest user.

9. Based on the default interval of 600 seconds, the Aruba controller provides updates to these session statistics by sending Interim Accounting update messages to the Amigopod.

10. Based on the Session-Timeout received in the original Access-Accept packet from the Amigopod, the Aruba controller counts down the remaining time that is valid for the curre…
ArubaOS Configuration, Enable Captive Portal on Initial Role of Captive Portal Profile (continued)

…guest-logon. This role must be modified to enable the newly created Amigopod captive portal profile. If you forget this step, the captive portal is not triggered when a new guest connects to the guest Wi-Fi SSID. Also, the amigopod policy must be added to the initial role to ensure that traffic from the unauthenticated guest users can be redirected successfully to the Amigopod web login page. If these policies are not in place, the controller attempts to redirect the browser session to the Amigopod web login URL defined in your captive portal profile. This attempt fails because the default captiveportal policy is matched for HTTP traffic. The session is consequently redirected a second, third, and fourth time in an endless loop. The result is a "too many redirects" error message or a browser that keeps flicking between the controller and the Amigopod web login URL. The amigopod policy must be placed in position 1 of the access list to ensure that it is processed first.

Captive Portal Logon Role Configuration (CLI):

    user-role guest-logon
       access-list session amigopod position 1
       access-list session captiveportal position 2
       access-list session guest-logon-access position 3
       access-list session block-internal-access position 4
       access-list session v6-logon-control position 5
       access-list session captiveportal6 position 6
       captive-portal guestnet

(In the WebUI: Security > User Roles > Edit Role "guest-logon".)
Integration Verification (page 46), Test Login and Verify Successful RADIUS Transaction

…t everything is set up on the Amigopod and the Aruba controller, attempt to connect a test wireless or wired client to the network. The session should be redirected successfully to the Amigopod web login page.

Figure 42: Amigopod portal page (the browser has been redirected to https://10.169.130.50/Aruba_login.php?cmd=login&mac=58:b0:35:85:7e:8a&ip=… and shows the Amigopod Login form: "Please login to the network using your amigopod username and password", Username and Password fields, Log In button, and "Contact a staff member if you are experiencing difficulty logging in")

After you enter the test user account credentials and click Log In, a successful end-to-end RADIUS transaction should be the result. You can verify this by referring to the end of the RADIUS log, as shown in Figure 43. Note that the client MAC address is now visible in the RADIUS log entry because the transaction was driven by the captive portal authentication process on the controller.
Captive Portal Authentication (page 7), Table 2: Comparison of ArubaOS Captive Portal and Amigopod (continued; columns ArubaOS and ArubaOS plus Amigopod; the per-feature support marks did not survive extraction)

Guest Account Provisioning (continued)
- Customizable guest provisioning operator role
- External servers for operator logins
- Provisioning of non-guest user roles by operators
- Limit operators to view only the accounts they created
- Self-registration workflow with automated login
- Sponsor-approved self-registration
- Time zone support for guest access in distributed deployments
- Bulk provisioning of guest accounts (CSV import and automatic generation)
- Export/import of user database
- Mandatory and non-mandatory fields
- Guest password complexity requirements
- Guest account information printing via templates
- Guest credential delivery through email and SMS
- Force password change on first login
- Delete and/or disable guest accounts on expiration

Guest Session Management
- Time and day policy
- Guest access expiry timer starts on first login
- Limit access based on total session time across multiple logins
- Limit guest session data (total bytes)
- Limit guest session bandwidth (Mb/s)
- Limit guest session to a single concurrent login

Hotspot and Hospitality Features
- Walled garden
- Plug-and-play clients (any IP, VPN, NAT, static NAT per client using public IP)
- Credit card billing
- Surveys and feedb…
Table of Contents (page 3, continued)

Captive Portal Authentication 6
  Captive Portal Overview 6
  ArubaOS or Amigopod for Visitor Management 6
  Captive Portal Authentication Workflow 10
ArubaOS Configuration 12
  Creating a RADIUS Server Instance 12
  Modify NAS ID for Master/Local Deployments 14
  Add RADIUS Server to a Server Group 15
  Creating an RFC3576 Server Instance 16
  Creating a Captive Portal Profile 18
  Configure Authentication for Captive Portal Profile 20
  Modify the AAA Profile 21
  Define a Policy to Permit Traffic to Amigopod 23
  Enable Captive Portal on Initial Role of Captive Portal Profile 25
  Verify Virtual AP Configuration 26
Amigopod Configuration 27
  Check for Updated Amigopod Plugins 27
  Configure RADIUS NAS for an Aruba Controller 30
  Configure Web Login for Captive Portal Authentication 33
  Optional Customization of the Web Login Page 34
  Amigopod Skins and Content Customization 35
  Web Login Access Lists 36
  Configure the RADIUS User Role 37
  Optional: Import Sample Welcome Page 38
Integration Verification 42
  Create a Test Account Within Amigopod Guest Manager 42
  Testing RADIUS 44
  Test Basic RADIUS Transactions 44
  Test Login and Verify Successful RADIUS Transaction 46
  Check that RADIUS Accounting is Working as Expected 48
Chapter 6: Troubleshooting Tips 49
Appendix A: Contacting Aruba Networks 50
Integration Verification (page 47), Test Login and Verify Successful RADIUS Transaction (continued)

Figure 43: Successful RADIUS log entry on Amigopod (RADIUS > Server Control; the page offers Restart RADIUS Server, Stop RADIUS Server, Debug RADIUS Server, View Failed Authentications and Test RADIUS Authentication, shows that the RADIUS server is currently running with server time Tue Aug 30 16:35:02 2011 -0700, and ends with a RADIUS Log Snapshot of the most recent entries in the RADIUS server log file)

RADIUS Log Snapshot:

    Tue Aug 30 16:33:35 2011 : Auth: Login OK: [aruba-guest] (from client LC1-Sunnyvale-6000 port 0 cli 002608F1B1EB)
    Tue Aug 30 16:30:38 2011 : Auth: Login OK: [aruba-guest] (from client LC1-Sunnyvale-6000 port 0 cli 000000000000)
    Tue Aug 30 16:26:38 2011 : Auth: Login OK: [aruba-guest] (from client LC2-Sunnyvale-6000 port 0 cli 000000000000)
    Tue Aug 30 16:23:59 2011 : Info: Ready to process requests.
    Tue Aug 30 16:23:59 2011 : Info: Loaded virtual server <default>
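The RADIUS log snapshot of Figure 43, as an added example that is not code from the guide or from Amigopod: a small Python parser that reads such Auth entries and classifies each successful login by whether the cli field (Calling-Station-Id) carries a real client MAC, which the note above attributes to the controller's captive portal, or all zeros, assumed here to be the earlier Amigopod test-tool transactions. The FreeRADIUS-style punctuation, the hyphenated NAS names and the added "Login incorrect" line are assumptions, not values from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample modelled on the RADIUS Log Snapshot in Figure 43; the
# FreeRADIUS-style punctuation and hyphenated NAS names are assumptions, and
# the final "Login incorrect" line is constructed to exercise the failure path.
SAMPLE_LOG = """\
Tue Aug 30 16:33:35 2011 : Auth: Login OK: [aruba-guest] (from client LC1-Sunnyvale-6000 port 0 cli 002608F1B1EB)
Tue Aug 30 16:30:38 2011 : Auth: Login OK: [aruba-guest] (from client LC1-Sunnyvale-6000 port 0 cli 000000000000)
Tue Aug 30 16:26:38 2011 : Auth: Login OK: [aruba-guest] (from client LC2-Sunnyvale-6000 port 0 cli 000000000000)
Tue Aug 30 16:23:59 2011 : Info: Ready to process requests.
Tue Aug 30 16:23:59 2011 : Info: Loaded virtual server <default>
Tue Aug 30 16:40:12 2011 : Auth: Login incorrect: [22163841] (from client LC1-Sunnyvale-6000 port 0 cli 58B035857E8A)
"""

# One Auth line: timestamp, result, [username], NAS short name, port, cli.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<cli>[0-9A-Fa-f:.-]+)\)$"
)

@dataclass
class AuthEntry:
    when: datetime
    ok: bool
    user: str
    nas: str
    cli: str  # Calling-Station-Id as logged, normalised to upper case

    @property
    def via_captive_portal(self) -> bool:
        # The controller sends the client MAC as Calling-Station-Id when the
        # request is driven by its captive portal; all zeros means it was not
        # (in this guide, the Amigopod test tool; assumption).
        return self.cli.strip("0:.-") != ""

def parse_auth_entries(log_text: str) -> list[AuthEntry]:
    """Return the Auth entries of a log snapshot; Info lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # Info lines and anything unrecognised
        entries.append(AuthEntry(
            when=datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            ok=m["result"] == "Login OK",
            user=m["user"], nas=m["nas"], cli=m["cli"].upper(),
        ))
    return entries

def summarize(entries: list[AuthEntry]) -> dict:
    """Counts to check after the test login: portal-driven vs test-tool OKs."""
    return {
        "ok": sum(e.ok for e in entries),
        "failed": sum(not e.ok for e in entries),
        "portal_ok": sum(e.ok and e.via_captive_portal for e in entries),
        "test_tool_ok": sum(e.ok and not e.via_captive_portal for e in entries),
        "by_nas": dict(Counter(e.nas for e in entries)),
    }

if __name__ == "__main__":
    print(summarize(parse_auth_entries(SAMPLE_LOG)))
```

A successful Figure 43 test shows up as portal_ok of at least 1 for the NAS the test client associated through; a run with only test_tool_ok entries means the captive portal never reached the Amigopod.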