
WLAN Secure Guest Access

Configuring secure guest WLAN access


Abstract
This document describes a typical configuration for a guest access production Aruba Networks infrastructure. This document is based on the Best Practices: WLAN Base Configuration and picks up where it left off to add secure guest access. The document demonstrates a typical configuration with complete step-by-step instructions for configuring:

• Master mobility controller
• Guest access WLAN

Recommended Reading
The following prerequisite documentation is highly recommended before reading this document:

• Best Practices: WLAN Base Configuration
• Best Practices: WLAN Scaling
• Best Practices: WLAN Performance

ArubaOS-2.5_v1.1_20050328 ArubaOS 2.5 ©2005-2006 Aruba Networks


Best Practices: WLAN Secure Guest Access

Table of Contents
WLAN SECURE GUEST ACCESS ...................................................................... 1
Design Summary ....................................................................................... 3
Design Guidelines...................................................................................... 5
Installation Procedure............................................................................... 9
Guest WLAN Configuration ...................................................................... 10
Configuring the Guest VLAN .................................................................... 11
Configuring Guest DHCP .......................................................................... 12
Configuring Guest Authentication ........................................................... 13
Configuring the Guest SSID..................................................................... 16
Determining Guest Access Policies & Rights............................................ 17
Define Security Objects ........................................................................... 19
Define Guest Access Scope...................................................................... 22
Configuring Guest Access Policies ........................................................... 24
Configuring the Captive Portal ................................................................ 33
Configuring the First Guest Client ........................................................... 35
Next Steps............................................................................................... 36
Advanced Design Considerations............................................................. 37
Layer 3 mobility ....................................................................................................................................................... 37
Common Troubleshooting Tasks.............................................................. 38
Installation Quick Start ........................................................................... 39
The fast procedure .................................................................................................................................................... 39
The really fast procedure.......................................................................................................................................... 40
Appendix A: Configuration Values ........................................................... 41
Base WLAN configuration values........................................................................................................................... 41
Guest WLAN configuration values......................................................................................................................... 42

2 © 2005-2006 Aruba Networks



Design Summary

Overview: This section describes a typical secure guest access configuration for an Aruba production network.

• Important: This document starts where the Best Practices: WLAN Base Configuration document ends. It assumes the Aruba network has already been configured for base connectivity according to the WLAN base configuration document.

Features and functionality: The secure guest access configuration includes the following features and functionality:

• Simple, secure wireless guest user access via Captive Portal that prevents wireless users from accessing internal resources

Topology: The following network diagram shows the basic topology for this network design:

Figure 1 - Base Configuration Reference Topology


Design Summary continued

Required licenses: Valid licenses for the following software modules are required to configure the reference network design:

• ArubaOS (standard with all mobility controllers)
  • Note: this design requires ArubaOS version 2.5.0 or higher
• Policy Enforcement Firewall module (allows us to define user roles, firewall ACL policies, IP NAT pools, Captive Portal configuration and role derivation rules). This module is an additional cost and requires licensing beyond the base software.

Required hardware: At least one Aruba mobility controller is required to manage and control the mobility domain and the Aruba APs.

Scaling notes: The reference design allows for a separate master controller and AP manager controller. However, these functions may be combined within the same controller.

For more information on determining the right number and disposition of your mobility controllers, please see the Best Practices: WLAN Scaling and Performance document for a detailed discussion.

Further reading: Please see the Best Practices: WLAN Base Configuration for the precursor configuration of this reference network. Also, please see the Aruba User Guide documentation for more information on installation, features and advanced or alternate configuration.

For the impatient: Want to just go ahead and get this configuration on a controller? Then read the next section for a detailed description of what will be configured as well as quick start instructions.[1]

[1] Estimated time to complete this configuration by following this document:


Design Guidelines

Overview: This section describes how to design the reference secure guest access configuration topology.

Network configuration: Each Aruba Mobility Controller in this reference design is configured with the following:

• Configuration from the WLAN base configuration reference topology
• Guest VLAN (VLAN 900)

The Aruba controller has two uplinks to a core router for redundancy.
Spanning tree is run to disable one link. The core router is responsible
for routing all traffic to and from the mobility controllers.

Figure 2 - Base Configuration IP Topology

The master controller is responsible for configuration and management of the mobility domain and the local controllers.


Design Guidelines continued

The master controller manages the Aruba APs – the AP will get its
configuration from whichever controller it terminates to. Each Aruba AP
is connected to the wired network (VLAN 8 in this example) and acquires
an IP address via DHCP from an external server located in the data
center. The APs auto-discover the master controller by querying DNS for
Aruba-master. Once they have found the master, the APs download their
configuration and create a tunnel to their local management system
(LMS) – in this case, the Aruba master controller.

WLANs and SSIDs: The wireless LAN (WLAN) is comprised of two SSIDs: one for employees called corpnet and one for guests called guestnet. This document shows how to configure the guestnet WLAN.

Guest authentication: The guestnet SSID is an open wireless LAN that allows any wireless client to easily associate. The client is placed into VLAN 900 and receives an IP address from the corporate DHCP server. However, the user has no access to network resources beyond DHCP and DNS until they open a web browser and log in with a registered guest account via the Captive Portal. All traffic to the internet is source-NATed.

AAA servers: Guests are required to authenticate before they are given network access. Thus, AAA (Authentication, Authorization and Accounting) servers are also required. This design reference example uses the following configuration:

Guest AAA server: Although guests do not have user accounts in the corporate Active Directory server, for security purposes, they are still required to authenticate. Temporary guest accounts are created in the local authentication database of the Aruba-master. These accounts may be managed and assigned by the corporate receptionist when a guest first signs in.

Once a guest has been assigned an account, they can enter their
information into the Captive Portal login screen on their browser. This will
grant them guest access.


Design Guidelines continued

Policy enforcement & access control: All client devices are subject to policy rules and restrictions that limit what they may do. This policy enforcement is enacted automatically by the policy-enforcement engine of the Aruba mobility controller.

Guest access policies: Guests are only granted access to the wireless network during business hours (08:00 to 18:00). Any guest access outside these hours is prohibited.

During business hours, successfully authenticated guests are only granted access to the Internet for HTTP and HTTPS traffic. All other traffic, including wireless to wireless communications or access to internal corporate resources, is denied.

Guests are also subject to a bandwidth contract that limits all guests to a
single 1Mbps bandwidth pool.

Transparent Layer 3 mobility: Although the design reference shows employees and guests each on a single VLAN throughout the entire enterprise, there is no reason why multiple VLANs cannot be supported. Thus, a client device that associates on one AP may be assigned VLAN 10 and then move to an AP in another building that normally places clients into VLAN 11. In this case, the user will keep their original IP address and transparently roam without needing to drop their IP address and acquire a new one.

ARM/RF management: All Aruba APs are configured to run the Adaptive Radio Management (ARM) algorithm. This allows the AP to automatically scan the RF environment and do the following:

• Proactively manage AP power and channel settings for optimal performance
• Scan for channel interference
• Build RF heat maps

In addition, the APs are also configured to automatically self-heal in the event of an AP failure and to detect coverage holes.


Design Guidelines continued

AP deployment: The number of APs and their deployment locations were determined using the Aruba RF Plan tool. The floor plans for all buildings that require coverage were first imported along with information on the building dimensions and the amount of coverage required.

Air Monitors (AMs) may also be configured at this time. Any Aruba AP
automatically provides monitoring when it is not busy servicing clients.

Although not required, AMs are highly recommended in environments where monitoring or monitoring-based applications such as location tracking and high-resolution heat maps are critical.

For the impatient: The rest of this document provides a detailed description of how to configure the reference design. If you want to simply load this configuration on a controller, please see the section Installation Quick Start.


Installation Procedure

Overview: This section describes the overall steps involved in configuring a network according to the reference network design described in the previous section.

Procedure steps: Here are the steps required and the order to perform them:

Guest WLAN configuration

1 Configure guest VLAN
2 Set up guest AAA server
3 Configure guest accounts
4 Configure guest DHCP services
5 Configure guest SSID
6 Determine guest access policies and rights
7 Define security objects
8 Define guest access scope
9 Configure guest access policies
10 Configure guest user roles
11 Configure guest authentication
12 Configure the first guest laptop

Backing up the system

13 Back up the controller


Guest WLAN Configuration

Overview: This section describes how to add secure guest access to the base reference network topology, as described by the Best Practices: WLAN Base Configuration document.

Guest WLAN configuration: We are ready to configure the guest WLAN! This will include the following actions:

• Configure guest VLAN
• Set up guest AAA server
• Configure guest accounts
• Configure DHCP services
• Configure guest SSID
• Determine guest access policies and rights
• Define security objects
• Define guest access scope
• Configure guest access policies
• Configure guest user roles
• Configure guest authentication
• Configure the first guest laptop


Configuring the Guest VLAN

Overview: This section describes how to configure a VLAN for guest users on the Aruba mobility controller.

Guest VLAN: Here is the procedure to configure the guest VLAN:

1 On the top-level menu bar, click Configuration. Be sure to select the advanced mode.
2 Click the VLAN tab
3 Click the Add button
4 In the Add New VLAN screen, enter the following information:
   VLAN ID      900
   IP Address   192.168.200.20
   Net Mask     255.255.255.0
5 Click the Apply button
6 On the top-level menu bar, click Save Configuration

Test & Validate: Test and verify the Aruba controller is reachable using the new local network interfaces, i.e. 172.16.200.20. An administrator can access the GUI or the command-line (via SSH) from any part of the network and from different subnets.


Configuring Guest DHCP

Overview: This section describes how to configure DHCP services for guest users on the Aruba mobility controller.

Guest DHCP Scope: In our reference design, guests using the WLAN are given IP addresses via DHCP from the Aruba controller. These addresses are not routable in the core network, which adds an additional layer of security to the design by hiding the IP addressing scheme used in the core network from guests and users who accidentally associate with the WLAN. To configure a DHCP scope for guest users, do the following:

1 On the top level menu bar, click Configuration. Make sure that the advanced option is selected.
2 On the left-hand option menu, click General under the Switch heading.
3 Click the DHCP Server Tab
4 Check the Enable DHCP Server box
5 Under Pool Configuration, click the Add button.
6 Under Pool Name, enter guestpool
7 In the Add DHCP Pool screen, enter the following information:
   Default Router   192.168.200.20
   DNS Servers      64.151.103.120
                    216.87.84.209
   Lease            0 Days 4 Hours 0 Minutes
   Network          192.168.200.0
   Netmask          255.255.255.0
8 Click the Add button
9 In the Excluded Address Range box, click the Add button
10 In the Add Excluded Address box, enter 172.16.200.1 in the first box and 172.16.20.25 in the second box.
11 Click the Add button
12 Click the Apply button
13 On the top level menu bar, click Save Configuration


Configuring Guest Authentication

Overview: This section describes how to configure an authentication server for guest users on the Aruba mobility controller.

Guest AAA server: In our reference design, guests are prompted to authenticate before they are allowed Internet access. These accounts are stored on a simple (non-Radius) local authentication database of the Aruba controller. The local authentication DB is configured by default. All that is required is to simply create accounts for guest use.

A special user account can be created on the Aruba controller to allow the creation of guest accounts, but no configuration of the switch is allowed. This user account is useful for front desk receptionists and others who typically sign guests in.

Creating a guest account administrator role: In order to create a user role that only has rights to access guest accounts, follow these steps:

1 On the top-level menu bar, click Configuration. Make sure the advanced option is selected.
2 On the left-hand option menu, under Switch click Management
3 Click the Access Control tab
4 Under the Management Users section, click the Add button
5 Under user name, enter addguests
6 Under password, enter pl@yd0h
7 Under confirm password, enter pl@yd0h
8 Make sure the role pull down is set to guest-provisioning
9 Click the Apply button


Configuring Guest Authentication continued

Guest accounts: Here is the procedure to configure guest accounts on the internal DB:

1 Log the admin user out of the Aruba controller by clicking the logout button in the upper right section of the top menu bar
2 Log in to the controller using the addguests account created in the previous section.
3 A restricted menu bar appears. Only the Security->Internal User Database section appears, with only the Internal DB tab.
4 Click the Add User button
5 In the Add User screen, enter the following information:
   User Name    guest100
   Password     GoAruba
   Role         Guest
   Enable       box checked
   Expiration   Set Expiry Time to 240 mins
6 Click the Apply button

• Note: The guest user accounts that are created can be set to not expire, have a set time in minutes, or a set end date before they expire.


Configuring Guest Authentication continued

Test & Validate: You can test the internal authentication server in the same way you tested the Radius server.

Here is the procedure to test AAA communications with the internal authentication database:

1 SSH to the controller and login
2 Enter the following commands:

(Aruba-master) #show aaa auth-server

Auth Server Table

Pri Name     Type   IP addr     AuthPort Status  Inservice Applied match-essid match-FQDN trim-FQDN
--- ----     ----   -------     -------- ------  --------- ------- ----------- ---------- ---------
1   Internal Local  10.3.22.220 n/a      Enabled Yes
    SecureID
2   Radius01 Radius 10.3.22.253 1812     Enabled Yes

(Aruba-master) #aaa test-server Internal guest100 GoAruba

Authentication successful

Checkpoint! We now have an operational master Aruba controller that is configured with:

• Guest VLAN
• Working AAA server for guests


Configuring the Guest SSID

Overview: This section describes how to configure the SSID for the guest network.

Guest SSID: In our design reference, there is a separate SSID for guests. Since the guest SSID will use a different (and lower) grade of security, it is important to not mix this with the stronger employee security keys as they could be compromised. Here is the procedure to configure the guest SSID:

1 Log on to the GUI using the admin account.
2 On the top-level menu bar, click Configuration. Make sure that the advanced mode is selected.
3 On the left-hand option menu, under WLAN click Network
4 Click the SSID tab
5 Click the Add button
6 In the Edit SSID screen, enter the following information:
   SSID                guestnet
   Radio Type          802.11 a/b/g
   SSID Default VLAN   900
   Encryption Type     NULL
7 Click the Apply button
8 On the top-level menu bar, click Save Configuration

Note: When entering the default VLAN, make sure you click the ! button to enter the value before you click the Apply button.

Checkpoint! We now have an operational master Aruba controller that is configured with:

• Operational loopback address and default gateway
• Core, employee & guest VLANs
• Employee & guest SSIDs
• Correct time & date
• System logging
• Working Radius server for employee authentication
• Working Internal DB for guest authentication

At this point you can now test and ensure the Aruba APs correctly establish a connection and advertise the correct SSIDs. To check this, activate the wireless adapter on the test PC and verify it sees the SSID.


Determining Guest Access Policies & Rights

Overview: This section describes how to determine appropriate guest access rights, roles and policies. The design reference in this document is based on real-world policies and examples.

Guest access policies: According to our reference design, guests must authenticate via the Captive Portal web login before they are granted network access. Once authenticated, they are only allowed to access the Internet via HTTP/S (ports 80 and 443); all other network access is prohibited. They are also only allowed to access the guest WLAN during business hours and must share a 1Mbps pool of bandwidth.

We will create the firewall policies first and then attach them to the guest
user role with the other restrictions.

Design Note: Because guest users are allowed to associate to the WLAN before they authenticate, we will create two sets of firewall policies. The first (called Guest-Logon-Access) will be applied to anyone who associates to the guestnet SSID and is extremely restrictive. The second (called Guest-Access) will be applied after authentication and will allow Internet access.

The following diagram illustrates how a guest would connect to the guestnet wireless network, authenticate, and gain Internet access:


Determining Guest Access Policies & Rights continued

Figure 3 - Guest Association & Authentication

Netdestination aliases: The guest access policies shown are very restrictive: the goal is to only allow access to the devices that must be reachable and to deny all others. To make the firewall policies easier to write and read, we will create some aliases first that we will use to:

• Identify internal networks that guests should not be able to access
• Identify a block of public DNS servers that guests may use

Once these are created, we may use the alias name wherever we would type several IP addresses or networks.


Define Security Objects

Overview: This section describes how to determine and define the resources (networks, servers) that a guest will be restricted or allowed to use. We call these security objects since they are not actually security policies. Instead, these are definitions or aliases that will be used by the policies later in this document.

Strictly speaking, these aliases are not required. However, they are extremely useful and make configurations much cleaner and easier to understand and use. Because of this, they are included in standard best practice implementations.

Security objects we will use: Here are the security objects we will define for use in our policies:

Security Object     Policy Usage
Internal networks   Deny guest access
DNS alias           Restrict guest access such that they may only use a particular set of DNS servers


Define Security Objects continued

Internal networks netdestination alias: Here is the procedure to create a destination alias for all internal networks:

1 On the top-level menu bar, click Configuration. Make sure the advanced mode is selected.
2 On the left-hand option menu, under Security click Advanced
3 Click the Destinations tab
4 Click the Add button
5 In the Destinations screen, enter the following information:
   Destination Name   Internal-Networks
6 Click the Add button
7 Enter the following information:
   Rule Type      Network
   IP Address     10.0.0.0
   Network Mask   255.255.255.0
8 Click the Add button to add the rule
9 Click the Add button again to enter a new rule
10 Enter the following information:
   Rule Type      Network
   IP Address     192.168.0.0
   Network Mask   255.255.0.0
11 Click the Add button to add the rule
12 Click the Add button again to add a new rule
13 Enter the following information:
   Rule Type      Network
   IP Address     172.16.0.0
   Network Mask   255.255.240.0
14 Click the Add button to add the rule
15 Click the Apply button
16 On the top-level menu bar, click Save Configuration


Define Security Objects continued

Public DNS alias: The public DNS alias is a netdestination alias that allows us to specify all of the DNS servers a guest may use. In our reference network design, these are all public, external machines that are outside the corporate network.

Here is the procedure to create a destination alias for a block of public DNS servers:

1 On the top-level menu bar, click Configuration. Make sure the advanced mode is selected.
2 On the left-hand option menu, under Security click Advanced
3 Click the Add button
4 Click the Destinations tab
5 In the Destinations screen, enter the following information:
   Destination Name   Public-DNS
6 Click the Add button
7 Enter the following information:
   Rule Type    Host
   IP Address   64.151.103.120
8 Click the Add button to add the rule
9 Click the Add button again to add a new rule
10 Enter the following information:
   Rule Type    Host
   IP Address   216.87.84.209
11 Click the Add button to add the rule
12 Click the Add button again to add a new rule
13 Enter the following information:
   Rule Type    Host
   IP Address   217.115.138.24
14 Click the Add button
15 Click the Apply button
16 On the top-level menu bar, click Save Configuration
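An added check, not part of the Aruba document, that expands the two aliases exactly as entered above and reports which addresses they match. The host list is constructed from addresses that appear elsewhere in this document; with the masks as entered, the 10.0.0.0 entry is a /24, so the 10.3.22.x servers named in later sections fall outside Internal-Networks, which is worth confirming against your own address plan before relying on the alias in a deny rule.

```python
import ipaddress

# The two netdestination aliases exactly as entered in the procedures above.
# "Network" rules carry a mask; "Host" rules are a single address.
NETDESTINATIONS = {
    "Internal-Networks": [
        ("Network", "10.0.0.0", "255.255.255.0"),
        ("Network", "192.168.0.0", "255.255.0.0"),
        ("Network", "172.16.0.0", "255.255.240.0"),
    ],
    "Public-DNS": [
        ("Host", "64.151.103.120", None),
        ("Host", "216.87.84.209", None),
        ("Host", "217.115.138.24", None),
    ],
}

# Addresses used elsewhere in this document, paired with their role
# (a constructed lookup list for the coverage check below).
DOCUMENT_HOSTS = {
    "guest VLAN interface": "192.168.200.20",
    "internal auth DB (controller)": "10.3.22.220",
    "Radius01": "10.3.22.253",
    "corporate DHCP server": "10.3.22.240",
}


def alias_networks(alias):
    """Expand an alias into ip_network objects (hosts become /32)."""
    nets = []
    for rule_type, addr, mask in NETDESTINATIONS[alias]:
        if rule_type == "Network":
            # ipaddress accepts dotted-quad masks, e.g. 10.0.0.0/255.255.255.0
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif rule_type == "Host":
            nets.append(ipaddress.ip_network(f"{addr}/32"))
        else:
            raise ValueError(f"unknown rule type {rule_type!r}")
    return nets


def alias_matches(alias, ip):
    """True if the firewall would treat ip as a member of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias_networks(alias))


def uncovered(alias, hosts):
    """Names of the hosts that the alias does NOT match."""
    return [name for name, ip in hosts.items() if not alias_matches(alias, ip)]


if __name__ == "__main__":
    for alias in NETDESTINATIONS:
        print(alias, "=", ", ".join(str(n) for n in alias_networks(alias)))
    print("not in Internal-Networks:", uncovered("Internal-Networks", DOCUMENT_HOSTS))
```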


Define Guest Access Scope

Overview: This section describes how to determine and define the scope of guest access. Scope typically defines when and how a guest is allowed to access the WLAN and resources.

Guest access scopes: In this reference design, two scope limitations are imposed on guests:

1 Guests may only access the WLAN during business hours
2 Guests must share a restricted amount of bandwidth

Business hours time range: To configure the time-based scope, we will create a time range that defines business hours. This will be used by the guest user role to restrict access during non-business hours. Any guest who tries to use the wireless network outside of business hours will be blocked.

Here is the procedure to create a time range for business hours:

1 On the top-level menu bar, click Configuration. Make sure the advanced mode is enabled.
2 On the left-hand option menu, under Security click Advanced
3 Click the Time Range tab
4 Click the Add button
5 In the Add Time Range screen, enter the following information:
   Name   Business-Hours
   Type   Periodic
6 Click the Add button to specify the period rules
7 In the Add Periodic Rule section, enter the following information:
   Start Day    Weekday
                Monday
   Start Time   08:00
   End Time     18:00
8 Click the Add button
9 Click the Apply button
10 On the top-level menu bar, click Save Configuration


Define Guest Access Scope continued

Bandwidth contract for guests: Lastly, we'll set up a bandwidth contract to limit the amount of traffic the users can consume. This will also be used by the guest user role. We will use this contract to create a "pool" of available bandwidth which all guest users must share.

Here is the procedure to create a bandwidth contract:

1 On the top-level menu bar, click Configuration. Make sure the advanced mode is selected.
2 On the left-hand option menu, under Security click Advanced
3 Click the Bandwidth Contracts tab
4 Click the Add button
5 In the Bandwidth Contracts screen, enter the following information:
   Contract Name   Guest-Bandwidth
   Bandwidth       1 Mbps
6 Click the Add button
7 On the top-level menu bar, click Save Configuration


Configuring Guest Access Policies

Overview: This section describes how to configure guest access policies utilizing the definitions and scopes we created previously.

Guest-Logon-Access policy: Now we will build the Guest-Logon-Access firewall policy. This will be used to limit what guests may do before they authenticate.

Here is the procedure to create the Guest-Logon-Access firewall policy:

1 On the top-level menu bar, click Configuration. Make sure the advanced mode is selected.
2 On the left-hand option menu, under Security click Policies
3 Click the Add button
4 In the Add New Policy screen, enter the following information:
   Policy Name   Guest-Logon-Access
5 Under the Rules section, click the Add button
6 In the policy statement, create a rule that will only allow the DHCP protocol between the user and the corporate DHCP server (10.3.22.240) during business hours. Create a policy that blocks other users from responding to DHCP requests by entering the following information:
   Source        User
   Destination   Any
   Service       UDP 68
   Action        Drop
7 Click the Add button to add the rule
8 Click the Add button again to add a new rule. Now that we've blocked other wireless users from responding to DHCP requests we will then allow DHCP:
   Source        User
   Destination   Any
   Service       svc-dhcp
   Action        Permit
   Time Range    Business-Hours
9 Click the Add button to add the rule
10 Click the Add button again to add a new rule


Configuring Guest Access Policies continued

Guest-Logon-Access policy (continued):

11 In the policy statement, create a rule that will only allow the DNS protocol between the user and public DNS servers (Public-DNS alias) during business hours. This traffic will be source NAT'd using the IP interface of the controller for the VLAN. Create the policy by entering the following information:
   Source        User
   Destination   Alias
   Alias         Public-DNS
   Service       Svc-dns
   Action        Src-nat
   Time Range    Business-Hours
12 Click the Add button to add the rule
13 Click the Add button again to add a new rule
14 In the policy statement, create a rule that will only allow the ICMP protocol between the user and the Aruba mobility controller during business hours. We will allow this traffic purely for troubleshooting purposes to determine guest client connectivity. Create the policy by entering the following information:
   Source        User
   Destination   Alias
   Alias         mswitch [2]
   Service       Svc-icmp
   Action        permit
   Time Range    Business-Hours
15 Click the Add button to add the rule
16 Click the Apply button
17 On the top-level menu bar, click Save Configuration

[2] Mswitch is a built-in alias that refers to the loopback IP address on an Aruba mobility controller
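The Guest-Logon-Access rules above, and the Guest-Access policy that the text says adds HTTP/HTTPS src-nat for authenticated guests, modelled as an added example (not Aruba code) to show how ordered first-match evaluation, the Business-Hours time range and the implicit deny at the end of a session ACL combine. Assumptions: the loopback address behind the mswitch alias and the ports covered by the svc-dhcp netservice are not stated on the page and are filled in here as constructed values.

```python
import ipaddress
from datetime import datetime, time

# Netdestination aliases used by the rules. "mswitch" is the controller's
# built-in loopback alias; the address given here is an assumption.
ALIASES = {
    "Public-DNS": ["64.151.103.120/32", "216.87.84.209/32", "217.115.138.24/32"],
    "mswitch": ["10.3.22.220/32"],
}

# Netservices as (protocol, destination ports); None = any port.
# Ports 80/443 come from the document; svc-dhcp spanning 67-68 is assumed.
SERVICES = {
    "udp 68":    ("udp",  {68}),
    "svc-dhcp":  ("udp",  {67, 68}),
    "svc-dns":   ("udp",  {53}),
    "svc-icmp":  ("icmp", None),
    "svc-http":  ("tcp",  {80}),
    "svc-https": ("tcp",  {443}),
}

# Session ACL rules: (source, destination, service, action, time range).
# Source is always "user" (the guest client), as in the procedures above.
GUEST_LOGON_ACCESS = [
    ("user", "any",        "udp 68",   "deny",    None),             # no guest may answer DHCP
    ("user", "any",        "svc-dhcp", "permit",  "Business-Hours"),
    ("user", "Public-DNS", "svc-dns",  "src-nat", "Business-Hours"),
    ("user", "mswitch",    "svc-icmp", "permit",  "Business-Hours"),
]
GUEST_ACCESS = GUEST_LOGON_ACCESS + [
    ("user", "any", "svc-http",  "src-nat", "Business-Hours"),
    ("user", "any", "svc-https", "src-nat", "Business-Hours"),
]


def in_business_hours(when):
    """Business-Hours time range: Monday to Friday, 08:00 to 18:00."""
    return when.weekday() < 5 and time(8, 0) <= when.time() < time(18, 0)


def dst_matches(dst, ip):
    if dst == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[dst])


def service_matches(service, proto, dport):
    want_proto, ports = SERVICES[service]
    return proto == want_proto and (ports is None or dport in ports)


def evaluate(policy, dst_ip, proto, dport, when):
    """Return the action for a new session from the guest to dst_ip.

    Rules are tried in order; a rule outside its time range is skipped,
    the first match wins, and no match hits the implicit deny at the end.
    """
    for _src, dst, service, action, time_range in policy:
        if time_range == "Business-Hours" and not in_business_hours(when):
            continue
        if dst_matches(dst, dst_ip) and service_matches(service, proto, dport):
            return action
    return "deny"


# Constructed timestamps: Wednesday 10:00, Wednesday 20:00, Saturday 10:00.
BUSINESS = datetime(2006, 3, 15, 10, 0)
EVENING = datetime(2006, 3, 15, 20, 0)
WEEKEND = datetime(2006, 3, 18, 10, 0)

# Constructed sample sessions: (label, destination, protocol, dst port, time).
SAMPLE_SESSIONS = [
    ("DHCP request to 10.3.22.240",       "10.3.22.240",    "udp",  67,   BUSINESS),
    ("DHCP request on Saturday",          "10.3.22.240",    "udp",  67,   WEEKEND),
    ("guest answering DHCP (to port 68)", "192.168.200.77", "udp",  68,   BUSINESS),
    ("DNS to Public-DNS server",          "64.151.103.120", "udp",  53,   BUSINESS),
    ("DNS to an unlisted resolver",       "8.8.8.8",        "udp",  53,   BUSINESS),
    ("HTTP to the Internet",              "203.0.113.10",   "tcp",  80,   BUSINESS),
    ("HTTPS after hours",                 "203.0.113.10",   "tcp",  443,  EVENING),
    ("SSH to the Internet",               "203.0.113.10",   "tcp",  22,   BUSINESS),
    ("ping the controller (mswitch)",     "10.3.22.220",    "icmp", None, BUSINESS),
    ("ping the DHCP server",              "10.3.22.240",    "icmp", None, BUSINESS),
]


def compare(sessions):
    """Evaluate each session under both roles: {label: (logon, authenticated)}."""
    return {name: (evaluate(GUEST_LOGON_ACCESS, *rest), evaluate(GUEST_ACCESS, *rest))
            for name, *rest in sessions}


if __name__ == "__main__":
    for name, (logon, authed) in compare(SAMPLE_SESSIONS).items():
        print(f"{name:36} logon={logon:8} authenticated={authed}")
```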


Configuring Guest Access Policies continued

Guest-Access Now let’s create the firewall policy for guest users once they have
firewall policy authenticated. Here is the procedure to create the Guest-Access firewall
policy:

1 On the top-level menu bar, click Configuration. Make sure the


advanced mode is selected.
2 On the left-hand option menu, under Security click Policies
3 Click the Add button
4 In the Add New Policy screen, enter the following information:
Policy Name Guest-Access
5 Under the Rules section, click the Add button
6 In the policy statement, create a rule that will only allow the
DHCP protocol between the user and the corporate DHCP
server (10.3.22.240) during business hours. Create a policy that
blocks other users from responding to DHCP requests by
entering the following information:
Source User
Destination Any
Service UDP 68
Action Drop

7 Click the Add button to add the rule
8 Click the Add button again to add a new rule. Now that we’ve
blocked other wireless users from responding to DHCP
requests we will then allow DHCP:
Source User
Destination Any
Service svc-dhcp
Action Permit
Time Range Business-Hours

9 Click the Add button to add the rule
10 Click the Add button again to add a new rule

11 In the policy statement, create a rule that will only allow the
DNS protocol between the user and public DNS servers
(Public-DNS alias) during business hours. This traffic will be
source NAT’d using the IP interface of the controller for the
VLAN. Create the policy by entering the following information:
Source User
Destination Alias
Alias Public-DNS
Service Svc-dns
Action Src-nat
Time Range Business-Hours

12 Click the Add button
13 Click the Add button again
14 In the policy statement, create a rule that will only allow the
ICMP protocol between the user and the Aruba mobility
controller during business hours. We will allow this traffic purely
for troubleshooting purposes to determine guest client
connectivity. Create the policy by entering the following
information:
Source User
Destination mswitch
Service Svc-icmp
Action permit
Time Range Business-Hours

15 Click the Add button to add the rule
16 Click the Add button again to add a new rule
17 In the policy statement, create a rule that will allow the HTTP
protocol from the user during business hours. This traffic will be
source NAT’d using the IP interface of the controller for the
VLAN. Create the policy by entering the following information:
Source User
Destination Any
Service Svc-http
Action Src-nat
Time Range Business-Hours
18 Click the Add button to add the rule
19 Click the Add button again to add a new rule
20 In the policy statement, create a rule that will allow the HTTPS
protocol from the user during business hours. This traffic will be
source NAT’d using the IP interface of the controller for the
VLAN. Create the policy by entering the following information:
Source User
Destination Any
Service Svc-https
Action Src-nat
Time Range Business-Hours

21 Click the Add button
22 Click the Apply button
23 On the top-level menu bar, click Save Configuration

Block-Internal-Networks firewall policy

This policy denies access to anything on the internal corporate network.
Here is the procedure to create the Block-Internal-Networks firewall
policy:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is enabled.
2 On the left-hand option menu, under Security click Policies
3 Click the Add button
4 In the Add New Policy screen, enter the following information:
Policy Name Block-Internal-Networks

5 Under the Rules section, click the Add button
6 In the policy statement, enter the following information:
Source User
Destination Alias
Alias Internal-Networks (3)
Service Any
Action Drop

7 Click the Add button to add the rule
8 Click the Apply button
9 On the top-level menu bar, click Save Configuration

Drop-And-Log firewall policy

We will create one final firewall policy. This policy denies everything,
drops the traffic and logs the attempted network access to the system
log. This is very useful as a final statement for a user to log any
attempted access beyond what was provisioned. Here is the procedure
to create the Drop-And-Log firewall policy:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 On the left-hand option menu, under Security click Policies
3 Click the Add button
4 In the Add New Policy screen, enter the following information:
Policy Name Drop-And-Log

5 Under the Rules section, click the Add button

(3) Remember, we created the Internal-Networks alias earlier to represent all of our internal
networks.

6 In the policy statement, enter the following information:
Source User
Destination Any
Service Any
Action Drop
Log Yes

7 Click the Add button to add the rule
8 Click the Apply button
9 On the top-level menu bar, click Save Configuration

Guest-Logon user role

Now that we have the firewall policy configured, let’s create a user role
for the guest users before they log on and authenticate.

Here is the procedure to create the Guest-Logon user role:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 On the left-hand option menu, under Security click Roles
3 Click the Add button
4 In the Edit User Role screen, enter the following information:
Role Name Guest-Logon

5 Under the Firewall Policies section, click the Add button
6 Select the radio button next to Choose from Configured Policies
7 Select the following firewall policies from the drop-down box:
Firewall Policy Order
captiveportal 1
Guest-Logon-Access 2
Block-Internal-Networks 3

8 Click the Done button after each policy selection
9 In the Re-authentication Interval section, enter the following
information:
Re-authentication Interval 480

10 Click the Change button
11 Click the Apply button
12 On the top-level menu bar, click Save Configuration

Guest user role

Now let’s create a user role for guest users after they have been
authenticated.

Here is the procedure to create the AuthGuest user role:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 On the left-hand option menu, under Security click Roles
3 Click the Add button
4 In the Add New User Role screen, enter the following
information:
Role Name AuthGuest

5 Under the Firewall Policies section, click the Add button
6 Select the radio button next to Choose from Configured Policies
7 Select the following firewall policies from the drop-down box:
Firewall Policy Order
cplogout 1
Guest-Logon-Access 2
Block-Internal-Networks 3
Guest-Access 4
Drop-And-Log 5

8 Click the Done button after each policy selection
9 In the Re-authentication Interval section, enter the following
information:
Re-authentication Interval 480

10 Click the Change button
11 In the Bandwidth Contract section, select Guest-Bandwidth from
the drop-down box
12 Click the Change button
13 Click the Apply button
14 On the top-level menu bar, click Save Configuration
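The order in which the AuthGuest role lists its policies matters because the controller applies them as one first-match list. To make that visible, here is an added example, written for this page and not Aruba code or anything shipped with this guide, that models the rules above in Python and evaluates constructed guest traffic against them. It takes the alias, DNS server and Business-Hours values from Appendix A and assumes: policies are checked top to bottom in the listed order; svc-dhcp covers UDP 67-68; Business-Hours means 08:00 to 18:00 on any day; the built-in cplogout policy is omitted because its rules are not shown in this guide; and from Guest-Logon-Access only the DNS and ICMP rules shown in this section are included. The sample packets, the hour values and the outside host 198.51.100.10 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases from Appendix A; mswitch is the built-in alias for the controller loopback.
ALIASES = {
    "Public-DNS": ["64.151.103.120/32", "216.87.84.209/32", "217.115.138.24/32"],
    "Internal-Networks": ["10.0.0.0/255.255.255.0", "192.168.0.0/255.255.255.0",
                          "172.16.0.0/255.255.240.0"],
    "mswitch": ["10.3.22.220/32"],
}
ALIASES = {name: [ip_network(n) for n in nets] for name, nets in ALIASES.items()}

# Service -> (protocol, lowest port, highest port); None means "any".
# Assumption: svc-dhcp spans UDP 67-68, which is why the guide drops UDP 68 first.
SERVICES = {
    "any": (None, None, None),
    "udp-68": ("udp", 68, 68),
    "svc-dhcp": ("udp", 67, 68),
    "svc-dns": ("udp", 53, 53),
    "svc-icmp": ("icmp", None, None),
    "svc-http": ("tcp", 80, 80),
    "svc-https": ("tcp", 443, 443),
}

# Business-Hours from Appendix A: 08:00 to 18:00 (assumed: any day, end exclusive).
BUSINESS_HOURS = range(8, 18)

@dataclass(frozen=True)
class Rule:
    policy: str
    destination: str                 # alias name or "any"
    service: str
    action: str                      # "permit", "drop" or "src-nat"
    time_range: Optional[str] = None
    log: bool = False

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    dport: Optional[int]
    hour: int                        # hour of day the packet is sent

# Rules in the order the AuthGuest role lists its policies. cplogout is omitted
# (not shown in the guide); from Guest-Logon-Access only the DNS and ICMP rules
# shown in this section are included.
AUTHGUEST_RULES = [
    Rule("Guest-Logon-Access", "Public-DNS", "svc-dns", "src-nat", "Business-Hours"),
    Rule("Guest-Logon-Access", "mswitch", "svc-icmp", "permit", "Business-Hours"),
    Rule("Block-Internal-Networks", "Internal-Networks", "any", "drop"),
    Rule("Guest-Access", "any", "udp-68", "drop"),           # guests must not answer DHCP
    Rule("Guest-Access", "any", "svc-dhcp", "permit", "Business-Hours"),
    Rule("Guest-Access", "Public-DNS", "svc-dns", "src-nat", "Business-Hours"),
    Rule("Guest-Access", "mswitch", "svc-icmp", "permit", "Business-Hours"),
    Rule("Guest-Access", "any", "svc-http", "src-nat", "Business-Hours"),
    Rule("Guest-Access", "any", "svc-https", "src-nat", "Business-Hours"),
    Rule("Drop-And-Log", "any", "any", "drop", log=True),   # final catch-all
]

def destination_matches(alias, dst_ip):
    if alias == "any":
        return True
    addr = ip_address(dst_ip)
    return any(addr in net for net in ALIASES[alias])

def service_matches(service, proto, dport):
    sproto, lo, hi = SERVICES[service]
    if sproto is None:
        return True
    if sproto != proto:
        return False
    return lo is None or (dport is not None and lo <= dport <= hi)

def time_matches(time_range, hour):
    # Business-Hours is the only time range the guide defines.
    return time_range is None or hour in BUSINESS_HOURS

def evaluate(packet, rules=AUTHGUEST_RULES):
    """Return the first matching rule, as a first-match firewall would apply it."""
    for rule in rules:
        if (destination_matches(rule.destination, packet.dst_ip)
                and service_matches(rule.service, packet.proto, packet.dport)
                and time_matches(rule.time_range, packet.hour)):
            return rule
    return None  # not reached while Drop-And-Log is the last policy

if __name__ == "__main__":
    # Constructed traffic from a guest client in 172.16.200.0/24.
    samples = [
        Packet("10.3.22.240", "udp", 67, 10),    # DHCP request to the corporate server
        Packet("172.16.200.37", "udp", 68, 10),  # guest answering another guest's DHCP
        Packet("10.3.22.220", "icmp", None, 10), # ping the controller loopback
        Packet("64.151.103.120", "udp", 53, 20), # public DNS, but after hours
        Packet("172.16.10.5", "tcp", 80, 10),    # HTTP to an employee VLAN host
        Packet("198.51.100.10", "tcp", 443, 10), # HTTPS to an outside host
        Packet("198.51.100.10", "tcp", 22, 10),  # SSH to an outside host
    ]
    for p in samples:
        r = evaluate(p)
        print(f"{p.dst_ip:>15} {p.proto}/{p.dport} at {p.hour:02d}:00 -> "
              f"{r.policy}: {r.action}{' (logged)' if r.log else ''}")
```

Two results are worth noticing when you run it. A guest sending to UDP port 68 is dropped by the first Guest-Access rule even though the svc-dhcp permit that follows would otherwise allow it, and HTTP to a host in the employee VLAN is stopped by Block-Internal-Networks before the Guest-Access src-nat rule is ever reached. Both depend entirely on the order chosen in steps 6 and 7 above; swapping the policies would silently widen what guests can reach.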

Apply guest user role to guest users

Now that the AuthGuest role has been created, it needs to be applied to
the guest user in the internal database.

The following procedure will accomplish this:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 On the left-hand option menu, under Security click AAA
servers
3 Click the Internal DB tab
4 Under the Users section, for the user guest100 click the Modify
button
5 Under the role pull down menu, select AuthGuest
6 Click the Apply button
7 On the top level menu bar, click Save Configuration.

Checkpoint!

We now have an operational master Aruba controller that is configured
with:
- Operational loopback address and default gateway
- Employee & guest VLANs
- Correct time & date
- System logging
- Working Radius server for employee authentication
- Working Internal DB for guest authentication
- Employee & guest SSIDs
- Firewall policies for employees & guests
- User roles for employees and guests

Configuring the Captive Portal

Overview

This section describes how to configure the Captive Portal on the Aruba
mobility controller.

Configuring authentication methods

Now that the user roles and access rights are defined, we can configure
the authentication method for guests. This will allow a guest user to
associate to an SSID, authenticate and gain network access.

Guest authentication

To enable guest authentication, we will do two things. First, for security
reasons, we will move any device that associates to the guestnet SSID
to the more secure Guest-Logon user role instead of the default logon
user role that all wireless/untrusted devices are normally placed in at
association time. This is called a derivation rule. Derivation rules are
rules applied to a device that can change the user role or VLAN of the
device.

We will also configure Captive Portal, to redirect the guest user’s
HTTP/S requests to a web login screen for authentication and place the
authenticated guest into the correct role.

Guest SSID derivation rule

Here is the procedure to move devices that associate to the guestnet
SSID to a new user role:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 On the left-hand option menu, under Security click
Authentication Methods
3 Click on the SSID tab
4 Click the Add button
5 In the Add screen, enter the following information:
Condition Equals
Value guestnet
Role Name Guest-Logon

6 Click the Apply button
7 On the top-level menu bar, click Save Configuration

Captive Portal

Here is the procedure to configure Captive Portal authentication for guest users:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 On the left-hand option menu, under Security click
Authentication Methods
3 Click on the Captive Portal tab
4 In the Captive Portal tab, enter the following information:
Default role AuthGuest
Enable Guest Logon No
Enable User Logon Yes
Redirect Pause 1

5 Under the Authentication Servers section, click the Add button
6 Select the Internal server from the drop-down list
7 Click the Add button to add the server
8 Click the Apply button
9 On the top-level menu bar, click Save Configuration

Checkpoint!

We now have an operational master Aruba controller that is configured
with:
- Operational loopback address and default gateway
- Employee & guest VLANs
- Correct time & date
- System logging
- Working Radius server for employee authentication
- Working Internal DB for guest authentication
- Employee & guest SSIDs
- Firewall policies for employees & guests
- User roles for employees and guests
- Restricted policy/access for guests
- 802.1x and WPA authentication
- Captive Portal authentication

Configuring the First Guest Client

Overview

This section describes how to configure a test PC as a guest client.

Configuring the first guest client

We can now configure and test the first guest client device as well. The
guest client requires no additional software installation. The guest
client’s wireless adapter should be configured with the following
information:

Parameter Value
Network Name (SSID) guestnet
Association Mode Open
Encryption Method None

Once the client device has associated to the guest network, open a web
browser and query for a web site. The browser will be redirected
automatically to the Captive Portal login page. Once redirected to the login
page, use the following guest account that we created earlier:

User name Password
guest100 GoAruba

Test & Validate

To test the guest network, simply open a web browser and log on.

For more information on troubleshooting Captive Portal clients please
refer to the troubleshooting section of this document.

Checkpoint!

We now have an operational master Aruba controller that is configured
with:
- Guest VLANs
- Working Internal DB for guest authentication
- Employee & guest SSIDs
- Firewall policies for guests
- User roles for guests
- Restricted policy/access for guests
- Captive Portal authentication
- Working guest client

Next Steps

Overview

This section provides recommendations for next steps in the installation
of an Aruba mobility infrastructure.

Backup the controller

Once you have a working configuration, it is an excellent idea to save
and backup the controller configuration and databases.

Here is the procedure for backing up an Aruba mobility controller:

1 On the top-level menu bar, click Maintenance
2 In the File section, click Backup Flash
3 Click the Create Backup button to create the backup file
4 Once the backup file is created, click Copy Backup to create a
copy off of the controller, e.g. to a TFTP or FTP server

! Important: Before you can copy a backup file from the controller, you
must have a working TFTP or FTP server.

Other tasks

There are many other configuration tasks that might also be configured
as part of the mobility infrastructure. These include:

! Scale the WLAN by installing additional controllers
! Remote access

For more information on these tasks, please see the appropriate best
practices guide.

Advanced Design Considerations

Overview

This section discusses more advanced design topics. These design
considerations may or may not be relevant to a given network design. If
unsure, please discuss with your Aruba technical representative.

Layer 3 mobility

Although the reference design in this guide only has one VLAN for each
SSID or type of user, this is not always the case. Very large deployments
may have a different VLAN for multiple buildings or even every floor of
each building. So although the SSID stays the same when a user roams,
the IP network changes.

If a wireless device roams and acquires a new IP address it can have
adverse effects on applications. The Aruba solution supports transparent
Layer 3 mobility. This allows a wireless device to keep its original IP
address regardless of where it roams. This functionality requires no
additional software or configuration of the client device.

Here is the procedure for enabling Layer 3 mobility:

1 On the top-level menu bar, click Configuration. Make sure the
advanced mode is selected.
2 Click on the General tab
3 In the Mobility Configuration section, select the checkbox next
to Enable Mobility
4 Click the Apply button
5 On the top-level menu bar, click Save Configuration

! Important: For optimal performance, it is strongly recommended that
this feature only be enabled when multi-VLAN roaming is required
and configured.

Common Troubleshooting Tasks

Overview

This section discusses various troubleshooting tasks, hints and
techniques for use with Aruba APs and mobility controllers.

Guest does not get redirected to the Captive Portal web page

The most common issue with Captive Portal is when redirects do not
occur. In most cases it is caused by one or more of the following:

! Client device does not have DNS and/or IP configured
! Client browser does not have auto-detect configured (this
requirement is browser and browser version dependent)
! The loopback address of the controller hosting the Captive Portal is
not reachable, typically due to restrictive firewall policies

Installation Quick Start

Overview

For those who wish to quickly load the configuration for this reference
topology onto their controller, this section describes two very fast
procedures.

Information you will need

To do either of these procedures, you will need the information described
in Appendix A: Configuration Values.

The fast procedure

One way to quickly get through this document is to edit it such that the
instructions show the correct configuration information for your particular
installation: VLANs, IP addresses, SSIDs, etc. Once these changes have
been made, you can simply enter all instructions as shown.

Here’s how to edit this document to reflect a particular installation:

1 Obtain the Word version of this document and save it under a new
name, e.g. My_WLAN_Base_Configuration.doc
2 From the Edit menu, select Find…
3 In the Find and Replace dialogue box, click the Replace tab
4 In the Find what: box, enter each of the values in the
“Documented Value” column of the table in Appendix A
5 In the Replace with: box, enter the new value
6 Click the More button
7 Under Search Options, select the “Match case” and
“Find whole words only” options
8 Click the Replace All button
9 Check and accept all replacements
10 Save the document again to ensure the changes are not lost

Congratulations! You now have a version of this document that is
specially edited to reflect your installation.

The really fast procedure

An even faster way to get going is to obtain a copy of the matching
configuration file that is available with this document and edit it directly.

! Important: Make sure the configuration file matches the controller
you plan to install it on: for example, the configuration file for a 6000
should only be installed on a 6000, etc.

Here is the procedure for editing the matching configuration file:

1 Open the configuration file in your favorite editor, such as Microsoft
WordPad
2 Search for each of the values in the “Documented Value” column of
the table in Appendix A and replace it with the new value
3 Save the configuration file
4 In this document, follow the directions for the initial master
controller setup (4)
5 Configure a PC with an IP address and connect it such that it can
communicate with the controller
6 Upload the new configuration file from the PC to the controller (5)
7 Gain access to the controller (via SSH, telnet or HTTP/S)
8 Reload (reboot) the controller

Congratulations! When the controller has reloaded, it will run the new
configuration file. You may now test your new configuration.
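Both quick-start procedures come down to a find-and-replace of the Appendix A values that must be case-sensitive, whole-word only, and must not let one substitution feed into the next (if the core VLAN 5 becomes 10 and the employee VLAN 10 becomes 30, a value-by-value Replace All turns the core VLAN into 30 as well). Here is an added example in Python, written for this page and not a tool shipped with this guide or with ArubaOS, that applies a whole mapping of documented values to new site values in a single pass over the text and reports how many times each value was hit, which is the check step 2 of this procedure asks for. The site values and the configuration text it runs on are constructed for illustration; the text only borrows the guide's values and is not a real ArubaOS configuration.

```python
import re

# Documented values from Appendix A mapped to constructed site values. Note that
# VLAN 5 becomes 10 while VLAN 10 becomes 30: a classic chained-replacement trap.
SITE_VALUES = {
    "5": "10",                       # Core VLAN
    "10": "30",                      # Employee VLAN
    "900": "950",                    # Guest VLAN
    "10.3.22.20": "10.9.1.20",       # Core VLAN IP address
    "10.3.22.220": "10.9.1.220",     # Loopback address
    "172.16.200.20": "10.9.200.20",  # Guest VLAN IP address
    "guestnet": "visitor",           # Guest SSID
}

# Constructed sample text that borrows the guide's values; not a real ArubaOS file.
SAMPLE_CONFIG = """\
hostname Aruba-master
vlan 5
vlan 10
vlan 900
interface loopback ip address 10.3.22.220
interface vlan 5 ip address 10.3.22.20 255.255.255.0
interface vlan 900 ip address 172.16.200.20 255.255.255.0
wlan ssid guestnet
"""

def whole_word(expr):
    # Case-sensitive whole-word match. '.' counts as part of the word so that
    # 10.3.22.20 is never found inside 10.3.22.220, 10.3.22.200 or 210.3.22.20.
    return r"(?<![\w.])" + expr + r"(?![\w.])"

def build_pattern(mapping):
    # One alternation, longest value first, so a single pass finds every
    # documented value once and never re-scans text it has already replaced.
    keys = sorted(mapping, key=len, reverse=True)
    return re.compile(whole_word("(" + "|".join(re.escape(k) for k in keys) + ")"))

def apply_site_values(text, mapping=SITE_VALUES):
    """Replace all documented values in one pass; returns (new_text, hits per value)."""
    hits = {}
    def substitute(match):
        value = match.group(1)
        hits[value] = hits.get(value, 0) + 1
        return mapping[value]
    return build_pattern(mapping).sub(substitute, text), hits

def naive_sequential_replace(text, mapping=SITE_VALUES):
    """What a value-by-value Replace All does: later passes rewrite earlier output."""
    for old, new in mapping.items():
        text = re.sub(whole_word(re.escape(old)), lambda m: new, text)
    return text

if __name__ == "__main__":
    single_pass, hits = apply_site_values(SAMPLE_CONFIG)
    sequential = naive_sequential_replace(SAMPLE_CONFIG)
    print(single_pass)
    print("hits:", hits)
    print("sequential Replace All gives a different result:", sequential != single_pass)
```

The hit counts are the place to look before loading the file: a documented value with zero hits was probably wrapped or spelled differently in the file, and a short numeric value such as a VLAN ID with more hits than expected may have matched something unrelated, which is exactly why the Word procedure ends with checking each replacement.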

(4) Uploading a configuration file is done via TFTP, which requires IP connectivity. There is no
specific actual IP addressing required here – anything will do. These changes will be overwritten
by the new configuration file.
(5) This action requires a TFTP server be installed on the PC.

Appendix A: Configuration Values

Overview

This document discusses a reference topology that requires many
different values – IP addresses, VLANs, etc. This section describes each
of the key values used as part of the configuration in this document.

Base WLAN configuration values

The following table shows the parameters and their values as used in
this document for the base WLAN:

Configuration Parameter    | Description                                                                      | Documented Value
Controller system name     | The name of the Aruba controller                                                 | Aruba-master
Core VLAN                  | The VLAN (or VLANs) that contain the controller uplink                           | 5
Core VLAN subnet           | The IP subnet for the core VLAN                                                  | 10.3.22.0
Core VLAN netmask          | The netmask for the core VLAN                                                    | 255.255.255.0
Core VLAN IP address       | The IP address for the controller on the core VLAN                               | 10.3.22.20
Loopback address           | The IP address for the controller loopback interface                             | 10.3.22.220
Employee VLAN              | The VLAN for authenticated employees                                             | 10
Employee VLAN subnet       | The IP subnet for the employee VLAN                                              | 172.16.10.0
Employee VLAN netmask      | The netmask for the employee VLAN                                                | 255.255.255.0
Employee VLAN IP address   | The IP address for the controller on the employee VLAN                           | 172.16.10.20
Default gateway            | The default gateway for the Aruba controller                                     | 10.3.22.1
Syslog server IP address   | The IP address of the system log server                                          | 10.3.22.252
Test PC                    | A test PC used for validating the configuration                                  | 10.3.22.10
Employee SSID              | The SSID for the employee WLAN                                                   | corpnet
NTP server                 | The IP address of an NTP server                                                  | 131.216.22.9
AP Location ID             | The first ID used for AP provisioning                                            | 1.1.1
RADIUS server              | The name of the RADIUS server used for employee authentication                   | Radius01
RADIUS IP address          | The IP address of the RADIUS server                                              | 10.3.22.253
RADIUS shared secret       | The shared secret that is configured on both the RADIUS server and the Aruba controller | radius123
RADIUS authentication port | The authentication port used by the RADIUS server                                | 1812
RADIUS accounting port     | The port used by the RADIUS server for accounting                                | 1813

Guest WLAN configuration values

The following table shows the parameters and their values as used in
this document for the secure guest access portion of the WLAN:

Configuration Parameter         | Description                                                                       | Documented Value
Guest VLAN                      | The VLAN for guests                                                               | 900
Guest VLAN subnet               | The IP subnet for the guest VLAN                                                  | 172.16.200.0
Guest VLAN netmask              | The netmask for the guest VLAN                                                    | 255.255.255.0
Guest VLAN IP address           | The IP address for the controller on the guest VLAN                               | 172.16.200.20
Guest SSID                      | The SSID for the guest WLAN                                                       | guestnet
Public DNS server1              | Public DNS server for guest use                                                   | 64.151.103.120
Public DNS server2              | Public DNS server for guest use                                                   | 216.87.84.209
Public DNS server3              | Public DNS server for guest use                                                   | 217.115.138.24
Excluded address range start    | The start of addresses excluded from the DHCP server scope for guests             | 172.16.200.1
Excluded address range end      | The end of addresses excluded from the DHCP server scope for guests               | 172.16.200.25
Guest account                   | The first account configured for guests to authenticate themselves via Captive Portal | guest100
Guest password                  | The default password for the guest account                                        | GoAruba
Guest user role                 | The user role granted guests who have successfully authenticated                  | AuthGuest
Guest creation account          | The user account that can log on to the controller for the sole purpose of creating guest accounts | Addguest
Guest creation account password | The password for the guest creation account                                       | pl@yd0h
Internal network 1              | An internal network that will be denied to guests                                 | 10.0.0.0
Internal network 1 netmask      | The netmask for the network                                                       | 255.255.255.0
Internal network 2              | An internal network that will be denied to guests                                 | 192.168.0.0
Internal network 2 netmask      | The netmask for the network                                                       | 255.255.255.0
Internal network 3              | An internal network that will be denied to guests                                 | 172.16.0.0
Internal network 3 netmask      | The netmask for the network                                                       | 255.255.240.0
Business hours start time       | The first hour of business in a day                                               | 08:00
Business hours end time         | The last hour of business in a day                                                | 18:00
Guest bandwidth                 | The amount of bandwidth available for use by all guests                           | 1 Mbps
Re-authentication interval      | The amount of time after which a guest user is forced to authenticate again (in minutes) | 480