DG WLAN Secure Guest Access ArubaOS25
Recommended Reading
The following pre-requisite documentation is highly recommended before reading this document: Best Practices: WLAN Base Configuration.
Table of Contents
WLAN Secure Guest Access
  Design Summary
  Design Guidelines
  Installation Procedure
  Guest WLAN Configuration
  Configuring the Guest VLAN
  Configuring Guest DHCP
  Configuring Guest Authentication
  Configuring the Guest SSID
  Determining Guest Access Policies & Rights
  Define Security Objects
  Define Guest Access Scope
  Configuring Guest Access Policies
  Configuring the Captive Portal
  Configuring the First Guest Client
  Next Steps
  Advanced Design Considerations
    Layer 3 mobility
  Common Troubleshooting Tasks
  Installation Quick Start
    The fast procedure
    The really fast procedure
  Appendix A: Configuration Values
    Base WLAN configuration values
    Guest WLAN configuration values
Design Summary
Overview: This section describes a typical secure guest access configuration for an Aruba production network.
Features and functionality: The secure guest access configuration includes the following features and functionality:
- Simple, secure wireless guest user access via Captive Portal that prevents wireless users from accessing internal resources
Topology: The following network diagram shows the basic topology for this network design:
Required licenses: Valid licenses for the following software modules are required to configure the reference network design:
Required hardware: At least one Aruba mobility controller is required to manage and control the mobility domain and the Aruba APs.
Scaling notes: The reference design allows for a separate master controller and AP manager controller. However, these functions may be combined within the same controller.
Further reading: Please see the Best Practices: WLAN Base Configuration for the precursor configuration of this reference network. Also, please see the Aruba User Guide documentation for more information on installation, features and advanced or alternate configuration.
For the impatient: Want to just go ahead and get this configuration on a controller? Then read the next section for a detailed description of what will be configured as well as quick start instructions. [1]

[1] Estimated time to complete this configuration by following this document:
Design Guidelines
Overview: This section describes how to design the reference secure guest access configuration topology.
Network configuration: Each Aruba Mobility Controller in this reference design is configured with the following:
The Aruba controller has two uplinks to a core router for redundancy. Spanning tree is run to disable one link. The core router is responsible for routing all traffic to and from the mobility controllers.
The master controller manages the Aruba APs – the AP will get its configuration from whichever controller it terminates to. Each Aruba AP is connected to the wired network (VLAN 8 in this example) and acquires an IP address via DHCP from an external server located in the data center. The APs auto-discover the master controller by querying DNS for Aruba-master. Once they have found the master, the APs download their configuration and create a tunnel to their local management system (LMS) – in this case, the Aruba master controller.
WLANs and SSIDs: The wireless LAN (WLAN) is comprised of two SSIDs – one for employees called corpnet and one for guests called guestnet. This document shows how to configure the guestnet WLAN.
Guest authentication: The guestnet SSID is an open wireless LAN that allows any wireless client to easily associate. The client is placed into VLAN 900 and receives an IP address from the corporate DHCP server. However, the user has no access to network resources beyond DHCP and DNS until they open a web browser and log in with a registered guest account via the Captive Portal. All traffic to the Internet is source-NATed.
AAA servers: Guests are required to authenticate before they are given network access. Thus, AAA (Authentication, Authorization and Accounting) servers are also required. This design reference example uses the following configuration:
Guest AAA server: Although guests do not have user accounts in the corporate Active Directory server, for security purposes they are still required to authenticate. Temporary guest accounts are created in the local authentication database of the Aruba-master. These accounts may be managed and assigned by the corporate receptionist when a guest first signs in.
Once a guest has been assigned an account, they can enter their information into the Captive Portal login screen on their browser. This will grant them guest access.
Policy enforcement & access control: All client devices are subject to policy rules and restrictions that limit what they may do. This policy enforcement is enacted automatically by the policy-enforcement engine of the Aruba mobility controller.
Guest access policies: Guests are only granted access to the wireless network during business hours (08:00 to 18:00). Any guest access outside these hours is prohibited.
Guests are also subject to a bandwidth contract that limits all guests to a single 1Mbps bandwidth pool.
Transparent Layer 3 mobility: Although the design reference shows employees and guests each on a single VLAN throughout the entire enterprise, there is no reason why multiple VLANs cannot be supported. Thus, a client device that associates on one AP may be assigned VLAN 10 and then move to an AP in another building that normally places clients into VLAN 11. In this case, the user will keep their original IP address and transparently roam without needing to drop their IP address and acquire a new one.
ARM/RF management: All Aruba APs are configured to run the Adaptive Radio Management (ARM) algorithm. This allows the AP to automatically scan the RF environment and do the following:
AP deployment: The number of APs and their deployment locations were determined using the Aruba RF Plan tool. The floor plans for all buildings that require coverage were first imported along with information on the building dimensions and the amount of coverage required.
Air Monitors (AMs) may also be configured at this time. Any Aruba AP automatically provides monitoring when it is not busy servicing clients.
For the impatient: The rest of this document provides a detailed description of how to configure the reference design. If you want to simply load this configuration on a controller, please see the section Installation Quick Start.
Installation Procedure
Overview: This section describes the overall steps involved in configuring a network according to the reference network design described in the previous section.
Procedure steps: Here are the steps required and the order in which to perform them:
Guest WLAN Configuration
Overview: This section describes how to add secure guest access to the base reference network topology, as described in the Best Practices: WLAN Base Configuration document.
Guest WLAN configuration: We are ready to configure the guest WLAN. This will include the following actions:
Configuring the Guest VLAN
Overview: This section describes how to configure a VLAN for guest users on the Aruba mobility controller.
Configuring Guest DHCP
Overview: This section describes how to configure DHCP services for guest users on the Aruba mobility controller.
Guest DHCP scope: In our reference design, guests using the WLAN are given IP addresses via DHCP from the Aruba controller. These addresses are not routable in the core network, which adds an additional layer of security to the design by hiding the IP addressing scheme used in the core network from guests and from users who accidentally associate with the WLAN. To configure a DHCP scope for guest users, do the following:
1. On the top-level menu bar, click Configuration. Make sure that the advanced option is selected.
2. On the left-hand option menu, click General under the Switch heading.
3. Click the DHCP Server tab.
4. Check the Enable DHCP Server box.
5. Under Pool Configuration, click the Add button.
6. Under Pool Name, enter guestpool.
7. In the Add DHCP Pool screen, enter the following information:
   Default Router: 192.168.200.20
   DNS Servers: 64.151.103.120, 216.87.84.209
   Lease: 0 Days, 4 Hours, 0 Minutes
   Network: 192.168.200.0
   Netmask: 255.255.255.0
Configuring Guest Authentication
Guest AAA server: In our reference design, guests are prompted to authenticate before they are allowed Internet access. These accounts are stored on a simple (non-RADIUS) local authentication database of the Aruba controller. The local authentication DB is configured by default. All that is required is to create accounts for guest use.
Creating a guest account administrator role: In order to create a user role that only has rights to access guest accounts, follow these steps:
1. On the top-level menu bar, click Configuration. Make sure the advanced option is selected.
2. On the left-hand option menu, under Switch click Management.
3. Click the Access Control tab.
4. Under the Management Users section, click the Add button.
5. Under user name, enter addguests.
6. Under password, enter pl@yd0h.
7. Under confirm password, enter pl@yd0h.
8. Make sure the role pull-down is set to guest-provisioning.
9. Click the Apply button.
Guest accounts: Here is the procedure to configure guest accounts on the internal DB:
1. Log the admin user out of the Aruba controller by clicking the logout button in the upper right section of the top menu bar.
2. Log in to the controller using the addguests account created in the previous section.
3. A restricted menu bar appears. Only the Security->Internal User Database section appears, with only the Internal DB tab.
4. Click the Add User button.
5. In the Add User screen, enter the following information:
   User Name: guest100
   Password: GoAruba
   Role: Guest
   Enable: box checked
   Expiration: Set Expiry Time to 240 mins
Note: The guest user accounts that are created can be set to not expire, to expire after a set time in minutes, or to expire at a set end date.
(Figure: Authentication successful)
Configuring the Guest SSID
Overview: This section describes how to configure the SSID for the guest network.
Guest SSID: In our design reference, there is a separate SSID for guests. Since the guest SSID will use a different (and lower) grade of security, it is important not to mix it with the stronger employee security keys, as they could be compromised. Here is the procedure to configure the guest SSID:
Note: When entering the default VLAN, make sure you click the ! button to enter the value before you click the Apply button.
At this point you can test and ensure that the Aruba APs correctly establish a connection and advertise the correct SSIDs. To check this, activate the wireless adapter on the test PC and verify that it sees the SSID.
Determining Guest Access Policies & Rights
Overview: This section describes how to determine appropriate guest access rights, roles and policies. The design reference in this document is based on real-world policies and examples.
Guest access policies: According to our reference design, guests must authenticate via the Captive Portal web login before they are granted network access. Once authenticated, they are only allowed to access the Internet via HTTP/S (ports 80 and 443) - all other network access is prohibited. They are also only allowed to access the guest WLAN during business hours and must share a 1Mbps pool of bandwidth.
We will create the firewall policies first and then attach them to the guest user role with the other restrictions.
Design Note: Because guest users are allowed to associate to the WLAN before they authenticate, we will create two sets of firewall policies. The first (called Guest-Logon-Access) will be applied to anyone who associates to the guestnet SSID and is extremely restrictive. The second (called Guest-Access) will be applied after authentication and will allow Internet access.
Netdestination aliases: The guest access policies shown are very restrictive – the goal is to only allow access to the devices that must be reachable and to deny all others. To make the firewall policies easier to write and read, we will create some aliases first that we will use to:
Once these are created, we may use the alias name wherever we would type several IP addresses or networks.
Define Security Objects
Overview: This section describes how to determine and define the resources (networks, servers) that a guest will be restricted or allowed to use. We call these security objects since they are not actually security policies. Instead, these are definitions or aliases that will be used by the policies later in this document.
Strictly speaking, these aliases are not required. However, they are extremely useful and make configurations much cleaner and easier to understand and use. Because of this, they are included in standard best practice implementations.
Security objects we will use: Here are the security objects we will define for use in our policies:
Internal networks netdestination alias: Here is the procedure to create a destination alias for all internal networks:
Public DNS alias: The public DNS alias is a netdestination alias that allows us to specify all of the DNS servers a guest may use. In our reference network design, these are all public, external machines that are outside the corporate network.
Define Guest Access Scope
Overview: This section describes how to determine and define the scope of guest access. Scope typically defines when and how a guest is allowed to access the WLAN and resources.
Guest access scopes: In this reference design, two scope limitations are imposed on guests:
1. Guests may only access the WLAN during business hours
2. Guests must share a restricted amount of bandwidth
Business hours time range: To configure the time-based scope, we will create a time range that defines business hours. This will be used by the guest user role to restrict access during non-business hours. Any guest who tries to use the wireless network outside of business hours will be blocked.
Bandwidth contract for guests: Lastly, we'll set up a bandwidth contract to limit the amount of traffic the users can consume. This will also be used by the guest user role. We will use this contract to create a "pool" of available bandwidth which all guest users must share.
Configuring Guest Access Policies
Overview: This section describes how to configure guest access policies utilizing the definitions and scopes we created previously.
Guest-Logon-Access policy: Now we will build the Guest-Logon-Access firewall policy. This will be used to limit what guests may do before they authenticate.
11. In the policy statement, create a rule that will only allow the DNS protocol between the user and public DNS servers (Public-DNS alias) during business hours. This traffic will be source-NATed using the IP interface of the controller for the VLAN. Create the policy by entering the following information:
    Source: User
    Destination: Alias
    Alias: Public-DNS
    Service: Svc-dns
    Action: Src-nat
    Time Range: Business-Hours

[2] Mswitch is a built-in alias that refers to the loopback IP address on an Aruba mobility controller.

Guest-Access firewall policy: Now let's create the firewall policy for guest users once they have authenticated. Here is the procedure to create the Guest-Access firewall policy:
11. In the policy statement, create a rule that will only allow the DNS protocol between the user and public DNS servers (Public-DNS alias) during business hours. This traffic will be source-NATed using the IP interface of the controller for the VLAN. Create the policy by entering the following information:
    Source: User
    Destination: Alias
    Alias: Public-DNS
    Service: Svc-dns
    Action: Src-nat
    Time Range: Business-Hours
Block-Internal-Networks firewall policy: This policy denies access to anything on the internal corporate network. Here is the procedure to create the Block-Internal-Networks firewall policy:
Drop-And-Log firewall policy: We will create one final firewall policy. This policy denies everything, drops the traffic and logs the attempted network access to the system log. This is very useful as a final statement for a user role, so that any attempted access beyond what was provisioned is logged. Here is the procedure to create the Drop-And-Log firewall policy:

[3] Remember, we created the Internal-Networks alias earlier to represent all of our internal networks.

Guest-Logon user role: Now that the firewall policies are configured, let's create a user role for the guest users before they log on and authenticate. The role contains the following firewall policies, in the order shown:
    2  Guest-Logon-Access
    3  Block-Internal-Networks
Guest user role: Now let's create a user role for guest users after they have been authenticated. The role contains the following firewall policies, in the order shown:
    2  Guest-Logon-Access
    3  Block-Internal-Networks
    4  Guest-Access
    5  Drop-And-Log
Apply guest user role to guest users: Now that the AuthGuest role has been created, it needs to be applied to the guest user in the internal database.
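The enforcement chain this section builds (netdestination aliases, the Business-Hours time range, the four firewall policies and the two user roles) is easier to reason about with a small model that walks a role's policies in order and reports which policy decides each flow. The Python below is an added example, not Aruba code and not ArubaOS CLI syntax. The Public-DNS members are the two DNS servers from the guest DHCP pool; the Internal-Networks members, the mswitch address, every rule other than the documented DNS rule, and the implicit final deny are assumptions and are marked as such in the code. The bandwidth contract is not modelled.

```python
"""Added example (not Aruba code or CLI syntax): a model of the guest-access
enforcement chain described in this guide, so that policy order, the
Business-Hours time range and the pre/post-authentication roles can be
checked against constructed flows. Items marked ASSUMPTION are not from the guide."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Netdestination aliases. Public-DNS holds the DNS servers documented in the
# guest DHCP pool; Internal-Networks and the mswitch address are ASSUMPTIONS.
ALIASES = {
    "Internal-Networks": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")],
    "Public-DNS": [ip_network("64.151.103.120/32"), ip_network("216.87.84.209/32")],
    "mswitch": [ip_network("192.168.200.20/32")],  # built-in alias: controller loopback
    "any": [ip_network("0.0.0.0/0")],
}
SERVICES = {"svc-dns": ("udp", 53), "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # the guide's 08:00 to 18:00 time range


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    dport: int
    at: time


@dataclass(frozen=True)
class Rule:
    dst_alias: str
    service: Optional[str]  # None matches any service
    action: str             # permit | src-nat | deny | deny-log
    business_hours_only: bool = False

    def matches(self, f: Flow) -> bool:
        in_alias = any(ip_address(f.dst) in net for net in ALIASES[self.dst_alias])
        svc_ok = self.service is None or SERVICES[self.service] == (f.proto, f.dport)
        in_hours = (not self.business_hours_only
                    or BUSINESS_HOURS[0] <= f.at < BUSINESS_HOURS[1])
        return in_alias and svc_ok and in_hours


# The four policies from this section. Only the DNS rule of Guest-Logon-Access
# is spelled out in the guide; the other rules are ASSUMPTIONS that follow its
# prose (portal reachable before login, HTTP/S only after login, deny internal
# networks, drop and log everything else).
POLICIES = {
    "Guest-Logon-Access": [
        Rule("Public-DNS", "svc-dns", "src-nat", business_hours_only=True),
        Rule("mswitch", "svc-https", "permit"),  # reach the Captive Portal itself
    ],
    "Block-Internal-Networks": [Rule("Internal-Networks", None, "deny")],
    "Guest-Access": [
        Rule("any", "svc-http", "src-nat", business_hours_only=True),
        Rule("any", "svc-https", "src-nat", business_hours_only=True),
    ],
    "Drop-And-Log": [Rule("any", None, "deny-log")],
}

# Policies attached to each user role, in the order the guide lists them.
ROLES = {
    "Guest-Logon": ["Guest-Logon-Access", "Block-Internal-Networks"],
    "AuthGuest": ["Guest-Logon-Access", "Block-Internal-Networks",
                  "Guest-Access", "Drop-And-Log"],
}


def role_for(authenticated: bool) -> str:
    """Derivation rule: association to guestnet lands in Guest-Logon; a
    successful Captive Portal login moves the device to AuthGuest."""
    return "AuthGuest" if authenticated else "Guest-Logon"


def evaluate(role: str, flow: Flow) -> Tuple[Optional[str], str]:
    """First matching rule wins, walking the role's policies in order.
    A flow that matches nothing is denied (ASSUMPTION: implicit deny)."""
    for policy in ROLES[role]:
        for rule in POLICIES[policy]:
            if rule.matches(flow):
                return policy, rule.action
    return None, "deny"


def make_flow(dst: str, proto: str, dport: int, hh: int, mm: int = 0) -> Flow:
    return Flow(dst, proto, dport, time(hh, mm))


if __name__ == "__main__":
    # Constructed sample flows; 93.184.216.34 stands in for an Internet web server.
    samples = [
        ("DNS to public resolver, 10:00", make_flow("64.151.103.120", "udp", 53, 10)),
        ("DNS to public resolver, 19:00", make_flow("64.151.103.120", "udp", 53, 19)),
        ("HTTPS to controller loopback", make_flow("192.168.200.20", "tcp", 443, 10)),
        ("HTTP to Internet, 10:00", make_flow("93.184.216.34", "tcp", 80, 10)),
        ("HTTP to Internet, 19:00", make_flow("93.184.216.34", "tcp", 80, 19)),
        ("HTTP to internal host, 10:00", make_flow("10.1.2.3", "tcp", 80, 10)),
        ("SSH to Internet, 10:00", make_flow("93.184.216.34", "tcp", 22, 10)),
    ]
    for authenticated in (False, True):
        role = role_for(authenticated)
        for label, flow in samples:
            print(f"{role:12} {label:30} -> {evaluate(role, flow)}")
```

Running the model shows why the ordering matters: before login the device can reach only public DNS and the portal, and everything else falls off the end of the role with no log entry; after login HTTP/S is source-NATed during business hours only, internal addresses are stopped by Block-Internal-Networks before Guest-Access can permit them, and anything left (SSH, or web traffic after 18:00) is recorded by Drop-And-Log, which is what makes that final policy worth having.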
Configuring the Captive Portal
Overview: This section describes how to configure the Captive Portal on the Aruba mobility controller.
Configuring authentication methods: Now that the user roles and access rights are defined, we can configure the authentication method for guests. This will allow a guest user to associate to an SSID, authenticate and gain network access.
Guest authentication: To enable guest authentication, we will do two things. First, for security reasons, we will move any device that associates to the guestnet SSID to the more secure Guest-Logon user role instead of the default logon user role that all wireless/untrusted devices are normally placed in at association time. This is called a derivation rule. Derivation rules are rules applied to a device that can change the user role or VLAN of the device.
Guest SSID derivation rule: Here is the procedure to move devices that associate to the guestnet SSID to a new user role:
Captive Portal: Here is the procedure to configure Captive Portal authentication for guest users:
Configuring the First Guest Client
Configuring the first guest client: We can now configure and test the first guest client device as well. The guest client requires no additional software installation. The guest client's wireless adapter should be configured with the following information:
    Parameter            Value
    Network Name (SSID)  guestnet
    Association Mode     Open
    Encryption Method    None
Once the client device has associated to the guest network, open a web browser and request a web site. The browser will be redirected automatically to the Captive Portal login page. Once redirected to the login page, use the guest account that we created earlier:
Next Steps
Overview: This section provides recommendations for next steps in the installation of an Aruba mobility infrastructure.
Backup the controller: Once you have a working configuration, it is an excellent idea to save and back up the controller configuration and databases.
Important: Before you can copy a backup file from the controller, you must have a working TFTP or FTP server.
Other tasks: There are many other configuration tasks that might also be configured as part of the mobility infrastructure. These include:
For more information on these tasks, please see the appropriate best practices guide.
Advanced Design Considerations
Overview: This section discusses more advanced design topics. These design considerations may or may not be relevant to a given network design. If unsure, please discuss with your Aruba technical representative.
Layer 3 mobility: Although the reference design in this guide only has one VLAN for each SSID or type of user, this is not always the case. Very large deployments may have a different VLAN for multiple buildings or even every floor of each building. So although the SSID stays the same when a user roams, the IP network changes.
Common Troubleshooting Tasks
Guest does not get redirected to the Captive Portal web page: The most common issue with Captive Portal is when redirects do not occur. In most cases it is caused by one or more of the following:
- Client device does not have DNS and/or IP configured
- Client browser does not have auto-detect configured (this requirement is browser and browser version dependent)
- The loopback address of the controller hosting the Captive Portal is not reachable, typically due to restrictive firewall policies
Installation Quick Start
Overview: For those who wish to quickly load the configuration for this reference topology onto their controller, this section describes two very fast procedures.
Information you will need: To do either of these procedures, you will need the information described in Appendix A: Configuration Values.
The fast procedure: One way to quickly get through this document is to edit it such that the instructions show the correct configuration information for your particular installation: VLANs, IP addresses, SSIDs, etc. Once these changes have been made, you can simply enter all instructions as shown.
1. Obtain the Word version of this document and save it under a new name, e.g. My_WLAN_Base_Configuration.doc
   1. From the Edit menu, select Find…
   2. In the Find and Replace dialogue box, click the Replace tab
   3. In the Find what: box, enter each of the values in the "Documented Value" column of the table in Appendix A
   4. In the Replace with: box, enter the new value
   5. Click the More button
   6. Under Search Options, select the "Match case" and "Find whole words only" options
   7. Click the Replace All button
   8. Check and accept all replacements
   9. Save the document again to ensure the changes are not lost
Congratulations! When the controller has reloaded, it will run the new configuration file. You may now test your new configuration.

[4] Uploading a configuration file is done via TFTP, which requires IP connectivity. There is no specific IP addressing required here – anything will do. These changes will be overwritten by the new configuration file.
[5] This action requires that a TFTP server be installed on the PC.
Appendix A: Configuration Values
Base WLAN configuration values: The following table shows the parameters and their values as used in this document for the base WLAN:
Guest WLAN configuration values: The following table shows the parameters and their values as used in this document for the secure guest access portion of the WLAN: