How To: Cisco ISE Captive Portals with Aruba Wireless

Authors: Adam Hollifield, Brad Johnson

Introduction

Previous configurations for integrating Cisco ISE portals and Aruba Wireless used a static external captive portal URL to redirect clients to an ISE portal. This required the use of multiple authorization profiles and authorization rules per PSN. Aruba AOS 8.4 added support for the Aruba-Captive-Portal-URL Vendor Specific Attribute (VSA) which allows for dynamic URL redirection similar to what we see when configuring portal rules with Cisco network access devices (NADs). This will enable additional scale, posture flows, and ease of configuration when integrating Aruba wireless with Cisco Identity Services Engine.  

Prerequisites

Minimum Requirements

The minimum software requirements for this configuration:

  • Aruba AOS 8.4 or later
  • Cisco ISE 2.4 or later

 

Components Used

The information in this document is based on these software versions:

  • Aruba Wireless Controller with AOS 8.10.0.1
  • Cisco ISE 3.1 with Patch 3

 

Configuration

Aruba Wireless Controller

WLAN Creation

  1. Navigate to Configuration > Tasks > Create a new WLAN.
    Screenshot 2022-06-21 091706.png

  2. Fill in the SSID and select Guest as Primary usage. Select AP groups and Forwarding mode as required by the wireless deployment. Click Next.
    Screenshot 2022-06-21 091814.png
    NOTE: it is best practice to broadcast WLANs only on specified AP groups and not use the default group.

  3. Select the VLAN and click Next.
    Screenshot 2022-06-21 091850.png

  4. Set Security to Internal Captive Portal, no auth or registration and click Next.
    Screenshot 2022-06-21 091932.png
    The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA. However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the WLAN to successfully redirect clients.
  5. Click Next and Finish.
  6. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.
    Screenshot 2022-06-21 092056.png
    Screenshot 2022-06-21 092216.png

 

Authentication Configuration

  1. Navigate to Configuration > Authentication > Auth Servers. Click the + button under All Servers. Fill in the name, select type RADIUS, and fill in the IP address/hostname of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.
    Screenshot 2022-06-21 092146.png

  2. Select the newly created RADIUS Server definition. Enter the Shared Key and click Submit. Repeat for each of the ISE PSN RADIUS Server definitions.
    Screenshot 2022-06-21 092342.png

  3. Click the + button under All Servers. Change type to Dynamic Authorization and enter the IP address of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.
    Screenshot 2022-06-21 092429.png

  4. Select the newly created RFC 3576 definition and enter the Key. Click Submit. Repeat for each of the ISE PSN RFC 3576 definitions.
    Screenshot 2022-06-21 092504.png

  5. Click the + button under Server Groups. Enter a name. Click Submit.
    Screenshot 2022-06-21 092702.png

  6. Select the newly created Server Group and click the + button. Choose Add existing server and select the ISE PSN RADIUS Server definition. Click Submit. Repeat for the rest of the ISE PSN RADIUS Server definitions.
    Screenshot 2022-06-21 100346.png

  7. Navigate to Configuration > Authentication > AAA Profiles. Select the AAA profile for the newly created WLAN, [SSID]_aaa_prof. Enable RADIUS Interim Accounting. Click Submit.
    Screenshot 2022-06-21 093311.png

  8. Select MAC Authentication. Change MAC Authentication Profile to Default. Click Submit.
    Screenshot 2022-06-21 093413.png

  9. Select MAC Authentication Server Group. Change Server Group to the ISE Server Group created previously. Click Submit.
    Screenshot 2022-06-21 093602.png

  10. Select RADIUS Accounting Server Group. Change Server Group to the ISE Server Group created previously. Click Submit.
    Screenshot 2022-06-21 093630.png

  11. Select RFC 3576 Server. Click the + button and select the ISE PSN from the drop-down. Click Submit. Repeat for each of the ISE PSN RFC 3576 server definitions.
    Screenshot 2022-06-21 093720.png

  12. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.
    Screenshot 2022-06-21 092216.png

 

Role & Policy Configuration

  1. Navigate to Configuration > Roles & Policies > Policies and click the + button.
    Screenshot 2022-06-21 094024.png

  2. Set Policy Type to Session, enter a Policy Name and an optional description. Click Submit.
    Screenshot 2022-06-21 094501.png

  3. Select the newly created policy and click the + button. Select Access Control and click OK. Create a new forwarding rule allowing captive portal traffic to the ISE PSNs. Click Submit.
    Screenshot 2022-06-21 094753.png
    NOTE: This Policy enforces what traffic from the guest WLAN will be allowed BEFORE the guest authenticates to the portal. This Policy can and should be customized for the individual network environment and security requirements. At a minimum, the captive portal ports (typically 8443) must be allowed from the guest users to the ISE PSNs during the redirect phase.

  4. Navigate to Configuration > Roles & Policies > Roles and click the + button to create a new role. Give the Role a Name and click Submit.
    Screenshot 2022-06-21 100719.png

  5. Select the newly created Role from the list. Click Show Advanced View.
    Screenshot 2022-06-21 100902.png

  6. Click the + button within Policies. Select Add an existing policy. Select type Session and select the policy created in the previous step. Click Submit.
    Screenshot 2022-06-21 101000.png

  7. Repeat this procedure, adding the logon-control and captiveportal Policies to this Role.
    Screenshot 2022-06-21 101224.png

  8. Re-order the policies so that the Policy created previously is listed between logon-control and captiveportal.
    Screenshot 2022-06-21 101312.png

  9. Select the Captive Portal tab. Move the slider to Internal Captive Portal, no auth or registration.
    Screenshot 2022-06-21 101436.png
    The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA. However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the Role to successfully redirect clients.
  10. Click Submit.
  11. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.
    Screenshot 2022-06-21 092216.png

You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal.  In this example, the Aruba default guest Role is used for this purpose.

 

Cisco ISE

Aruba RADIUS Dictionary Addition

The default Aruba RADIUS dictionary in Cisco ISE does not contain the RADIUS VSA Aruba-Captive-Portal-URL. This must be manually created before configuring the network device profile.

  1. Navigate to Policy > Policy Elements > Dictionaries.
  2. Expand System > RADIUS > RADIUS Vendors and click on the Aruba entry.
    iseRADIUSdictionary1.png

  3. Click Dictionary Attributes and then Add.
    iseRADIUS1.png

  4. Fill in the information as follows:
    Attribute Name: Aruba-Captive-Portal-URL
    Description: [optional]
    Data Type: STRING
    ID: 43
    iseRADIUS2.png

  5. Click Submit and verify the new attribute shows up under the Dictionary Attributes menu.
    iseRADIUS3.png

 

Aruba Network Device Profile

The default Aruba Network Device Profile in Cisco ISE does not support URL redirection via RADIUS VSA.  A custom Network Device Profile for Aruba AOS controllers has been created and is attached to this article.

  1. Navigate to Administration > Network Resources > Network Device Profiles. Click the Import button. Browse to the Aruba_AOS.xml file and click Import.
    Screenshot 2022-06-21 110007.png

  2. Navigate to Administration > Network Resources > Network Devices and click the +Add button.
  3. Add an entry for the Aruba Mobility Controller, ensuring that the custom Aruba_AOS Network Device Profile imported in the previous step is selected. Specify the IP Address of the Mobility Controller and the RADIUS Shared Secret.
    Screenshot 2022-06-21 110526.png

  4. Click Save.

 

Aruba Authorization Profiles

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
  2. Click the +Add button.
    • This authorization (authz) profile will be for redirecting the unknown guest user.
  3. Give the authz profile a name and select Aruba_AOS as the Network Device Profile.
    Screenshot 2022-06-21 101926.png
  4. Within Common Tasks click the checkbox for ACL and specify the name of the Role created for the redirect on the Aruba Mobility Controller. NOTE: these names must match exactly.
    Screenshot 2022-06-21 101953.png
  5. Check the box for Web Redirection and specify the corresponding portal type and portal. Click Save.
    Screenshot 2022-06-21 102021.png
    This guide does not cover the creation of a portal on ISE. For this example, the Default Hotspot Guest Portal is used.
  6. Click the +Add button again.
    • This authorization profile is for the authenticated guest.
  7. Give the authz profile a name and select Aruba_AOS as the Network Device Profile.
    Screenshot 2022-06-21 102109.png
  8. Within Common Tasks click the checkbox for ACL and specify the name of the Role for the guest users on the Aruba Mobility Controller.
    Screenshot 2022-06-21 102145.png
    NOTE: these names must match exactly. You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal. In this example, the Aruba default guest role is used for this purpose.
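As an added illustration (not code from the article or from the attached Aruba_AOS profile), the Python below builds the two Aruba VSAs that the redirect authz profile returns in its Access-Accept, the role from the ACL task (Aruba-User-Role) and the portal URL from the Web Redirection task (Aruba-Captive-Portal-URL, ID 43 as added to the dictionary above), and then decodes them with and without the ID 43 dictionary entry, so you can see that any decoder lacking that entry can only report the sub-attribute as unknown. The Aruba vendor ID 14823 and Aruba-User-Role ID 1 are assumptions taken from the public Aruba RADIUS dictionary; the role name and portal URL are constructed samples.

```python
import struct

# Assumed from the public Aruba RADIUS dictionary (not on the page): vendor 14823, Aruba-User-Role = 1.
# ID 43 for Aruba-Captive-Portal-URL is the value the article adds to the ISE dictionary.
ARUBA_VENDOR_ID = 14823
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
ARUBA_DICT_DEFAULT = {1: "Aruba-User-Role"}                                   # before the manual addition
ARUBA_DICT_WITH_URL = {**ARUBA_DICT_DEFAULT, 43: "Aruba-Captive-Portal-URL"}  # after the manual addition

# Constructed sample of what the Aruba Guest Redirect authz profile would return.
SAMPLE_ROLE = "guest-redirect"
SAMPLE_PORTAL_URL = "https://ise-psn.example.com:8443/portal/gateway?portal=guest"


def encode_aruba_vsa(vendor_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute (type 26) carrying a single Aruba string sub-attribute."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data  # Vendor-Type, Vendor-Length, String
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub              # Vendor-Id followed by the sub-attribute
    if 2 + len(body) > 255:
        raise ValueError("VSA too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def guest_redirect_attributes(role: str = SAMPLE_ROLE, url: str = SAMPLE_PORTAL_URL) -> bytes:
    """Attribute list of the redirect Access-Accept: the pre-auth role plus the captive portal URL."""
    return encode_aruba_vsa(1, role) + encode_aruba_vsa(43, url)


def decode_attributes(blob: bytes, aruba_dict: dict) -> list:
    """Walk a RADIUS attribute list; Aruba sub-attribute IDs missing from aruba_dict come back as Unknown."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        payload = blob[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(payload) >= 6:
            vendor, j = struct.unpack("!I", payload[:4])[0], 4
            while j + 2 <= len(payload):
                vtype, vlen = payload[j], payload[j + 1]
                if vlen < 2 or j + vlen > len(payload):
                    raise ValueError("malformed vendor sub-attribute")
                vval = payload[j + 2:j + vlen].decode("utf-8", "replace")
                name = (aruba_dict.get(vtype, f"Unknown-Attribute-{vtype}")
                        if vendor == ARUBA_VENDOR_ID else f"Vendor-{vendor}-Type-{vtype}")
                out.append((name, vval))
                j += vlen
        else:
            out.append((f"Attr-{atype}", payload))  # non-VSA attributes are passed through raw
        i += alen
    return out
```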

 

Authentication Allowed Protocols Configuration

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols. Click the +Add button to create a new Allowed Protocols Service.
  2. Give the Allowed Protocols Service a name and an optional description. Disable all other protocols except for Process Host Lookup and PAP/ASCII. Click Save.
    Screenshot 2022-06-21 102326.png

 

Policy Set Configuration

  1. Navigate to Policy > Policy Sets and click the button to create a new policy set.
  2. Give the policy set a name and within conditions, specify Aruba-Aruba-Essid-Name CONTAINS [SSID].
    • Replace [SSID] with the name of the SSID configured on the Mobility Controller.
      Screenshot 2022-06-21 105413.png
  3. For Allowed Protocols/Server Sequence, select the MAB allowed protocols created in the previous section.
  4. Click Save and then click the greater than sign (>) on the far right of the policy set to open the new Policy Set.
  5. Expand Authentication Policy and specify Internal Endpoints in the Use column of the Default authc policy.
  6. Change If User not found within Options to Continue.
    Screenshot 2022-06-22 093131.png

  7. Expand Authorization Policy and click the plus (+) button to create a new authz policy.
  8. Specify a name for the policy and for Conditions specify IdentityGroup-Name EQUALS Endpoint Identity Groups:GuestEndpoints.
    • This guide is using the Remember Me guest flow so if the endpoint MAC address exists in the specified endpoint group they will automatically be granted guest access.
  9. Specify the Aruba Guest Permit authorization profile in the Results column.
  10. Specify the Aruba Guest Redirect authorization profile in the Results column for the Default authz policy.
    Screenshot 2022-06-22 093504.png
  11. Click Save.

 

Verification

ISE RADIUS Live Logs

Navigate to Operations > RADIUS > Live Logs. Reading the screenshot below from bottom to top, the Live Logs should show the initial authentication receiving the Aruba Guest Redirect authz profile, then the Change of Authorization (CoA) sent once the user logs into the captive portal, and finally the endpoint re-authenticating to the wireless network and receiving the Aruba Guest Permit authz profile.
    Screenshot 2022-06-21 103859.png

 

The endpoint should also be a member of the GuestEndpoints Group within Context Visibility > Endpoints after logging into the captive portal.
    Screenshot 2022-06-21 104452.png

 

Aruba Mobility Controller 

Navigate to Dashboard > Overview and click on the clients view. Before authentication to the captive portal, the client should be assigned the guest-redirect role.
    Screenshot 2022-06-21 105034.png

After authentication to the captive portal, the client should be assigned the guest role.
    Screenshot 2022-06-21 104624.png

 

Comments
Leo Laohoo
Hall of Fame

@ahollifield

Do you have this in PDF form, please?

bradjohnson
Cisco Employee

You can generate a printer friendly version by going to the top-right of the page, click Options > Printer Friendly Page.

printerFriendly.png

From there you can print to PDF.

Leo Laohoo
Hall of Fame

Thanks, @bradjohnson.

rrrsseta
Level 1

Hi,

Is it possible to make a setup like this but using the built-in "Guest_Flow" condition instead of relying on the GuestEndpoints group?

Will ISE recognize "Guest_Flow" for third party NAD like Aruba?

Magret
Level 1

Dear,

May I know where to download "Aruba_AOS.XML" file? 

 

bradjohnson
Cisco Employee

@Magret It is at the bottom of the article.

download.png

 

Magret
Level 1

Thanks @bradjohnson 

tonyang
Level 1

Hi,

First, thank you for sharing. But I have a question for you.

For the "initial role" and "mac authentication default role" in "guest_aaa_prof", it's "guest-guest-logon". But the user role defined is "guest-redirect". May I confirm with you whether the "initial role" and "mac authentication default role" is "guest-redirect" in "guest_aaa_prof"?

Looking forward to your early reply.

The initial role and mac-auth-default roles actually do not matter since we are overriding the role value from the RADIUS response from ISE using the Aruba-User-Role VSA. They can technically be set to anything since they will never be used in this flow. For the example and How To doc, I just left them at the Aruba default values.
tonyang
Level 1

Thanks for your reply. May I know whether the defined user role "guest-redirect" will be associated with aaa profile ?

It does not.  The role just must be defined on the controller and the name must match EXACTLY with what is pushed in the VSA from ISE.

tonyang
Level 1

Thank you. I completed the configuration and met the issue that the redirect URL didn't work on the client side. From the tcpdump packet, the attribute "Aruba-Captive-Portal-URL" was shown as an unknown attribute in the RADIUS. Do you have any idea about this?

Did you import the XML Network Device Profile into your ISE deployment?  Did you assign that Network Device Profile to the definition for your Mobility Controller?  What version of AOS?

tonyang
Level 1

Yes, the XML was imported and associated to the network devices (Aruba Controllers). The AOS version is 8.6.0.9. I am not sure if the XML file can support AOS 8.6.0.9? I saw the testing environment is running on AOS 8.10.0.1.

bradjohnson
Cisco Employee

That shouldn't matter as the RADIUS VSA Aruba-Captive-Portal-URL was added to ArubaOS 8.4. That's why we noted in the XML that it was for ArubaOS 8.4+. On your wireless controller, is it showing the VSA as unknown and rejected or rejecting because it contains invalid information?
