How To: Cisco ISE Captive Portals with Aruba Wireless

Authors: Adam Hollifield, Brad Johnson

Introduction

Previous configurations for integrating Cisco ISE portals and Aruba Wireless used a static external captive portal URL to redirect clients to an ISE portal. This required the use of multiple authorization profiles and authorization rules per PSN. Aruba AOS 8.4 added support for the Aruba-Captive-Portal-URL Vendor Specific Attribute (VSA) which allows for dynamic URL redirection similar to what we see when configuring portal rules with Cisco network access devices (NADs). This will enable additional scale, posture flows, and ease of configuration when integrating Aruba wireless with Cisco Identity Services Engine.  

Prerequisites

Minimum Requirements

The minimum software requirements for this configuration:

  • Aruba AOS 8.4 or later
  • Cisco ISE 2.4 or later

 

Components Used

The information in this document is based on these software versions:

  • Aruba Wireless Controller with AOS 8.10.0.1
  • Cisco ISE 3.1 with Patch 3

 

Configuration

Aruba Wireless Controller

WLAN Creation

  1. Navigate to Configuration > Tasks > Create a new WLAN.
    [Screenshot 2022-06-21 091706.png]

  2. Fill in the SSID and select Guest as Primary usage.  Select AP groups and Forwarding mode as required by the wireless deployment.  Click Next.
    [Screenshot 2022-06-21 091814.png]
    NOTE: it is best practice to broadcast WLANs only on specified AP groups and not use the default group.

  3. Select the VLAN and click Next.
    [Screenshot 2022-06-21 091850.png]

  4. Set Security to Internal Captive Portal, no auth or registration and click Next.
    [Screenshot 2022-06-21 091932.png]
    The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA.  However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the WLAN to successfully redirect clients.

  5. Click Next and Finish.

  6. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.
    [Screenshot 2022-06-21 092056.png]
    [Screenshot 2022-06-21 092216.png]

 

Authentication Configuration

  1. Navigate to Configuration > Authentication > Auth Servers.  Click the + button under All Servers.  Fill in the name, select type RADIUS, and fill in the IP address/hostname of the ISE PSN.  Click Submit.  Repeat for each of the ISE PSNs.
    [Screenshot 2022-06-21 092146.png]

  2. Select the newly created RADIUS Server definition. Enter the Shared Key and click Submit.  Repeat for each of the ISE PSN RADIUS Server definitions.
    [Screenshot 2022-06-21 092342.png]

  3. Click the + button under All Servers. Change type to Dynamic Authorization and enter the IP address of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.
    [Screenshot 2022-06-21 092429.png]

  4. Select the newly created RFC 3576 definition and enter the Key. Click Submit.  Repeat for each of the ISE PSN RFC 3576 definitions.
    [Screenshot 2022-06-21 092504.png]

  5. Click the + button under Server Groups. Enter a name. Click Submit.
    [Screenshot 2022-06-21 092702.png]

  6. Select the newly created Server Group and click the + button.  Choose Add existing server and select the ISE PSN RADIUS Server definition.  Click Submit.  Repeat for the rest of the ISE PSN RADIUS Server definitions.
    [Screenshot 2022-06-21 100346.png]

  7. Navigate to Configuration > Authentication > AAA Profiles.  Select the AAA profile for the newly created WLAN, [SSID]_aaa_prof.  Enable RADIUS Interim Accounting. Click Submit.
    [Screenshot 2022-06-21 093311.png]

  8. Select MAC Authentication. Change MAC Authentication Profile to Default. Click Submit.
    [Screenshot 2022-06-21 093413.png]

  9. Select MAC Authentication Server Group. Change Server Group to the ISE Server Group created previously.  Click Submit.
    [Screenshot 2022-06-21 093602.png]

  10. Select RADIUS Accounting Server Group. Change Server Group to the ISE Server Group created previously.  Click Submit.
    [Screenshot 2022-06-21 093630.png]

  11. Select RFC 3576 Server.  Click the + button and select the ISE PSN from the drop-down.  Click Submit.  Repeat for each of the ISE PSN RFC 3576 server definitions.
    [Screenshot 2022-06-21 093720.png]

  12. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.
    [Screenshot 2022-06-21 092216.png]

 

Role & Policy Configuration

  1. Navigate to Configuration > Roles & Policies > Policies and click the + button.
    [Screenshot 2022-06-21 094024.png]

  2. Set Policy Type to Session, enter a Policy Name and an optional description.  Click Submit.
    [Screenshot 2022-06-21 094501.png]

  3. Select the newly created policy and click the + button.  Select Access Control and click OK. Create a new forwarding rule allowing captive portal traffic to the ISE PSNs.  Click Submit.
    [Screenshot 2022-06-21 094753.png]
    NOTE: This Policy enforces what traffic from the guest WLAN will be allowed BEFORE the guest authenticates to the portal.  This Policy can and should be customized for the individual network environment and security requirements.  At a minimum, the captive portal ports (typically 8443) must be allowed from the guest users to the ISE PSNs during the redirect phase.

  4. Navigate to Configuration > Roles & Policies > Roles and click the + button to create a new role.  Give the Role a Name and click Submit.
    [Screenshot 2022-06-21 100719.png]

  5. Select the newly created Role from the list.  Click Show Advanced View.
    [Screenshot 2022-06-21 100902.png]

  6. Click the + button within Policies. Select Add an existing policy. Select type Session and select the policy created in the previous step.  Click Submit.
    [Screenshot 2022-06-21 101000.png]

  7. Repeat this procedure, adding the logon-control and captiveportal Policies to this Role.
    [Screenshot 2022-06-21 101224.png]

  8. Re-order the policies so that the Policy created previously is listed between logon-control and captiveportal.
    [Screenshot 2022-06-21 101312.png]

  9. Select the Captive Portal tab.  Move the slider to Internal Captive Portal, no auth or registration.
    [Screenshot 2022-06-21 101436.png]
    The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA.  However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the Role to successfully redirect clients.

  10. Click Submit.

  11. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.
    [Screenshot 2022-06-21 092216.png]

You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal.  In this example, the Aruba default guest Role is used for this purpose.
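The ordering rule in step 8 and the NOTE in step 3 are easiest to reason about with a first-match model of the redirect Role. The following Python is an added example written for this article, not configuration exported from the Mobility Controller: the three policies are constructed, simplified stand-ins (logon-control permitting DHCP/DNS, captiveportal redirecting HTTP/HTTPS, the custom policy permitting TCP 8443 to the PSNs), the PSN addresses are hypothetical, and the implicit final deny is the usual firewall default. The `unreachable_psns` check is the pre-deployment test a practitioner would want: it lists every PSN the guest could not reach on the portal port while still in the redirect Role.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One session-ACL rule in a simplified model: destination CIDR (or "any"),
    protocol ("tcp", "udp" or "any"), destination port (None = any port), action."""
    dst: str
    proto: str
    dport: Optional[int]
    action: str  # "permit", "deny" or "redirect"


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.dst != "any" and ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(policies, flow: Flow):
    """First-match evaluation over the Role's ordered policies.
    Returns (policy_name, action); an unmatched flow hits the implicit deny."""
    for name, rules in policies:
        for rule in rules:
            if rule_matches(rule, flow):
                return name, rule.action
    return "implicit", "deny"


def unreachable_psns(policies, psn_ips, portal_port=8443):
    """Pre-deployment check: PSNs the redirect Role would NOT let a guest reach
    on the portal port. Expected result for a correct Role: an empty list."""
    return [ip for ip in psn_ips
            if evaluate(policies, Flow(ip, "tcp", portal_port))[1] != "permit"]


# Constructed sample values: hypothetical PSN addresses, portal on TCP 8443.
ISE_PSNS = ["10.10.10.11", "10.10.10.12"]

# Simplified stand-ins for the three policies attached to the redirect Role.
# logon-control and captiveportal are Aruba's predefined policies; the rules
# below are a constructed approximation, not a copy of the controller's definitions.
LOGON_CONTROL = [Rule("any", "udp", 67, "permit"), Rule("any", "udp", 53, "permit")]
GUEST_REDIRECT_ACL = [Rule(f"{ip}/32", "tcp", 8443, "permit") for ip in ISE_PSNS]
CAPTIVEPORTAL = [Rule("any", "tcp", 80, "redirect"), Rule("any", "tcp", 443, "redirect")]

# Ordered as the guide specifies: custom policy between logon-control and captiveportal.
GUEST_REDIRECT_ROLE = [
    ("logon-control", LOGON_CONTROL),
    ("guest-redirect-acl", GUEST_REDIRECT_ACL),
    ("captiveportal", CAPTIVEPORTAL),
]

# A Role missing the custom policy: clients are redirected to a portal they cannot reach.
INCOMPLETE_ROLE = [("logon-control", LOGON_CONTROL), ("captiveportal", CAPTIVEPORTAL)]


if __name__ == "__main__":
    for flow in (Flow("10.10.10.11", "tcp", 8443),
                 Flow("198.51.100.10", "tcp", 443),
                 Flow("198.51.100.10", "tcp", 22)):
        print(flow, "->", evaluate(GUEST_REDIRECT_ROLE, flow))
    print("PSNs unreachable with the incomplete Role:",
          unreachable_psns(INCOMPLETE_ROLE, ISE_PSNS))
```

Run `unreachable_psns` against whatever rule set you actually deploy (with the real PSN list) before pushing Pending Changes; a non-empty result means the redirect phase will fail for at least one PSN.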

 

Cisco ISE

Aruba RADIUS Dictionary Addition

The default Aruba RADIUS dictionary in Cisco ISE does not contain the RADIUS VSA Aruba-Captive-Portal-URL. This must be manually created before configuring the network device profile.

  1. Navigate to Policy > Policy Elements > Dictionaries.
  2. Expand System > RADIUS > RADIUS Vendors and click on the Aruba entry.
    [iseRADIUSdictionary1.png]

  3. Click Dictionary Attributes and then Add.
    [iseRADIUS1.png]

  4. Fill in the information as follows:
    Attribute Name: Aruba-Captive-Portal-URL
    Description: [optional]
    Data Type: STRING
    ID: 43
    [iseRADIUS2.png]

  5. Click Submit and verify that the new attribute shows up under the Dictionary Attributes menu.
    [iseRADIUS3.png]

 

Aruba Network Device Profile

The default Aruba Network Device Profile in Cisco ISE does not support URL redirection via RADIUS VSA.  A custom Network Device Profile for Aruba AOS controllers has been created and is attached to this article.

  1. Navigate to Administration > Network Resources > Network Device Profiles. Click the Import button.  Browse to the Aruba_AOS.xml file and click Import.
    [Screenshot 2022-06-21 110007.png]

  2. Navigate to Administration > Network Resources > Network Devices and click the +Add button.
  3. Add an entry for the Aruba Mobility Controller, making sure to select the custom Aruba_AOS Network Device Profile imported in the previous step.  Specify the IP Address of the Mobility Controller and the RADIUS Shared Secret.
    [Screenshot 2022-06-21 110526.png]

  4. Click Save.

 

Aruba Authorization Profiles

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
  2. Click the +Add button.
    • This authorization (authz) profile will be for redirecting the unknown guest user.
  3. Give the authz profile a name and select Aruba_AOS as the Network Device Profile.
    [Screenshot 2022-06-21 101926.png]
  4. Within Common Tasks click the checkbox for ACL and specify the name of the Role created for the redirect on the Aruba Mobility Controller.  NOTE: these names must match exactly.
    [Screenshot 2022-06-21 101953.png]
  5. Check the box for Web Redirection and specify the corresponding portal type and portal.  Click Save.
    [Screenshot 2022-06-21 102021.png]
    This guide does not cover the creation of a portal on ISE.  For this example, the Default Hotspot Guest Portal is used.
  6. Click the +Add button again.
    • This authorization profile is for the authenticated guest.
  7. Give the authz profile a name and select Aruba_AOS as the Network Device Profile.
    [Screenshot 2022-06-21 102109.png]
  8. Within Common Tasks click the checkbox for ACL and specify the name of the Role for the guest users on the Aruba Mobility Controller.
    [Screenshot 2022-06-21 102145.png]
    NOTE: these names must match exactly. You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal. In this example, the Aruba default guest role is used for this purpose.
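What the dictionary addition above and these two authorization profiles produce on the wire is a pair of RFC 2865 Vendor-Specific attributes in the Access-Accept. The Python below is an added example written for this article, not code from ISE, the Aruba controller or the attached Aruba_AOS.xml profile. It encodes and decodes Aruba VSAs and shows the effect of the missing dictionary entry: a decoder whose dictionary lacks ID 43 reports the attribute as unknown. Assumptions: Aruba's IANA enterprise number 14823 and the vendor-type IDs 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan) come from the public Aruba dictionary rather than from this page; the role names and portal URL are constructed placeholders, and the mapping of the profile's ACL and Web Redirection tasks onto Aruba-User-Role and Aruba-Captive-Portal-URL is the assumed behaviour of the custom profile.

```python
import struct

# Aruba Networks' IANA private enterprise number (public value, not from this article).
ARUBA_VENDOR_ID = 14823
RADIUS_TYPE_VSA = 26  # RFC 2865 Vendor-Specific attribute type

# Vendor-type IDs: 43 is the Aruba-Captive-Portal-URL entry added to the ISE
# dictionary in this guide; 1 and 2 are assumed from the public Aruba dictionary.
ARUBA_DICTIONARY = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan", 43: "Aruba-Captive-Portal-URL"}
ARUBA_NAME_TO_ID = {name: vid for vid, name in ARUBA_DICTIONARY.items()}
INTEGER_ATTRS = {"Aruba-User-Vlan"}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one VSA: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    vendor_length = 2 + len(data)
    length = 6 + vendor_length
    if length > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", RADIUS_TYPE_VSA, length, vendor_id, vendor_type, vendor_length)
    return header + data


def encode_aruba_attrs(attrs):
    """Encode {attribute-name: value} into the attribute bytes an Access-Accept would carry."""
    return b"".join(encode_vsa(ARUBA_VENDOR_ID, ARUBA_NAME_TO_ID[name], v)
                    for name, v in attrs.items())


def decode_attrs(blob, dictionary=ARUBA_DICTIONARY):
    """Walk a RADIUS attribute string and resolve Aruba VSAs through `dictionary`.
    A vendor-type the dictionary does not define comes back as "Unknown attribute",
    which is how a VSA without a dictionary entry shows up in ISE."""
    decoded, offset = [], 0
    while offset < len(blob):
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < 2 or offset + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        body = blob[offset + 2:offset + length]
        if attr_type == RADIUS_TYPE_VSA:
            vendor_id, vendor_type, vendor_length = struct.unpack_from("!IBB", body)
            data = body[6:4 + vendor_length]
            if vendor_id != ARUBA_VENDOR_ID or vendor_type not in dictionary:
                decoded.append(("Unknown attribute", f"{vendor_id}:{vendor_type}:{data.hex()}"))
            else:
                name = dictionary[vendor_type]
                value = struct.unpack("!I", data)[0] if name in INTEGER_ATTRS else data.decode("utf-8")
                decoded.append((name, value))
        offset += length
    return decoded


# The two authorization profiles of this guide, as the VSAs they are assumed to send.
# Role names and the portal URL are constructed placeholders.
def guest_redirect_accept(portal_url, redirect_role="guest-redirect"):
    return encode_aruba_attrs({"Aruba-User-Role": redirect_role,
                               "Aruba-Captive-Portal-URL": portal_url})


def guest_permit_accept(guest_role="guest"):
    return encode_aruba_attrs({"Aruba-User-Role": guest_role})


if __name__ == "__main__":
    url = "https://ise-psn1.example.com:8443/portal/PLACEHOLDER"
    accept = guest_redirect_accept(url)
    print(decode_attrs(accept))                                                 # both VSAs resolved
    print(decode_attrs(accept, {1: "Aruba-User-Role", 2: "Aruba-User-Vlan"}))  # ID 43 missing
```

The second `decode_attrs` call is the situation to watch for during troubleshooting: the bytes on the wire are identical, and only the receiving side's dictionary decides whether the URL is understood or displayed as an unknown attribute.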

 

Authentication Allowed Protocols Configuration

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols. Click the +Add button to create a new Allowed Protocols Service.
  2. Give the Allowed Protocols Service a name and optional description.  Disable all other protocols except for Process Host Lookup and PAP/ASCII.  Click Save.
    [Screenshot 2022-06-21 102326.png]

 

Policy Set Configuration

  1. Navigate to Policy > Policy Sets and click the button to create a new policy set.
  2. Give the policy set a name and within conditions, specify Aruba-Aruba-Essid-Name CONTAINS [SSID].
    • Replace [SSID] with the name of the SSID configured on the Mobility Controller.
    [Screenshot 2022-06-21 105413.png]
  3. For Allowed Protocols/Server Sequence, select the MAB allowed protocols created in the previous section.
  4. Click Save and then click the greater than sign (>) on the far right of the policy set to open the new Policy Set.
  5. Expand Authentication Policy and specify Internal Endpoints in the Use column of the Default authc policy.
  6. Change If User not found within Options to Continue.
    [Screenshot 2022-06-22 093131.png]

  7. Expand Authorization Policy and click the plus (+) button to create a new authz policy.
  8. Specify a name for the policy and for Conditions specify IdentityGroup-Name EQUALS Endpoint Identity Groups:GuestEndpoints.
    • This guide is using the Remember Me guest flow, so if the endpoint MAC address exists in the specified endpoint group it will automatically be granted guest access.
  9. Specify the Aruba Guest Permit authorization profile in the Results column.
  10. Specify the Aruba Guest Redirect authorization profile in the Results column for the Default authz policy.
    [Screenshot 2022-06-22 093504.png]
  11. Click Save.
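The policy set above, together with the three-event sequence the Verification section later expects in Live Logs (redirect, CoA, permit), can be modelled as a small state machine. The Python below is an added example written for this article, not ISE code: it evaluates the policy set's SSID condition, the MAB authentication step with "If User not found = Continue", and the two authorization rules, then walks one endpoint through the Remember Me flow. The SSID and MAC address are constructed, and the portal login is reduced to the two side effects that matter here (the MAC being registered in GuestEndpoints and a CoA being issued).

```python
from dataclasses import dataclass, field

# Names used in this guide's policy set; the SSID itself is constructed.
GUEST_SSID = "Guest-WiFi"
REDIRECT_PROFILE = "Aruba Guest Redirect"
PERMIT_PROFILE = "Aruba Guest Permit"


@dataclass(frozen=True)
class MabRequest:
    """The parts of a MAB Access-Request that the policy set evaluates."""
    essid_name: str       # Aruba-Essid-Name VSA
    calling_station: str  # endpoint MAC address


@dataclass
class IseState:
    endpoints: dict = field(default_factory=dict)  # Internal Endpoints: MAC -> identity group
    events: list = field(default_factory=list)     # what Live Logs would show, oldest first


def policy_set_matches(req):
    """Policy set condition: Aruba-Aruba-Essid-Name CONTAINS [SSID]."""
    return GUEST_SSID in req.essid_name


def authenticate(state, req, if_user_not_found="Continue"):
    """Authentication policy against Internal Endpoints (Process Host Lookup).
    With 'If User not found' set to Continue an unknown MAC still reaches the
    authorization policy; with Reject it never gets the redirect profile."""
    if req.calling_station in state.endpoints:
        return "Passed"
    return "Continue" if if_user_not_found == "Continue" else "Reject"


def authorize(state, req):
    """Authorization policy: GuestEndpoints -> permit profile; Default -> redirect profile."""
    if state.endpoints.get(req.calling_station) == "GuestEndpoints":
        return PERMIT_PROFILE
    return REDIRECT_PROFILE


def process_request(state, req, if_user_not_found="Continue"):
    """Run one Access-Request through the policy set; returns the authz profile or None."""
    if not policy_set_matches(req):
        state.events.append("No matching policy set")
        return None
    if authenticate(state, req, if_user_not_found) == "Reject":
        state.events.append("Access-Reject")
        return None
    profile = authorize(state, req)
    state.events.append(f"Access-Accept: {profile}")
    return profile


def portal_login(state, mac):
    """Remember Me guest flow: after a successful portal login the MAC is registered
    in GuestEndpoints and a CoA makes the controller re-authenticate the endpoint."""
    state.endpoints[mac] = "GuestEndpoints"
    state.events.append("CoA (Change of Authorization)")


def simulate_guest_session(mac="AA:BB:CC:DD:EE:FF", ssid=GUEST_SSID):
    """Full flow: first MAB -> redirect, portal login -> CoA, second MAB -> permit."""
    state = IseState()
    req = MabRequest(essid_name=ssid, calling_station=mac)
    first = process_request(state, req)
    portal_login(state, mac)
    second = process_request(state, req)
    return first, second, state.events


if __name__ == "__main__":
    first, second, events = simulate_guest_session()
    for event in events:
        print(event)
```

The `if_user_not_found="Reject"` path in `process_request` is why step 6 matters: without Continue, the first MAB request from a never-seen MAC is rejected and the client is never placed in the redirect Role.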

 

Verification

ISE RADIUS Live Logs

Navigate to Operations > RADIUS > Live Logs.  Reading the screenshot below from bottom to top, the Live Logs should first show the Aruba Guest Redirect authz profile, followed by the Change of Authorization (CoA) once the user logs into the captive portal, and finally the endpoint re-authenticating to the wireless network and receiving the Aruba Guest Permit authz profile.
[Screenshot 2022-06-21 103859.png]

The endpoint should also be a member of the GuestEndpoints Group within Context Visibility > Endpoints after logging into the captive portal.
[Screenshot 2022-06-21 104452.png]

Aruba Mobility Controller

Navigate to Dashboard > Overview and click on the clients view.  Before authentication to the captive portal, the client should be assigned the guest-redirect role.
[Screenshot 2022-06-21 105034.png]

After authentication to the captive portal, the client should be assigned the guest role.
[Screenshot 2022-06-21 104624.png]

 

Comments
tonyang
Level 1

Hi Bradjohnson,

Thanks for your reply on this. Actually, I haven't collected a packet capture on this. But I've collected the tcpdump on the ISE side. The attribute "Aruba-Captive-Portal-URL" was shown as an unknown attribute in the packet that was sent from ISE to the controller.

[Capture.JPG]

bradjohnson
Cisco Employee

Did you create the Aruba-Captive-Portal-URL dictionary entry in the Aruba RADIUS attributes within ISE?

tonyang
Level 1

Yes, it's done.

tonyang
Level 1

Hi,

Is it possible to add another attribute to the authorization profile to change the VLAN assignment of the guest after completing self-registration? If yes, is any additional change needed in the Aruba WLC? Thank you.

Aruba Attribute: Aruba-User-Vlan

Authorization Profile:

Access Type = ACCESS_ACCEPT
Aruba-User-Role = XXX
Aruba-User-Vlan = XXX 

 

bradjohnson
Cisco Employee

You should be able to utilize VLAN under Common Tasks. If not, simply create a custom attribute under Advanced Attribute Settings. Nothing needs to change on the network device profile since the profile also uses the Aruba dictionary.

[aruba_user_vlan.png]

Here's the problem, though. How will the endpoint know the VLAN changed, therefore pulling a new IP, after they authenticate? Endpoints don't see a VLAN change on the backend without a connection bounce (disconnect and reconnect). It would be better to change the VLAN on the initial connection and keep them there through the process and post authentication.

 

tonyang
Level 1

Thanks for your reply, bradjohnson

After configuring the VLAN under Common Tasks and Advanced Attributes Settings, some unknown attributes were added as well.

May I know what these unknown attributes are? Additionally, that's my question of how the endpoints know the VLAN changed after completing CoA. I will validate and post the result next week.

 

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:2022 (Unknow attribute)
Tunnel-Type = 1:13 (Unknow attribute)
Tunnel-Medium-Type = 1:6 (Unknow attribute)
Aruba-User-Role = XXX
Aruba-User-Vlan = 2022

ahollifield

You could also specify the VLAN as part of the Role itself on the MC.

tonyang
Level 1

Thank you, ahollifield.

After many attempts, it takes a long time to change the VLAN information of the endpoints (assuming CoA has completed; I can see the result in the RADIUS Live Logs) after entering the configuration in the "Authorization Profile". Do you have any idea how to address this issue?

 

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:2022 (Unknow attribute)
Tunnel-Type = 1:13 (Unknow attribute)
Tunnel-Medium-Type = 1:6 (Unknow attribute)
Aruba-User-Role = XXX
Aruba-User-Vlan = 2022

ahollifield

That is precisely why you should put the VLAN within the Aruba User Role on the controller rather than relying on CoA and additional RADIUS attributes.  Any reason why you are not putting VLAN 2022 as an attribute within the XXX role itself on the Mobility Controller configuration?

tonyang
Level 1

Both "Authorization Profile" and "User Role" are set to VLAN 2022. But it randomly fails to change the VLAN attribute.

[tonyang_0-1662367998478.png]

[tonyang_1-1662368164022.png]


ahollifield

You should only be assigning the VLAN in one of those places, not both. I would remove the VLAN assignment from ISE and only leave the VLAN tag within the role.

tonyang
Level 1

Thank you, ahollifield.

But it fails to change the VLAN attribute for the endpoint if I only leave the VLAN tag within the user role. The endpoint just gets the invalid IP "169.254.x.x".

ahollifield

Are you sure the VLAN is trunked correctly to the controller? What mode are the SSID/APs running in? As a test, what if you place that same VLAN on a different SSID just with a PSK? Do you get a valid IP?

tonyang
Level 1

Yes, the VLAN is trunked to the controllers. The SSID is running in "Tunnel" mode. The same VLAN on a different SSID with PSK is working fine without captive portal. Possibly, I forgot to assign the DHCP policy to the user role. Let me modify the user role and test again.
