06-22-2022 06:23 PM - edited 05-21-2024 07:33 AM
How To: Cisco ISE Captive Portals with Aruba Wireless
Authors: Adam Hollifield, Brad Johnson
Previous configurations for integrating Cisco ISE portals with Aruba Wireless used a static external captive portal URL to redirect clients to an ISE portal. Because the URL was static, this required a separate authorization profile and authorization rule for each Policy Service Node (PSN). Aruba AOS 8.4 added support for the Aruba-Captive-Portal-URL Vendor Specific Attribute (VSA), which lets ISE return the redirect URL dynamically in the RADIUS Access-Accept, much as it does when configuring portal redirection on Cisco network access devices (NADs). This enables better scale, posture flows, and simpler configuration when integrating Aruba wireless with Cisco Identity Services Engine.
The minimum software requirements for this configuration:
The information in this document is based on these software versions:
You may also wish to create a custom role to assign to guest users once they successfully authenticate to the captive portal. In this example, the Aruba default guest role is used for this purpose.
The default Aruba RADIUS dictionary in Cisco ISE does not contain the RADIUS VSA Aruba-Captive-Portal-URL. This attribute must be created manually in the Aruba dictionary before the network device profile is configured, because the profile references it for URL redirection.
The default Aruba Network Device Profile in Cisco ISE does not support URL redirection via RADIUS VSA. A custom Network Device Profile for Aruba AOS controllers has been created and is attached to this article.
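To make the dictionary dependency concrete, here is an added Python example (not code from the article, from Cisco, or from Aruba) that encodes Aruba VSAs the way an Access-Accept carries them (RFC 2865, section 5.26) and then decodes the same bytes against two dictionaries, one with the Aruba-Captive-Portal-URL entry and one without. The vendor ID 14823 and vendor types 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan) come from the Aruba dictionary; vendor type 43 for Aruba-Captive-Portal-URL and the portal URL string are assumptions for illustration and should be checked against the dictionary in use on the controller.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865, section 5.26)
in the Aruba vendor space and look them up against two copies of a RADIUS
dictionary: one with the Aruba-Captive-Portal-URL entry and one without.
Constructed example; not code from the original article or from Cisco/Aruba."""
import struct

VSA_TYPE = 26            # RADIUS attribute type for Vendor-Specific
ARUBA_VENDOR_ID = 14823  # IANA Private Enterprise Number assigned to Aruba Networks

# Vendor-type numbers and data types as they appear in the Aruba RADIUS
# dictionary. 1 and 2 are the long-standing role and VLAN attributes; 43 is
# ASSUMED here for Aruba-Captive-Portal-URL and must be checked against the
# dictionary shipped with the controller (or FreeRADIUS dictionary.aruba).
ARUBA_DICT_DEFAULT = {
    1: ("Aruba-User-Role", "string"),
    2: ("Aruba-User-Vlan", "integer"),
}
ARUBA_DICT_WITH_URL = dict(ARUBA_DICT_DEFAULT)
ARUBA_DICT_WITH_URL[43] = ("Aruba-Captive-Portal-URL", "string")


def encode_vsa(vendor_id, vendor_type, value):
    """Return one Vendor-Specific attribute (Type 26) carrying a single vendor
    sub-attribute in the common Type(1)/Length(1)/Value layout Aruba uses."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    # The outer Length byte covers Type, Length, the 4-byte Vendor-Id and the
    # sub-attribute, so the sub-attribute (2 header bytes + payload) <= 249 bytes.
    if len(payload) > 247:
        raise ValueError("VSA value too long for a single RADIUS attribute")
    vendor_attr = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    return struct.pack("!BBI", VSA_TYPE, 6 + len(vendor_attr), vendor_id) + vendor_attr


def _decode_vendor_attrs(vendor_id, data, vendor_dict):
    """Decode the sub-attributes inside one VSA, bounding every length first."""
    out = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = data[pos], data[pos + 1]
        if vlen < 2 or pos + vlen > len(data):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        vdata = data[pos + 2:pos + vlen]
        pos += vlen
        entry = vendor_dict.get(vtype)
        if entry is None:
            # This is what a capture tool shows when its dictionary has no entry
            # for the vendor type: the bytes are on the wire, but nothing names them.
            out.append((f"Unknown-Attribute(vendor={vendor_id}, type={vtype})", vdata))
            continue
        name, dtype = entry
        if dtype == "integer":
            if len(vdata) != 4:
                raise ValueError(f"{name}: integer must be 4 bytes, got {len(vdata)}")
            out.append((name, struct.unpack("!I", vdata)[0]))
        else:
            out.append((name, vdata.decode("utf-8", errors="replace")))
    return out


def decode_attributes(blob, vendor_dicts):
    """Walk a sequence of RADIUS attributes and return (name, value) pairs.
    Length fields come from the network, so each is checked before it is used."""
    decoded = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE:
            decoded.append((f"Attr-{atype}", body))
            continue
        if len(body) < 6:
            raise ValueError("VSA too short to hold a Vendor-Id and a sub-attribute")
        vendor_id = struct.unpack("!I", body[:4])[0]
        decoded.extend(_decode_vendor_attrs(vendor_id, body[4:], vendor_dicts.get(vendor_id, {})))
    return decoded


def build_guest_redirect_attrs(role, portal_url):
    """Attributes an 'Aruba Guest Redirect' style authorization profile would
    return. The URL passed in is a placeholder; the real one is generated by ISE."""
    return encode_vsa(ARUBA_VENDOR_ID, 1, role) + encode_vsa(ARUBA_VENDOR_ID, 43, portal_url)


if __name__ == "__main__":
    # Constructed sample: the redirect profile plus a VLAN, as one attribute run.
    attrs = build_guest_redirect_attrs("guest-redirect", "https://ise-psn.example.com:8443/portal/gateway")
    attrs += encode_vsa(ARUBA_VENDOR_ID, 2, 2022)
    print("default dictionary:", decode_attributes(attrs, {ARUBA_VENDOR_ID: ARUBA_DICT_DEFAULT}))
    print("with URL entry:    ", decode_attributes(attrs, {ARUBA_VENDOR_ID: ARUBA_DICT_WITH_URL}))
```

Running the script prints the same bytes twice: with the default dictionary the middle attribute comes back as Unknown-Attribute(vendor=14823, type=43), with the extended dictionary it comes back named with its URL. The length checks are deliberate: both the outer Length byte and the vendor sub-attribute Length arrive from the network, and a decoder that trusts either one before bounding it reads past the buffer on a malformed packet.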
Navigate to Operations > RADIUS > Live Logs. Reading the screenshot below from bottom to top, the Live Logs should first show the endpoint receiving the Aruba Guest Redirect authorization profile, then the Change of Authorization (CoA) issued once the user logs in to the captive portal, and finally the endpoint re-authenticating to the wireless network and receiving the Aruba Guest Permit authorization profile.
After logging in to the captive portal, the endpoint should also appear as a member of the GuestEndpoints group under Context Visibility > Endpoints.
On the Aruba controller, navigate to Dashboard > Overview and open the Clients view. Before authentication to the captive portal, the client should be assigned the guest-redirect role.
After authentication to the captive portal, the client should be assigned the guest role.
Hi Bradjohnson,
Thanks for your reply on this. Actually, I haven't collected a packet capture on this, but I've collected a tcpdump on the ISE side. The attribute "Aruba-Captive-Portal-URL" was shown as an unknown attribute in the packet sent from ISE to the controller.
Did you create the Aruba-Captive-Portal-URL dictionary entry in the Aruba RADIUS attributes within ISE?
Yes, it's done.
Hi,
Is it possible to add another attribute to the authorization profile to change the VLAN assignment of a guest after completing self-registration? If yes, is any additional change needed on the Aruba WLC? Thank you.
Aruba Attribute: Aruba-User-Vlan
Authorization Profile:
Access Type = ACCESS_ACCEPT
Aruba-User-Role = XXX
Aruba-User-Vlan = XXX
You should be able to utilize VLAN under Common Tasks. If not, simply create a custom attribute under Advanced Attribute Settings. Nothing needs to change on the network device profile since the profile also uses the Aruba dictionary.
Here's the problem, though. How will the endpoint know the VLAN changed, therefore pulling a new IP, after they authenticate? Endpoints don't see a VLAN change on the backend without a connection bounce (disconnect and reconnect). It would be better to change the VLAN on the initial connection and keep them there through the process and post authentication.
Thanks for your reply, bradjohnson
After configuring the VLAN under Common Tasks and Advanced Attributes Settings, some unknown attributes were added as well.
May I know what these unknown attributes are? Additionally, that's my question of how the endpoints know the VLAN changed after completing CoA. I will validate and post the result next week.
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:2022 (Unknown attribute)
Tunnel-Type = 1:13 (Unknown attribute)
Tunnel-Medium-Type = 1:6 (Unknown attribute)
Aruba-User-Role = XXX
Aruba-User-Vlan = 2022
Thank you, ahollifield.
After many attempts, it takes a long time to change the VLAN information of endpoints (suppose CoA has completed; I can see the result in the RADIUS Live Log) after inputting the configuration in the "Authorization Profile". Do you have any idea how to address this issue?
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:2022 (Unknown attribute)
Tunnel-Type = 1:13 (Unknown attribute)
Tunnel-Medium-Type = 1:6 (Unknown attribute)
Aruba-User-Role = XXX
Aruba-User-Vlan = 2022
That is precisely why you should put the VLAN within the Aruba User Role on the controller rather than relying on CoA and additional RADIUS attributes. Any reason why you are not putting VLAN 2022 as an attribute within the XXX role itself on the Mobility Controller configuration?
Both "Authorization Profile" and "User Role" are set to VLAN 2022. But it randomly fails to change the attribute of VLAN.
Thank you, ahollifield.
But it fails to change the VLAN attribute for the endpoint if I only leave the VLAN tag within the user role. The endpoint just gets the invalid IP "169.254.x.x".
Yes, the VLAN is trunked to the controllers. The SSID is running in "Tunnel" mode. The same VLAN on a different SSID with PSK is working fine without a captive portal. Possibly I forgot to assign the DHCP policy to the user role. Let me modify the user role and test again.
Hi, I have the same problem with the attribute Aruba-Captive-Portal-URL: ISE sends the attribute to the AP as unknown.
Did you solve this?
I have ISE 2.X, not 3.1 like the guide; can this be the source of the issue?