Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
40485
Views
10
Helpful
49
Comments

How To: Cisco ISE Captive Portals with Aruba Wireless

ahollifield
VIP
VIP

‎06-22-2022 06:23 PM - edited ‎05-21-2024 07:33 AM

How To: Cisco ISE Captive Portals with Aruba Wireless

Authors: Adam Hollifield, Brad Johnson

Introduction

Previous configurations for integrating Cisco ISE portals and Aruba Wireless used a static external captive portal URL to redirect clients to an ISE portal. This required the use of multiple authorization profiles and authorization rules per PSN. Aruba AOS 8.4 added support for the Aruba-Captive-Portal-URL Vendor Specific Attribute (VSA) which allows for dynamic URL redirection similar to what we see when configuring portal rules with Cisco network access devices (NADs). This will enable additional scale, posture flows, and ease of configuration when integrating Aruba wireless with Cisco Identity Services Engine.  

Prerequisites

Minimum Requirements

The minimum software requirements for this configuration:

  • Aruba AOS 8.4 or later (NOTE: based on various community feedback this configuration does not work with Aruba Instant Mode APs.  Aruba Instant Mode does not have support for the Aruba-Captive-Portal-URL VSA)
  • Cisco ISE 2.4 or later

 

Components Used

The information in this document is based on these software versions:

  • Aruba Wireless Controller with AOS 8.10.0.1
  • Cisco ISE 3.1 with Patch 3

 

Configuration

Aruba Wireless Controller

WLAN Creation

  1. Navigate to Configuration > Tasks > Create a new WLAN.Screenshot 2022-06-21 091706.png

  2. Fill in the SSID and select Guest as Primary usage.  Select AP groups and Forwarding mode as required by the wireless deployment.  Click Next.Screenshot 2022-06-21 091814.png
    NOTE: it is best practice to broadcast WLANs only on specified AP groups and not use the default group.
     

     

  3. Select the VLAN and click NextScreenshot 2022-06-21 091850.png

  4. Set Security to Internal Captive Portal, no auth or registration and click NextScreenshot 2022-06-21 091932.png
    The Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA.  However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the WLAN to successfully redirect clients.
  5. Click Next and Finish.
  6. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.Screenshot 2022-06-21 092056.pngScreenshot 2022-06-21 092216.png

 

Authentication Configuration

  1. Navigate to Configuration > Authentication > Auth Servers.  Click the + button under All Servers.  Fill in name, select type as RADIUS, and fill in the IP address/hostname of the ISE PSN.  Click Submit.  Repeat for each of the ISE PSNs.  Screenshot 2022-06-21 092146.png

  2. Select the newly created RADIUS Server definition. Enter the Shared Key and click Submit.  Repeat for each of the ISE PSN RADIUS Server definitions.Screenshot 2022-06-21 092342.png

  3. Click the + button under All Servers. Change type to Dynamic Authorization and enter the IP address of the ISE PSN. Click Submit. Repeat for each of the ISE PSNs.Screenshot 2022-06-21 092429.png

  4. Select the newly created RFC 3576 definition and enter the Key. Click Submit.  Repeat for each of the ISE PSN RFC 3576 definitions.Screenshot 2022-06-21 092504.png

  5. Click the + button under Server Groups. Enter a name. Click Submit.Screenshot 2022-06-21 092702.png

  6. Select the newly created Server Group and click the + button.  Choose Add existing server and select the ISE PSN RADIUS Server definition.  Click Submit.  Repeat for the rest of the ISE PSN RADIUS Server definitions. Screenshot 2022-06-21 100346.png

  7. Navigate to Configuration > Authentication > AAA Profiles.  Select the AAA profile for the newly created WLAN, [SSID]_aaa_prof.  Enable RADIUS Interim Accounting. Click Submit.Screenshot 2022-06-21 093311.png

  8. Select MAC Authentication. Change MAC Authentication Profile to Default. Click Submit.Screenshot 2022-06-21 093413.png

  9. Select MAC Authentication Server Group. Change Server Group to the ISE Server Group created previously.  Click Submit.Screenshot 2022-06-21 093602.png

  10. Select RADIUS Accounting Server Group. Change Server Group to the ISE Server Group created previously.  Click Submit.Screenshot 2022-06-21 093630.png

  11. Select RFC 3576 Server.  Click the + button and select the ISE PSN from the drop down.  Click Submit.  Repeat for each of the ISE PSN RFC 3576 server definitions. Screenshot 2022-06-21 093720.png

  12. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.Screenshot 2022-06-21 092216.png

 

Role & Policy Configuration

  1. Navigate to Configuration > Roles & Policies > Policies and click the + button.Screenshot 2022-06-21 094024.png

  2. Set Policy Type to Session, enter a Policy Name, and an optional description.  Click Submit.Screenshot 2022-06-21 094501.png
  3. Select the newly created policy and click the + button.  Select Access Control and click OK. Create a new forwarding rule allowing captive portal traffic to the ISE PSNs.  Click SubmitScreenshot 2022-06-21 094753.png
    NOTE: This Policy enforces what traffic from the guest WLAN will be allowed BEFORE the guest authenticates to the portal.  This Policy can and should be customized for the individual network environment and security requirements.  At a minimum, the captive portal ports (typically 8443) must be allowed from the guest users to the ISE PSNs during the redirect phase. 
  4. Navigate to Configuration > Roles & Policies > Roles and click the + button to create a new role.  Give the Role a Name and click Submit.Screenshot 2022-06-21 100719.png

  5. Select the newly created Role from the list.  Click Show Advanced ViewScreenshot 2022-06-21 100902.png

  6. Click the + button within Policies. Select Add an existing policy. Select type Session and select the policy created in the previous step.  Click Submit.Screenshot 2022-06-21 101000.png

  7. Repeat this procedure again adding the logon-control and captiveportal Policies to this Role.  Screenshot 2022-06-21 101224.png

  8. Re-order the policies so that the Policy created previously is listed between logon-control and captiveportal.Screenshot 2022-06-21 101312.png

  9. Select the Captive Portal tab.  Move slider to Internal Captive Portal, no auth or registrationScreenshot 2022-06-21 101436.pngThe Internal Captive Portal will not be used here and will be overridden by the captive portal URL supplied by ISE through the Aruba-Captive-Portal-URL VSA.  However, the Aruba Mobility Controller requires some form of Captive Portal to be enabled on the Role to successfully redirect clients.
  10. Click Submit.
  11. Click Pending Changes in the top right and click Deploy changes to deploy the configuration to the Mobility Controller.Screenshot 2022-06-21 092216.png

You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal.  In this example, the Aruba default guest Role is used for this purpose.

 

Cisco ISE

Aruba RADIUS Dictionary Addition

The default Aruba RADIUS dictionary in Cisco ISE does not contain the RADIUS VSA Aruba-Captive-Portal-URL. This must be manually created before configuring the network device profile.

  1. Navigate to Policy > Policy Elements > Dictionaries.
  2. Expand System > RADIUS > RADIUS Vendors and click on the Aruba entry.
    iseRADIUSdictionary1.png

  3. Click Dictionary Attributes and then Add.
    iseRADIUS1.png

  4. Fill in the information as follows:
    Attribute Name: Aruba-Captive-Portal-URL
    Description: [optional]
    Data Type: STRING
    ID: 43
    iseRADIUS2.png

  5. Click Submit and verify the new attribute shows up under the Dictionary Attributes menu.
    iseRADIUS3.png

 

Aruba Network Device Profile

The default Aruba Network Device Profile in Cisco ISE does not support URL redirection via RADIUS VSA.  A custom Network Device Profile for Aruba AOS controllers has been created and is attached to this article.

  1. Navigate to Administration > Network Resources > Network Device Profiles. Click the Import button.  Browse the Aruba_AOS.xml file and click Import.Screenshot 2022-06-21 110007.png

  2. Navigate to Administration > Network Resources > Network Devices and click the +Add button.
  3. Add an entry for the Aruba Mobility Controller ensuring to select the custom Aruba_AOS Network Device Profile imported in the previous step.  Specify the IP Address of the Mobility Controller and the RADIUS Shared Secret.Screenshot 2022-06-21 110526.png

  4. Click Save.

 

Aruba Authorization Profiles

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
  2. Click the +Add button.
    • This authorization (authz) profile will be for redirecting the unknown guest user.
  3. Give the authz profile a name, select Aruba_AOS as the Network Device Profile.Screenshot 2022-06-21 101926.png
  4. Within Common Tasks click the checkbox for ACL and specify the name of the Role created for the redirect on the Aruba Mobility Controller.  NOTE: these names much match exactly. Screenshot 2022-06-21 101953.png
  5. Check the box for Web Redirection and specify the corresponding portal type and portal.  Click Save.Screenshot 2022-06-21 102021.pngThis guide does not cover the creation of a portal on ISE.  For this example, the Default Hostspot Guest Portal is used.  
  6. Click the +Add button again.
    • This authorization profile is for the authenticated guest.
  7. Give the authz profile a name, select Aruba_AOS as the Network Device Profile.Screenshot 2022-06-21 102109.png
  8. Within Common Tasks click the checkbox for ACL and specify the name of the Role for the guest users on the Aruba Mobility Controller.  Screenshot 2022-06-21 102145.pngNOTE: these names much match exactly. You may also wish to create a custom role for the guest users once the user successfully authenticates to the Captive Portal. In this example, the Aruba default guest role is used for this purpose.

 

Authentication Allowed Protocols Configuration

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols. Click the +Add button to create a new Allowed Protocols Service.  
  2. Give the Allowed Protocols Service a name and optional description.  Disable all other protocols except for Process Host Lookup  and PAP/ASCII.  Click Save.Screenshot 2022-06-21 102326.png

 

Policy Set Configuration

  1. Navigate to Policy > Policy Sets and click the button to create a new policy set.
  2. Give the policy set a name and within conditions, specify Aruba-Aruba-Essid-Name CONTAINS [SSID].
    • Replace [SSID] with the name of the SSID configured on the Mobility Controller.
      Screenshot 2022-06-21 105413.png
  3. For Allowed Protocols/Server Sequence, select the MAB allowed protocols created in the previous section.
  4. Click Save and then click the greater than sign (>) on the far right of the policy set to open the new Policy Set.
  5. Expand Authentication Policy and specify Internal Endpoints in the Use column of the Default authc policy.
  6. Change If User not found within Options to Continue.Screenshot 2022-06-22 093131.png

  7. Expand Authorization Policy and click the plus (+) button to create a new authz policy.
  8. Specify a name for the policy and for Conditions specify IdentityGroup-Name EQUALS Endpoint Identity Groups:GuestEndpoints.
    • This guide is using the Remember Me guest flow so if the endpoint MAC address exists in the specified endpoint group they will automatically be granted guest access.
  9. Specify the Aruba Guest Permit authorization profile in the Results column.
  10. Specify the Aruba Guest Redirect authorization profile in the Results column for the Default authz policy. Screenshot 2022-06-22 093504.png
  11. Click Save.

 

Verification

ISE RADIUS Live Logs

Navigate to Operations > RADIUS > Live Logs.  From bottom to top in the screenshot below, the Live Logs should first show the Aruba Guest Redirect authz profile.  Followed by the Change of Authorization (CoA) once the user logs into the captive portal.  Finally, the endpoint re-authenticating to the wireless network and receiving the Aruba Guest Permit authz profile.Screenshot 2022-06-21 103859.png

 

The endpoint should also be a member of the GuestEndpoints Group within Context Visibility > Endpoints after logging into the captive portal.Screenshot 2022-06-21 104452.png

 

Aruba Mobility Controller 

Navigate to Dashboard > Overview and click on the clients view.  Before authentication to the captive portal, the client should be assigned the guest-redirect role.Screenshot 2022-06-21 105034.png

After authentication to the captive portal, the client should be assigned the guest role.Screenshot 2022-06-21 104624.png

 

Aruba_AOS.zip
Comments
ahollifield
VIP
VIP
‎05-06-2024 09:20 AM
No, although ISE 2.X is EOL and should no longer be used. What is the Aruba NAD? Controller? IAP? AOS 10?
orrep
Level 1
Level 1
‎05-06-2024 09:28 AM

Is a IAP running 8.11, this is the capture

orrep_0-1715012673900.png

I had all the ISE step in this guide, the "Aruba-user-role" attribute  arrives well, but the Aruba-Captive-Portal-URL said unknown

 

 

ahollifield
VIP
VIP
‎05-06-2024 09:41 AM
I have received the same feedback from several others that this doesn’t work with IAP. Unfortunately at the time I only had a mobility controller to test with. Can you upgrade that IAP to AOS10 managed with Aruba Central and test again? I have heard that Aruba Central managed APs do not have an issue with this flow. But again not something I am able to test.
Hege
Level 1
Level 1
‎12-06-2024 02:34 AM

Although I use ClearPass server instead of ISE, I can confirm that AOS10 APs know the Aruba-Captive_Portal_URL attribute and they will redirect. One important thing is that in Aruba Central you have to set the captive portal access rule for the preauth role and for me it works if you set it to use external splash page type and default captive portal profile.

Hege_0-1733481067592.png

My only problem is that Aruba APs don't seem to understand or have CoA reauthenticate command just disconnect. I want to use reauthenticate and even though they support RFC 3576, they don't understand "Authorize Only" service type in CoA messages. How is it done with Cisco ISE? Using CoA disconnect?

 

ahollifield
VIP
VIP
‎12-06-2024 04:02 AM

Thanks for the test!  Yes, it's done with disconnect.  Same as the ClearPass Aruba_Wireless:Terminate Session CoA configuration.  The client should try to re-join automatically.

nnada
Cisco Employee
Cisco Employee
‎12-18-2024 04:37 AM

Hello, I am trying to integrate ISE 3.3.4 with an Aruba WLC for the guest portal access for a customer. We followed these exact steps multiple times and tried to troubleshoot with TAC, but nothing seems to work. Does anyone have any more resources on this?

ahollifield
VIP
VIP
‎12-18-2024 04:39 AM

What "Aruba WLC"?  What version of AOS?  What exactly isn't working?  What type of guest portal?  Do you have any more details you can provide?

nnada
Cisco Employee
Cisco Employee
‎12-18-2024 04:50 AM

They're using the Aruba 7030 and the controller version is AOS 8.11.2.2, the redirection is not working when the user connects to the SSID, we also don't see any logs on the ISE side. It is supposed to use a sponsored guest portal. 

The redirection only works when we use "ClearPass or other external Captive Portal" and include a static guest portal URL (including the session ID), but in this case the user sees the portal, authenticates, and is redirected back to the portal over and over.

bradjohnson
Cisco Employee
Cisco Employee
‎12-18-2024 05:00 AM
If you are not seeing logs on the ISE side, it sounds like ISE is not receiving the request outside of the static URL assignment. I would perform a packet capture both on ISE (narrow down which PSN should receive the request) and from the WLC (or close to it) to see if the WLC is sending the request at all and what, if any, response from ISE.


ahollifield
VIP
VIP
‎12-18-2024 05:04 AM

No logs on the ISE side sounds like a shared secret or other "base" AAA configuration issue.  You should at least see the initial MAB request.  All of that is before the redirect.  Have you done a PCAP on ISE?  Do you see the controller sending RADIUS packets to ISE?  Do you have any unknown NAD alarms within ISE?  How exactly is the SSID configured on the Aruba Mobility Controller?  Is MAC filtering enabled per the guide?  Do other AAA methods work from this controller to ISE?  Also, I hope the customer is considering AOS 10 moving forward?

zhaoliansheng
Level 1
Level 1
‎04-08-2025 02:38 AM

I have configured Aruba, Cisco ISE CWA, and Mac+portal authentication docking on my end. Currently, I have found that the portal cannot be automatically popped up and cannot be opened manually. However, the web port 8443 telnet is working

ahollifield
VIP
VIP
‎04-08-2025 03:37 AM
what is the Aruba NAD? Mobility controller? IAP? AOS10?
jacquesfumeron
Level 1
Level 1
‎04-09-2025 05:43 AM

Very interesting documentation, it seems that I'm in the same situation as tonyang. 
All tests indicate that network connection is good (DHCP, DNS resolution and direct connection to URL working)
From ISE live log, first step looks successfull and radius attribute Aruba-Captive-Portal-URL is being sent in response by ISE
But no redirection seems to happen
In a packet capture, I observe the same behaviour, as an unknown attribute, but I’m not sure it is a problem as the number for radius attribute is correct

MC is a 9420 in v8.10.0.8
ISE is in 3.1+, I don’t have the exact version but not ancien

Any insight about where to look ? or which command might help to understand where does the error come from ?

zhaoliansheng
Level 1
Level 1
‎04-09-2025 08:02 PM

The Aruba wireless controller we have configured here, model: aruba 7210 , edition: AOS8.10.0.14 , Independent mode deployment, AP model: 325, controller configured for tunnel forwarding mode, ISE version: 3.3,

ReFeeL
Level 1
Level 1
‎04-18-2025 01:38 AM

same issue with @jacquesfumeron 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents