Aruba Clearpass
Overview
The principle of a captive portal is that the user is initially admitted unconditionally; the authorization only begins with the first HTTP request. The approval is done through a captive portal where the user must enter a login. If the login is approved, the user can use the wireless network. After approval there are several options for the time frame during which the wireless network may be used.
MAC caching can be permanent or limited to a time frame, depending on the setup.
Figure (captive portal flow): the client resolves DNS for www.dr.dk and requests http://www.dr.dk; the AP (IP 172.31.98.1) redirects to https://10.100.200.78/guest/login.php on Aruba ClearPass (URL = /guest/login.php); the browser sends a GET and then a POST to https://10.100.200.78/guest/login.php; with the pre-check option, ClearPass checks the login against the authentication source of the application service (Win-AD); the browser then POSTs to https://securelogin.arubanetworks.com (IP 172.31.98.1) and the AP performs the RADIUS authentication against Aruba ClearPass.
The purpose of captive portal between Aruba Instant AP and Aruba ClearPass is:
There are three parameters of the captive portal that are important to clarify when external weblogin is used with Aruba ClearPass as the external web server.
Login
The captive portal web page can use http or https. It is important that the certificate for the Aruba ClearPass HTTPS service is a SAN certificate that includes the IP address. The captive portal setting on the AP can be an IP address or an FQDN. If an FQDN is used, the certificate common name must match the FQDN, and the user's endpoint must be able to resolve the FQDN.
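As an added example (not from the page or from Aruba), the check below takes a certificate in the dict form that Python's ssl.SSLSocket.getpeercert() returns and decides whether the captive portal target configured on the AP is covered by it: an IP address target must appear as an "IP Address" entry in the subjectAltName, while an FQDN target may match a DNS entry or, as the page describes, the common name. The certificate names and the IP 10.100.200.78 in EXAMPLE_CERT are constructed for the example.

```python
import ipaddress

# Constructed example of the dict shape that ssl.SSLSocket.getpeercert() returns for a
# verified certificate. The hostname and the IP address are assumptions for this example.
EXAMPLE_CERT = {
    "subject": ((("commonName", "clearpass.example.local"),),),
    "subjectAltName": (
        ("DNS", "clearpass.example.local"),
        ("IP Address", "10.100.200.78"),
    ),
}


def san_entries(cert):
    """Return (dns_names, ip_addresses) found in the subjectAltName extension."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def common_name(cert):
    """Return the certificate's commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def portal_target_matches(cert, target):
    """True if the captive portal target configured on the AP (IP address or FQDN)
    is covered by the certificate ClearPass presents on its HTTPS service."""
    dns, ips = san_entries(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is only ever matched against IP Address SAN entries, never the CN.
        return ip in ips
    name = target.lower()
    if name in dns:
        return True
    # Fallback for an FQDN target: the common name must match, as the page requires.
    cn = common_name(cert)
    return cn is not None and cn.lower() == name


if __name__ == "__main__":
    for target in ("10.100.200.78", "10.100.200.79", "clearpass.example.local"):
        print(target, "->", "ok" if portal_target_matches(EXAMPLE_CERT, target) else "NOT covered")
```

To run this against a live ClearPass, build an ssl.create_default_context() that trusts the CA which issued the ClearPass certificate, wrap a socket to the portal address and call getpeercert() on it; the dict it returns has the shape used above. The CN fallback is kept because the page relies on it, but current browsers ignore the CN entirely, so in practice the FQDN should also be present as a DNS entry in the SAN.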
Pre-check
The user's login to the captive portal can be checked by the web application. The essence of this option is that Aruba ClearPass must always have a service rule for the web application with an authentication source. In practice pre-check is recommended; a successful login in the web application then results in a RADIUS request from the AP. If pre-check is deselected, the web application simply returns the login credentials from the captive portal, the browser sends an HTTP POST to securelogin.arubanetworks.com, and this is followed by a RADIUS request from the AP.
Aruba Securelogin
The user's login from the captive portal is sent as an HTTP POST to securelogin.arubanetworks.com, and the AP spoofs the DNS answer for that name in order to receive the incoming login. Both http and https can be used; for https the certificate is provided by the AP and is issued by GeoTrust DV SSL CA.
Aruba Instant AP
This example creates an SSID named Ford; Aruba ClearPass is the RADIUS server, with an external captive portal at the IP address 10.100.200.78. Note that a role with the same name as the SSID is always created, and in this example the role Ford is granted to authorized guest users.
RADIUS server
Captive portal
The URL must always begin with /guest, followed by the name of the weblogin with .php as the extension.
Roles
In this example the roles Guest_logon and Ford are used to grant access to the network before and after login via the captive portal. The role Ford is created automatically when you create an SSID with this name. By default, network access for this role is allowed to all destinations.
The role Guest_logon is here limited to access to the captive portal website, DNS and DHCP.
Create SSID
The next step is to create an external website for the captive portal with the URL /guest/login.php.
In the example above, the name login sets the URL to /guest/login.php.
Use of pre-check (by default the web application checks the login from the captive portal):
1. The user connects to the SSID and gets an IP address together with the DNS settings.
2. The AP (here Aruba Instant) is set to use an external captive portal, not MAC authentication.
3. The first time the user tries to access a webpage, the user is sent to the captive portal.
4. The user enters the guest login (handled by the web application service).
5. With pre-check, the user login is validated before the AP sends a RADIUS request.
6. The AP sends a RADIUS request with the login from the captive portal (securelogin.arubanetworks.com).
7. Aruba ClearPass approves the access with a RADIUS Access-Accept, where the Session-Timeout value sets the time frame before the user must log in again via the captive portal.
Web application (http/https):
Service: "Ford-APPL-service"
Enforcement policy: "Ford-APPL-enforcement", Day-of-Week: Monday-Sunday
Enforcement profile: "[Allow Application Access Profile]"
RADIUS from the AP (NAD):
Service: "Ford user auth service"
Service rules: NAS-Port-Type = Wireless-802.11, Service-Type = Login-User, Aruba-Essid-Name = Ford
Authentication method: PAP
Authentication source: Guest User Repository
Important: The setting for MAC authentication on the AP must be deselected (disabled).
Enforcement policy and enforcement profile
Verification
The principle is called MAC caching. In order to remember the settings and status across RADIUS requests, some extra parameters are needed for the MAC address that belongs to the user's endpoint. The extra parameters are:
Example from an endpoint that is approved and ready for MAC caching:
Additionally, the status Known or Unknown is used to determine whether the user should be sent to the captive portal or use the network with the Guest, Employee or Contractor role.
The values for Status, Guest Role ID, MAC-Auth Expiry and Username are added and set by a Post_Authentication profile when the guest user is authenticated via the captive portal.
In total the wizard creates 3 service rules, 3 enforcement policies, 8 enforcement profiles and 2 role mappings. Run the wizard for:
Important: The setting for MAC authentication on the AP must be selected (enabled).
2. Select the name of the captive portal (Web Logins from ClearPass Guest) from the list.
4. Click Add Service, and the service rule "Ford Guest Access - Web Login" is created.
3. Accept the default settings for what happens when the guest account expires. The expiry date is determined by the creation date of the guest user plus the duration (1 day, 1 week, etc.).
6. Click Add Service, and the service rules "Ford MAC Authentication" and "Ford User Authentication with MAC Caching" are created.
Purpose: The user gets a captive portal and enters a login. Pre-check validates the login, and a wrong login is referred back to the same webpage so that a new login can be entered. The approved login (only with pre-check) or simply the login credentials (if pre-check is deselected) is returned to the user's browser, and the browser automatically sends the login to securelogin.arubanetworks.com as an HTTP POST.
Service: Application Name = WebLogin; Application:Clearpass Page-Name = login
Authentication: Guest User Repository
Roles: [Guest Roles] 1 = Contractor, 2 = Guest, 3 = Employee
Enforcement: Date: Day-of-Week Monday - Sunday
Purpose: The AP sends a RADIUS request when the user has entered a login on the captive portal. The RADIUS request carries the user's login with User-Name and encrypted password. If the login is approved, the MAC address of the endpoint is set to the status Known and three additional parameters are added to authorize access based on the MAC address (when the guest user reconnects to the wireless network).
Service: Radius:IETF Calling-Station-Id Exists; Connection Client-Mac-Address != %{Radius:IETF:User-Name}; Radius:Aruba Aruba-Essid-name = Ford
Authentication: Authentication Methods PAP, MSCHAP, CHAP; Authentication Sources [Guest User Repository]
Authorization: Authorization Sources [Endpoint Repository], [Time Source]
Roles (Ford User Authentication with MAC Caching Role Mapping): GuestUser:Role ID = 1 then [Contractor]; GuestUser:Role ID = 2 then [Guest]; GuestUser:Role ID = 3 then [Employee]
Enforcement: Role = Guest and Date: Day-of-Week = Mon-Sun then Ford MAC Caching Timeout, Ford MAC Caching Bandwidth Limit, Ford MAC Caching Session Limit, Ford MAC Caching Do Expire, Ford MAC Caching Expire Post Login, Ford Guest Profile, Ford Guest MAC Caching, [Update Endpoint Known]
Purpose: If the MAC address in the RADIUS request is found in the endpoint database and the account is still active, access is granted with the Aruba role Ford. If the MAC address has the status Unknown, Aruba ClearPass sends a RADIUS reject, and the AP then performs the HTTP redirect to the captive portal.
Service: Client-Mac-Address = %{Radius:IETF:User-Name}; Aruba-Essid-Name = Ford
Authentication: Authentication Methods [MAC AUTH]; Authentication Sources [Endpoint Repository]
Authorization: Authorization Sources [Endpoint Repository], [Time Source]
Roles: Time Source Now DT < %{Endpoint:MAC-Auth-Expiry} && Guest User Repository AccountExpired = false && Guest User Repository AccountEnabled = true then [MAC Caching]; Guest Role ID: if 1 then [Contractor], if 2 then [Guest], if 3 then [Employee]
Enforcement: Role = [MAC Caching] && [Guest] && [User Authenticated] then [Allow Access Profile], Ford Guest Profile
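The MAC caching attributes from the verification section and the two RADIUS service rules above ("Ford User Authentication with MAC Caching" and "Ford MAC Authentication"), modelled as an added Python example; this is not ClearPass code, and the guest accounts, the in-memory repositories, the 24-hour cache duration and the function names are assumptions. It walks one endpoint (the MAC address from the page's verification section) through the lifecycle: unknown endpoint rejected, captive portal login accepted and the endpoint marked Known, cached MAC authentication accepted, and rejection again once MAC-Auth Expiry has passed or the guest account is disabled.

```python
from datetime import datetime, timedelta

# Guest Role ID values and the ClearPass roles the wizard maps them to (from the page).
GUEST_ROLE_IDS = {1: "Contractor", 2: "Guest", 3: "Employee"}

# Constructed stand-ins for the Guest User Repository and the Endpoint Repository.
# Accounts, passwords and the cache duration are assumptions for this example.
guest_users = {
    "visitor01": {"password": "s3cret", "role_id": 2, "enabled": True, "expired": False},
    "contractor7": {"password": "c0ntract", "role_id": 1, "enabled": True, "expired": False},
}
endpoints = {}  # MAC address -> attributes written by the post-authentication profile

EXAMPLE_T0 = datetime(2024, 1, 1, 12, 0)  # constructed "now" for the scenario


def select_service(req):
    """Service selection. Both RADIUS services need Aruba-Essid-Name = Ford and a
    Calling-Station-Id; MAC authentication applies when User-Name is the client MAC,
    otherwise the request goes to user authentication with MAC caching."""
    if req.get("Aruba-Essid-Name") != "Ford" or "Calling-Station-Id" not in req:
        return None
    if req.get("User-Name", "").lower() == req["Calling-Station-Id"].lower():
        return "Ford MAC Authentication"
    return "Ford User Authentication with MAC Caching"


def user_auth_with_mac_caching(req, now, cache_hours=24):
    """Validate the captive portal login against the guest users, then mark the endpoint
    Known and store Guest Role ID, MAC-Auth Expiry and Username for later MAC auth."""
    user = guest_users.get(req.get("User-Name"))
    if (user is None or user["password"] != req.get("User-Password")
            or not user["enabled"] or user["expired"]):
        return {"result": "Access-Reject", "role": None}
    role = GUEST_ROLE_IDS.get(user["role_id"])
    if role is None:
        return {"result": "Access-Reject", "role": None}  # no role mapping, no enforcement rule
    endpoints[req["Calling-Station-Id"].lower()] = {   # [Update Endpoint Known]
        "Status": "Known",
        "Guest Role ID": user["role_id"],
        "MAC-Auth Expiry": now + timedelta(hours=cache_hours),
        "Username": req["User-Name"],
    }
    return {"result": "Access-Accept", "role": role, "profile": "Ford Guest Profile"}


def mac_auth(req, now):
    """MAC caching: accept only while the endpoint is Known, MAC-Auth Expiry has not
    passed and the guest account is still enabled and not expired. Every reject makes
    the AP redirect the user to the captive portal again."""
    ep = endpoints.get(req["Calling-Station-Id"].lower())
    if ep is None or ep["Status"] != "Known":
        return {"result": "Access-Reject", "role": None}
    user = guest_users.get(ep["Username"])
    if user is None or user["expired"] or not user["enabled"]:
        return {"result": "Access-Reject", "role": None}
    if not now < ep["MAC-Auth Expiry"]:
        return {"result": "Access-Reject", "role": None}
    return {"result": "Access-Accept", "role": GUEST_ROLE_IDS.get(ep["Guest Role ID"]),
            "profile": "Ford Guest Profile"}


def handle_request(req, now):
    """Dispatch a RADIUS request (dict of attribute name -> value) to the selected service."""
    service = select_service(req)
    if service == "Ford MAC Authentication":
        return mac_auth(req, now)
    if service == "Ford User Authentication with MAC Caching":
        return user_auth_with_mac_caching(req, now)
    return {"result": "Access-Reject", "role": None}


def run_scenario():
    """Walk one endpoint through the MAC caching lifecycle; returns the four outcomes."""
    endpoints.clear()
    mac = "00:13:E8:80:F5:C5"  # endpoint MAC from the page's verification section
    mac_req = {"Aruba-Essid-Name": "Ford", "Calling-Station-Id": mac, "User-Name": mac}
    login_req = {"Aruba-Essid-Name": "Ford", "Calling-Station-Id": mac,
                 "User-Name": "visitor01", "User-Password": "s3cret"}
    return [
        handle_request(mac_req, EXAMPLE_T0)["result"],                         # Unknown endpoint
        handle_request(login_req, EXAMPLE_T0)["role"],                         # portal login
        handle_request(mac_req, EXAMPLE_T0 + timedelta(hours=1))["result"],    # cached
        handle_request(mac_req, EXAMPLE_T0 + timedelta(hours=25))["result"],   # cache expired
    ]


if __name__ == "__main__":
    print(run_scenario())  # ['Access-Reject', 'Guest', 'Access-Accept', 'Access-Reject']
```

The model keeps the page's ordering of checks: the endpoint status decides whether the user is sent to the portal, and the guest account's enabled/expired flags are consulted on every MAC authentication, so disabling the account in the Guest User Repository takes effect at the next reconnect even while the cached MAC-Auth Expiry is still in the future.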
Two profiles have a special significance: "Ford Captive Portal Profile" and "Ford Guest Profile". They set the Aruba role before the user is authenticated and the role after the user is authenticated:
Verification
The endpoint has the MAC address 00:13:E8:80:F5:C5
Before approval