Aruba Networks, Inc.

Amigopod and ArubaOS Integration

Application Note

Table of Contents

Chapter 1: Introduction (p. 5)
    Reference Material (p. 5)

Chapter 2: Captive Portal Authentication (p. 6)
    Captive Portal Overview (p. 6)
    ArubaOS or Amigopod for Visitor Management (p. 7)
    Captive Portal Authentication Workflow (p. 10)

Chapter 3: ArubaOS Configuration (p. 12)
    Creating a RADIUS Server Instance (p. 12)
    Modify NAS ID for Master Local Deployments (p. 14)
    Add RADIUS Server to a Server Group (p. 15)
    Creating an RFC3576 Server Instance (p. 16)
    Creating a Captive Portal Profile (p. 18)
    Configure Authentication for Captive Portal Profile (p. 20)
    Modify the AAA Profile (p. 21)
    Define a Policy to Permit Traffic to Amigopod (p. 23)
    Enable Captive Portal on Initial Role of Captive Portal Profile (p. 25)
    Verify Virtual AP Configuration (p. 26)

Chapter 4: Amigopod Configuration (p. 27)
    Check for Updated Amigopod Plugins (p. 27)
    Configure RADIUS NAS for an Aruba Controller (p. 30)
    Configure Web Login for Captive Portal Authentication (p. 33)
    Optional Customization of the Web Login Page (p. 34)
    Amigopod Skins and Content Customization (p. 35)
    Web Login Access Lists (p. 36)
    Configure the RADIUS User Role (p. 37)
    (Optional) Import Sample Welcome Page (p. 38)

Chapter 5: Integration Verification (p. 42)
    Create a Test Account Within Amigopod Guest Manager (p. 42)
    Testing RADIUS (p. 44)
    Test Basic RADIUS Transactions (p. 44)
    Test Login and Verify Successful RADIUS Transaction (p. 46)
    Check that RADIUS Accounting is Working as Expected (p. 48)

Summary of Contents for AMIGOPODOS 3.3

Page 1: ...Amigopod and ArubaOS Integration Version 1 0...

Page 2: ...MS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES WHETHER EXPRESS IMPLIED OR STATUTORY INCLUDING WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE TITLE NONINFRINGEMENT ACCURACY AND QUE...

Page 3: ...ify the AAA Profile 21 Define a Policy to Permit Traffic to Amigopod 23 Enable Captive Portal on Initial Role of Captive Portal Profile 25 Verify Virtual AP Configuration 26 Chapter 4 Amigopod Configu...

Page 4: ...Aruba Networks Inc Table of Contents 4 Amigopod and ArubaOS Integration Application Note Chapter 6 Troubleshooting Tips 49 Appendix A Contacting Aruba Networks 50 Contacting Aruba Networks 50...

Page 5: ...entity based security features Depending on whether the license is installed the captive portal functions work differently and you configure captive portal differently The detailed configuration steps...

Page 6: ...web browser and pass an authentication check before access to the network is granted An example page is shown in Figure 1 Figure 1 Amigopod captive portal page Captive portal authentication is the si...

Page 7: ...OS Plus Amigopod Not supported Limited support Supported Captive Portal Customization Captive portal customization Captive portal per SSID customization Anonymous logon One time tokens access codes We...

Page 8: ...session time across multiple logins Limit guest session data total bytes Limit guest session bandwidth Mb s Limit guest session to single concurrent login Hotspot and Hospitality Features Walled garde...

Page 9: ...the scope of the local deployment With the introduction of Amigopod all visitor accounts are created authenticated and accounted for on the Amigopod internal RADIUS server Enterprise Features and Scal...

Page 10: ...sted web page the initial HTTP traffic is intercepted by the Aruba controller and redirected to the Amigopod web login page defined in the captive portal profile 3 The guest user enters their user cre...

Page 11: ...duration of the guest login and the Aruba controller user role that defines the PEF policies and bandwidth contracts that could be applied to the session When the Aruba controller receives the Access...

Page 12: ...S server definition requires that the following fields be configured Host should be configured to the Amigopod IP address Key is the shared secret that is needed to secure RADIUS communications Amigop...

Page 13: ...ng a RADIUS Server aaa authentication server radius Amigopod host 10 169 130 50 key Figure 4 Adding a RADIUS server N O T E Ensure that the key is recorded because you will need this shared secret for...

Page 14: ...e 10 169 145 0 24 network VLAN 145 This network is used to send the RADIUS transactions toward the Amigopod deployed on 10 169 130 50 Based on the VLAN numbering in the VRD Local Controller deployment...

Page 15: ...rver to a Server Group A server group must be created to define which authentication server will be referenced during the authentication of visitor accounts This server group is then referenced in the...

Page 16: ...ifies the user session to be terminated by inclusion of the session identification attributes Change of Authorization CoA messages CoA request packets contain information for dynamically changing sess...

Page 17: ...a Networks Inc ArubaOS Configuration 17 Amigopod and ArubaOS Integration Application Note RFC3576 Server Configuration aaa rfc 3576 server 10 169 130 50 key wireless Figure 7 RFC3576 server configurat...

Page 18: ...ve portal profile definition is described in Table 3 In this example the login and welcome page URLs are configured In a later step these URLs will be defined on the Amigopod as part of the web login...

Page 19: ...edirect URLs for the login and welcome pages Based on this configuration the best practice is to install a trusted server certificate on the Amigopod and the controller s web server components of the...

Page 20: ...tive Portal Profile Now that the new captive portal profile has been created you must select the server group for the Amigopod RADIUS definition as the authentication source Configure the Authenticati...

Page 21: ...ofile defined as part of the baseline for guest access in the campus VRD resource Then modify the guestnet AAA profile as follows The initial role remains as the guest logon role but it is modified in...

Page 22: ...Aruba Networks Inc ArubaOS Configuration 22 Amigopod and ArubaOS Integration Application Note Enable 3576 Support aaa profile guestnet rfc 3576 server 10 169 130 50 Figure 11 Enabling RFC3576 support...

Page 23: ...he nature of the captive portal traffic HTTP and HTTPS traffic are permitted through this policy to the Amigopod IP address Depending on the routing topology in place at each customer environment Netw...

Page 24: ...Amigopod svc https permit queue low Figure 13 Amigopod access source NAT on VLAN example Source NAT per Application If you are using application based source NAT use this configuration Example of Sou...

Page 25: ...browser session to the Amigopod web login URL defined in your captive portal profile This attempt fails because the default captiveportal policy is matched for http traffic The session will consequen...

Page 26: ...profile applied Virtual AP Configuration wlan virtual ap guestnet ssid profile guestnet aaa profile guestnet Figure 16 Virtual AP configuration All the configurations from the previous steps have bee...

Page 27: ...opod Plugins Aruba publishes regular updates for the Amigopod solution via the online software distribution server which is accessible from a standard Internet connection via the HTTPS protocol Each A...

Page 28: ...8 Amigopod and ArubaOS Integration Application Note A correctly configured subscription ID can be verified by browsing to Amigopod Administrator Plugin Manager Manage Subscriptions as shown in Figure...

Page 29: ...tes click Finish For the updates to take effect you must follow any prompted instruction to restart services after the installation of new or updated plugins Plugins must be updated to ensure that Ami...

Page 30: ...troller to authenticate users it must be able to communicate with the Amigopod RADIUS instance In first step of the Aruba controller configuration a RADIUS server definition was defined This step conf...

Page 31: ...r The NAS Type should be set to Aruba Networks RFC3576 support The Shared Secret called the Key in the first Aruba controller step must be configured and confirmed Check Create a RADIUS Web Login page...

Page 32: ...Click Create NAS Device and you are prompted to restart the RADIUS server as seen in Figure 24 You must restart the server because the RADIUS server within Amigopod rejects any request from the Aruba...

Page 33: ...the Aruba controller configuration chapter of this document the Login Page entry of the captive portal profile was defined as the following URL https 10 169 130 50 Aruba_login php The Page Name field...

Page 34: ...additional security measure prevents modification of the redirect URL by individuals that might attempt to extract user credentials by spoofing the form submission to a device in their control If the...

Page 35: ...igure 27 Figure 27 Configuration of terms and conditions Amigopod Skins and Content Customization You can leverage the Amigopod skin technology to brand the captive portal that is displayed to the wir...

Page 36: ...ocess at the point where the contents of the Login Message HTML is displayed This delay is useful for many reasons If you need to troubleshoot any captive portal issues this delay is a good time to ob...

Page 37: ...user role definition The Aruba User Role is an example of an Aruba VSA that allows a RADIUS authentication session to automatically have a user role applied The example of auth guest is a user role th...

Page 38: ...ers prefer to leverage the ability of Amigopod to host a welcome page locally and enable additional user experience options such as Integrated graphical Wi Fi Logout button Present an option for the g...

Page 39: ...me page To restore the customized welcome page check Restore settings from backup and click Restore Configuration When the restore is complete browse to Customize Web Logins and verify that the web lo...

Page 40: ...gure 34 shows the sample welcome page developed for this guide This welcome page highlights the following integration points between the Amigopod and ArubaOS controllers Detection of guest user name l...

Page 41: ...le This page is linked to the Wi Fi Logout button on the previous welcome page and allows for further messaging to be displayed on the logout page As shown in Figure 35 the inclusion of this sample lo...

Page 42: ...ents are in place and are working as expected Create a Test Account Within Amigopod Guest Manager To start testing the guest access functionality an account must be created in the Amigopod local datab...

Page 43: ...wn in Figure 37 Figure 37 Completed guest account If numeric user credentials will be challenging during your testing phase these credentials can be edited easily by clicking the List guest accounts o...

Page 44: ...ge as shown in Figure 39 Figure 39 Updated guest account Testing RADIUS This section shows how RADIUS transactions with the Amigopod server can be tested to confirm that the configuration is correct T...

Page 45: ...te On the Amigopod side you can also look at the end of the RADIUS log to verify that the transactions are executing on that side Figure 41 RADIUS log tail If you experience any issues with the authen...

Page 46: ...Test Login and Verify Successful RADIUS Transaction Now that everything is set up on the Amigopod and the Aruba controller attempt to connect a test wireless or wired client to the network The session...

Page 47: ...Log In a successful end to end RADIUS transaction should be the result You can verify by referring to the end of the RADIUS log as shown in Figure 43 Note that the client MAC address is now visible in...

Page 48: ...Sessions page shown in Figure 44 Given the Interim Accounting support in ArubaOS 6 1 this page displays live traffic statistics based on these updates If you also have configured RFC 3576 on your Aru...

Page 49: ...eceived from the Aruba controller Check the web login page and ensure that the correct IP address for controller is configured Check the captive portal policy and ensure that traffic is permitted to t...

Page 50: ...emea_support arubanetworks com WSIRT Email Please email details of any security problem found in an Aruba product wsirt arubanetworks com Validated Reference Design Contact and User Forum Validated Re...

Page 51: ...4 34526 KT 1 820 494 34526 ONSE 8 821 494 34526 Singapore Singapore Telecom 1 822 494 34526 Taiwan U CHT I 0 824 494 34526 Belgium Belgacom 0 827 494 34526 Israel Bezeq 14 807 494 34526 Barack ITC 13...
