ArubaOS 8.6.0.0 Help Center

Configuring Captive Portal in the Base Operating System

The base operating system (ArubaOS without any licenses) allows full network access to all users who connect to an ESSID, both guest and registered users. In the base operating system, you cannot configure or customize user roles; this function is only available by installing the PEFNG license. Captive portal allows you to control or identify who has access to network resources.

When you create a captive portal profile in the base operating system, an implicit user role is automatically created in the stand-alone controller and in the Master Controller Mode with the same name as the captive portal profile. This implicit user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal. You cannot directly modify the implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN.

In a Mobility Master-managed device topology, Mobility Master does not have the configuration that is related to the PEFNG license; therefore, the role is not created on the Mobility Master.

The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the "default" ap-group: Configuration > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance.

Following are the tasks for configuring captive portal in the base ArubaOS:

1. Create the Server Group name. In this example, the server group name is cp-srv.

If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information about configuring authentication servers and server groups, see Authentication Servers.

2. Create Captive Portal Authentication Profile. In this example, the profile name is c-portal.

Create and configure an instance of the captive portal authentication profile. Creating the captive portal profile automatically creates an implicit user role and ACL with the same name. Creating the c-portal profile creates an implicit user role called c-portal. That user role allows only DNS and DHCP traffic between the client and network and directs all HTTP or HTTPS requests to the captive portal.

3. Create an AAA Profile. In this example, the profile name is aaa_c-portal.

Create and configure an instance of the AAA profile. For the initial role, enter the implicit user role that was created. The initial role in the profile aaa_c-portal must be set to c-portal.

4. Create SSID Profile. In this example, the profile name is ssid_c-portal.

Create and configure an instance of the virtual AP profile which you apply to an AP group or AP name. Specify the AAA profile created.

5. Create a Virtual AP Profile. In this example, the profile name is vp_c-portal.

Create and configure an instance of the SSID profile for the virtual AP.

The following sections present the procedure for configuring the captive portal authentication profile, the AAA profile, and the virtual AP profile using the WebUI or the CLI. Configuring the VLAN and authentication servers and server groups are described elsewhere in this document.

The following procedure describes how to configure captive portal in the base operating system:

1. Log in to the Mobility Master.

2. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > L3 Authentication tab. Select Captive Portal Authentication.

a. Click + in Captive Portal Authentication Profile: New Profile, enter a Profile Name (for example, c-portal).

b. You can enable user login and guest login, and configure other captive portal profile parameters as described in Configuring Captive Portal Authentication Profiles.

c. Click Submit.

3. To specify authentication servers, select Server Group under the captive portal authentication profile you just configured.

a. Select the server group (for example, cp-srv) from the drop-down list.

b. Click Submit.

4. Select the AAA Profiles tab.

a. Expand AAA Profiles, click + in AAA Profile: New Profile to add a new profile. Enter a Profile Name (for example, aaa_c-portal), then click Submit.

b. Select the AAA profile you just created.

c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously for stand-alone controller and Master Controller Mode.

The Initial Role must be exactly the same as the name of the captive portal authentication profile you created.

d. Click Submit.

5. Navigate to the Configuration > System > Profiles tab and under Profiles, select Wireless LAN, then select Virtual AP.

6. To create a new virtual AP profile, click + in Virtual AP profile: New Profile.

7. Enter the name for the virtual AP profile (for example, vp_c-portal). Make sure Virtual AP enable is selected.

8. For VLAN, enter the ID of the VLAN in which captive portal users are placed (for example, VLAN 20). Click Submit.

a. In the Profile Details entry for the new virtual AP profile (guestnet), select the AAA profile you previously configured from the AAA Profile drop-down list and click Submit.

b. In the Profile Details entry for the new virtual AP profile (guestnet), select the SSID profile and select an SSID profile from the SSID profile drop-down list.

c. Enter the name for the ESSID profile (for example, essid_c-portal).

d. For Encryption, select opensystem.

e. At the bottom of the Profile Details page, click Submit.

9. Navigate to the Configuration > AP Groups page.

10. Select an AP Group and click the WLANs tab in the AP group window.

11. Click + under the WLANs tab and select the newly created virtual AP profile (guestnet) from the Virtual-ap drop-down list.

12. Click Submit.

13. Click Pending Changes.

14. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure captive portal in the base operating system:

(host) [md] (config) #aaa authentication captive-portal c-portal
    server-group cp-srv

(host) [md] (config) #aaa profile aaa_c-portal
    initial-role c-portal

(host) [md] (config) #wlan ssid-profile ssid_c-portal
    essid c-portal-ap

(host) [md] (config) #wlan virtual-ap vp_c-portal
    aaa-profile aaa_c-portal
    ssid-profile ssid_c-portal
    vlan 20
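
The procedure above builds a chain of named references (virtual AP to AAA profile and SSID profile, AAA initial role to captive portal profile), and the initial role must match the captive portal profile name exactly. The following is an added example, not part of the Aruba documentation or ArubaOS: an offline check of exported configuration text for breaks in that chain. The function names parse_profiles and audit and the broken *_typo profiles are hypothetical, and it assumes only the four commands shown on this page.

```python
import re

# Constructed sample: this page's commands plus two broken profiles (*_typo).
SAMPLE_CONFIG = """\
aaa authentication captive-portal c-portal
    server-group cp-srv
aaa profile aaa_c-portal
    initial-role c-portal
aaa profile aaa_typo
    initial-role c_portal
wlan ssid-profile ssid_c-portal
    essid c-portal-ap
wlan virtual-ap vp_c-portal
    aaa-profile aaa_c-portal
    ssid-profile ssid_c-portal
    vlan 20
wlan virtual-ap vp_typo
    aaa-profile aaa_typo
    ssid-profile ssid_missing
"""

HEADERS = ("aaa authentication captive-portal", "aaa profile",
           "wlan ssid-profile", "wlan virtual-ap")  # commands that open a profile
PROMPT = re.compile(r"^\([^)]*\)[^#]*#\s*")  # strips "(host) [md] (config) #"


def parse_profiles(text):
    """Return {header: {profile_name: {setting: value}}}."""
    profiles = {h: {} for h in HEADERS}
    current = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip()).replace('"', "").strip()
        header = next((h for h in HEADERS if line.startswith(h + " ")), None)
        if header:
            current = profiles[header].setdefault(line[len(header):].strip(), {})
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return profiles


def audit(text):
    """Check the profile chain: virtual AP -> AAA profile -> portal role."""
    p = parse_profiles(text)
    portals, aaa = p["aaa authentication captive-portal"], p["aaa profile"]
    findings = []
    for name, cfg in aaa.items():
        # Base OS: the implicit role is named after the captive portal profile.
        if cfg.get("initial-role") not in portals:
            findings.append(f"aaa profile {name}: initial-role "
                            f"{cfg.get('initial-role')!r} is not a portal profile")
    for name, cfg in p["wlan virtual-ap"].items():
        for key, known in (("aaa-profile", aaa), ("ssid-profile", p["wlan ssid-profile"])):
            if cfg.get(key) not in known:
                findings.append(f"virtual-ap {name}: {key} {cfg.get(key)!r} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The check treats any initial role that is not a captive portal profile name as a finding, which follows the base operating system behavior described on this page.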

Related Topics

Configuring Captive Portal with a PEFNG License

Sample Authentication with Captive Portal

Configuring Captive Portal Authentication Profiles
