Configure Captive Portal for Guest with Aruba Instant AP
Steps on how to configure Captive Portal for Guest with Aruba Instant AP
Captive Portal for Guest with Internal – Acknowledged
Guest users are required to accept the terms and conditions to access the Internet.
Configure a new SSID Profile (Network)
- vlan guest – Virtual Controller managed VLAN – clients are assigned a dynamic IP address from 172.31.98.0/23, or from the IP information configured manually in the internal DHCP
- vlan x – VLAN x is assigned, and VLAN tagging needs to be configured on the uplink port
- deny-inter-user-bridging – isolates individual guest users to prevent them from accessing each other
IAP315 (config) # wlan ssid-profile GUEST
IAP315 (SSID Profile "GUEST") # enable
IAP315 (SSID Profile "GUEST") # type guest
IAP315 (SSID Profile "GUEST") # essid GUEST
IAP315 (SSID Profile "GUEST") # captive-portal internal
IAP315 (SSID Profile "GUEST") # vlan guest
IAP315 (SSID Profile "GUEST") # deny-inter-user-bridging
Logon Role and Access Rules
Create an access rule for the SSID profile GUEST with full access
IAP315 (config) # wlan access-rule GUEST
IAP315 (Access Rule "GUEST") # rule any any match any any any permit
For reference, customize the rule to deny SSH (port 22) to 192.168.1.238. In the rule syntax, 6 is the IP protocol number for TCP.
rule <DESTINATION IP> <SUBNET MASK> match 6 <START-PORT> <END-PORT> <ACTION> log
IAP315 (Access Rule "GUEST") # rule 192.168.1.238 255.255.255.255 match 6 22 22 deny log
Check the log with show log security 10 (the last 10 events only)
IAP315# show log security 10
Mar 18 16:07:48 stm[5552]: <124006> <WARN> |AP [email protected] stm| TCP srcip=192.168.1.132 srcport=53644 dstip=192.168.1.238 dstport=22, action=deny
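To review more than a handful of these entries, the deny lines can be parsed and counted per flow. The following Python is an added example, not part of the original page or of Aruba's tooling; the sample lines are constructed from the entry above, and "AP-NAME@AP-IP" is a placeholder.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the `show log security` entry above.
# "AP-NAME@AP-IP" is a placeholder, not a value taken from the page.
SAMPLE_LOG = """\
Mar 18 16:07:48 stm[5552]: <124006> <WARN> |AP AP-NAME@AP-IP stm| TCP srcip=192.168.1.132 srcport=53644 dstip=192.168.1.238 dstport=22, action=deny
Mar 18 16:07:51 stm[5552]: <124006> <WARN> |AP AP-NAME@AP-IP stm| TCP srcip=192.168.1.132 srcport=53645 dstip=192.168.1.238 dstport=22, action=deny
Mar 18 16:08:02 stm[5552]: <124006> <WARN> |AP AP-NAME@AP-IP stm| TCP srcip=192.168.1.140 srcport=40112 dstip=192.168.1.238 dstport=22, action=deny
Mar 18 16:08:10 stm[5552]: unrelated line without session fields
"""

# Timestamp, anything up to the last "|", then protocol and key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*\|\s*(?P<proto>[A-Z]+)\s+(?P<fields>srcip=.*)$"
)
KV_RE = re.compile(r"(\w+)=([^\s,]+)")
REQUIRED = {"srcip", "srcport", "dstip", "dstport", "action"}


def parse_line(line):
    """Return a dict for one access-rule log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(KV_RE.findall(m.group("fields")))
    if not REQUIRED <= event.keys():
        return None
    try:
        event["srcport"] = int(event["srcport"])
        event["dstport"] = int(event["dstport"])
    except ValueError:
        return None
    event["timestamp"] = m.group("ts")
    event["proto"] = m.group("proto")
    return event


def denied_flows(log_text):
    """Count denied attempts per (srcip, dstip, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["action"] == "deny":
            counts[(event["srcip"], event["dstip"], event["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, port), n in denied_flows(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:{port} denied {n} time(s)")
```

A guest address that shows up repeatedly against an internal host or management port is a candidate for the disconnect step described later on this page.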
Customize the internal captive portal splash page
Refer to the link here to find out the decimal value of the color code for background-color and banner-color
IAP315 (config) # wlan captive-portal
IAP315 (Captive Portal) # background-color 13487359
IAP315 (Captive Portal) # banner-color 0
IAP315 (Captive Portal) # redirect-url "https://aventistech.com"
IAP315 (Captive Portal) # banner-text "Welcome to Guest Network"
IAP315 (Captive Portal) # terms-of-use "This network is not secure, and use is at your own risk"
IAP315 (Captive Portal) # use-policy "Please read terms and conditions before using Guest Network"
To upload a logo to the portal
IAP315 # copy config tftp <ip-address> <filename> portal logo
Replace the default SSL certificate for the captive portal so that guest users do not see a certificate error message
Guest users will be redirected to the page below when they connect to GUEST WIFI
Disconnect users from Aruba AP
List all connected users, and disconnect a user based on their MAC address
IAP315# show datapath user
Datapath User Table Entries
---------------------------
Flags: P - Permanent
R - ProxyARP to User, N - VPN, L - local, I - Intercept, D - Deny local routing
M - User Media Classified, K - OS known
FM(Forward Mode): S - Split, B - Bridge, N - N/A
IP               MAC                ACLs       Contract   Location  Age    Sessions   Flags  Vlan  FM  MediaSessCnt
---------------  -----------------  ---------  ---------  --------  -----  ---------  -----  ----  --  ------------
192.168.1.240    A8:BD:27:C1:7B:F8  105/0/0    0/0        0         0      0/65535    P      1     B   0
0.0.0.0          A8:BD:27:C1:7B:F8  105/0/0    0/0        0         0      0/65535    P      1     B   0
172.16.10.1      A8:BD:27:C1:7B:F8  105/0/0    0/0        0         0      0/65535    P      3333  B   0
0.0.0.0          DC:FB:48:65:9E:97  155/0/0    0/0        0         0      0/65535    PK     1     B   0
192.168.1.132    DC:FB:48:65:9E:97  155/0/0    0/0        0         0      8/65535    K      1     B   0
192.168.1.125    A8:BD:27:C1:7B:F8  105/0/0    0/0        0         0      7/65535    P      1     B   0
IAP315# disconnect-user mac DC:FB:48:65:9E:97
Captive Portal for Guest with Internal Authenticated
Guest users are required to authenticate in the captive portal page to access the Internet
Create local user accounts for guests
IAP315 (config) # user guest1 P@ssw0rd
Create a new SSID-Profile
Enable authentication with auth-server InternalServer, which uses the local database
IAP315 (config) # wlan ssid-profile GUEST
IAP315 (SSID Profile "GUEST") # enable
IAP315 (SSID Profile "GUEST") # type guest
IAP315 (SSID Profile "GUEST") # essid GUEST
IAP315 (SSID Profile "GUEST") # captive-portal internal
IAP315 (SSID Profile "GUEST") # vlan guest
IAP315 (SSID Profile "GUEST") # auth-server InternalServer
Logon Role and Access Rules
Reuse the previously configured Access Rule GUEST
IAP315 (config) # wlan access-rule GUEST
IAP315 (Access Rule "GUEST") # rule any any match any any any permit
Enable Authentication in Captive Portal
wlan captive-portal
background-color 13487359
banner-color 0
redirect-url "https://aventistech.com"
banner-text "Welcome to Guest Network"
terms-of-use "This network is not secure, and use is at your own risk"
use-policy "Please read terms and conditions before using Guest Network"
authenticated
Guest users will be redirected to the authentication page below when they connect to GUEST WIFI
Facebook Wi-Fi
Create a Page in Facebook by following this link
Change the existing GUEST SSID to use Facebook and commit the changes
IAP315 (config) # wlan ssid-profile GUEST
IAP315 (SSID Profile "GUEST") # captive-portal facebook
IAP315 # commit apply
Click Facebook Configuration in the WebUI to configure Facebook-WIFI
Login with Facebook account and select the page created previously
Select either a link to skip check-in or a WIFI Code for users to enter to skip Facebook check-in
Select the Session Length to limit how long a guest can access WIFI during each session
Guest users will be prompted to log in using their Facebook ID or WI-FI Code when they connect to the GUEST SSID