AMIGOPOD PowerConnect W Clearpass 100 Software Integration Manual

Arubaos integration guide

Amigopod and ArubaOS
Integration
Version 1.0


Summary of Contents for AMIGOPOD PowerConnect W Clearpass 100 Software

  • Page 1 Amigopod and ArubaOS Integration Version 1.0...
  • Page 2: Legal Notice

    Amigopod and ArubaOS Integration Application Note Copyright © 2011 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company®...
  • Page 3: Table Of Contents

    Amigopod and ArubaOS Integration Application Note Table of Contents Chapter 1: Introduction Reference Material Chapter 2: Captive Portal Authentication Captive Portal Overview ArubaOS or Amigopod for Visitor Management Captive Portal Authentication Workflow Chapter 3: ArubaOS Configuration Creating a RADIUS Server Instance Modify NAS ID for Master Local Deployments Add RADIUS Server to a Server Group Creating an RFC3576 Server Instance...
  • Page 4: Table Of Contents

    Amigopod and ArubaOS Integration Application Note Chapter 6: Troubleshooting Tips Appendix A: Contacting Aruba Networks Contacting Aruba Networks Aruba Networks, Inc. Table of Contents...
  • Page 5: Chapter 1: Introduction

    Amigopod and ArubaOS Integration Application Note Chapter 1: Introduction Aruba supports advanced visitor management services through the combination of Aruba Mobility Controllers and APs running the ArubaOS software, and Aruba Amigopod guest management software. This guide describes the configuration process that must be performed on the Aruba Mobility Controllers and the Aruba Amigopod to create a fully integrated visitor management solution.
  • Page 6: Chapter 2: Captive Portal Authentication

    Amigopod and ArubaOS Integration Application Note Chapter 2: Captive Portal Authentication Captive portals are the simplest form of authentication for users. This section introduces the concepts behind the authentication and compares and contrasts Amigopod with the ArubaOS portal. Captive Portal Overview Captive portal allows a wireless client to authenticate using a web-based portal page.
  • Page 7: Arubaos Or Amigopod For Visitor Management

    Amigopod and ArubaOS Integration Application Note ArubaOS or Amigopod for Visitor Management ArubaOS supports two methods of guest access: using just the mobility controller or using the mobility controller plus Amigopod. ArubaOS supports basic guest management and captive portal functionality, with guest access limited to a single master-local cluster.
  • Page 8 Amigopod and ArubaOS Integration Application Note Table 2 Comparison of ArubaOS Captive Portal and Amigopod (Continued) ArubaOS Plus Feature ArubaOS Amigopod Export/import of user database Mandatory and nonmandatory fields Guest password complexity requirements Guest account information printing via templates Guest credential delivery through email and SMS Force password change on first login Delete and/or disable guest accounts on expiration Guest Session Management...
  • Page 9 Amigopod and ArubaOS Integration Application Note Table 2 Comparison of ArubaOS Captive Portal and Amigopod (Continued) ArubaOS Plus Feature ArubaOS Amigopod Enterprise Features and Scalability Managing 1000s of accounts High availability/redundancy Expandability (plug-in architecture) Although ArubaOS supports internal and external captive portal functionality, this guide focuses on external captive portal functionality.
  • Page 10: Captive Portal Authentication Workflow

    Amigopod and ArubaOS Integration Application Note Captive Portal Authentication Workflow Figure 2 shows the phases that a guest user passes through during a captive portal authentication process. In the Aruba system, the mobility controller acts as the network access server (NAS) and Amigopod acts as the RADIUS server.
  • Page 11 Amigopod and ArubaOS Integration Application Note 4. The login message instructs the guest user’s browser to submit the user credentials directly to the Aruba controller as a HTTPS POST for authentication processing. 5. When the Aruba controller receives the user credentials, it creates a corresponding RADIUS session and sends an Access-Request message to the defined Amigopod RADIUS server.
  • Page 12: Chapter 3: Arubaos Configuration

    Amigopod and ArubaOS Integration Application Note Chapter 3: ArubaOS Configuration Three phases make up the configuration of the ArubaOS controller to support external captive portal based authentication leveraging the RADIUS protocol: 1. Base RADIUS configuration 2. Captive portal configuration 3. Enabling captive portal on existing guest WLAN Figure 3 summarizes the steps covered in this chapter to successfully complete the ArubaOS configuration that is needed to integrate with the Amigopod external captive portal and RADIUS...
  • Page 13 Amigopod and ArubaOS Integration Application Note Adding a RADIUS Server aaa authentication-server radius "Amigopod" host 10.169.130.50 key ******* Figure 4 Adding a RADIUS server Ensure that the key is recorded, because you will need this shared secret for a later step in the Amigopod configuration. For security purposes, each NAS should have its own key.
  • Page 14: Modify Nas Id For Master Local Deployments

    Amigopod and ArubaOS Integration Application Note Modify NAS ID for Master Local Deployments In an Aruba master local deployment, you must modify the NAS ID of the local controllers to ensure that the correct identifier is recorded in the RADIUS accounting traffic sourced from each local controller that is responsible for terminating the APs.
  • Page 15: Add Radius Server To A Server Group

    Amigopod and ArubaOS Integration Application Note Modify RADIUS Client Settings ip radius nas-ip 10.169.145.4 ip radius source-interface vlan 145 Figure 5 Modify RADIUS client setting Add RADIUS Server to a Server Group A server group must be created to define which authentication server will be referenced during the authentication of visitor accounts.
  • Page 16: Creating An Rfc3576 Server Instance

    Amigopod and ArubaOS Integration Application Note Adding a AAA Server Group aaa server-group "Guest-Amigopod" auth-server "Amigopod" position 1 Figure 6 Adding a AAA server group Creating an RFC3576 Server Instance RFC3576 is an extension to the RADIUS standard that allows for a RADIUS server initiated control of an established RADIUS AAA session.
  • Page 17 Amigopod and ArubaOS Integration Application Note RFC3576 Server Configuration aaa rfc-3576-server "10.169.130.50" key wireless Figure 7 RFC3576 server configuration Aruba Networks, Inc. ArubaOS Configuration...
  • Page 18: Creating A Captive Portal Profile

    Amigopod and ArubaOS Integration Application Note Creating a Captive Portal Profile One of the key features of Amigopod is the ability to host the branded web login or captive portal pages on the Amigopod appliance. With the captive portal profile, you can configure the login and optional welcome pages to be hosted by Amigopod.
  • Page 19 Amigopod and ArubaOS Integration Application Note Captive Portal Profile Configuration aaa authentication captive-portal "guestnet" default-role auth-guest redirect-pause 3 no logout-popup-window login-page https://10.169.130.50/Aruba_Login.php welcome-page https://10.169.130.50/Aruba_welcome.php switchip-in-redirection-url Figure 8 Captive portal profile configuration The example captive portal profile shows the use of HTTPS as the protocol for the redirect URLs for the login and welcome pages.
  • Page 20: Configure Authentication For Captive Portal Profile

    Amigopod and ArubaOS Integration Application Note Configure Authentication for Captive Portal Profile Now that the new captive portal profile has been created, you must select the server group for the Amigopod RADIUS definition as the authentication source. Configure the Authentication Source aaa authentication captive-portal "guestnet"...
  • Page 21: Modify The Aaa Profile

    Amigopod and ArubaOS Integration Application Note Modify the AAA Profile The AAA profiles define how users are authenticated. The AAA profile determines the user role for unauthenticated clients (initial role) and the user role to be applied after successful authentication (default role) based on the authentication type.
  • Page 22 Amigopod and ArubaOS Integration Application Note Enable 3576 Support aaa profile "guestnet" rfc-3576-server "10.169.130.50" Figure 11 Enabling RFC3576 support Aruba Networks, Inc. ArubaOS Configuration...
  • Page 23: Define A Policy To Permit Traffic To Amigopod

    Amigopod and ArubaOS Integration Application Note Define a Policy to Permit Traffic to Amigopod A new firewall policy must be created and assigned to the initial role allocated to unauthenticated guest users to allow the successful redirect to the captive portal page defined on Amigopod. These policies can be simplified by using the existing network destination alias as defined in the campus VRD baseline configuration.
  • Page 24 Amigopod and ArubaOS Integration Application Note Example of Source NAT on VLAN ip access-list session "amigopod" alias "user" alias "Amigopod" "svc-http" permit queue low alias "user" alias "Amigopod" "svc-https" permit queue low Figure 13 Amigopod access – source NAT on VLAN example Source NAT per Application If you are using application-based source NAT, use this configuration.
  • Page 25: Enable Captive Portal On Initial Role Of Captive Portal Profile

    Amigopod and ArubaOS Integration Application Note Enable Captive Portal on Initial Role of Captive Portal Profile In the previous step, the initial role for this captive portal authentication configuration is configured as guest-logon. This role must be modified to enable the newly created Amigopod captive portal profile. If you forget this step, the captive portal is not triggered when a new guest connects to the guest Wi-Fi SSID.
  • Page 26: Verify Virtual Ap Configuration

    Amigopod and ArubaOS Integration Application Note Verify Virtual AP Configuration Based on the baseline configuration detailed in the campus VRD resource, the guest virtual AP should have the appropriate SSID and AAA profile applied. Virtual AP Configuration wlan virtual-ap "guestnet" ssid-profile "guestnet"...
  • Page 27: Chapter 4: Amigopod Configuration

    Amigopod and ArubaOS Integration Application Note Chapter 4: Amigopod Configuration Leveraging the baseline configurations in the campus VRD design, this guide assumes that the Amigopod appliance is installed and available on the network. The reference design has Amigopod installed on an IP address of 10.169.130.50 and the assumption is that there is Internet access available to this IP address.
  • Page 28 Amigopod and ArubaOS Integration Application Note A correctly configured subscription ID can be verified by browsing to Amigopod Administrator > Plugin Manager > Manage Subscriptions as shown in Figure Figure 18 Amigopod Subscription Manager Aruba Networks, Inc. Amigopod Configuration...
  • Page 29 Amigopod and ArubaOS Integration Application Note If you click Check for plugin updates, the software update process begins on the Amigopod appliance. As shown in Figure 19, the system contacts the software distribution server and downloads any new updates to the Amigopod system, any new licensed plugins, and other licensing updates. Figure 19 Add new Amigopod plugins If updates are available, they are listed and can be selected individually for installation.
  • Page 30: Configure Radius Nas For An Aruba Controller

    Amigopod and ArubaOS Integration Application Note A useful diagnostic tool to verify that Amigopod has Internet connectivity via HTTP is available under Administrator > Network Setup > Network Diagnostics shown in Figure Figure 21 Amigopod diagnostics Configure RADIUS NAS for an Aruba Controller For the Aruba controller to authenticate users, it must be able to communicate with the Amigopod RADIUS instance.
  • Page 31 Amigopod and ArubaOS Integration Application Note The following fields must be configured in the RADIUS NAS definition as seen in Figure Name the NAS entry to match the local controller naming convention (need not be present in DNS). Enter IP address of the Aruba controller. ...
  • Page 32 Amigopod and ArubaOS Integration Application Note Click Create NAS Device, and you are prompted to restart the RADIUS server as seen in Figure You must restart the server, because the RADIUS server within Amigopod rejects any request from the Aruba controller as unknown until the restart has been performed. Figure 24 Restart the RADIUS server Aruba Networks, Inc.
  • Page 33: Configure Web Login For Captive Portal Authentication

    Amigopod and ArubaOS Integration Application Note Configure Web Login for Captive Portal Authentication If you clicked Create Web Login in the previous step, a newly created web login page can be seen in Customization > Web Logins. Figure 25 shows the automatically created web login, but a new one can be created manually at a later stage.
  • Page 34: Optional Customization Of The Web Login Page

    Amigopod and ArubaOS Integration Application Note Alternatively, the switchip variable that is sent as part of the redirect URL can be parsed automatically and used as the IP address for the web login credential submission. This option should be selected in multicontroller environments so that the web login page dynamically is aware of which controller the guest user is currently connected to and therefore which controller must be part of the authentication transaction.
  • Page 35: Amigopod Skins And Content Customization

    Amigopod and ArubaOS Integration Application Note You can enable the display of an Accept Terms & Conditions option on the login page. This option refers to the default terms and conditions URL defined under Customization > Guest Manager Settings as seen in Figure Figure 27 Configuration of terms and conditions...
  • Page 36: Web Login Access Lists

    Amigopod and ArubaOS Integration Application Note The Title field allows you to customize the page title that is displayed in the browser. The Header, Footer, and Login fields allow the administrator to add and modify the displayed text and content displayed on the web login page.
  • Page 37: Configure The Radius User Role

    Amigopod and ArubaOS Integration Application Note Configure the RADIUS User Role The RADIUS user role is a collection of one or many RADIUS standard or vendor-specific attributes (VSAs). These attributes can be used to signal role-based access control context back to the Aruba controller as shown in Figure Figure 30...
  • Page 38: (Optional) Import Sample Welcome Page

    Amigopod and ArubaOS Integration Application Note This RADIUS role is presented as a selection when creating new guest accounts via the Create User screens of the Amigopod Guest Manager or can be hard coded as a hidden field in the self-registration pages to ensure that each user session gets managed appropriately on the Aruba controller.
  • Page 39 Amigopod and ArubaOS Integration Application Note Figure 32 Restore welcome page To restore the customized welcome page, check Restore settings from backup and click Restore Configuration. When the restore is complete, browse to Customize > Web Logins and verify that the web login page has been successfully restored to the local deployment, as seen in Figure Figure 33...
  • Page 40 Amigopod and ArubaOS Integration Application Note As seen in the Page Name column in Figure 33, this web login page is hosted at the following address: https://10.169.130.50/Aruba_welcome.php This URL can be changed to suit each local deployment and the corresponding captive portal profile on the ArubaOS controller must be modified to match any changes made.
  • Page 41 Amigopod and ArubaOS Integration Application Note A logout page is also included in the sample backup file. This page is linked to the Wi-Fi Logout button on the previous welcome page and allows for further messaging to be displayed on the logout page. As shown in Figure 35, the inclusion of this sample logout page allows for a consistent user experience...
  • Page 42: Chapter 5: Integration Verification

    Amigopod and ArubaOS Integration Application Note Chapter 5: Integration Verification If you complete the steps in Chapter 3: ArubaOS Configuration and Chapter 4: Amigopod Configuration, you should have the base configuration for a functioning guest access solution that can be further customized to suit each local deployment. The chapter provides some simple verification tests that can be performed to ensure that all the functional components are in place and are working as expected.
  • Page 43 Amigopod and ArubaOS Integration Application Note The resulting account is created with random digits for both the username and password as shown in Figure Figure 37 Completed guest account If numeric user credentials will be challenging during your testing phase, these credentials can be edited easily by clicking the List guest accounts option.
  • Page 44: Testing Radius

    Amigopod and ArubaOS Integration Application Note On the Edit screen, a new username and password can be defined manually to make any level of repetitive testing easier on the administrator. Click Update Account to display the confirmation page as shown in Figure Figure 39 Updated guest account...
  • Page 45 Amigopod and ArubaOS Integration Application Note On the Amigopod side, you can also look at the end of the RADIUS log to verify that the transactions are executing on that side. Figure 41 RADIUS log tail If you experience any issues with the authentication process, the RADIUS debugger can be enabled from this page for more detailed analysis.
  • Page 46: Test Login And Verify Successful Radius Transaction

    Amigopod and ArubaOS Integration Application Note Test Login and Verify Successful RADIUS Transaction Now that everything is set up on the Amigopod and the Aruba controller, attempt to connect a test wireless or wired client to the network. The session should be redirected successfully to the Amigopod web login page.
  • Page 47 Amigopod and ArubaOS Integration Application Note After you enter the test user account credentials and click Log In, a successful end-to-end RADIUS transaction should be the result. You can verify by referring to the end of the RADIUS log as shown in Figure 43.
  • Page 48: Check That Radius Accounting Is Working As Expected

    Amigopod and ArubaOS Integration Application Note Check that RADIUS Accounting is Working as Expected If RADIUS accounting traffic is not being received by Amigopod, you will not find a corresponding entry in the Guests > Active Sessions page shown in Figure Given the Interim Accounting support in ArubaOS 6.1, this page displays live traffic statistics based on these updates.
  • Page 49 Amigopod and ArubaOS Integration Application Note Chapter 6: Troubleshooting Tips This chapter provides basic troubleshooting steps to use for specific issues. If the test device is not being redirected to the Amigopod captive portal: Check the DNS resolution because the client will not be redirected if it cannot resolve the initially ...
  • Page 50: Contacting Aruba Networks

    Amigopod and ArubaOS Integration Application Note Appendix A: Contacting Aruba Networks Contacting Aruba Networks Web Site Support Main Site http://www.arubanetworks.com Support Site https://support.arubanetworks.com Software Licensing Site https://licensing.arubanetworks.com/login.php Wireless Security Incident http://www.arubanetworks.com/support/wsirt.php Response Team (WSIRT) Support Emails Americas and APAC support@arubanetworks.com EMEA emea_support@arubanetworks.com WSIRT Email...
  • Page 51 Amigopod and ArubaOS Integration Application Note Telephone Support Universal Free Phone Service Numbers (UIFN): IDC: 10 810 494 34526 * Select fixed phones Japan IDC: 0061 010 812 494 34526 * Any fixed, mobile & payphone KDD: 10 813 494 34526 * Select fixed phones JT: 10 815 494 34526 * Select fixed phones JT: 0041 010 816 494 34526 * Any fixed, mobile &...

This manual is also suitable for:

Amigopodos 3.3