![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-1024x422.png)
Proof of concept – Cisco Captive Portal via an Aruba Mobility Controller. The wireless LAN controllers are “firewalled” and can only communicate with each other via firewall policies.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-15-1024x140.png)
Aruba Mobility Conductor CLI Config
Internal Controller
1. Create a network service for TCP/HTTPS 8443, the ISE port used for the captive-portal redirect
netservice ise-https tcp 8443
!
2. Create a network destination
netdestination cisco_ise
host 10.0.0.36
host 10.0.0.37
!
3. Create an access list that permits traffic to ISE
ip access-list session LIMITED-GUEST-ACCESS
user any udp 68 deny
any any ise-https permit
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-https permit
any any svc-http permit
!
ip access-list session PERMIT-TO-ISE
user alias cisco_ise ise-https permit
!
4. Create the initial role on the internal controllers
user-role GUEST-PERMIT
access-list session PERMIT-TO-ISE
access-list session LIMITED-GUEST-ACCESS
!
5. Define the RFC 3576 servers (the key here is the shared secret ISE uses for CoA)
aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa rfc-3576-server "10.0.0.37"
key 826fe15a2c82904dfdaffdad
!
6. Define the AAA servers and server GROUP
aaa authentication-server radius "LAB_ISEPSN"
host "10.0.0.36"
key 991e4cb4b9233aaec19
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "LAB_ISEPSN_2"
host "10.0.0.37"
key cc2b0ada63fac600ac438
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa server-group "LAB_ISEPSN_SVG"
auth-server LAB_ISEPSN_2 position 1
auth-server LAB_ISEPSN position 2
!
7. Create the AAA DOT1X Profile
aaa authentication dot1x "DOT1X-L2-0526NYC2024"
max-requests 2
timer wpa-key-period 3000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
8. Create the L2 MAC auth
aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!
9. Create the AAA Profile
aaa profile "0526NYC2024_AAA_PROF"
initial-role "GUEST-PERMIT"
authentication-mac "WIRELESS_L2_MAC_AUTH"
mac-default-role "GUEST-PERMIT"
authentication-dot1x "DOT1X-L2-0526NYC2024"
dot1x-default-role "GUEST-PERMIT"
dot1x-server-group "LAB_ISEPSN_SVG"
radius-accounting "LAB_ISEPSN_SVG"
radius-roam-accounting
radius-interim-accounting
rfc-3576-server "10.0.0.36"
rfc-3576-server "10.0.0.37"
enforce-dhcp
!
10. Create the SSID Profile/ virtual-ap and assign the user VLAN
wlan ssid-profile "0526NYC2024_SSID_PROF"
essid "0526NYC2024"
wpa-passphrase fadd999fd7c7a2214c5b
opmode wpa2-psk-aes
a-basic-rates 12 24
a-tx-rates 12 18 24 36 48 54
g-basic-rates 24
g-tx-rates 12 18 24 36 48 54
wmm
wmm-vo-dscp "48"
wmm-vi-dscp "32"
wmm-be-dscp "0"
wmm-bk-dscp "8"
g-beacon-rate 24
a-beacon-rate 24
multicast-rate 24
qbss-load-enable
advertise-location
advertise-ap-name
!
wlan virtual-ap "0526NYC2024"
aaa-profile "0526NYC2024_AAA_PROF"
vlan 667
ssid-profile "0526NYC2024_SSID_PROF"
!
11. Associate the virtual-ap with the AP-Group
ap-group "BROOKLYN-RETAIL-2-AP-GROUP"
virtual-ap "0526NYC2024"
!
DMZ Controller
1. Create a network service for TCP/HTTPS 8443, the ISE port used for the captive-portal redirect
netservice ise-https tcp 8443
!
2. Create a network destination
netdestination cisco_ise
host 10.0.0.36
host 10.0.0.37
!
3. Create an access list that permits traffic to ISE
ip access-list session LIMITED-GUEST-ACCESS
user any udp 68 deny
any any ise-https permit
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-https permit
any any svc-http permit
!
ip access-list session PERMIT-TO-ISE
user alias cisco_ise ise-https permit
!
4. Create the AAA authentication captive-portal profile
aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
no user-logon
!
5. Create the redirect role on the DMZ controller (this role is returned by Cisco ISE as part of the redirect authorization attributes)
user-role DMZ-WIRELESS-GUEST-REDIRECT
access-list session ra-guard
access-list session logon-control
access-list session PERMIT-TO-ISE
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
6. Define the RFC 3576 servers
aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa rfc-3576-server "10.0.0.37"
key 826fe15a2c82904dfdaffdad
!
7. Define the AAA servers and server GROUP
aaa server-group "LAB_ISEPSN_SVG"
auth-server LAB_ISEPSN_2 position 1
auth-server LAB_ISEPSN position 2
!
aaa authentication-server radius "LAB_ISEPSN"
host "10.0.0.36"
key 991e4cb4b9233aaec19
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "LAB_ISEPSN_2"
host "10.0.0.37"
key 991e4cb4b9233aaec19
called-station-id type macaddr include-ssid enable delimiter colon
8. Create the AAA DOT1X Profile
aaa authentication dot1x "DOT1X-L2-0526NYC2024"
max-requests 2
timer wpa-key-period 3000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
9. Create the L2 MAC auth
aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!
10. Create the AAA Profile
aaa profile "0526NYC2024_AAA_PROF"
initial-role "guest-logon"
authentication-mac "WIRELESS_L2_MAC_AUTH"
mac-default-role "guest-logon"
mac-server-group "LAB_ISEPSN_SVG"
authentication-dot1x "DOT1X-L2-0526NYC2024"
dot1x-default-role "guest-logon"
dot1x-server-group "LAB_ISEPSN_SVG"
radius-accounting "LAB_ISEPSN_SVG"
radius-roam-accounting
radius-interim-accounting
rfc-3576-server "10.0.0.36"
rfc-3576-server "10.0.0.37"
enforce-dhcp
!
11. Create the Wired VLAN AAA Profile Association
vlan 667
wired aaa-profile 0526NYC2024_AAA_PROF
!
vlan 668
wired aaa-profile 0605NYC2024_AAA_PROF
!
Mobility Controllers Interface and Tunnel Configuration
Internal Controller:
interface tunnel 266
description "TUNNEL TO pDMZANHCOR0001"
tunnel source 10.0.205.5
trusted
tunnel destination 10.0.66.14
tunnel mode gre 1
trusted vlan 1-4094
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
!
interface tunnel 662
description "TUNNEL TO vDMZANCHOR0001"
tunnel source 10.0.205.5
trusted
tunnel destination 10.0.66.3
tunnel mode gre 1
trusted vlan 1-4094
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
!
controller-ip vlan 3023
interface mgmt
shutdown
!
vlan 666
vlan 667
vlan 668
vlan 3023
DMZ Controller:
interface gigabitethernet 0/0/0
description "LINK TO ASA VLAN 666 PORT"
switchport mode trunk
switchport trunk native vlan 666
no spanning-tree
trusted
lldp transmit
lldp receive
trusted vlan 1-4094
!
interface gigabitethernet 0/0/1
description "LINK TO ASA VLAN 667 PORT"
switchport mode trunk
switchport trunk native vlan 667
no spanning-tree
trusted
lldp transmit
lldp receive
trusted vlan 1-4094
!
interface gigabitethernet 0/0/2
description "LINK TO ASA VLAN 668 PORT"
switchport mode trunk
switchport trunk native vlan 668
no spanning-tree
trusted
lldp transmit
lldp receive
trusted vlan 1-4094
!
interface tunnel 663
description "TUNNEL TO US-NYC-VMC0003"
tunnel source 10.0.66.14
tunnel destination 10.0.205.6
tunnel mode gre 1
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
no trusted
!
interface tunnel 662
description "TUNNEL TO US-NYC-VMC0002"
tunnel source 10.0.66.14
tunnel destination 10.0.205.5
tunnel mode gre 1
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
no trusted
!
interface tunnel 661
description "TUNNEL TO US-NYC-VMC0001"
tunnel source 10.0.66.14
tunnel destination 10.0.205.4
tunnel mode gre 1
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
no trusted
!
Verify that the captive portal profile is attached to the user role.
Click “show advanced” to see the captive portal settings.
DMZ Controller
#show configuration effective | begin "aaa authentication captive-portal"
aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
no user-logon
!
user-role DMZ-WIRELESS-GUEST-REDIRECT
access-list session ra-guard
access-list session logon-control
access-list session PERMIT-TO-ISE
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
!
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-34-1024x282.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-35-1024x433.png)
Add the Controllers to Cisco ISE as a network access device (NAD)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-1-1024x315.png)
Click on the “+” sign to add a device
Note: The Aruba_AOS XML file can be found here
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-2-1024x583.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-3-1024x638.png)
Create an authorization policy/profile
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-4-1024x267.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-5-1024x314.png)
The first authorization profile will redirect the user to ISE’s captive portal. Copy and paste the ACL from the mobility controller.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-36-1024x448.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-37-1024x429.png)
Click save
The following attributes will be automatically added
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-38-1024x317.png)
Create a second authorization profile that will permit Internet access only. Copy and paste the ACL from the mobility controller.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-39-1024x515.png)
The following attributes will be automatically added
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-40-1024x418.png)
Create a simple policy set
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-2-1024x95.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-42-1024x223.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-43-1024x238.png)
Testing the configuration on a client
The sponsor creates a guest account
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-16-1024x640.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-4-1024x379.png)
Note: The guest credentials can also be emailed to the user.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-15.png)
Windows Client
Kali Linux Client
iPhone 8
ISE verification
The device connected and received the redirect role from ISE
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-6-1024x464.png)
The user successfully logged in
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-7-1024x628.png)
Cisco ISE sent a change of authorization (CoA) request, which disconnected the user.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-8-1024x591.png)
The CoA request allowed Cisco ISE to put the user in the final authorization role of permitting Internet-only.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-9-1024x550.png)
DMZ WLC verification
CLI
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-5-1024x210.png)
ACL hit counts verifying that the ACL is "correct"
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-17-1024x188.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-18-1024x124.png)
GUI
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-11-1024x294.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-20-1024x263.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-12-1024x426.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-21-1024x415.png)
Internal controller verification
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/data-1024x186.png)
Firewall blocking traffic from the DMZ to the internal network
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-13-1024x586.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/06/image-14-1024x210.png)
Issue: CoA failed, and the user was stuck in a redirect loop while trying to access the Internet.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/COA-1024x578.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-19-1024x408.png)
It appears that the shared secret on the server was incorrect.
show aaa rfc-3576-server statistics
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/COA-2-1024x138.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-17.png)
Resolution: I updated the shared secret on the DMZ controller, and CoA worked as expected.
show aaa rfc-3576-server statistics
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-18-1024x181.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-20-1024x238.png)
Packet capture from ISE (10.0.0.36)
1. The client connects to the SSID, and ISE sends an "access-accept" that redirects the user to the captive portal via the "GUEST-WIRELESS-REDIRECT" role
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-25-1024x511.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-28-1024x139.png)
2. Once the guest account is registered, Cisco ISE responds with a "disconnect-request" message
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-21-1024x354.png)
3. The “disconnect-request” contains the MAC address of the wireless client.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-22-1024x472.png)
Verify the device’s MAC address
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-23.png)
4. The DMZ controller responds with a “disconnect-ack”
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-24-1024x520.png)
5. ISE responded with an “access-accept,” which contains the second authorization attributes
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-29-1024x502.png)
6. Verified that the user obtained the correct user-role on the DMZ controller.
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/COA-3-1024x135.png)
7. Accounting frame from the DMZ controller to ISE
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-30-1024x470.png)
8. ISE live log verification
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-31-1024x562.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2024/05/image-32-1024x152.png)
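To show why the mismatched shared secret broke CoA (the Issue/Resolution above) and what the disconnect-request/disconnect-ack exchange in the capture carries, here is an added Python example; it is not from the original post or from Aruba or Cisco code. It builds an RFC 5176 (successor of RFC 3576) Disconnect-Request with the client MAC in Calling-Station-Id the way the CoA server does, then handles it the way the NAS does with a matching key and with a stale key; the secret and MAC are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for dynamic authorization (Disconnect-Request / -ACK).
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
CALLING_STATION_ID = 31  # RFC 2865 attribute carrying the client MAC

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    """Decode RADIUS TLVs into a dict of type -> value, rejecting bad lengths."""
    out, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[i + 2:i + ln]
        i += ln
    return out

def build_disconnect_request(secret, client_mac, ident=7):
    """Build a Disconnect-Request as the CoA server (ISE) does. The Request
    Authenticator is MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    attrs = encode_attrs([(CALLING_STATION_ID, client_mac.encode())])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def nas_handle_request(packet, secret):
    """Act as the NAS (the DMZ controller): recompute the authenticator with
    the locally configured rfc-3576-server key. On mismatch RFC 5176 says to
    drop the request silently, which is the 'CoA failed' symptom seen above.
    Returns (verdict, reply) where reply is None when dropped."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(auth, expected):
        return "dropped: bad authenticator (shared secret mismatch?)", None
    mac = parse_attrs(attrs).get(CALLING_STATION_ID, b"").decode()
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    reply_hdr = struct.pack("!BBH", DISCONNECT_ACK, packet[1], 20)
    reply_auth = hashlib.md5(reply_hdr + auth + secret).digest()
    return f"disconnect-ack for {mac}", reply_hdr + reply_auth

# Constructed demo values (not the page's keys): ISE and the NAS agree on the
# secret in the first case; in the second the NAS still has a stale key.
ISE_SECRET = b"constructed-secret"
req = build_disconnect_request(ISE_SECRET, "aa:bb:cc:dd:ee:ff")
ok_verdict, ack = nas_handle_request(req, ISE_SECRET)
bad_verdict, dropped = nas_handle_request(req, b"stale-secret")
```

The same check against a real capture explains the page's `show aaa rfc-3576-server statistics` counters: a request that fails the authenticator produces no disconnect-ack at all.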