Create Network Services
These define reusable TCP/UDP ports by name (similar to service objects).
netservice ise-https-8443 tcp 8443
netservice ise-https-8084 tcp 8084
netservice ise-https-8905 tcp 8905
Purpose: ArubaOS needs to know which ports ISE uses for HTTPS redirection.
8443 – Cisco ISE Guest Portal default redirect port.
8084 / 8905 – Further ISE ports used by this deployment. 8905 is the port ISE uses for client provisioning and posture agent communication, which BYOD onboarding relies on; 8084 is not an ISE default and is presumably a portal (e.g. Hotspot or BYOD) port bound to a custom port in this ISE deployment.
These allow the ACL to reference “ise-https-8443” instead of numeric port 8443.
Define Network Destinations
These are named groups of IPs (like objects or host groups).
netdestination dmzwireless.netprojekralac.com
host 10.0.77.36
host 10.0.66.36
Purpose: Defines the DMZ PSN (Policy Service Node) IPs used by Cisco ISE.
The WLC will allow or redirect clients to these IPs for portal authentication.
Check: the RADIUS and CoA server definitions further down use 10.0.77.37, not 10.0.77.36. The alias must list the addresses the portals actually listen on, otherwise the permit rules that reference it never match for that node.
Create Limited Access ACL
This is the restricted session ACL used before authentication.
ip access-list session RESTRICTED-GUEST-ACCESS-ACL
user any udp 68 deny
any any ise-https permit
any any ise-https-8443 permit
any any ise-https-8084 permit
any any ise-https-8905 permit
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-https permit
any any svc-http permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
Line-by-line:
- user any udp 68 deny → blocks traffic from a client to UDP port 68, the DHCP client port. Only a DHCP server sends to port 68, so this stops a client on the SSID from acting as a rogue DHCP server for its neighbours.
- any any ise-https* permit → allows HTTPS to ISE on 443 (ise-https, a netservice whose definition is not shown in the block above), 8443, 8084 and 8905.
- svc-icmp / svc-dns / svc-dhcp / svc-http / svc-https / svc-natt → allows the services needed for connectivity and redirect. Note that svc-http and svc-https are permitted to any destination here, so this role does not by itself restrict web browsing before authentication.
- The last two lines deny link-local (169.254.0.0/16) and reserved Class E (240.0.0.0/4) destinations. Session ACLs are first-match, so these denies only catch services not already permitted above them; HTTP, HTTPS, DNS or ICMP to those ranges is still permitted by the earlier "any any ... permit" lines. Put the deny lines first if they are meant to be absolute.
Define Initial Role
user-role RESTRICTED-GUEST-ACCESS-ROLE
access-list session ra-guard
access-list session RESTRICTED-GUEST-ACCESS-ACL
access-list session v6-allowall
Purpose: Creates a user role assigned before authentication.
ra-guard: Protects against rogue IPv6 router advertisements.
RESTRICTED-GUEST-ACCESS-ACL: Enforces limited traffic.
v6-allowall: Allows all IPv6 traffic. Only ra-guard constrains IPv6 in this role, so the IPv4 restrictions of RESTRICTED-GUEST-ACCESS-ACL have no IPv6 counterpart; if IPv6 is routed on VLAN 778 this is worth tightening.
Define RFC 3576 (CoA) Servers
aaa rfc-3576-server “10.0.77.37”
key
…
aaa rfc-3576-server “10.0.66.36”
key
Purpose: Enables Change of Authorization (CoA, RFC 3576, now RFC 5176), which lets ISE tell the controller to reassign a role or disconnect a session once the user has authenticated or posture changes, without waiting for a new authentication.
The key must match the shared secret configured for this controller in ISE: the controller validates each CoA-Request's authenticator with it and silently discards requests that fail, and it only accepts CoA from addresses listed as an rfc-3576-server. A key or address mismatch therefore shows up as ISE reporting CoA failures while users stay in the initial role.
Define AAA Servers and Group
aaa authentication-server radius “DMZPSN2.NETPROJEKRALAC.COM”
host “10.0.77.37”
…
aaa authentication-server radius “DMZPSN1.NETPROJEKRALAC.COM”
host “10.0.66.36”
…
aaa server-group “DMZ-PSNS-SVGRP”
auth-server “DMZPSN2.NETPROJEKRALAC.COM” position 1
auth-server “DMZPSN1.NETPROJEKRALAC.COM” position 2
Defines two RADIUS servers (the ISE PSNs).
Each uses a key (elided above) and, per the elided settings, includes the SSID in the Called-Station-Id, which lets ISE policy match on SSID.
The server group lists both servers in priority order: position 1 is used first and position 2 when it does not respond, giving failover (load balancing across members is a separate server-group option).
Define Layer 2 MAC Authentication
aaa authentication mac “AAA-778-MAC-AUTH”
delimiter none
case lower
max-authentication-failures 0
no reauthentication
Defines MAC-based authentication behaviour. Note that MAC authentication identifies a device only by a value any client can set, so it is a lookup keyed on the MAC rather than proof of identity; here it lets ISE place the device in a session and return an initial role before the portal.
delimiter none / case lower: MACs are sent as lowercase, undelimited strings (aabbccddeeff), which must match the format ISE expects.
max-authentication-failures 0: no failure limit, so a device is never blacklisted for failing MAC auth.
no reauthentication: the controller does not periodically re-run MAC auth; the client keeps its session until it disconnects or ISE changes it via CoA.
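To make the MAC-auth profile options concrete, here is an added example (not code from the page or from ArubaOS) that formats a MAC the way delimiter/case settings do and applies the RFC 2865 User-Password hiding that a PAP-style MAC-auth request carries. The shared secret and Request Authenticator are placeholders; the point it shows is that the "password" is the MAC itself, which anyone on the SSID can observe or spoof.

```python
"""Added example, not from the original page: what an ArubaOS MAC-auth
request carries.  The controller sends the client MAC as User-Name and
User-Password (PAP); 'delimiter' and 'case' only change the string format,
which ISE must be configured to match.  Secret/authenticator are placeholders."""
import hashlib
import os
import re

DELIMITERS = {"none": "", "colon": ":", "dash": "-"}   # ArubaOS delimiter choices


def format_mac(mac, delimiter="none", case="lower"):
    """Normalise any common MAC spelling to the profile's delimiter/case form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.lower() if case == "lower" else hexdigits.upper()
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    return DELIMITERS[delimiter].join(pairs)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server (ISE) performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def mac_auth_attributes(mac, secret, authenticator, delimiter="none", case="lower"):
    """User-Name / User-Password pair the controller would send for this profile."""
    name = format_mac(mac, delimiter, case)
    return {"User-Name": name,
            "User-Password": hide_password(name.encode(), secret, authenticator)}


if __name__ == "__main__":
    secret, authenticator = b"placeholder-radius-key", os.urandom(16)
    for delim, case in (("none", "lower"), ("colon", "upper"), ("dash", "lower")):
        attrs = mac_auth_attributes("AA:BB:CC:DD:EE:FF", secret, authenticator, delim, case)
        print(f"delimiter {delim:5} case {case:5} -> User-Name {attrs['User-Name']}")
```

The hiding step protects the value in transit between controller and ISE, but since the value is the MAC, the effective credential is public on the air; that is why the design layers a captive portal on top rather than trusting MAC auth alone.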
Define 802.1X Profile
aaa authentication dot1x “AAA-DOT1X-L2-778”
max-requests 2
timer wpa-key-period 3000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
Sets retry and timer parameters for the WPA/802.1X handshake.
max-requests 2 limits how many times the controller retransmits an EAP request before giving up; wpa-key-period (in ms) is the interval between key-exchange retries, and wpa2-key-delay / wpa-groupkey-delay (in ms) are the pauses before the pairwise and group key messages. Since the SSID below runs wpa2-psk-aes, no EAP exchange takes place on it and only the key-handshake timers of this profile are exercised.
Define the AAA Profile
aaa profile “778_AAA_PROF”
initial-role “RESTRICTED-GUEST-ACCESS-ROLE”
authentication-mac “AAA-778-MAC-AUTH”
mac-default-role “RESTRICTED-GUEST-ACCESS-ROLE”
authentication-dot1x “AAA-DOT1X-L2-778”
dot1x-default-role “RESTRICTED-GUEST-ACCESS-ROLE”
radius-roam-accounting
radius-interim-accounting
rfc-3576-server “10.0.77.37”
rfc-3576-server “10.0.66.36”
enforce-dhcp
This ties together everything for authentication:
- Uses the restricted role initially.
- Defines which MAC and 802.1X profiles to use.
- Enables accounting and CoA.
enforce-dhcp: a client that does not obtain its address through DHCP (for example one with a static IP) has its traffic dropped, so the MAC-to-IP binding reported to ISE in accounting can be trusted.
Create SSID Profile and Virtual AP
wlan ssid-profile “778_SSID_PROF”
essid “778”
wpa-passphrase 5if8f855u@k4fffeee
opmode wpa2-psk-aes
a-basic-rates 12 24
a-tx-rates 12 18 24 36 48 54
g-basic-rates 24
g-tx-rates 12 18 24 36 48 54
wmm
wmm-vo-dscp “48”
wmm-vi-dscp “32”
wmm-be-dscp “0”
wmm-bk-dscp “8”
g-beacon-rate 24
a-beacon-rate 24
multicast-rate 24
qbss-load-enable
advertise-location
advertise-ap-name
!
wlan ssid-profile “778_SSID_PROF”
- This begins the definition of an SSID profile named “778_SSID_PROF.”
- The SSID profile holds all radio, QoS, and security settings that will later be linked to a virtual AP and broadcast by access points.
essid “778”
- Sets the actual SSID name (the network name clients see when scanning Wi-Fi).
- "778" is what shows up in the client's Wi-Fi list.
- The profile name (778_SSID_PROF) is internal; the ESSID is public.
wpa-passphrase 5if8f855u@k4fffeee
- Defines the pre-shared key (PSK) used for WPA/WPA2 authentication.
- It’s the password clients must enter to join this SSID.
- Stored in obfuscated form in the controller configuration; it is the input to the 4-way handshake from which the per-session encryption keys are derived. The passphrase appears in clear text in this write-up, and with a PSK every guest shares the same key, so per-user identity on this SSID comes only from the MAC authentication and captive portal stages, not from the Wi-Fi security itself.
opmode wpa2-psk-aes
- Sets the operating mode for wireless security.
- wpa2-psk → WPA2 security using a pre-shared key.
- aes → AES (CCMP) encryption, the current standard for WPA2.
- This combination (WPA2-PSK-AES) encrypts the air with a shared passphrase and is common for guest or small deployments; it does not identify users, which is why this design layers MAC auth and an ISE captive portal on top of it.
a-basic-rates 12 24
- Defines mandatory/basic data rates for the 5 GHz (802.11a) band.
- Only clients capable of using these rates can connect.
- Lower data rates (6, 9 Mbps) are excluded → improves performance and reduces airtime overhead by forcing clients to use faster rates.
- 12 Mbps and 24 Mbps become the minimum required transmission rates.
a-tx-rates 12 18 24 36 48 54
- Lists all allowed transmit rates (data rates) for the 5 GHz band.
- Clients can dynamically shift between these based on signal strength (rate adaptation).
- Excluding the lowest (6 and 9 Mbps) keeps the network efficient and avoids slow clients hogging airtime.
g-basic-rates 24
- Sets the mandatory rate for 2.4 GHz (802.11g) clients.
- Forcing 24 Mbps as the minimum rate improves throughput but can reduce coverage slightly.
- It’s common in controlled environments (like retail or enterprise) to improve performance by eliminating very low data rates.
g-tx-rates 12 18 24 36 48 54
- Allowed transmission rates for 2.4 GHz band.
- Same logic as for 5 GHz: limit to mid-to-high rates to optimize airtime efficiency and discourage weak-signal associations.
wmm
- Enables Wi-Fi Multimedia (WMM), which activates Quality of Service (QoS) at the wireless MAC layer.
- WMM classifies traffic into four queues: Voice (VO), Video (VI), Best Effort (BE), and Background (BK).
- This is required for good voice/video performance and for 802.11e compliance.
wmm-vo-dscp “48”
- Maps voice traffic (WMM-VO) to DSCP value 48 (decimal), which is class selector CS6 (EF, the usual voice marking, is 46).
- Ensures that voice packets are prioritized through the network (low latency/jitter).
wmm-vi-dscp “32”
- Maps video traffic (WMM-VI) to DSCP value 32, which is CS4 (AF41 would be 34).
- Ensures streaming/video applications receive higher priority than best effort.
wmm-be-dscp “0”
- Maps best effort traffic (normal client traffic) to DSCP 0, meaning no QoS marking — default class.
- Used for general web browsing or non-time-sensitive data.
wmm-bk-dscp “8”
- Maps background traffic (e.g., file sync, updates) to DSCP 8 (CS1).
- Low priority; transmitted only when higher classes are idle.
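The four wmm-*-dscp values above are easier to sanity-check by deriving the PHB name and the WMM queue from the DSCP bits than by recalling tables. The following is an added example (not code from the page): it names the PHB a DSCP encodes, gives the ToS byte as seen in a capture, and applies the common DSCP-to-user-priority rule (the top three bits select the 802.11 UP, which selects the queue). That mapping rule is the usual default, not something the page states.

```python
"""Added example, not from the original page: derive the DiffServ PHB name,
the IP ToS byte and the WMM access category from a DSCP value, to check the
wmm-*-dscp mappings in the SSID profile.  DSCP -> UP via the top three bits is
the common default mapping, assumed here."""


def phb_name(dscp):
    """Name the standard PHB a 6-bit DSCP value encodes (CSx, AFxy, EF)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return "CS0 (default/BE)" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):      # AFxy: class in bits 5-3, drop precedence in bits 2-1
        return f"AF{cls}{low >> 1}"
    return "non-standard"


def tos_byte(dscp):
    """DSCP occupies the upper six bits of the IPv4 ToS / IPv6 Traffic Class byte."""
    return dscp << 2


def wmm_access_category(dscp):
    """Map DSCP to 802.11 UP (its top three bits), then UP to the WMM queue."""
    up = dscp >> 3
    return {0: "BE", 1: "BK", 2: "BK", 3: "BE", 4: "VI", 5: "VI", 6: "VO", 7: "VO"}[up]


def check_mapping(config):
    """For a {queue: dscp} mapping return {queue: (dscp, phb, lands_in_that_queue)}."""
    return {q: (d, phb_name(d), wmm_access_category(d) == q) for q, d in config.items()}


PAGE_MAPPING = {"VO": 48, "VI": 32, "BE": 0, "BK": 8}   # the SSID profile's values

if __name__ == "__main__":
    for queue, (dscp, phb, ok) in check_mapping(PAGE_MAPPING).items():
        print(f"wmm-{queue.lower()}-dscp {dscp:2d}: {phb:16} ToS 0x{tos_byte(dscp):02x} "
              f"queue match: {ok}")
```

Running it confirms that all four values land in the queue they are configured for, and that 48 and 32 are CS6 and CS4 rather than EF/AF41.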
g-beacon-rate 24
- Sets the beacon transmission rate for the 2.4 GHz band to 24 Mbps.
- Beacons are the management frames APs send every ~100 ms announcing the SSID.
- Raising the beacon rate helps reduce airtime overhead and encourages higher-rate associations.
- Clients that cannot decode a 24 Mbps frame at their current signal level will not see the SSID, which trims the effective cell edge.
a-beacon-rate 24
- Same as above, but for 5 GHz (802.11a/n/ac) radios.
- Beacons sent at 24 Mbps help maintain consistent airtime and limit coverage overlap.
multicast-rate 24
- Forces multicast traffic (e.g., mDNS, video streams, IPv6 advertisements) to transmit at 24 Mbps instead of the lowest rate.
- Improves efficiency (less airtime used per frame).
- However, clients with weak signals may miss some multicast packets — acceptable in enterprise networks optimized for performance.
qbss-load-enable
- Enables QoS Basic Service Set (QBSS) load information in beacons.
- APs include metrics like channel utilization and number of associated clients.
- Allows client devices to make intelligent roaming decisions (useful for voice handsets or Wi-Fi 6 clients).
advertise-location
- Tells the AP to include its configured location string in beacons and probe responses.
- Useful for site surveys, location analytics and troubleshooting; since anything in a beacon is visible to any scanner, keep the location string free of detail you would not want an outsider to read.
advertise-ap-name
- Instructs the AP to include its AP name in beacons and probe responses.
- Helps troubleshooting and location analytics — clients or backend systems can identify the exact AP a client associates with.
!
- Ends the SSID profile configuration block; anything following the "!" is back at the higher (global) configuration level.
Summary:
This SSID profile (778_SSID_PROF) configures a high-performance, QoS-enabled WPA2-PSK SSID optimized for enterprise/retail use:
- Fast minimum data rates (12/24 Mbps).
- Clean traffic prioritization (voice/video QoS).
- Efficient beacon and multicast handling.
- Supports accurate location and AP visibility.
wlan virtual-ap “778”
aaa-profile “778_AAA_PROF”
vlan 778
ssid-profile “778_SSID_PROF”
Combines the SSID with VLAN and AAA profile.
VLAN 778 is the user VLAN for guests.
Associate SSID with AP Group
ap-group “BROOKLYN-RETAIL-2-AP-GROUP”
virtual-ap “778”
Foreign (DMZ) Side
Create a session ACL allowing traffic to the ISE captive-portal IPs and ports.
ip access-list session RESTRICTED-GUEST-ACCESS-ACL
user alias dmzwireless.netprojekralac.com ise-https-8443 permit
user alias dmzwireless.netprojekralac.com ise-https-8084 permit
user alias dmzwireless.netprojekralac.com ise-https-8905 permit
user alias dmzwireless.netprojekralac.com ise-https permit
!
ip access-list session GUEST-LOGON-CONTROL
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
!
Create an AAA authentication captive-portal profile
aaa authentication captive-portal “778-CAPTIVE-PORTAL”
server-group “DMZ-PSNS-SVGRP”
no user-logon
apple-cna-bypass
!
Create the initial role on the DMZ controllers. ISE assigns this role to the session dynamically (the role name is returned in the Aruba-User-Role attribute).
user-role ONBOARDING-AND-GUEST-ROLE
access-list session ra-guard
access-list session GUEST-LOGON-CONTROL
access-list session PERMIT-TO-ISE-DMZ-PSN
access-list session captiveportal
captive-portal 778-CAPTIVE-PORTAL
!
Create a session ACL allowing traffic to ISE captive-portal IP and ports
ip access-list session RESTRICTED-GUEST-ACCESS-ACL
- Starts the definition of a session ACL named RESTRICTED-GUEST-ACCESS-ACL. A session ACL in ArubaOS is applied to a user session, is evaluated top-down with the first matching rule deciding, and can filter traffic based on IPs, aliases, or services.
- This ACL will allow guest clients to reach Cisco ISE for web redirection (captive portal).
user alias dmzwireless.netprojekralac.com ise-https-8443 permit
- Allows a client (user = traffic sourced from a client's IP) to send to the network alias dmzwireless.netprojekralac.com, the destination group defined earlier that contains the ISE PSN IPs in the DMZ, using the ise-https-8443 network service object (TCP port 8443).
- Purpose: lets redirected HTTPS requests reach ISE's Guest Portal on port 8443 for onboarding/portal access.
user alias dmzwireless.netprojekralac.com ise-https-8084 permit
- Same logic as above but for TCP port 8084.
- 8084 is not an ISE default port; it is presumably a portal port configured in this deployment (ISE portals can be bound to custom ports), for example a Hotspot or BYOD portal.
user alias dmzwireless.netprojekralac.com ise-https-8905 permit
- Permits traffic to ISE's TCP port 8905, the port ISE uses for client provisioning and posture agent communication, which BYOD onboarding flows (certificate and supplicant provisioning) rely on.
user alias dmzwireless.netprojekralac.com ise-https permit
- Allows access to the ise-https service on the PSNs; its netservice line is not shown above, but by its name and the standard port it is TCP/443.
- Portal flows can involve resources served from ISE on 443 in addition to the portal port, so it is permitted as well.
ip access-list session GUEST-LOGON-CONTROL
- Begins another session ACL definition named GUEST-LOGON-CONTROL. This ACL handles general network control and hygiene rules for unauthenticated clients.
user any udp 68 deny
- Denies traffic from a client to UDP port 68, the DHCP client port. Only a DHCP server sends to port 68, so this stops a client on the SSID from answering other clients' DHCP requests.
- Protects against rogue DHCP server attacks, where a client hands out bogus addresses, gateways or DNS servers to its neighbours.
any any svc-icmp permit
- Allows ICMP (ping, traceroute) traffic.
- Useful for reachability tests while troubleshooting; it is not needed for the captive portal redirect itself.
any any svc-dns permit
- Allows DNS lookups.
- Critical for the captive portal redirect flow because the client first resolves a public hostname, then gets redirected to ISE.
any any svc-dhcp permit
- Allows DHCP to and from legitimate DHCP servers so clients can obtain an IP address.
any any svc-natt permit
- Allows NAT-T (UDP 4500), used by IPsec/IKE clients behind NAT. It is not needed for the guest portal flow and can be dropped if no VPN clients are expected before authentication.
any network 169.254.0.0 255.255.0.0 any deny
- Denies traffic to link-local addresses (169.254.0.0/16).
- These are non-routable, self-assigned IPs — blocking prevents unwanted broadcast or peer-to-peer communication.
any network 240.0.0.0 240.0.0.0 any deny
- Denies traffic to reserved Class E IP addresses (240.0.0.0/4).
- These are undefined in IPv4 and should never be used on the network; basic security hygiene.
- Both deny lines sit after the permits for ICMP, DNS, DHCP and NAT-T, and session ACLs are first-match, so for example DNS or ICMP to a 169.254.x.x address is still permitted by the earlier rules. Place the deny lines first if they are meant to be absolute.
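Because both the campus-side RESTRICTED-GUEST-ACCESS-ACL and the DMZ-side GUEST-LOGON-CONTROL / PERMIT-TO-ISE-DMZ-PSN / captiveportal chain depend on first-match ordering, it helps to run sample flows through the rules rather than read them. The evaluator below is an added example (not code from the page or from ArubaOS) that applies the first-match rule to both roles built in this write-up. Assumed for the example: the port numbers behind the svc-* built-ins, ise-https as TCP 443, a guest subnet of 10.0.78.0/24, an empty ra-guard (it is IPv6-only) and a two-rule stand-in for the built-in captiveportal ACL; the DMZ alias rules are loaded under the name the DMZ role references.

```python
"""Added example, not code from the page or from ArubaOS: a small first-match
evaluator for ArubaOS-style session ACLs, used to check what the two roles in
this write-up do with sample flows.  Assumed: svc-* port numbers, ise-https =
TCP 443, guest subnet 10.0.78.0/24, empty ra-guard (IPv6 only) and a two-rule
stand-in for the built-in captiveportal ACL."""
import ipaddress

SERVICES = {                       # netservice objects from the page + assumed built-ins
    "ise-https-8443": ("tcp", 8443), "ise-https-8084": ("tcp", 8084),
    "ise-https-8905": ("tcp", 8905), "ise-https": ("tcp", 443),
    "svc-http": ("tcp", 80), "svc-https": ("tcp", 443), "svc-dns": ("udp", 53),
    "svc-dhcp": ("udp", 67), "svc-natt": ("udp", 4500), "svc-icmp": ("icmp", None),
}
ALIASES = {"dmzwireless.netprojekralac.com": ["10.0.77.36/32", "10.0.66.36/32"]}
USER_NET = ipaddress.ip_network("10.0.78.0/24")   # assumed guest VLAN 778 subnet


def _endpoint(tok, i):
    """Parse 'any' | 'user' | 'alias NAME' | 'network ADDR MASK' into a predicate."""
    kind = tok[i]
    if kind == "any":
        return (lambda ip: True), i + 1
    if kind == "user":
        return (lambda ip: ip in USER_NET), i + 1
    if kind == "alias":
        nets = [ipaddress.ip_network(n) for n in ALIASES[tok[i + 1]]]
        return (lambda ip: any(ip in n for n in nets)), i + 2
    if kind == "network":
        net = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}")
        return (lambda ip: ip in net), i + 3
    raise ValueError(f"unknown endpoint {kind!r}")


def parse_rule(line):
    """'<src> <dst> <service> <action...>' exactly as written in the config."""
    tok = line.split()
    src, i = _endpoint(tok, 0)
    dst, i = _endpoint(tok, i)
    if tok[i] in ("tcp", "udp"):               # literal 'udp 68' style service
        svc, i = (tok[i], int(tok[i + 1])), i + 2
    elif tok[i] == "any":
        svc, i = None, i + 1
    else:
        svc, i = SERVICES[tok[i]], i + 1
    return {"src": src, "dst": dst, "svc": svc, "action": " ".join(tok[i:]), "text": line}


def _svc_match(svc, proto, dport):
    return svc is None or (svc[0] == proto and (svc[1] is None or svc[1] == dport))


def evaluate(role, acls, src, dst, proto, dport=None):
    """Walk the role's ACLs in order; first matching rule wins, unmatched = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in role:
        for r in acls[name]:
            if r["src"](s) and r["dst"](d) and _svc_match(r["svc"], proto, dport):
                return name, r["action"], r["text"]
    return "implicit", "deny", None


RESTRICTED = [  # campus-side ACL, rules in the page's order
    "user any udp 68 deny", "any any ise-https permit", "any any ise-https-8443 permit",
    "any any ise-https-8084 permit", "any any ise-https-8905 permit", "any any svc-icmp permit",
    "any any svc-dns permit", "any any svc-dhcp permit", "any any svc-https permit",
    "any any svc-http permit", "any any svc-natt permit",
    "any network 169.254.0.0 255.255.0.0 any deny", "any network 240.0.0.0 240.0.0.0 any deny",
]
ACLS = {
    "ra-guard": [],                                   # IPv6-only built-in; nothing for IPv4 here
    "RESTRICTED-GUEST-ACCESS-ACL": [parse_rule(l) for l in RESTRICTED],
    "RESTRICTED-DENIES-FIRST": [parse_rule(l) for l in RESTRICTED[-2:] + RESTRICTED[:-2]],
    "GUEST-LOGON-CONTROL": [parse_rule(l) for l in [
        "user any udp 68 deny", "any any svc-icmp permit", "any any svc-dns permit",
        "any any svc-dhcp permit", "any any svc-natt permit",
        "any network 169.254.0.0 255.255.0.0 any deny", "any network 240.0.0.0 240.0.0.0 any deny"]],
    "PERMIT-TO-ISE-DMZ-PSN": [parse_rule(f"user alias dmzwireless.netprojekralac.com {s} permit")
                              for s in ("ise-https-8443", "ise-https-8084", "ise-https-8905", "ise-https")],
    "captiveportal": [parse_rule(l) for l in [        # assumed stand-in for the built-in ACL
        "user any svc-http dst-nat 8080", "user any svc-https dst-nat 8081"]],
}
CAMPUS_ROLE = ["ra-guard", "RESTRICTED-GUEST-ACCESS-ACL"]
CAMPUS_ROLE_FIXED = ["ra-guard", "RESTRICTED-DENIES-FIRST"]
DMZ_ROLE = ["ra-guard", "GUEST-LOGON-CONTROL", "PERMIT-TO-ISE-DMZ-PSN", "captiveportal"]


def check(role, src, dst, proto, dport=None):
    return evaluate(role, ACLS, src, dst, proto, dport)


if __name__ == "__main__":
    guest = "10.0.78.10"
    for role, label in ((DMZ_ROLE, "DMZ"), (CAMPUS_ROLE, "campus"), (CAMPUS_ROLE_FIXED, "campus, denies first")):
        print(label, "guest -> ISE 8443:", check(role, guest, "10.0.77.36", "tcp", 8443)[:2])
        print(label, "guest -> web 80:", check(role, guest, "93.184.216.34", "tcp", 80)[:2])
        print(label, "guest -> link-local 80:", check(role, guest, "169.254.169.254", "tcp", 80)[:2])
        print(label, "guest -> neighbour udp 68:", check(role, guest, "10.0.78.11", "udp", 68)[:2])
```

Two things the output makes visible: in the DMZ role, web traffic to anything other than the PSN alias falls through to the captiveportal ACL and is redirected, which is the intended flow; in the campus role, HTTP to 169.254.169.254 is permitted by the earlier svc-http rule, and only the reordered variant with the deny lines first actually blocks it.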
Create an AAA authentication captive-portal profile
aaa authentication captive-portal “778-CAPTIVE-PORTAL”
- Starts a definition for a captive portal AAA authentication profile named "778-CAPTIVE-PORTAL". This profile defines how the controller will handle web-based authentication (redirecting users to ISE).
server-group “DMZ-PSNS-SVGRP”
- Points the captive portal authentication to the RADIUS server group named "DMZ-PSNS-SVGRP", which contains the ISE PSN servers defined above (10.0.77.37 and 10.0.66.36).
- The controller will forward web authentication requests to these servers.
no user-logon
- Disables the controller's own username/password login form in the portal.
- All authentication is handled by the external ISE portal, not by an internal WLC user database.
apple-cna-bypass
- Enables Apple Captive Network Assistant (CNA) bypass mode.
- iPhones and iPads automatically pop up a mini-browser when detecting a captive portal.
- With this option enabled, the controller bypasses Apple’s CNA to avoid partial portal displays or authentication issues.
- Instead, users open Safari or Chrome manually to authenticate, ensuring full portal functionality.
Create the initial role on the DMZ controllers
user-role ONBOARDING-AND-GUEST-ROLE
- Starts the definition of a user role named "ONBOARDING-AND-GUEST-ROLE". This is the role guest users hold on the DMZ controller before they complete the portal.
- It limits traffic and triggers the captive portal until the user is authenticated.
- Cisco ISE can later dynamically change this role after successful authentication using CoA (Change of Authorization).
access-list session ra-guard
- Attaches the RA-Guard ACL, which blocks rogue IPv6 Router Advertisements (RA).
- Protects clients from being misled by unauthorized IPv6 routers.
access-list session GUEST-LOGON-CONTROL
- Applies the earlier GUEST-LOGON-CONTROL ACL to this role. This enforces basic network hygiene: allows DNS/DHCP/ICMP, denies invalid ranges, etc.
access-list session PERMIT-TO-ISE-DMZ-PSN
- Applies an ACL named PERMIT-TO-ISE-DMZ-PSN that permits access to the ISE DMZ PSN IPs and redirect ports.
- The ACL written above for that purpose is named RESTRICTED-GUEST-ACCESS-ACL. The two names must agree (rename one of them); otherwise the role carries an ACL with no rules and unauthenticated guests cannot reach ISE for web redirection.
access-list session captiveportal
- Applies the built-in captiveportal ACL, which destination-NATs client HTTP and HTTPS to the controller's own captive portal listener; the controller then redirects the browser to the external portal set in the captive portal profile.
- Because the role lists it last, only web traffic not already matched by the ACLs above reaches it, which is why GUEST-LOGON-CONTROL must not contain a blanket permit for svc-http or svc-https.
captive-portal 778-CAPTIVE-PORTAL
- Links the captive portal AAA authentication profile created earlier (778-CAPTIVE-PORTAL) to this user role. This tells the controller which portal configuration (server group, CNA bypass, etc.) to use when redirecting clients to ISE.
Create a AAA profile
aaa profile “778_AAA_PROF”
- Begins the configuration of a AAA (Authentication, Authorization, and Accounting) profile named 778_AAA_PROF. The AAA profile defines how users are authenticated (MAC, 802.1X, captive portal), which RADIUS servers are used, what roles to assign, and how accounting and CoA are handled.
initial-role “guest-logon”
- Defines the default role assigned to users upon connection before any authentication occurs.
- The "guest-logon" role (a built-in ArubaOS role; substitute whichever pre-authentication role you defined, which must exist on this controller) typically includes:
- ACLs for DHCP, DNS, and ISE portal traffic.
- The captive portal redirect configuration.
- This role limits access until Cisco ISE validates the user and sends back an updated role via Change of Authorization (CoA).
authentication-mac “AAA-778-MAC-AUTH”
- Specifies the MAC authentication profile to use for this AAA profile.
- The referenced profile "AAA-778-MAC-AUTH" defines:
- How MAC addresses are formatted (case, delimiter).
- Retry/reauthentication settings.
- Aruba controllers perform MAC authentication by sending the device's MAC address as both User-Name and User-Password to the RADIUS server (ISE), which can respond with a role or policy.
mac-default-role “guest-logon”
- Specifies the default user role assigned after a MAC authentication attempt if the RADIUS server (ISE) does not return a specific role.
- In this case, clients remain in the "guest-logon" role, meaning restricted access and captive portal redirection.
mac-server-group “DMZ-PSNS-SVGRP”
- Tells the controller which RADIUS server group to use for MAC authentication.
- "DMZ-PSNS-SVGRP" contains the Cisco ISE PSN servers located in the DMZ (10.0.77.37 and 10.0.66.36, as defined in the server group above).
- The controller sends RADIUS authentication requests for MAC auth to these ISE servers.
authentication-dot1x “AAA-DOT1X-L2-778”
- Specifies the 802.1X authentication profile to use for this AAA profile.
- The "AAA-DOT1X-L2-778" profile defines EAP retry counts and WPA key exchange timers.
- On this SSID (wpa2-psk-aes) no EAP/802.1X exchange takes place, so only the key-handshake timers apply; the profile would let 802.1X-capable clients authenticate if the SSID were switched to an enterprise opmode.
dot1x-default-role “guest-logon”
- Sets the default user role for clients that use 802.1X if ISE does not explicitly return one.
- Ensures users are placed into the same initial “restricted” state as MAC-auth clients before full access is granted.
dot1x-server-group “DMZ-PSNS-SVGRP”
- Defines which RADIUS server group to use for 802.1X authentication requests.
- Again, "DMZ-PSNS-SVGRP" points to the ISE PSNs in the DMZ. This ensures both MAC auth and 802.1X requests are handled by the same ISE infrastructure.
radius-accounting “DMZ-PSNS-SVGRP”
- Specifies where RADIUS accounting data (session start/stop/interim updates) is sent.
- Allows ISE to log session activity, duration, and client attributes (IP, MAC, etc.).
- Accounting messages are crucial for auditing and for CoA to work properly later.
radius-roam-accounting
- Sends accounting updates when a client roams between access points.
- This keeps ISE's session record (current AP and NAS attributes) accurate as the client moves; roaming itself is handled by the controller, and this option does not change whether re-authentication is required.
- It also avoids gaps in the audit trail for mobile clients.
radius-interim-accounting
- Enables periodic RADIUS interim updates (accounting updates during a session).
- These updates provide ISE with ongoing session status, data usage, and time online.
- Ensures accurate reporting and allows ISE to trigger policies or CoA based on session conditions.
rfc-3576-server “10.0.77.37”
- Configures a Change of Authorization (CoA) server (RFC 3576) at IP 10.0.77.37.
- CoA allows ISE to send a message to the controller instructing it to change a user’s role or disconnect them (e.g., once authentication succeeds).
- This IP must be one of your ISE Policy Service Nodes (PSNs) and the address the PSN sends CoA from. Note that the netdestination alias earlier lists 10.0.77.36 while this entry (and the RADIUS server) is 10.0.77.37; check which is correct, because a CoA from an address not configured here is ignored.
rfc-3576-server “10.0.66.36”
- Adds another CoA server (secondary PSN) for redundancy.
- Both servers can send CoA messages to the controller.
- Ensures fault tolerance — if one PSN fails, the other can still manage session changes.
enforce-dhcp
- Forces the client to obtain an IP address via DHCP.
- If a client assigns itself a static IP, the controller will block its traffic.
- This ensures proper IP allocation and accurate identity mapping between MAC, IP, and session — which is critical for ISE to track users correctly.
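The CoA mechanism described in the "Define RFC 3576 (CoA) Servers" section and again for the rfc-3576-server lines just above is easiest to understand from the packet. The following is an added example (not code from the page, ArubaOS or ISE) that builds an RFC 5176 CoA-Request carrying an Aruba-User-Role VSA, computes its Request Authenticator with the shared secret, and mimics the controller's acceptance checks: source address must be a configured rfc-3576-server, the authenticator must verify with that server's key, and only then is the role applied. Secrets, the identifier, the MAC and the server list are placeholders; the Aruba vendor ID (14823) and the Aruba-User-Role attribute number (1) are the real values.

```python
"""Added example, not from the original page: build and check an RFC 5176
CoA-Request (successor of RFC 3576) the way a controller must, to show why the
rfc-3576-server key has to match ISE's shared secret and why only listed
servers can change a session.  Secrets, identifier and MAC are placeholders."""
import hashlib
import hmac
import struct

COA_REQUEST = 43                       # RADIUS code for CoA-Request
ARUBA_VENDOR_ID = 14823                # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1                    # Aruba-User-Role VSA type, carries the role name


def attr(atype, value):
    """Plain RADIUS TLV: type, length (including the 2 header bytes), value."""
    return bytes([atype, 2 + len(value)]) + value


def aruba_user_role(role):
    """Vendor-Specific (26) wrapping an Aruba-User-Role sub-attribute."""
    inner = bytes([ARUBA_USER_ROLE, 2 + len(role)]) + role.encode()
    return attr(26, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_coa_request(ident, attrs, secret):
    """RFC 5176 3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def authenticator_ok(packet, secret):
    """Recompute the Request Authenticator and compare in constant time."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(payload):
    """Yield (type, value) pairs; Aruba-User-Role VSAs are unwrapped to ('Aruba-User-Role', name)."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        value = payload[i + 2:i + alen]
        if atype == 26 and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID \
                and value[4] == ARUBA_USER_ROLE:
            yield "Aruba-User-Role", value[6:4 + value[5]].decode()
        else:
            yield atype, value
        i += alen


def controller_handle(packet, src_ip, coa_servers):
    """Mimic the controller: known rfc-3576-server, valid authenticator, then apply the role.
    RFC 5176 requires requests that fail authentication to be silently discarded."""
    secret = coa_servers.get(src_ip)
    if secret is None:
        return "discard", "not a configured rfc-3576-server"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or not authenticator_ok(packet, secret):
        return "discard", "bad authenticator (shared secret mismatch or tampering)"
    role = dict(parse_attrs(packet[20:])).get("Aruba-User-Role")
    return ("ack", role) if role else ("nak", "no role to apply")


# Placeholder server list mirroring the page's two rfc-3576-server entries.
COA_SERVERS = {"10.0.77.37": b"placeholder-secret-1", "10.0.66.36": b"placeholder-secret-2"}
SESSION_ATTRS = (attr(1, b"aabbccddeeff")                 # User-Name (the MAC, as MAC auth sent it)
                 + attr(31, b"aa-bb-cc-dd-ee-ff")         # Calling-Station-Id
                 + aruba_user_role("ONBOARDING-AND-GUEST-ROLE"))

if __name__ == "__main__":
    pkt = build_coa_request(7, SESSION_ATTRS, COA_SERVERS["10.0.77.37"])
    print("from 10.0.77.37, right key :", controller_handle(pkt, "10.0.77.37", COA_SERVERS))
    print("from 10.0.66.36, other key :", controller_handle(pkt, "10.0.66.36", COA_SERVERS))
    print("from 10.0.77.36, not listed:", controller_handle(pkt, "10.0.77.36", COA_SERVERS))
```

The third case is the address mismatch flagged earlier in this write-up: a CoA arriving from 10.0.77.36 is dropped without any reply because only 10.0.77.37 and 10.0.66.36 are configured, so from ISE's side it simply looks like the controller never answered.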
Bind the AAA profile to the VLAN
vlan 778
- Begins configuration of VLAN ID 778, which will be used for guest or onboarding traffic.
- This VLAN typically maps to a guest subnet that routes toward the DMZ and has limited access to the internal network.
wired aaa-profile 778_AAA_PROFILE
- Attaches an AAA profile to VLAN 778. The name here must match the profile defined above exactly; that profile is called 778_AAA_PROF, so as written this line does not reference the profile you configured (ArubaOS does not map similar names). Use the same name in both places.
- Under a VLAN, wired aaa-profile applies to non-wireless clients whose traffic arrives on that VLAN on this controller, which in a DMZ design is how guest clients tunnelled from the campus side are treated; wireless clients on the campus controller get their AAA profile from the virtual AP instead.
- The effect is that those sessions use the authentication methods (MAC, 802.1X, captive portal) and RADIUS servers of the profile, so the DMZ controller enforces the same AAA behaviour for users landing in this VLAN.