ARUBA Guest & BYOD ACCESS – ANCHOR FOREIGN WITH CISCO ISE CAPTIVE PORTAL – Part 1

Internal WLCs

/md/01_EKRALAC

1. Create a LIMITED traffic ACL on the internal WLC. Note that the last rule, `any any any permit`, lets everything else through: the only traffic this ACL actually blocks is client traffic to UDP 68 (a client acting as a DHCP server), 169.254.0.0/16 and 240.0.0.0/4.

ip access-list session RESTRICTED-GUEST-ACCESS-ACL
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-https permit
   any any svc-http permit
   any any svc-natt permit
   any network 169.254.0.0 255.255.0.0 any deny
   any network 240.0.0.0 240.0.0.0 any deny
   any any any permit
! 
2. Create the initial role on the INTERNAL controllers

user-role GUEST-ACCESS
   access-list session ra-guard
   access-list session v6-allowall
   access-list session RESTRICTED-GUEST-ACCESS-ACL
 !
user-role BYOD-ACCESS
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
!
3. Define the RFC 3576 (CoA) servers. The KEY value shown here, and reused for every RADIUS and RFC 3576 server in the following steps, is printed in the clear; replace it with your own shared secret before deploying.

aaa rfc-3576-server "10.0.77.37"
KEY dk55ksakadkk33k66kW11#%4$@@
!
aaa rfc-3576-server "10.0.66.36"
KEY dk55ksakadkk33k66kW11#%4$@@
!
4. Define the AAA servers and server GROUP

aaa authentication-server radius "02022026-DMZPSN2.NETPROJEKRALAC.COM"
   host "10.0.77.37"
   KEY dk55ksakadkk33k66kW11#%4$@@
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "02022026-DMZPSN1.NETPROJEKRALAC.COM"
   host "10.0.66.36"
   KEY dk55ksakadkk33k66kW11#%4$@@
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa server-group "02022026-SVGRP"
   auth-server "02022026-DMZPSN2.NETPROJEKRALAC.COM" position 1
   auth-server "02022026-DMZPSN1.NETPROJEKRALAC.COM" position 2
!
5. Create the L2 MAC authentication profile
    aaa authentication mac "02022026-AAA-778-MAC-AUTH"
    delimiter none
    case lower
    max-authentication-failures 0
    no reauthentication
!
6. Create the AAA DOT1X Profile

aaa authentication dot1x "202022026-AAA-779-DOT1X-AUTH"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!
aaa authentication dot1x "202022026-AAA-778-DOT1X-AUTH"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!
7. Create an AAA profile. Note that the 778 profile references an initial role, DMZ-PRE-AUTH-ROLE, which is not one of the roles defined in step 2; make sure it exists on the internal controllers.

aaa profile "202022026-778-AAA-PROF"
   initial-role "DMZ-PRE-AUTH-ROLE"
   authentication-dot1x "202022026-AAA-778-DOT1X-AUTH"
   radius-roam-accounting
   radius-interim-accounting
   rfc-3576-server "10.0.66.36"
   rfc-3576-server "10.0.77.37"
   enforce-dhcp
!
aaa profile "202022026-779-AAA-PROF"
   initial-role "guest"
   authentication-dot1x "202022026-AAA-779-DOT1X-AUTH"
   dot1x-server-group "02022026-SVGRP"
   radius-accounting "02022026-SVGRP"
   radius-interim-accounting
   rfc-3576-server "10.0.77.37"
   rfc-3576-server "10.0.66.36"
   enforce-dhcp
!
8. Create the SSID profiles and virtual-APs and assign the DMZ user VLANs. The wpa-passphrase shown for the 778 SSID is printed in the clear; replace it with your own value.

wlan ssid-profile "778_SSID_PROF"
   essid "778"
   wpa-passphrase 5if8f855u@k4fffeee
   opmode wpa2-psk-aes
   a-basic-rates 12 24
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 24
   g-tx-rates 12 18 24 36 48 54
   wmm
   wmm-vo-dscp "48"
   wmm-vi-dscp "32"
   wmm-be-dscp "0"
   wmm-bk-dscp "8"
   g-beacon-rate 24
   a-beacon-rate 24
   multicast-rate 24
   qbss-load-enable
   advertise-location
   advertise-ap-name
!
wlan ssid-profile "779-TLS_SSID_PROFILE"
   essid "779-TLS"
   opmode wpa2-aes
   a-basic-rates 12 24
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 24
   g-tx-rates 12 18 24 36 48 54
   wmm
   wmm-vo-dscp "48"
   wmm-vi-dscp "32"
   wmm-be-dscp "0"
   wmm-bk-dscp "8"
   g-beacon-rate 24
   a-beacon-rate 24
   multicast-rate 24
   qbss-load-enable
   advertise-location
   advertise-ap-name
!
wlan virtual-ap "779-TLS"
   aaa-profile "202022026-779-AAA-PROF"
   vlan 779
   ssid-profile "779-TLS_SSID_PROFILE"
!
wlan virtual-ap "778"
   aaa-profile "202022026-778-AAA-PROF"
   vlan 778
   ssid-profile "778_SSID_PROF"
!
9. Associate the virtual-ap with the AP-Group

ap-group "BROOKLYN-RETAIL-2-AP-GROUP"
virtual-ap "778"
virtual-ap "779-TLS"
!
DMZ Controllers

/md/02-DMZ


1. Create network services for the TCP ports ISE uses for the captive-portal redirect: 8443 (the portal port), plus 8084 and 8905.

netservice 2026-ise-https-8443 tcp 8443
netservice 2026-ise-https-8084 tcp 8084
netservice 2026-ise-https-8905 tcp 8905

!
2. Create a network destination for the captive-portal IPs. Confirm these are the addresses ISE places in its redirect URL; note that 10.0.77.36 here differs from the RADIUS host 10.0.77.37 defined in the next step.

netdestination 02222026-dmzwireless.netprojekralac.com
   host 10.0.77.36
   host 10.0.66.36 
!
  
3. Define the RFC 3576 servers, the RADIUS servers and the server group (the same definitions as on the internal controllers).

aaa rfc-3576-server "10.0.77.37"
KEY dk55ksakadkk33k66kW11#%4$@@
!
aaa rfc-3576-server "10.0.66.36"
KEY dk55ksakadkk33k66kW11#%4$@@
! 

aaa authentication-server radius "02022026-DMZPSN2.NETPROJEKRALAC.COM"
   host "10.0.77.37"
   KEY dk55ksakadkk33k66kW11#%4$@@
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "02022026-DMZPSN1.NETPROJEKRALAC.COM"
   host "10.0.66.36"
   KEY dk55ksakadkk33k66kW11#%4$@@
   called-station-id type macaddr include-ssid enable delimiter colon
!

aaa server-group "02022026-SVGRP"
   auth-server "02022026-DMZPSN2.NETPROJEKRALAC.COM" position 1
   auth-server "02022026-DMZPSN1.NETPROJEKRALAC.COM" position 2
!
 
4. Create the session ACLs: one permitting traffic to the ISE captive-portal IPs and ports, and one controlling the remaining pre-logon traffic.

ip access-list session CISCO-ISE-ACL-PERMIT
   user alias 02222026-dmzwireless.netprojekralac.com 2026-ise-https-8443 permit
   user alias 02222026-dmzwireless.netprojekralac.com 2026-ise-https-8084 permit
   user alias 02222026-dmzwireless.netprojekralac.com 2026-ise-https-8905 permit
  !

ip access-list session CISCO-ISE-LOGON-CONTROL-ACL
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 169.254.0.0 255.255.0.0 any deny
   any network 240.0.0.0 240.0.0.0 any deny
!

5. Create an AAA authentication captive-portal profile

aaa authentication captive-portal "778-CAPTIVE-PORTAL"
   server-group "02022026-SVGRP"
   no user-logon
   apple-cna-bypass
!

6. Create the initial role on the DMZ controllers. The role name is returned by ISE dynamically.

user-role ONBOARDING-AND-GUEST-ROLE
   access-list session ra-guard
   access-list session CISCO-ISE-LOGON-CONTROL-ACL
   access-list session CISCO-ISE-ACL-PERMIT
   access-list session captiveportal
   captive-portal 778-CAPTIVE-PORTAL
!

7. Create the BYOD-ACCESS and GUEST-ACCESS roles on the DMZ controllers. Note that GUEST-ACCESS here uses allowall, whereas the internal-controller version uses RESTRICTED-GUEST-ACCESS-ACL; confirm which one you want enforced.

user-role BYOD-ACCESS
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
!
user-role GUEST-ACCESS
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
!

8. Create the L2 MAC authentication profiles

aaa authentication mac "02022026-AAA-778-MAC-AUTH"
	delimiter none
	case lower
	max-authentication-failures 0
	no reauthentication
	!

aaa authentication mac "02022026-AAA-779-MAC-AUTH"
	delimiter none
	case lower
	max-authentication-failures 0
	no reauthentication
	!

9. Create the AAA DOT1X Profile

aaa authentication dot1x "202022026-AAA-779-DOT1X-AUTH"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!

10. Create the AAA profiles and bind them to the user VLANs (vlan 778 / vlan 779 wired aaa-profile).

aaa profile "202022026-778-AAA-PROF"
   initial-role "guest-logon"
   authentication-mac "02022026-AAA-778-MAC-AUTH"
   mac-default-role "guest-logon"
   mac-server-group "02022026-SVGRP"
   radius-accounting "02022026-SVGRP"
   radius-roam-accounting
   radius-interim-accounting
   rfc-3576-server "10.0.77.37"
   rfc-3576-server "10.0.66.36"
   enforce-dhcp
!
aaa profile "202022026-779-AAA-PROF"
   authentication-mac "02022026-AAA-779-MAC-AUTH"
   mac-server-group "02022026-SVGRP"
   dot1x-server-group "02022026-SVGRP"
   radius-accounting "02022026-SVGRP"
   radius-interim-accounting
   rfc-3576-server "10.0.77.37"
   rfc-3576-server "10.0.66.36"
   enforce-dhcp
!

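vlan 778
   wired aaa-profile 202022026-778-AAA-PROF
   description WIRELESS_778
!
vlan 779
   wired aaa-profile 202022026-779-AAA-PROF
   description WIRELESS_779
!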
