ARUBA Guest & BYOD ACCESS – ANCHOR FOREIGN WITH CISCO ISE CAPTIVE PORTAL – Part 1


Foreign WLCs

0. cd /md/01_NETPROJEKRALAC

config terminal

1. Create network services for the TCP/HTTPS ports used by ISE

netservice ise-https-8443 tcp 8443
netservice ise-https-8084 tcp 8084
netservice ise-https-8905 tcp 8905

!
2. Create a network destination 

netdestination dmzwireless.netprojekralac.com
   host 10.0.77.36
   host 10.0.66.36 
!

3. Create an access list that permits traffic to ISE, DNS and DHCP (the list also references a netservice named ise-https, which step 1 does not create, so it must already exist on the controller)

ip access-list session RESTRICTED-GUEST-ACCESS-ACL
   user any udp 68 deny
   any any ise-https permit
   any any ise-https-8443 permit
   any any ise-https-8084 permit
   any any ise-https-8905 permit
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-https permit
   any any svc-http permit
   any any svc-natt permit
   any network 169.254.0.0 255.255.0.0 any deny
   any network 240.0.0.0 240.0.0.0 any deny
! 
4. Create the initial role on the INTERNAL controllers

user-role RESTRICTED-GUEST-ACCESS-ROLE
   access-list session ra-guard
   access-list session RESTRICTED-GUEST-ACCESS-ACL
   access-list session v6-allowall
!
5. Define the RFC 3576 (CoA) servers

aaa rfc-3576-server "10.0.77.37"
key <insert passphrase>
!
aaa rfc-3576-server "10.0.66.36"
key <insert passphrase>
!
6. Define the AAA servers and the server group

aaa authentication-server radius "DMZPSN2.NETPROJEKRALAC.COM"
   host "10.0.77.37"
   key <insert passphrase>
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "DMZPSN1.NETPROJEKRALAC.COM"
   host "10.0.66.36"
   key <insert passphrase>
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa server-group "DMZ-PSNS-SVGRP"
   auth-server "DMZPSN2.NETPROJEKRALAC.COM" position 1
   auth-server "DMZPSN1.NETPROJEKRALAC.COM" position 2
!

7. Create the L2 MAC auth 

aaa authentication mac "AAA-778-MAC-AUTH"
	delimiter none
	case lower
	max-authentication-failures 0
	no reauthentication
	!

8. Create the AAA DOT1X Profile

aaa authentication dot1x "AAA-DOT1X-L2-778"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!
9. Create an AAA profile

aaa profile "778_AAA_PROF"
   initial-role "RESTRICTED-GUEST-ACCESS-ROLE"
   authentication-mac "AAA-778-MAC-AUTH"
   mac-default-role "RESTRICTED-GUEST-ACCESS-ROLE"
   authentication-dot1x "AAA-DOT1X-L2-778"
   dot1x-default-role "RESTRICTED-GUEST-ACCESS-ROLE"
   radius-roam-accounting
   radius-interim-accounting
   rfc-3576-server "10.0.77.37"
   rfc-3576-server "10.0.66.36"
   enforce-dhcp
!
10. Create the Guest and Onboarding SSID profile (replace the wpa-passphrase shown below with a site-specific secret before deploying; a passphrase that appears in shared documentation should not be used in production)

wlan ssid-profile "778_SSID_PROF"
   essid "778"
   wpa-passphrase 5if8f855u@k4fffeee
   opmode wpa2-psk-aes
   a-basic-rates 12 24
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 24
   g-tx-rates 12 18 24 36 48 54
   wmm
   wmm-vo-dscp "48"
   wmm-vi-dscp "32"
   wmm-be-dscp "0"
   wmm-bk-dscp "8"
   g-beacon-rate 24
   a-beacon-rate 24
   multicast-rate 24
   qbss-load-enable
   advertise-location
   advertise-ap-name
!
11. Create the virtual-ap and assign the DMZ user VLAN (VLAN 778 is not part of the internal network but still has to be assigned to the VAP).

wlan virtual-ap "778"
   aaa-profile "778_AAA_PROF"
   vlan 778
   ssid-profile "778_SSID_PROF"
!
12. Associate the virtual-ap to the AP-Group

ap-group "BROOKLYN-RETAIL-2-AP-GROUP"
virtual-ap "778"
!

Aruba Anchor WLCs


0. cd /md/02-DMZ

config t


1. Create network services for the TCP/HTTPS ports used by ISE (8443 is the port used for the captive-portal redirect)

netservice ise-https-8443 tcp 8443
netservice ise-https-8084 tcp 8084
netservice ise-https-8905 tcp 8905
!
2. Create a network destination to the captive-portal IPs

netdestination dmzwireless.netprojekralac.com
host 10.0.77.36
host 10.0.66.36
!
3. Define the RFC 3576 (CoA) servers

aaa rfc-3576-server "10.0.77.37"
key <insert passphrase>
!
aaa rfc-3576-server "10.0.66.36"
key <insert passphrase>
!

4. Define the AAA servers and the server group

aaa authentication-server radius "DMZPSN2.NETPROJEKRALAC.COM"
host "10.0.77.37"
key <insert passphrase>
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "DMZPSN1.NETPROJEKRALAC.COM"
host "10.0.66.36"
key <insert passphrase>
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa server-group "DMZ-PSNS-SVGRP"
auth-server "DMZPSN2.NETPROJEKRALAC.COM" position 1
auth-server "DMZPSN1.NETPROJEKRALAC.COM" position 2
!
5. Create a session ACL allowing traffic to ISE captive-portal IP and ports.

ip access-list session RESTRICTED-GUEST-ACCESS-ACL
user alias dmzwireless.netprojekralac.com ise-https-8443 permit
user alias dmzwireless.netprojekralac.com ise-https-8084 permit
user alias dmzwireless.netprojekralac.com ise-https-8905 permit
user alias dmzwireless.netprojekralac.com ise-https permit
!
ip access-list session GUEST-LOGON-CONTROL
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
!

ip access-list session PERMIT-INTERNET-ONLY
any any any permit
!

6. Create an AAA authentication captive-portal profile

aaa authentication captive-portal "778-CAPTIVE-PORTAL"
server-group "DMZ-PSNS-SVGRP"
no user-logon
apple-cna-bypass
!
7. Create the pre-auth and post-auth roles on the DMZ controllers; ISE assigns the role dynamically. Note that the pre-auth role below references an ACL named PERMIT-TO-ISE-DMZ-PSN, while step 5 created RESTRICTED-GUEST-ACCESS-ACL, so the two names must be reconciled, and that PERMIT-INTERNET-ONLY as written permits all destinations, so restrict it if internal networks are reachable from the DMZ.

user-role ONBOARDING-AND-GUEST-ROLE
access-list session ra-guard
access-list session GUEST-LOGON-CONTROL
access-list session PERMIT-TO-ISE-DMZ-PSN
access-list session captiveportal
captive-portal 778-CAPTIVE-PORTAL
!

user-role AUTHENTICATED-GUEST
access-list session PERMIT-INTERNET-ONLY
!
8. Create the L2 MAC auth

aaa authentication mac "AAA-778-MAC-AUTH"
delimiter none
case lower
max-authentication-failures 0
no reauthentication
!

9. Create the AAA DOT1X Profile

aaa authentication dot1x "AAA-DOT1X-L2-778"
max-requests 2
timer wpa-key-period 3000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
!
10. Create an AAA profile

aaa profile "778_AAA_PROF"
initial-role "guest-logon"
authentication-mac "AAA-778-MAC-AUTH"
mac-default-role "guest-logon"
mac-server-group "DMZ-PSNS-SVGRP"
authentication-dot1x "AAA-DOT1X-L2-778"
dot1x-default-role "guest-logon"
dot1x-server-group "DMZ-PSNS-SVGRP"
radius-accounting "DMZ-PSNS-SVGRP"
radius-roam-accounting
radius-interim-accounting
rfc-3576-server "10.0.77.37"
rfc-3576-server "10.0.66.36"
enforce-dhcp
!
