Aruba WLC With Cisco ISE 3.2.0.542 Registered Guest Captive Portal Logic


Proof of concept – Cisco Captive Portal via an Aruba Mobility Controller. The wireless LAN controllers are “firewalled” and can only communicate with each other via firewall policies.

Aruba Mobility Conductor CLI Config

Internal Controller

1. Create a network service for TCP/HTTPS 8443, the ISE port used for the captive-portal redirect

netservice ise-https tcp 8443
!
2. Create a network destination (alias) for the ISE servers

netdestination cisco_ise
   host 10.0.0.36
   host 10.0.0.37
!

3. Create an access list that permits traffic to ISE

ip access-list session LIMITED-GUEST-ACCESS
   user any udp 68 deny
   any any ise-https permit
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-https permit
   any any svc-http permit
!

ip access-list session PERMIT-TO-ISE
   user alias cisco_ise ise-https permit
!

4. Create the initial role on the internal controllers

user-role GUEST-PERMIT
   access-list session PERMIT-TO-ISE
   access-list session LIMITED-GUEST-ACCESS
!
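The GUEST-PERMIT role above is an ordered list of session ACLs, and the question that matters when a guest cannot reach ISE is "which rule does this flow hit first?". The following is an added example, not code from the original post and not Aruba code: a small Python model of the two ACLs and the role. It assumes the usual first-match semantics (ACLs walked in the order the role lists them, rules top-down, implicit deny at the end), models the built-in svc-* aliases with their well-known ports, and uses a constructed guest address.

```python
"""Offline first-match evaluator for the GUEST-PERMIT role (added example).
Assumptions, not stated on the page: the controller walks a role's ACLs in the
order listed, each ACL top-down, first match wins, unmatched traffic is denied."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "netservice ise-https tcp 8443" from the page, plus the built-in svc-* aliases
# the ACL references (port values assumed for this model).
NETSERVICES = {
    "ise-https": ("tcp", 8443),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "svc-dns": ("udp", 53),
    "svc-dhcp": ("udp", 67),
    "svc-icmp": ("icmp", None),
}
# "netdestination cisco_ise" from the page.
NETDESTINATIONS = {"cisco_ise": ["10.0.0.36/32", "10.0.0.37/32"]}

# The two session ACLs exactly as configured on the internal controller.
ACLS = {
    "PERMIT-TO-ISE": ["user alias cisco_ise ise-https permit"],
    "LIMITED-GUEST-ACCESS": [
        "user any udp 68 deny",       # a guest may not answer DHCP clients
        "any any ise-https permit",
        "any any svc-icmp permit",
        "any any svc-dns permit",
        "any any svc-dhcp permit",
        "any any svc-https permit",
        "any any svc-http permit",
    ],
}
# "user-role GUEST-PERMIT": ACLs in the order the role lists them.
ROLE_GUEST_PERMIT = ["PERMIT-TO-ISE", "LIMITED-GUEST-ACCESS"]


@dataclass(frozen=True)
class Flow:
    src: str                 # client (user) address
    dst: str
    proto: str               # "tcp" | "udp" | "icmp"
    dport: Optional[int]     # None for icmp


@dataclass(frozen=True)
class Rule:
    src: tuple               # ("any" | "user" | "alias", name)
    dst: tuple
    proto: str
    port: Optional[int]
    action: str
    text: str


def _take_endpoint(tokens):
    """Consume 'any', 'user' or 'alias <name>' from the token list."""
    kind = tokens.pop(0)
    if kind == "alias":
        return ("alias", tokens.pop(0))
    return (kind, None)


def parse_rule(text):
    """Parse one 'ip access-list session' rule line into a Rule."""
    tokens = text.split()
    src = _take_endpoint(tokens)
    dst = _take_endpoint(tokens)
    svc = tokens.pop(0)
    if svc in ("tcp", "udp"):                 # explicit "<proto> <port>"
        proto, port = svc, int(tokens.pop(0))
    else:                                     # named netservice alias
        proto, port = NETSERVICES[svc]
    return Rule(src, dst, proto, port, tokens.pop(0), text)


def _endpoint_matches(spec, addr, user_ip):
    kind, name = spec
    if kind == "any":
        return True
    if kind == "user":
        return addr == user_ip
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n)
               for n in NETDESTINATIONS[name])


def evaluate(role_acls, flow, user_ip):
    """Return (action, acl_name, rule_text) for the first rule the flow matches."""
    for acl_name in role_acls:
        for rule in map(parse_rule, ACLS[acl_name]):
            if rule.proto != flow.proto:
                continue
            if rule.port is not None and rule.port != flow.dport:
                continue
            if not _endpoint_matches(rule.src, flow.src, user_ip):
                continue
            if not _endpoint_matches(rule.dst, flow.dst, user_ip):
                continue
            return rule.action, acl_name, rule.text
    return "deny", None, "implicit deny"      # nothing matched


if __name__ == "__main__":
    client = "10.66.7.50"                     # constructed guest address
    for f in (Flow(client, "10.0.0.36", "tcp", 8443),
              Flow(client, "10.66.7.255", "udp", 68),
              Flow(client, "203.0.113.10", "tcp", 22)):
        print(f, "->", evaluate(ROLE_GUEST_PERMIT, f, client))
```

Running it shows the redirect traffic to 10.0.0.36:8443 matching PERMIT-TO-ISE before LIMITED-GUEST-ACCESS is consulted, the UDP/68 rule stopping a guest from acting as a DHCP server, and anything else (SSH, for instance) falling through to the implicit deny; compare the result with the ACL hit counts on the controller when a flow behaves unexpectedly.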

5. Define the RFC 3576 (CoA) servers

aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa rfc-3576-server "10.0.0.37"
key 826fe15a2c82904dfdaffdad
!

6. Define the AAA servers and server GROUP

aaa authentication-server radius "LAB_ISEPSN"
   host "10.0.0.36"
   key 991e4cb4b9233aaec19
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "LAB_ISEPSN_2"
   host "10.0.0.37"
   key cc2b0ada63fac600ac438
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa server-group "LAB_ISEPSN_SVG"
   auth-server LAB_ISEPSN_2 position 1
   auth-server LAB_ISEPSN position 2
!
7. Create the AAA DOT1X Profile

aaa authentication dot1x "DOT1X-L2-0526NYC2024"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!

8. Create the L2 MAC authentication profile

aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!
9. Create the AAA Profile

aaa profile "0526NYC2024_AAA_PROF"
   initial-role "GUEST-PERMIT"
   authentication-mac "WIRELESS_L2_MAC_AUTH"
   mac-default-role "GUEST-PERMIT"
   authentication-dot1x "DOT1X-L2-0526NYC2024"
   dot1x-default-role "GUEST-PERMIT"
   dot1x-server-group "LAB_ISEPSN_SVG"
   radius-accounting "LAB_ISEPSN_SVG"
   radius-roam-accounting
   radius-interim-accounting
   rfc-3576-server "10.0.0.36"
   rfc-3576-server "10.0.0.37"
   enforce-dhcp
!
10. Create the virtual-ap and assign the user VLAN

wlan virtual-ap "0526NYC2024"
   aaa-profile "0526NYC2024_AAA_PROF"
   vlan 667
   ssid-profile "0526NYC2024_SSID_PROF"
!
11. Associate the virtual-ap with the AP-Group

ap-group "BROOKLYN-RETAIL-2-AP-GROUP"
virtual-ap "0526NYC2024"
!

DMZ Controller

1. Create a network service for TCP/HTTPS 8443, the ISE port used for the captive-portal redirect

netservice ise-https tcp 8443
!

2. Create a network destination (alias) for the ISE servers

netdestination cisco_ise
   host 10.0.0.36
   host 10.0.0.37
!

3. Create an access list that permits traffic to ISE

ip access-list session LIMITED-GUEST-ACCESS
   user any udp 68 deny
   any any ise-https permit
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-https permit
   any any svc-http permit
!

ip access-list session PERMIT-TO-ISE
   user alias cisco_ise ise-https permit
!

4. Create the AAA authentication captive-portal profile

aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
   no user-logon
!

5. Create the redirect user-role (this role is referenced in the redirect attributes returned by Cisco ISE)

user-role DMZ-WIRELESS-GUEST-REDIRECT
   access-list session ra-guard
   access-list session logon-control
   access-list session PERMIT-TO-ISE
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
   captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
!

6. Define the RFC 3576 (CoA) servers

aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa rfc-3576-server "10.0.0.37"
key 826fe15a2c82904dfdaffdad
!
7. Define the AAA servers and server GROUP

aaa server-group "LAB_ISEPSN_SVG"
   auth-server LAB_ISEPSN_2 position 1
   auth-server LAB_ISEPSN position 2
!
aaa authentication-server radius "LAB_ISEPSN"
   host "10.0.0.36"
   key 991e4cb4b9233aaec19
   called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "LAB_ISEPSN_2"
   host "10.0.0.37"
   key 991e4cb4b9233aaec19
   called-station-id type macaddr include-ssid enable delimiter colon
!

8. Create the AAA DOT1X Profile

aaa authentication dot1x "DOT1X-L2-0526NYC2024"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!

9. Create the L2 MAC authentication profile

aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!

10. Create the AAA Profile

aaa profile "0526NYC2024_AAA_PROF"
   initial-role "guest-logon"
   authentication-mac "WIRELESS_L2_MAC_AUTH"
   mac-default-role "guest-logon"
   mac-server-group "LAB_ISEPSN_SVG"
   authentication-dot1x "DOT1X-L2-0526NYC2024"
   dot1x-default-role "guest-logon"
   dot1x-server-group "LAB_ISEPSN_SVG"
   radius-accounting "LAB_ISEPSN_SVG"
   radius-roam-accounting
   radius-interim-accounting
   rfc-3576-server "10.0.0.36"
   rfc-3576-server "10.0.0.37"
   enforce-dhcp
!
11. Associate the AAA profile with the wired VLANs

vlan 667
   wired aaa-profile 0526NYC2024_AAA_PROF
!
vlan 668
   wired aaa-profile 0605NYC2024_AAA_PROF
!

Mobility Controllers Interface and Tunnel Configuration

Internal Controller:

interface tunnel 266
   description "TUNNEL TO pDMZANHCOR0001"
   tunnel source 10.0.205.5
   trusted
   tunnel destination 10.0.66.14
   tunnel mode gre 1
   trusted vlan 1-4094
   tunnel vlan 666-668
   no inter-tunnel-flooding
   tunnel keepalive
   tunnel keepalive 10 3
!
interface tunnel 662
   description "TUNNEL TO vDMZANCHOR0001"
   tunnel source 10.0.205.5
   trusted
   tunnel destination 10.0.66.3
   tunnel mode gre 1
   trusted vlan 1-4094
   tunnel vlan 666-668
   no inter-tunnel-flooding
   tunnel keepalive
   tunnel keepalive 10 3
!
controller-ip vlan 3023
interface mgmt
   shutdown
!
vlan 666
vlan 667
vlan 668
vlan 3023

DMZ Controller:

interface gigabitethernet 0/0/0
   description "LINK TO ASA VLAN 666 PORT"
   switchport mode trunk
   switchport trunk native vlan 666
   no spanning-tree
   trusted
   lldp transmit
   lldp receive
   trusted vlan 1-4094
!
interface gigabitethernet 0/0/1
   description "LINK TO ASA VLAN 667 PORT"
   switchport mode trunk
   switchport trunk native vlan 667
   no spanning-tree
   trusted
   lldp transmit
   lldp receive
   trusted vlan 1-4094
!
interface gigabitethernet 0/0/2
   description "LINK TO ASA VLAN 668 PORT"
   switchport mode trunk
   switchport trunk native vlan 668
   no spanning-tree
   trusted
   lldp transmit
   lldp receive
   trusted vlan 1-4094
!

interface tunnel 663
   description "TUNNEL TO US-NYC-VMC0003"
   tunnel source 10.0.66.14
   tunnel destination 10.0.205.6
   tunnel mode gre 1
   tunnel vlan 666-668
   no inter-tunnel-flooding
   tunnel keepalive
   tunnel keepalive 10 3
   no trusted
!
interface tunnel 662
   description "TUNNEL TO US-NYC-VMC0002"
   tunnel source 10.0.66.14
   tunnel destination 10.0.205.5
   tunnel mode gre 1
   tunnel vlan 666-668
   no inter-tunnel-flooding
   tunnel keepalive
   tunnel keepalive 10 3
   no trusted
!
interface tunnel 661
   description "TUNNEL TO US-NYC-VMC0001"
   tunnel source 10.0.66.14
   tunnel destination 10.0.205.4
   tunnel mode gre 1
   tunnel vlan 666-668
   no inter-tunnel-flooding
   tunnel keepalive
   tunnel keepalive 10 3
   no trusted
!

Verify that the captive portal profile is attached to the user role.

Click “show advanced” to see the captive portal settings.

DMZ Controller

#show configuration effective | begin "aaa authentication captive-portal"

aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
   no user-logon
!
user-role DMZ-WIRELESS-GUEST-REDIRECT
   access-list session ra-guard
   access-list session logon-control
   access-list session PERMIT-TO-ISE
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
   captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
!

Add the Controllers to Cisco ISE as a network access device (NAD)

Click on the “+” sign to add a device

Note: The Aruba_AOS XML file can be found here


Create an authorization policy/profile

The first authorization profile will redirect the user to ISE’s captive portal. Copy and paste the ACL from the mobility controller.

Click save

The following attributes will be automatically added


Create a second authorization profile that will permit Internet access only. Copy and paste the ACL from the mobility controller.

The following attributes will be automatically added


Create a simple policy set

Testing the configuration on a client

The sponsor creates a guest account

Note: The guest credentials can also be emailed to the user.


Windows Client

Kali Linux Client

iPhone 8

ISE verification

The device connected and received the redirect role from ISE

The user successfully logged in

Cisco ISE sent a change of authorization (CoA) request, which disconnected the user.

The CoA request allowed Cisco ISE to put the user in the final authorization role of permitting Internet-only.


DMZ WLC verification

CLI

ACL hit counts verifying that the ACL is "correct" (the expected rules are being matched)


GUI

Internal controller verification

Firewall blocking traffic from the DMZ to the internal network

Issue: CoA failed, and the user was stuck in a redirect loop while trying to access the Internet.

It appears that the shared secret on the server was incorrect.

show aaa rfc-3576-server statistics

Resolution: I updated the shared secret on the DMZ controller, and CoA worked as expected.
show aaa rfc-3576-server statistics

Packet capture from ISE (10.0.0.36)

1. The client connects to the SSID, and ISE sends an "access-accept" that redirects the user to the captive portal via the "GUEST-WIRELESS-REDIRECT" role

2. Once the guest account is registered, Cisco ISE responds with a "disconnect-request" message

3. The “disconnect-request” contains the MAC address of the wireless client.

Verify the device’s MAC address


4. The DMZ controller responds with a “disconnect-ack”

5. ISE responds with an "access-accept" containing the attributes of the second authorization profile

6. Verify that the user obtained the correct user-role on the DMZ controller.

7. Accounting frame from the DMZ controller to ISE

8. ISE live log verification
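The disconnect-request / disconnect-ack exchange in steps 2 to 4, and the shared-secret failure in the troubleshooting section, can be reproduced offline. The following is an added example, not code from the original post and not Cisco or Aruba code: it builds an RFC 5176 Disconnect-Request carrying the client MAC in Calling-Station-Id, verifies it the way the controller (NAS) does with its locally configured key, and answers with a Disconnect-ACK. The MAC address and shared secrets are constructed, not the values from the page.

```python
"""RFC 5176 Disconnect-Request / Disconnect-ACK authenticators (added example)."""
import hashlib
import hmac
import struct

# RFC 5176 packet codes seen in the capture above.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_CALLING_STATION_ID = 31   # RADIUS attribute carrying the client MAC


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type (1) | Length (1) | Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def build_disconnect_request(ident: int, secret: bytes, mac: str) -> bytes:
    """What ISE sends. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = _attr(ATTR_CALLING_STATION_ID, mac.encode())
    auth = hashlib.md5(_packet(DISCONNECT_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return _packet(DISCONNECT_REQUEST, ident, auth, attrs)


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list and return {type: value} (step 3: find the MAC)."""
    length = struct.unpack("!H", packet[2:4])[0]
    out, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator with the locally configured key."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(_packet(code, ident, b"\x00" * 16, packet[20:length]) + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(request: bytes, secret: bytes, code: int) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    ident, req_auth, attrs = request[1], request[4:20], b""
    auth = hashlib.md5(_packet(code, ident, req_auth, attrs) + secret).digest()
    return _packet(code, ident, auth, attrs)


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """CoA client side (ISE): check the ACK/NAK against the request it answers."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(_packet(code, ident, request[4:20], response[20:length]) + secret).digest()
    return ident == request[1] and hmac.compare_digest(response[4:20], expected)


def nas_handle(request: bytes, nas_secret: bytes):
    """Controller behaviour as modelled here: a request whose authenticator does not
    verify is dropped without a NAK (RFC 5176 silently discards it), which is why a
    mismatched rfc-3576 key shows up only in the server statistics and as a client
    stuck in the redirect loop, exactly the symptom in the troubleshooting section."""
    if not verify_request(request, nas_secret):
        return None
    return build_response(request, nas_secret, DISCONNECT_ACK)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                           # constructed key
    req = build_disconnect_request(7, secret, "aa:bb:cc:dd:ee:ff")  # constructed MAC
    print("MAC in request:", parse_attributes(req)[ATTR_CALLING_STATION_ID].decode())
    print("ACK with matching key:", nas_handle(req, secret) is not None)
    print("ACK with mismatched key:", nas_handle(req, b"typo-secret") is not None)
```

The same authenticator check applies in reverse: ISE validates the Disconnect-ACK against the secret it holds for the controller, so a key typed differently on the two sides fails in both directions, and the controller's rfc-3576 statistics are the first place to look when a CoA never takes effect.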
