Proof of concept – Cisco ISE captive portal via an Aruba Mobility Controller. The internal and DMZ wireless LAN controllers are separated by a firewall and can only reach each other through explicit firewall policies.
Aruba Mobility Conductor CLI Config
Internal Controller
1. Create a network service for TCP 8443, the port ISE uses for the captive-portal redirect
netservice ise-https tcp 8443
!
2. Create a network destination
netdestination cisco_ise
host 10.0.0.36
host 10.0.0.37
!
3. Create the access lists that permit traffic to ISE
ip access-list session LIMITED-GUEST-ACCESS
user any udp 68 deny
any any ise-https permit
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-https permit
any any svc-http permit
!
ip access-list session PERMIT-TO-ISE
user alias cisco_ise ise-https permit
!
4. Create the initial role on the internal controllers
user-role GUEST-PERMIT
access-list session PERMIT-TO-ISE
access-list session LIMITED-GUEST-ACCESS
!
5. Define the RFC 3576 (CoA/Disconnect) servers. The key is the shared secret ISE uses when it sends CoA to the controller; it must match the secret configured for this controller in ISE, otherwise the controller discards the requests (see the CoA issue at the end of this write-up)
aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa rfc-3576-server "10.0.0.37"
key 826fe15a2c82904dfdaffdad
!
6. Define the RADIUS servers and the server group
aaa authentication-server radius "LAB_ISEPSN"
host "10.0.0.36"
key 991e4cb4b9233aaec19
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "LAB_ISEPSN_2"
host "10.0.0.37"
key cc2b0ada63fac600ac438
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa server-group "LAB_ISEPSN_SVG"
auth-server LAB_ISEPSN_2 position 1
auth-server LAB_ISEPSN position 2
!
7. Create the AAA DOT1X Profile
aaa authentication dot1x "DOT1X-L2-0526NYC2024"
max-requests 2
timer wpa-key-period 3000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
!
8. Create the L2 MAC authentication profile
aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!
9. Create the AAA Profile
aaa profile "0526NYC2024_AAA_PROF"
initial-role "GUEST-PERMIT"
authentication-mac "WIRELESS_L2_MAC_AUTH"
mac-default-role "GUEST-PERMIT"
authentication-dot1x "DOT1X-L2-0526NYC2024"
dot1x-default-role "GUEST-PERMIT"
dot1x-server-group "LAB_ISEPSN_SVG"
radius-accounting "LAB_ISEPSN_SVG"
radius-roam-accounting
radius-interim-accounting
rfc-3576-server "10.0.0.36"
rfc-3576-server "10.0.0.37"
enforce-dhcp
!
10. Create the SSID profile and virtual AP, and assign the user VLAN
wlan ssid-profile "0526NYC2024_SSID_PROF"
essid "0526NYC2024"
wpa-passphrase fadd999fd7c7a2214c5b
opmode wpa2-psk-aes
a-basic-rates 12 24
a-tx-rates 12 18 24 36 48 54
g-basic-rates 24
g-tx-rates 12 18 24 36 48 54
wmm
wmm-vo-dscp "48"
wmm-vi-dscp "32"
wmm-be-dscp "0"
wmm-bk-dscp "8"
g-beacon-rate 24
a-beacon-rate 24
multicast-rate 24
qbss-load-enable
advertise-location
advertise-ap-name
!
wlan virtual-ap "0526NYC2024"
aaa-profile "0526NYC2024_AAA_PROF"
vlan 667
ssid-profile "0526NYC2024_SSID_PROF"
!
11. Associate the virtual-ap with the AP-Group
ap-group "BROOKLYN-RETAIL-2-AP-GROUP"
virtual-ap "0526NYC2024"
!
DMZ Controller
1. Create a network service for TCP 8443, the port ISE uses for the captive-portal redirect
netservice ise-https tcp 8443
!
2. Create a network destination
netdestination cisco_ise
host 10.0.0.36
host 10.0.0.37
!
3. Create the access lists that permit traffic to ISE
ip access-list session LIMITED-GUEST-ACCESS
user any udp 68 deny
any any ise-https permit
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-https permit
any any svc-http permit
!
ip access-list session PERMIT-TO-ISE
user alias cisco_ise ise-https permit
!
4. Create the AAA authentication captive-portal profile
aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
no user-logon
!
5. Create the redirect role on the DMZ controller. ISE returns this role name in its authorization attributes to put the client into the redirect; PERMIT-TO-ISE is what lets a client in this role reach the ISE portal on TCP 8443, since everything not permitted by the role's ACLs is dropped
user-role DMZ-WIRELESS-GUEST-REDIRECT
access-list session ra-guard
access-list session logon-control
access-list session PERMIT-TO-ISE
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
!
6. Define the RFC 3576 (CoA/Disconnect) servers
aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa rfc-3576-server "10.0.0.37"
key 826fe15a2c82904dfdaffdad
!
7. Define the RADIUS servers and the server group
aaa server-group "LAB_ISEPSN_SVG"
auth-server LAB_ISEPSN_2 position 1
auth-server LAB_ISEPSN position 2
!
aaa authentication-server radius "LAB_ISEPSN"
host "10.0.0.36"
key 991e4cb4b9233aaec19
called-station-id type macaddr include-ssid enable delimiter colon
!
aaa authentication-server radius "LAB_ISEPSN_2"
host "10.0.0.37"
key 991e4cb4b9233aaec19
called-station-id type macaddr include-ssid enable delimiter colon
!
8. Create the AAA DOT1X Profile
aaa authentication dot1x "DOT1X-L2-0526NYC2024"
max-requests 2
timer wpa-key-period 3000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
!
9. Create the L2 MAC authentication profile
aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!
10. Create the AAA Profile
aaa profile "0526NYC2024_AAA_PROF"
initial-role "guest-logon"
authentication-mac "WIRELESS_L2_MAC_AUTH"
mac-default-role "guest-logon"
mac-server-group "LAB_ISEPSN_SVG"
authentication-dot1x "DOT1X-L2-0526NYC2024"
dot1x-default-role "guest-logon"
dot1x-server-group "LAB_ISEPSN_SVG"
radius-accounting "LAB_ISEPSN_SVG"
radius-roam-accounting
radius-interim-accounting
rfc-3576-server "10.0.0.36"
rfc-3576-server "10.0.0.37"
enforce-dhcp
!
11. Associate the wired VLANs with the AAA profile (the 0605NYC2024_AAA_PROF profile used for VLAN 668 is not shown in this write-up)
vlan 667
wired aaa-profile 0526NYC2024_AAA_PROF
!
vlan 668
wired aaa-profile 0605NYC2024_AAA_PROF
!
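Before moving on to the tunnel configuration, a sanity check on the two controller configs above. The following Python script is an added example, not from the original write-up or from Aruba: it parses "!"-terminated ArubaOS config blocks (in the un-indented form they appear in on this page) and reports every object that is referenced but never defined, treating a handful of default ACLs and roles as built in. The sample configuration embedded in it is constructed from fragments of the DMZ controller config above and deliberately keeps two dangling references: a server group that lists a RADIUS server the sample does not define, and the VLAN 668 entry pointing at an aaa profile this page never defines.

```python
"""Cross-reference check for ArubaOS Mobility Controller configuration.

Added example, not part of the original post. The controller configs build a
chain of objects (netservice -> ACL -> user-role -> aaa profile -> virtual-ap /
wired VLAN); a name that is referenced but never defined fails quietly, usually
as a client landing in a default role. This parses "!"-terminated blocks and
reports dangling references. The sample config below is constructed.
"""
import re
from collections import defaultdict

# Default objects that exist on every controller without being configured.
BUILTIN = {
    "acl": {"ra-guard", "logon-control", "captiveportal", "v6-logon-control", "captiveportal6"},
    "role": {"guest-logon", "logon", "guest", "authenticated"},
}

NAME = r' "?([^"]+)"?'  # object name, quoted or not

# Block header -> (kind of object defined, regex capturing its name)
DEFINITIONS = [
    ("netservice", re.compile(r"^netservice (\S+)")),
    ("netdestination", re.compile(r"^netdestination (\S+)")),
    ("acl", re.compile(r"^ip access-list session (\S+)")),
    ("role", re.compile(r"^user-role (\S+)")),
    ("captive-portal", re.compile(r"^aaa authentication captive-portal" + NAME)),
    ("radius", re.compile(r"^aaa authentication-server radius" + NAME)),
    ("rfc3576", re.compile(r"^aaa rfc-3576-server" + NAME)),
    ("server-group", re.compile(r"^aaa server-group" + NAME)),
    ("dot1x", re.compile(r"^aaa authentication dot1x" + NAME)),
    ("mac", re.compile(r"^aaa authentication mac" + NAME)),
    ("aaa-profile", re.compile(r"^aaa profile" + NAME)),
    ("ssid", re.compile(r"^wlan ssid-profile" + NAME)),
    ("virtual-ap", re.compile(r"^wlan virtual-ap" + NAME)),
]

# Child line -> (kind of object referenced, regex capturing the referenced name)
REFERENCES = [
    ("acl", re.compile(r"^access-list session (\S+)")),
    ("captive-portal", re.compile(r"^captive-portal (\S+)")),
    ("role", re.compile(r"^(?:initial-role|mac-default-role|dot1x-default-role)" + NAME)),
    ("mac", re.compile(r"^authentication-mac" + NAME)),
    ("dot1x", re.compile(r"^authentication-dot1x" + NAME)),
    ("server-group", re.compile(r"^(?:dot1x-server-group|mac-server-group|radius-accounting)" + NAME)),
    ("rfc3576", re.compile(r"^rfc-3576-server" + NAME)),
    ("radius", re.compile(r"^auth-server (\S+)")),
    ("aaa-profile", re.compile(r"^(?:wired )?aaa-profile" + NAME)),
    ("ssid", re.compile(r"^ssid-profile" + NAME)),
    ("virtual-ap", re.compile(r"^virtual-ap" + NAME)),
    ("netdestination", re.compile(r"^user alias (\S+)")),
    # ACL rule whose service token is a named netservice (not a protocol/port
    # pair like "udp 68" and not a built-in svc-* service).
    ("netservice", re.compile(r"^(?:user|any) (?:any|alias \S+) ((?!svc-|tcp |udp |any |icmp )\S+) (?:permit|deny|dst-nat|src-nat)")),
]


def parse_blocks(text):
    """Yield (header, [child lines]) for each '!'-terminated block; indentation is ignored."""
    header, children = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if header is not None:
                yield header, children
            header, children = None, []
        elif header is None:
            header = line
        else:
            children.append(line)
    if header is not None:
        yield header, children


def check_references(text):
    """Return [(block header, kind, name)] for every reference with no definition."""
    defined = defaultdict(set)
    for kind, names in BUILTIN.items():
        defined[kind] |= names
    blocks = list(parse_blocks(text))
    for header, _ in blocks:
        for kind, rx in DEFINITIONS:
            m = rx.match(header)
            if m:
                defined[kind].add(m.group(1))
    problems = []
    for header, children in blocks:
        for line in children:
            for kind, rx in REFERENCES:
                m = rx.match(line)
                if m and m.group(1) not in defined[kind]:
                    problems.append((header, kind, m.group(1)))
    return problems


# Constructed sample: DMZ-controller fragments with two dangling references
# (LAB_ISEPSN_2 is never defined; 0605NYC2024_AAA_PROF is never defined).
SAMPLE_CONFIG = """
netservice ise-https tcp 8443
!
netdestination cisco_ise
host 10.0.0.36
!
ip access-list session PERMIT-TO-ISE
user alias cisco_ise ise-https permit
!
aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
no user-logon
!
user-role DMZ-WIRELESS-GUEST-REDIRECT
access-list session logon-control
access-list session PERMIT-TO-ISE
access-list session captiveportal
captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
!
aaa rfc-3576-server "10.0.0.36"
key 826fe15a2c82904dfdaffdad
!
aaa authentication-server radius "LAB_ISEPSN"
host "10.0.0.36"
!
aaa server-group "LAB_ISEPSN_SVG"
auth-server LAB_ISEPSN_2 position 1
auth-server LAB_ISEPSN position 2
!
aaa authentication mac "WIRELESS_L2_MAC_AUTH"
!
aaa profile "0526NYC2024_AAA_PROF"
initial-role "guest-logon"
authentication-mac "WIRELESS_L2_MAC_AUTH"
mac-server-group "LAB_ISEPSN_SVG"
rfc-3576-server "10.0.0.36"
!
vlan 667
wired aaa-profile 0526NYC2024_AAA_PROF
!
vlan 668
wired aaa-profile 0605NYC2024_AAA_PROF
!
"""

if __name__ == "__main__":
    for header, kind, name in check_references(SAMPLE_CONFIG):
        print(f"{header}: {kind} '{name}' is referenced but not defined")
```

Run it against the output of show configuration effective on each controller. In a firewalled two-controller design like this one, a name that resolves on the internal controller but not on the DMZ controller is the kind of mismatch that only surfaces as a client silently landing in the default role.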
Mobility Controllers Interface and Tunnel Configuration
Note the trust asymmetry: the internal controller marks its tunnels trusted and simply carries the guest VLANs to the DMZ, while the DMZ controller marks its side of each tunnel no trusted, so traffic arriving over GRE is treated as user traffic and goes through the wired aaa-profile, role assignment and captive portal on VLANs 667 and 668.
Internal Controller:
interface tunnel 266
description "TUNNEL TO pDMZANHCOR0001"
tunnel source 10.0.205.5
trusted
tunnel destination 10.0.66.14
tunnel mode gre 1
trusted vlan 1-4094
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
!
interface tunnel 662
description "TUNNEL TO vDMZANCHOR0001"
tunnel source 10.0.205.5
trusted
tunnel destination 10.0.66.3
tunnel mode gre 1
trusted vlan 1-4094
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
!
controller-ip vlan 3023
interface mgmt
shutdown
!
vlan 666
vlan 667
vlan 668
vlan 3023
DMZ Controller:
interface gigabitethernet 0/0/0
description "LINK TO ASA VLAN 666 PORT"
switchport mode trunk
switchport trunk native vlan 666
no spanning-tree
trusted
lldp transmit
lldp receive
trusted vlan 1-4094
!
interface gigabitethernet 0/0/1
description "LINK TO ASA VLAN 667 PORT"
switchport mode trunk
switchport trunk native vlan 667
no spanning-tree
trusted
lldp transmit
lldp receive
trusted vlan 1-4094
!
interface gigabitethernet 0/0/2
description "LINK TO ASA VLAN 668 PORT"
switchport mode trunk
switchport trunk native vlan 668
no spanning-tree
trusted
lldp transmit
lldp receive
trusted vlan 1-4094
!
interface tunnel 663
description "TUNNEL TO US-NYC-VMC0003"
tunnel source 10.0.66.14
tunnel destination 10.0.205.6
tunnel mode gre 1
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
no trusted
!
interface tunnel 662
description "TUNNEL TO US-NYC-VMC0002"
tunnel source 10.0.66.14
tunnel destination 10.0.205.5
tunnel mode gre 1
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
no trusted
!
interface tunnel 661
description "TUNNEL TO US-NYC-VMC0001"
tunnel source 10.0.66.14
tunnel destination 10.0.205.4
tunnel mode gre 1
tunnel vlan 666-668
no inter-tunnel-flooding
tunnel keepalive
tunnel keepalive 10 3
no trusted
!
Verify that the captive portal profile is attached to the user role.
Click “show advanced” to see the captive portal settings.
DMZ Controller
#show configuration effective | begin "aaa authentication captive-portal"
aaa authentication captive-portal "DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG"
no user-logon
!
user-role DMZ-WIRELESS-GUEST-REDIRECT
access-list session ra-guard
access-list session logon-control
access-list session PERMIT-TO-ISE
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
captive-portal DMZ-WIRELESS-GUEST-REDIRECT_ISE_SG
!
Add the Controllers to Cisco ISE as a network access device (NAD)
Click on the “+” sign to add a device
Note: The Aruba_AOS XML file can be found here
Create an authorization policy/profile
The first authorization profile redirects the user to ISE's captive portal. In the Web Redirection section, enter the redirect user-role name from the mobility controller in the ACL field; the Aruba_AOS device profile returns it as the Aruba-User-Role attribute.
Click save
The following attributes will be automatically added
Create a second authorization profile that permits Internet access only, again entering the name of the corresponding user-role from the mobility controller.
The following attributes will be automatically added
Create a simple policy set
Testing the configuration on a client
The sponsor creates a guest account
Note: The guest credentials can also be emailed to the user.
Windows Client
Kali Linux Client
iPhone 8
ISE verification
The device connected and received the redirect role from ISE
The user successfully logged in
Cisco ISE sent a change of authorization (CoA) request, here a Disconnect-Request, which disconnected the user.
When the client reconnected and re-authenticated, ISE returned the final authorization, placing the user in the Internet-only role.
DMZ WLC verification
CLI
ACL hit counts verifying that the ACL is "correct"
GUI
Internal controller verification
Firewall blocking traffic from the DMZ to the internal network
Issue: CoA failed, and the user was stuck in a redirect loop while trying to reach the Internet.
It appeared that the shared secret configured for the RFC 3576 server on the DMZ controller was incorrect. A NAS cannot validate the authenticator of a Disconnect-Request sent with a different secret and discards it without a reply, so ISE only reports the CoA as failed after its retries time out and the client stays in the redirect role; the controller's counters are where the mismatch shows up:
show aaa rfc-3576-server statistics
Resolution: I updated the shared secret on the DMZ controller, and CoA worked as expected:
show aaa rfc-3576-server statistics
Packet capture from ISE (10.0.0.36)
1. The client connects to the SSID, and ISE sends an Access-Accept that places the user in the "GUEST-WIRELESS-REDIRECT" role, which redirects the user to the captive portal.
2. Once the guest account is registered, Cisco ISE sends a Disconnect-Request.
3. The Disconnect-Request identifies the session by the wireless client's MAC address (the Calling-Station-Id attribute).
Verify the device's MAC address
4. The DMZ controller responds with a Disconnect-ACK.
5. The client re-authenticates and ISE responds with an Access-Accept containing the second (Internet-only) authorization attributes.
6. Verified that the user obtained the correct user-role on the DMZ controller.
7. Accounting frame from the DMZ controller to ISE.
8. ISE live log verification.
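The exchange in steps 2 to 4, together with the shared-secret failure described under Issue above, as an added example that is not part of the original post: a standard-library Python model of an RFC 5176 (originally RFC 3576) Disconnect-Request carrying the client MAC in Calling-Station-Id, the NAS-side authenticator check with Disconnect-ACK or Disconnect-NAK, and the CoA client's verification of the Response Authenticator. The addresses, the MAC address and the secrets are constructed sample values; nothing here talks to a real ISE or controller.

```python
"""RFC 5176 Disconnect-Request / Disconnect-ACK exchange, modelled end to end.

Added example, not from the original write-up, ISE or Aruba. It shows why a
wrong rfc-3576-server key produces "CoA failed, user stuck in redirect": the
NAS recomputes the Request Authenticator with its own secret, and a packet
that does not verify is dropped without any reply. All values are constructed.
"""
import hashlib
import hmac
import struct

# RADIUS codes for dynamic authorization (RFC 5176 section 2.3)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# Attribute types used here (RFC 2865 / RFC 5176)
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ERROR_CAUSE = 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value for an unknown session

HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encode_attrs(attrs):
    """Encode [(type, value bytes)] as RADIUS TLVs; length covers the 2-byte header."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 s3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length, b"\x00" * 16) + attrs + secret).digest()


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 5176 s3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length, req_auth) + attrs + secret).digest()


def parse(packet):
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, ident, auth, packet[HEADER.size:]


def build_disconnect_request(ident, client_mac, nas_ip, secret):
    """CoA client side (ISE): identify the session by the client MAC."""
    attrs = encode_attrs([
        (CALLING_STATION_ID, client_mac.encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return HEADER.pack(DISCONNECT_REQUEST, ident, HEADER.size + len(attrs), auth) + attrs


def nas_handle_disconnect(packet, nas_secret, active_sessions):
    """NAS side (the DMZ controller). Returns the reply, or None when the request is dropped."""
    code, ident, auth, attr_bytes = parse(packet)
    if code != DISCONNECT_REQUEST:
        return None
    expected = request_authenticator(code, ident, attr_bytes, nas_secret)
    if not hmac.compare_digest(auth, expected):
        return None  # wrong shared secret: silently discarded, no NAK, no log on the sender
    mac = dict(decode_attrs(attr_bytes)).get(CALLING_STATION_ID, b"").decode()
    if mac in active_sessions:
        active_sessions.discard(mac)  # tear down the session so the client re-authenticates
        reply_code, reply_attrs = DISCONNECT_ACK, b""
    else:
        reply_code = DISCONNECT_NAK
        reply_attrs = encode_attrs([(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))])
    resp_auth = response_authenticator(reply_code, ident, reply_attrs, auth, nas_secret)
    return HEADER.pack(reply_code, ident, HEADER.size + len(reply_attrs), resp_auth) + reply_attrs


def client_verify_reply(request, reply, secret):
    """CoA client side: trust the ACK/NAK only if its Response Authenticator verifies."""
    _, req_ident, req_auth, _ = parse(request)
    code, ident, auth, attr_bytes = parse(reply)
    if ident != req_ident:
        return None
    expected = response_authenticator(code, ident, attr_bytes, req_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None


def coa_exchange(client_secret, nas_secret, client_mac="00:11:22:33:44:55", nas_sessions=None):
    """Run one Disconnect exchange; returns the verified reply code, or None if it failed."""
    sessions = {client_mac} if nas_sessions is None else set(nas_sessions)
    request = build_disconnect_request(0x2A, client_mac, "10.0.66.14", client_secret)
    reply = nas_handle_disconnect(request, nas_secret, sessions)
    return None if reply is None else client_verify_reply(request, reply, client_secret)


if __name__ == "__main__":
    print("matching secrets:", coa_exchange(b"s3cret", b"s3cret"))      # 41 (Disconnect-ACK)
    print("secret mismatch: ", coa_exchange(b"s3cret", b"stale"))       # None (dropped)
    print("unknown session: ", coa_exchange(b"s3cret", b"s3cret", nas_sessions=set()))  # 42 (NAK)
```

The three calls at the bottom correspond to the three outcomes a practitioner sees on the controller: an ACK (the session is torn down and the client re-authenticates into the Internet-only role), no reply at all (the secret mismatch from the Issue above, visible only in show aaa rfc-3576-server statistics), and a NAK with Error-Cause 503 when the MAC in Calling-Station-Id does not match any active session.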