Scribd
Upload
146 views56 pages

AOS10-demo v0.3

The document discusses configuring a demo network topology with Aruba Central and AOS10, including adding devices to Aruba Central, configuring the LAN switch, configuring gateways in Aruba Central including VLANs and ports, and initial AP configuration.

Uploaded by

bkshrestha69
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
146 views56 pages

AOS10-demo v0.3

The document discusses configuring a demo network topology with Aruba Central and AOS10, including adding devices to Aruba Central, configuring the LAN switch, configuring gateways in Aruba Central including VLANs and ports, and initial AP configuration.

Uploaded by

bkshrestha69
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 56

Contents

1.1 Revision History ........................................................................................................................................... 1


2 Demo Topology ................................................................................................................................................... 2
3 Aruba Central Account ........................................................................................................................................ 3
4 Aruba Central Configuration ................................................................................................................................ 6
4.1 LAN Switch Configuration ............................................................................................................................ 6
4.2 Gateway Configuration ................................................................................................................................ 7
4.3 AP Configuration........................................................................................................................................ 12
4.4 Assigning Static IP addresses for APs .......................................................................................................... 14
4.5 Firmware Upgrade ..................................................................................................................................... 14
4.6 Gateway Cluster ........................................................................................................................................ 17
4.7 Monitoring Gateway Cluster ...................................................................................................................... 17
5 ClearPass Initial Configuration ........................................................................................................................... 20
5.1 Joining AD Domain ..................................................................................................................................... 21
5.2 ClearPass dot1x Service ............................................................................................................................. 22
5.3 NAD Configuration ..................................................................................................................................... 24
6 WLAN Configuration .......................................................................................................................................... 25
6.1 Tunnelled Wireless Configuration .............................................................................................................. 25
6.2 Wireless dot1x Testing ............................................................................................................................... 27
7 RF Monitoring ................................................................................................................................................... 31
8 Guest Access Configuration ............................................................................................................................... 37
8.1 Guest Wireless Configuration..................................................................................................................... 37
8.2 ClearPass Guest policy Configuration ......................................................................................................... 41
8.3 ClearPass Guest Portal Configuration ......................................................................................................... 46
8.4 Guest Testing ............................................................................................................................................. 50

1.1 Revision History

DATE VERSION EDITOR CHANGES


15 Mar 2021 0.1 Ariya Parsamanesh Initial creation
22 May 2021 0.2 Ariya Parsamanesh Added the ClearPass guest operator login
04 Jul 2021 0.3 Ariya Parsamanesh Added the Monitoring section

1|P a ge
2 Demo Topology
The aim here is to provide the starting point to put together a solution that include the AOS10 APs, two gateways,
ClearPass and obviously Aruba Central.
Note that APs in AOS10 support bridged, tunnelled and mix mode wireless LANs (WLAN) however in this technote
we’ll be deploying tunnelled mode WLANs. We’ll also demonstrate the gateway clustering with AOS10.
This is type of deployment is particularly useful when all the buildings in a school/college campus have L3 IP
demarcation and are routed to various part of the campus.

With AOS10, the campus architecture consists of two layers:


1. The infrastructure layer consists of a WLAN setup which can be either a campus setup or a branch setup. The
campus setup can consist only of access points (APs) or APs combined with gateway clusters. In case of a
branch setup, the infrastructure layer includes an AP. Here we have combined the Instant APs and Campus
APs into just APs, and you bridge, or tunnel user traffic based on the configuration on the APs.
2. The cloud management layer consists of Aruba Central which is a cloud management SaaS platform. The
Network Operations app is one of the Aruba apps which is a part of Aruba Central and this app helps to
create the SSID profiles for the different WLAN campus and branch setups.

As you can see in the above diagram, the classic components that would normally run on mobility master or instant
APs are now run as services in Aruba Central. I am talking about Airmatch, Roaming, clientmatch, etc.
Here we’ll not go to the details of the architecture for that please refer to this link
https://www.arubanetworks.com/techdocs/AOS10X_OLH/Content/overview/architecture-overview.htm

2|P a ge
3 Aruba Central Account
You need an Aruba Central account with appropriate licenses for APs and gateways. You can sign up for a 90 days
trial from this link
https://www.arubanetworks.com/products/network-management-operations/central/eval/
Once you login to your Central account you need to add your devices (APs and Gateways) to the device inventory

Here I have already added my APs.

You do the same for the gateways as well. Then you need to assign the licenses to the devices, for this from Account
home you need to go to “License Assignment”

3|P a ge
Now, we’ll go the network operations App in Aruba Central.

Here we’ll create a group and move the devices into it. The groups are used for device configurations.

4|P a ge
Then you need to convert the group to AOS10.

Once the group is converted, you can then drag and drop the devices from the right hand side table.

5|P a ge
4 Aruba Central Configuration
For this demo, I have also added Aruba 2930F switch to Aruba Central’s AOS10 group. We’ll start with the
configuration of the LAN switch to which we’ll connect the APs and the gateways.

4.1 LAN Switch Configuration


We won’t go deep in this section as the focus here is AOS 10 demo. Take a note of the VLANs that are configured.

As the names suggests, APs are connected to AP-VLAN, gateways and ClearPass are connected to Server VLAN.
The gateways are connected to port 5 and 7 that are configured for VLAN trunking. DHCP for AP, staff, and student
VLANs are configured on the switch.

dhcp-server pool "AP-VLAN"


default-router "10.10.55.1"
dns-server "10.224.254.1"
lease 00:08:00
network 10.10.55.0 255.255.255.0
range 10.10.55.10 10.10.55.19
exit
dhcp-server pool "Staff-VLAN"
6|P a ge
default-router "10.10.44.1"
dns-server "1.1.1.1"
lease 00:04:00
network 10.10.44.0 255.255.255.0
range 10.10.44.50 10.10.44.59
exit
dhcp-server pool "Student-VLAN"
default-router "10.10.33.1"
dns-server "1.1.1.1"
lease 00:04:00
network 10.10.33.0 255.255.255.0
range 10.10.33.50 10.10.33.59
exit
dhcp-server enable

Aruba-2930F-8G-PoEP-2SFPP#

4.2 Gateway Configuration


Note that with AOS 10, Gateways are not mandatory. They are required if you want to tunnel user traffic to a central
location particularly useful for scenarios that you need L2 roaming between APs in different subnets.
We’ll start the configuration at group level before powering up the gateways. This is to minimise the reboots and
some potential network issues especially when it comes to changing IP address and loosing connectivity.
We’ll be using Aruba 7005 gateways which have 4x ports.
AOS10

7|P a ge
Disabling spanning tree

Adding the relevant ports for Aruba 7005 gateway.

I am planning to sue interface 0/0/0 as my gateway uplink. This port needs to be in trunk mode and here we’ll add
the relevant VLANs.

Adding the VLANs to appropriate ports.

8|P a ge
Adding the default route

Adding the user roles by going to “security tab”

9|P a ge
Here we’ll add the allow-all policy.

Next, we’ll assign a VLAN to this role.

10 | P a g e
We’ll create a new user role staff and as before, we’ll add a allow-all policy and assign VLAN 44 to it.

We’ll configure the authentication server and RFC3576 for RADIUS CoA

Then once saved, click on it to set the RADIUS secret key

And finally add a rfc3576 server for CoA.

11 | P a g e
Note that they are not assigned to any authentication server groups.

4.3 AP Configuration
Here we’ll go through the AP configuration. As always, we’ll do the bulk of configuration at the group level.

12 | P a g e
As we did with gateways, we’ll create various user roles here as well.

13 | P a g e
This is in case we want to change from tunnel mode to bridge mode for user traffic, otherwise we don’t need these
roles here.

4.4 Assigning Static IP addresses for APs


In most of the cases you’ll go with DHCP based IP addresses, but in case you need to assign static IP addresses, it is
done as shown below.

4.5 Firmware Upgrade


We’ll now connect the APs that we previously added to Aruba Central inventory that are running Instant software to
the network. The network must have Internet access. Ensure that the APs are in factory default mode to get rid of
any previous configuration. When they are powered up, they will get DHCP IP address and with a valid DNS and will
then contact Central and will end up in AOS10 group that we created before.
For the gateways ensure they are factory default and running the SD-branch image 8.6.0.4-2.2.x.x or better. Again,
like the APs, once the gateways are powered up they can use DHCP to get their IP addresses and will then contact
Aruba Central, but we’ll go through the full setup without DHCP.

Auto-provisioning is in progress. It requires DHCP and Activate servers


Choose one of the following options to override or debug auto-provisioning...
'enable-debug' : Enable auto-provisioning debug logs
14 | P a g e
'disable-debug' : Disable auto-provisioning debug logs
'mini-setup' : Start mini setup dialog. Provides minimal customization and
requires DHCP server
'full-setup' : Start full setup dialog. Provides full customization
'static-activate' : Provides customization for static or PPPOE ip assignment.
Uses activate for master information

Enter Option (partial string is acceptable): full-setup

Are you sure that you want to stop auto-provisioning and start full setup dialog?
(yes/no): yes

***************** Welcome to the Aruba7005 setup dialog *****************


This dialog will help you to set the basic configuration for the switch.
These settings, except for the Country Code, can later be changed from the
Command Line Interface or Graphical User Interface.

Commands: <Enter> Submit input or use [default value], <ctrl-I> Help


<ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
<ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
<ctrl-P> Previous question <ctrl-X> Restart beginning <ctrl-R> Reload box

Enter System name [Aruba7005]: 7005-1


Enter Switch Role (standalone|md) [md]:
Enter IP type to terminate IPSec tunnel (ipv4|ipv6) [ipv4]:
Enter Master switch IP address/FQDN or ACP IP address/FQDN: device-
apacsouth.central.arubanetworks.com
Enter Master switch type(MM|ACP) ACP
Enter Uplink Vlan ID [1]:192
Enter Uplink port [GE 0/0/0]:
Enter Uplink port mode (access|trunk) [access]:
Enter Uplink Vlan IP assignment method (dhcp|static|pppoe) [static]:
Enter Uplink Vlan Static IP address [172.16.0.254]: 192.168.1.243
Enter Uplink Vlan Static IP netmask [255.255.255.0]:
Enter IP default gateway [none]: 192.168.1.1
Enter DNS IP address [none]: 192.168.1.1
Do you wish to configure IPV6 address on vlan (yes|no) [yes]: no
Do you want to configure dynamic port-channel (yes|no) [no]:
Enter Country code (ISO-3166), <ctrl-I> for supported list: AU
You have chosen Country code AU for Australia (yes|no)?: yes
Enter the controller's IANA Time zone [America/Los_Angeles]: Australia/Melbourne
Enter Time in UTC [12:53:36]:
Enter Date (MM/DD/YYYY) [12/3/2021]:
Do you want to create admin account (yes|no) [yes]:
Enter Password for admin login (up to 32 chars): ********
Re-type Password for admin login: ********

<omitted the other lines>

System will now restart!

[12:55:07]:Starting rebootme
[12:55:07]:Shutdown processing started

Once the APs and gateways are online in Aruba Central, we’ll upgrade them to AOS10 image. In the next release SD-
branch and AOS10 firmware will merge. I have already upgraded my APs, but this is how you can do it.

15 | P a g e
We’ll use the same firmware version for the gateways as well.

Here we’ll check to see if the APs and gateways are online with the correct firmware

Notice that there is one gateway cluster. The cluster will automatically be formed between gateways on the network
using their system IP addresses.

16 | P a g e
4.6 Gateway Cluster
Cluster is a combination of multiple MDs working together to provide high availability to all the clients and ensure
service continuity when a failover occurs. The gateways need not be identical and can be either L2- connected or L3-
connected with a mixed configuration. In case of failover, the client SSO works for the L2- connected managed
devices and the clients are de-authenticated for L3-connected managed devices in a cluster.
The aims of clustering are
• seamless Campus Roaming: When a client roams between APs of different managed devices within a large L2
domain, the client retains the same subnet and IP address to ensure seamless roaming. The clients remain
anchored to a single managed device in a cluster throughout their roaming area which makes their roaming
experience seamless because their L2 or L3 information and sessions remain on the same managed device.
• Hitless Client Failover: When a managed device fails, all the users fail over to their standby managed device
seamlessly without any disruption to their wireless connectivity or existing high-value sessions.
• Client and AP Load Balancing: When there is excessive workload among the managed devices, the client and
AP load is evenly balanced among the cluster members. Both clients and APs are load balanced seamlessly.

4.7 Monitoring Gateway Cluster


Here is how to check the gateway cluster

17 | P a g e
Here is the CLI command to check the operation of the cluster.
(7005_AOS10_gwy1) #show lc-cluster group-membership

Cluster Enabled, Profile Name = "auto_gwcluster_178_0"


Heartbeat Threshold = 900 msec
Cluster Info Table
------------------
Type IPv4 Address Priority Connection-Type STATUS
---- --------------- -------- --------------- ------
self 192.168.1.243 128 N/A CONNECTED (Member)
peer 192.168.1.242 128 L2-Connected CONNECTED (Leader)

(7005_AOS10_gwy1) #show lc-cluster load distribution client

Cluster Load Distribution for Clients


-------------------------------------
Type IPv4 Address Active Clients Standby Clients
---- --------------- -------------- ---------------
self 192.168.1.243 0 1
peer 192.168.1.242 1 0
Total: Active Clients 1 Standby Clients 1

(7005_AOS10_gwy1) #
(7005_AOS10_gwy1) #show lc-cluster load distribution ap

Cluster Load Distribution for APs


---------------------------------
Type IPv4 Address Active APs Standby APs
---- --------------- -------------- ---------------
self 192.168.1.243 1 1
peer 192.168.1.242 1 1
Total: Active APs 2 Standby APs 2

(7005_AOS10_gwy1) #

Now checking the second gateway. Note we have 1x client and 2x APs that are connected.

(7005_AOS10_gwy2) #show lc-cluster group-membership

Cluster Enabled, Profile Name = "auto_gwcluster_178_0"


Heartbeat Threshold = 900 msec
Cluster Info Table
------------------
Type IPv4 Address Priority Connection-Type STATUS
---- --------------- -------- --------------- ------
peer 192.168.1.243 128 L2-Connected CONNECTED (Member)
self 192.168.1.242 128 N/A CONNECTED (Leader)

(7005_AOS10_gwy2) #
(7005_AOS10_gwy2) #
(7005_AOS10_gwy2) #show lc-cluster load distribution client

18 | P a g e
Cluster Load Distribution for Clients
-------------------------------------
Type IPv4 Address Active Clients Standby Clients
---- --------------- -------------- ---------------
peer 192.168.1.243 0 1
self 192.168.1.242 1 0
Total: Active Clients 1 Standby Clients 1

(7005_AOS10_gwy2) #
(7005_AOS10_gwy2) #show lc-cluster load distribution ap

Cluster Load Distribution for APs


---------------------------------
Type IPv4 Address Active APs Standby APs
---- --------------- -------------- ---------------
peer 192.168.1.243 1 1
self 192.168.1.242 1 1
Total: Active APs 2 Standby APs 2

(7005_AOS10_gwy2) #

19 | P a g e
5 ClearPass Initial Configuration
Here we’ll do the basic ClearPass configuration and join it to the AD domain along with creation of dot1x service
policy. We’ll start with NTP and time zone.

20 | P a g e
5.1 Joining AD Domain
Configure the IP addresses and the rest as per your Lab setup but ensure you have the IP address of your domain
controller as the primary DNS. CPPM needs to join the AD domain, in order to authenticate against it. Make sure the
clock time for AD and CPPM are almost in sync. It is best to use NTP. If they are not in sync, then CPPM will not be
able to join the domain. When you click on the “join domain” button, you need to provide the FQDN of the DC and
that’s why you need the DNS entry to resolve the name of your domain controller.

Now we need to add the AD as authentication source

21 | P a g e
5.2 ClearPass dot1x Service
Here we create a dot1x service for wireless access.

“school” is the name of the SSID

22 | P a g e
And here are the enforcement profiles that are being used in the enforcement policy
• AA Aruba 802.1X Wireless Default Profile RADIUS
• AA-Aruba 802.1X Wireless Staff Profile RADIUS
• AA-Aruba 802.1X Wireless Student Profile RADIUS
• AA Aruba 802.1X Wireless Update Endpoint Location Post_Authentication

23 | P a g e
5.3 NAD Configuration
Here we are adding Network Access Devices (NAD). This will be the AOS10 APs and gateways. Note that you need to
either add the AP IP addresses individually or just add their subnet as I have done here.

24 | P a g e
6 WLAN Configuration
Here we’ll configure the AOS10 APs to broadcast a tunnelled SSID. This is done at the group level.
6.1 Tunnelled Wireless Configuration

You can choose the cluster from the menu. Also note that the VLAN IDs are being displayed from the gateways.

25 | P a g e
Select the authentication server that we had configured on the gateways. It gets automatically populated using the
drop down menu. Note that this is not the RADIUS server that we configured in the AP group but rather from the
gateway group. Next select Accounting from the advance Setting section

And save the configuration.

26 | P a g e
6.2 Wireless dot1x Testing
First, we’ll check the gateway authentication server configuration, the highlighted lines were pushed form the AP’s
tunnel configuration.

Now we’ll get a laptop to connect to “school” SSID with staff1 user credentials and check ClearPass access tracker

Note that 192.168.1.242 is the IP address of the gateway-1 and 10.224.254.161 is the IP address of the AP.

27 | P a g e
And we also have the accounting tab, which indicates RADIUS accounting is working

Lastly, we need to test if CoA is working, click on the “change status” to terminate the session

28 | P a g e
Now looking at Aruba Central pages.

29 | P a g e
Clicking on the gateway symbol takes us to the gateway that is terminating the user traffic

Now we’ll run a few CLI commands.


b4:5d:50:c6:82:4a# sh ap bss-table

Aruba AP BSS Table


------------------
bss ess port ip phy type ch/EIRP/max-EIRP cur-cl ap name in-t(s) tot-t
flags
--- --- ---- -- --- ---- ---------------- ------ ------- ------- ----- --
---
b4:5d:50:e8:24:b0 school ?/? 10.224.254.161 a-VHT ap 36E/15.0/21.5 1 b4:5d:50:c6:82:4a 0 1h:2m:16s
b4:5d:50:e8:24:b1 Guest ?/? 10.224.254.161 a-VHT ap 36E/15.0/21.5 1 b4:5d:50:c6:82:4a 0 4m:29s o
b4:5d:50:e8:24:b2 _owetm_Guest2874425900 ?/? 10.224.254.161 a-VHT ap 36E/15.0/21.5 0 b4:5d:50:c6:82:4a 0 4m:28s WO
b4:5d:50:e8:24:a0 school ?/? 10.224.254.161 g-HT ap 3/7.5/21.5 0 b4:5d:50:c6:82:4a 0 1h:2m:15s
b4:5d:50:e8:24:a1 Guest ?/? 10.224.254.161 g-HT ap 3/7.5/21.5 0 b4:5d:50:c6:82:4a 0 4m:29s o
b4:5d:50:e8:24:a2 _owetm_Guest2874425900 ?/? 10.224.254.161 g-HT ap 3/7.5/21.5 0 b4:5d:50:c6:82:4a 0 4m:28s WO

Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

Num APs:6
Num Associations:2

Flags: K = 802.11K Enabled; W = 802.11W Enabled; 3 = WPA3 BSS; O = Enhanced-open BSS with transition mode; o = Enhanced-open transition
mode open BSS; M = WPA3-SAE mixed mode BSS; E = Enhanced-open BSS without transition mode; m = Agile Multiband (MBO) BSS; c = MBO Cellular Data
Capable BSS; I = Imminent VAP Down; T = Individual TWT Enabled; t = Broadcast TWT Enabled
b4:5d:50:c6:82:4a#

checking the IPSEC tunnels from the AP


b4:5d:50:c6:82:4a# sh ata endpoint

ATA Endpoint Status


-------------------
UUID IP ADDR STATE TUN DEV TUN SPI(OUT/IN) PORT(SRC/DST) VALID TIME(s) TUNNEL TYPE
GRE VLANs HBT(Jiff/Missed/Sent/Rcv) INNER IP UP TIME(s)
---- ------- ----- ------- --------------- ------------- ------------- ----------- -
-------- ------------------------- -------- ----------
522d59ab-05d0-43b6-ab49-177e49fb7bb0 192.168.1.242 SM_STATE_CONNECTED tun0 1ad1b900/c6d09100 4500/4500 125781 GRE
1,33,44,192,4094 3999/0/3808/3808 10.224.254.161 2021-03-13 08:28:59
5bb2c1da-f402-4afa-af39-c09d4aafa946 192.168.1.243 SM_STATE_CONNECTED tun1 92607100/969f6100 4500/4500 125783 GRE
1,33,44,192,4094 3999/0/3807/3807 10.224.254.161 2021-03-13 08:29:01
Total Endpoints Count: 2
b4:5d:50:c6:82:4a#

30 | P a g e
7 RF Monitoring
Here we’ll just touch on some of the RF mgmt. info that are available in Central. To start with at the global level, you
can check the WiFi connectivity and then drill down on any specifics, like AI insights, associations, authentication ,
etc.

Clicking on “clients had excessive 802.1.x failures”

31 | P a g e
Next, we can check the usage summary

We can then go to the Site level and see some of the stats

32 | P a g e
Looking at 5GHz band

33 | P a g e
Next, we can have a look at the Live view, for that we’ll choose a specific AP.

34 | P a g e
35 | P a g e
Now you can click on go live to get real-time view of the RF counter for 15min.

36 | P a g e
8 Guest Access Configuration
Here we’ll start with AP configuration followed by ClearPass.
8.1 Guest Wireless Configuration
The Guest WLAN will be tunnelled to the gateways, for this scenario all the configuration will take place on the AP
group.

37 | P a g e
38 | P a g e
In the above we have also enabled MAC auth and RADIUS accounting. MAC auth is enabled because we want to also
enable MAC caching for the guest users.

Now we have our Guest SSID configured.

39 | P a g e
We don’t need to do any configuration on the gateways as all the relevant configuration will be pushed to them,
which are:
- Authentication Servers and groups.
- L3 Captive Portal Authentication
- Pre-authentication user role

40 | P a g e
Lastly note that we have not use a publicly signed HTTPS server certificate for the controllers and hence the
redirection of a web page will issue a warning on the client’s web browser. In all deployment you need to have a
public cert for the controllers as well as ClearPass nodes.

8.2 ClearPass Guest policy Configuration


We’ll go through the guest confirmation needed on ClearPass. There are two part to it, one is the web pages that the
client redirects to and the other is the policy service we need to create. We’ll start with the policy service. Here we
are using the following template. This creates 2x services one is MAC authentication and the second one is Guest
redirection to captive portal page.

41 | P a g e
Guest-guest-logon

We’ll look at the MAC authentication service

42 | P a g e
And here are the enforcement profiles that are used here

43 | P a g e
We’ll look at the User Authentication with MAC caching service

44 | P a g e
The enforcement profiles

45 | P a g e
8.3 ClearPass Guest Portal Configuration
Here we’ll configure the portal pages.

Now we’ll create a guest user called cpguser with no expiration on the account.

46 | P a g e
Once created we’ll modify it to change the username and password

47 | P a g e
Next we’ll create a weblogin page, note that the page name will be in the redirection URL, also securelogin.hpe.com
will need to change to CN in the server certificate on Aruba controller.

48 | P a g e
49 | P a g e
You can test the page as well, when you’ll click on the launch a tab will open and you’ll see the captive portal note
the URL which in this case is https://victory.clearpass.info/guest/school.php?_browser=1
The “guest/school.php” is used in the URL redirection which we configured in MM
Now go to content manager and upload your terms and condition page.

8.4 Guest Testing


Now we’ll get a test device to connect to Guest SSID, it gets automatically redirected to guest page in ClearPass but
the browser will issue a warning

50 | P a g e
We’ll have a look at the certificate, and we’ll see it is the default captive portal certificate which is on the controller.

We’ll accept this and carry on, but for all deployments you need to have a public server certificate for your
controllers. Once we accept the certificate, we’ll get redirected to the captive portal page on ClearPass

51 | P a g e
Before we login with our guest credentials, we’ll look at the MM dashboard and see the user is in guest-login role
with minimum access.

Then we’ll check the access tracker and see that we have a failed MAC authentication.

This is normal as this MAC address has not been seen before.
It should be noted that the redirection happens from the AP not the gateways
b4:5d:50:c6:82:4a# sh client
52 | P a g e
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6
Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ----------
-- ------ ------------
Number of Clients :0
Info timestamp :8460
b4:5d:50:c6:82:4a#
b4:5d:50:c6:82:4a#
b4:5d:50:c6:82:4a# sh client

Client List
-----------
Name IP Address MAC Address OS ESSID Access Point
Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------
------- ---- ---- ------------ ------ ------------
a088b450c084 192.168.1.132 a0:88:b4:50:c0:84 Win 10 Schoo-Guest b4:5d:50:c6:82:4a
6 GN CP-Guest fe80::7d4a:2f07:955c:cd4f 54(good) 72(ok)

Number of Clients :1
Info timestamp :9155

b4:5d:50:c6:82:4a#
b4:5d:50:c6:82:4a# sh external-captive-portal

External Captive Portal


-----------------------
Name Server Port Url Auth Text Redirect Url
Server Fail Through Disable Auto Whitelist Use HTTPs Server Offload Prevent Frame
Overlay In Use Redirect Mode Switch IP
---- ------ ---- --- --------- ------------
------------------- ---------------------- --------- -------------- ---------------
default localhost 80 / Authenticated
Disable Enable Yes No Disable
No Yes No
CP-Guest victory.clearpass.info 443 /guest/school.php
http://www.arubanetworks.com Disable Enable Yes
No Disable Yes Yes No

b4:5d:50:c6:82:4a# sh external-captive-portal CP-Guest

Name :CP-Guest
Server :victory.clearpass.info
Port :443
Url :/guest/school.php
Auth Text :
Redirect Url :http://www.arubanetworks.com
Server Fail Throuth :Disable
Disable Auto Whitelist :Enable
Use HTTPs :Yes
Server Offload :No
Prevent Frame Overlay :Disable
In Used :Yes
Redirect Mode :Yes
Switch IP :No
b4:5d:50:c6:82:4a#

Now when the user performs a successful the login (we are using username cpguser) process, they will be redirected
to the “redirect URL” that we specified.

53 | P a g e
Now let’s look at the Client dashboard and access tracker, note that the user role is now “guest”.

And the access tracker shows a successful authentication that matches with “GG User Authentication with MAC
Caching” policy.

54 | P a g e
Also note that one of the post authentication actions were to update the endpoint repository status for that MAC
address to be known.

Now because the status of this endpoint is known the next time, this client connects it will not be redirected to the
captive portal until its allotted time has expired. So now if we disconnect the client, we should see it will successfully
MAC auths. This uses RADIUS CoA. We can do that directly from the access tracker.

55 | P a g e
Looking at the details of that session

Here we can see the user in the gateway’s user table using tunnel forwarding mode and in guest user role.

(7005_AOS10_gwy2) #show user


This operation can take a while depending on number of users. Please be patient ....

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link
Connected To Roaming Essid/Bssid/Phy Profile Forward
mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- -
----------------- ------- --------------- ------- --------
---- ---- --------- ---------
192.168.1.132 a0:88:b4:50:c0:84 a088b450c084 guest 00:00:03 MAC
b4:5d:50:c6:82:4a Wireless Schoo-Guest Schoo-Guest_#1615938135060_41#_ dtunnel
Win 10 WIRELESS

User Entries: 1/1


Curr/Cum Alloc:1/6 Free:0/5 Dyn:1 AllocErr:0 FreeErr:0
(7005_AOS10_gwy2) #

56 | P a g e

You might also like