Amigopod and ArubaOS Integration Version 1.
Amigopod and ArubaOS Integration Application Note Copyright © 2011 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved.
Table of Contents

Chapter 1: Introduction
Chapter 2: Captive Portal Authentication
Chapter 3: ArubaOS Configuration
Chapter 4: Amigopod Configuration
Chapter 5: Integration Verification
Chapter 6: Troubleshooting Tips
Appendix A: Contacting Aruba Networks
Chapter 1: Introduction

Aruba supports advanced visitor management services through the combination of Aruba Mobility Controllers and APs running the ArubaOS software, and Aruba Amigopod guest management software. This guide describes the configuration that must be performed on the Aruba Mobility Controllers and on Amigopod to create a fully integrated visitor management solution.
Chapter 2: Captive Portal Authentication

Captive portals are the simplest form of authentication for users. This section introduces the concepts behind the authentication and compares and contrasts Amigopod with the ArubaOS portal.

Captive Portal Overview

A captive portal allows a wireless client to authenticate using a web-based portal page. Captive portals are typically used in wireless hotspots or for hotel in-room Internet access.
ArubaOS or Amigopod for Visitor Management

ArubaOS supports two methods of guest access: using just the mobility controller, or using the mobility controller plus Amigopod. ArubaOS on its own supports basic guest management and captive portal functionality, with guest access limited to a single master-local cluster.
Table 2 Comparison of ArubaOS Captive Portal and Amigopod (continued)
Columns: Feature; ArubaOS; ArubaOS Plus Amigopod

    Export/import of user database
    Mandatory and nonmandatory fields
    Guest password complexity requirements
    Guest account information printing via templates
    Guest credential delivery through email and SMS
    Force password change on first login
    Delete and/or disable guest accounts on expiration
  Guest Session Management
    Time and day policy
    Guest access
  Enterprise Features and Scalability
    Managing 1000s of accounts
    High availability/redundancy
    Expandability (plug-in architecture)

Although ArubaOS supports both internal and external captive portal functionality, this guide focuses on the external captive portal.
Captive Portal Authentication Workflow

Figure 2 details the phases that a guest user passes through during captive portal authentication. In the Aruba system, the mobility controller acts as the network access server (NAS) and Amigopod acts as the RADIUS server.
4. The login page instructs the guest user's browser to submit the user credentials directly to the Aruba controller as an HTTPS POST for authentication processing.
5. When the Aruba controller receives the user credentials, it creates a corresponding RADIUS session and sends an Access-Request message to the defined Amigopod RADIUS server.
6.
Chapter 3: ArubaOS Configuration

Three phases make up the configuration of the ArubaOS controller to support external captive portal authentication using the RADIUS protocol:
1. Base RADIUS configuration
2. Captive portal configuration
3.
Adding a RADIUS Server

    aaa authentication-server radius "Amigopod"
        host 10.169.130.50
        key *******

Figure 4 Adding a RADIUS server

NOTE: Ensure that the key is recorded, because you will need this shared secret for a later step in the Amigopod configuration. For security purposes, each NAS should have its own key. The key is the only secret protecting the RADIUS exchange (both the User-Password hiding and the Response Authenticator are derived from it), so use a long random value rather than a dictionary word.
Modify NAS ID for Master Local Deployments

In an Aruba master-local deployment, you must modify the NAS ID of the local controllers so that the correct identifier is recorded in the RADIUS accounting traffic sourced from each local controller that terminates the APs. In the VRD campus topology, the local controllers are deployed on the 10.169.145.0/24 network (VLAN 145).
Modify RADIUS Client Settings

    ip radius nas-ip 10.169.145.4
    ip radius source-interface vlan 145

Figure 5 Modify RADIUS client setting

Add RADIUS Server to a Server Group

A server group must be created to define which authentication server is referenced during the authentication of visitor accounts. This server group is then referenced in the subsequent captive portal profile configuration.
Adding a AAA Server Group

    aaa server-group "Guest-Amigopod"
        auth-server "Amigopod" position 1

Figure 6 Adding a AAA server group

Creating an RFC3576 Server Instance

RFC 3576 (Dynamic Authorization Extensions to RADIUS) allows the RADIUS server to initiate changes to, or termination of, a session the NAS has already authorized. The message direction is the reverse of normal RADIUS: Amigopod sends a Disconnect-Request or CoA-Request to the controller, and the controller answers with an ACK or NAK.
RFC3576 Server Configuration

    aaa rfc-3576-server "10.169.130.50"
        key wireless

Figure 7 RFC3576 server configuration

The controller acts on Disconnect and CoA requests only when they arrive from this address and carry an authenticator computed with this key, so the key must match the shared secret configured for this controller on Amigopod. The value "wireless" above is illustrative only; use a strong secret in a real deployment.
Creating a Captive Portal Profile

One of the key features of Amigopod is the ability to host the branded web login or captive portal pages on the Amigopod appliance. With the captive portal profile, you can configure the login and optional welcome pages to be hosted by Amigopod.
Captive Portal Profile Configuration

    aaa authentication captive-portal "guestnet"
        default-role auth-guest
        redirect-pause 3
        no logout-popup-window
        login-page https://10.169.130.50/Aruba_Login.php
        welcome-page https://10.169.130.50/Aruba_welcome.php
        switchip-in-redirection-url

Figure 8 Captive portal profile configuration

The switchip-in-redirection-url option adds the controller's IP address to the redirect URL, which lets the Amigopod-hosted login page submit credentials to the controller the guest is actually connected to in a multi-controller deployment (see the switchip option in Chapter 4).
Configure Authentication for Captive Portal Profile

Now that the new captive portal profile has been created, you must select the server group for the Amigopod RADIUS definition as the authentication source.

Configure the Authentication Source

    aaa authentication captive-portal "guestnet"
        server-group "Guest-Amigopod"

Figure 9 Configure the authentication source
Modify the AAA Profile

The AAA profile defines how users are authenticated. It determines the user role for unauthenticated clients (initial role) and the user role applied after successful authentication (default role) for each authentication type. The AAA profile also defines the server group used for RADIUS accounting and an RFC3576 server, if present.
Enable 3576 Support

    aaa profile "guestnet"
        rfc-3576-server "10.169.130.50"

Figure 11 Enable RFC3576 support
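The RFC 3576 exchange that the two settings above enable, as an added example for this guide (it is not Aruba or Amigopod code). The server side builds the Disconnect-Request that Amigopod sends to tear down a guest session; the NAS side models the two checks the controller performs before acting on it: the packet must come from the configured rfc-3576-server address, and its Request Authenticator must verify under the shared key. On either failure the request is silently discarded, as RFC 3576 requires. The addresses and the key "wireless" are the values used in this guide; the user name and client MAC are constructed test data.

```python
"""RFC 3576 Disconnect-Request between Amigopod (server) and the controller (NAS)."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
RFC3576_PORT = 3799          # UDP port on which the NAS listens for CoA/Disconnect

# Values from this guide; "wireless" is the placeholder key shown in Figure 7.
AMIGOPOD_IP = "10.169.130.50"
LOCAL_CONTROLLER_IP = "10.169.145.4"
SHARED_KEY = b"wireless"


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Decode Type/Length/Value attributes, stopping at the first malformed length."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_disconnect_request(ident: int, secret: bytes, user: str, mac: str, nas_ip: str) -> bytes:
    """Server side: Disconnect-Request naming the session to tear down."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 3576 section 3: Request Authenticator = MD5 over the packet with the
    # 16-byte authenticator field zeroed, followed by the shared secret.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_disconnect_request(packet: bytes, secret: bytes, src_ip: str, allowed_servers: set) -> tuple:
    """NAS side: return (accepted, reason)."""
    if src_ip not in allowed_servers:
        return False, "not a configured rfc-3576-server"
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, "bad header"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return False, "authenticator mismatch"
    return True, "ok"


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """NAS side: Disconnect-ACK or Disconnect-NAK bound to the request's authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def handle_disconnect(packet: bytes, secret: bytes, src_ip: str, allowed_servers: set) -> tuple:
    """NAS side: (session identifiers, ACK packet) on success, (None, None) when discarded."""
    ok, _reason = verify_disconnect_request(packet, secret, src_ip, allowed_servers)
    if not ok:
        return None, None          # RFC 3576: silently discard, never answer
    session = {t: v for t, v in parse_attrs(packet[20:]) if t in (USER_NAME, CALLING_STATION_ID)}
    return session, build_response(DISCONNECT_ACK, packet, secret)


if __name__ == "__main__":
    pkt = build_disconnect_request(7, SHARED_KEY, "1234567890", "00-11-22-33-44-55", LOCAL_CONTROLLER_IP)
    print(handle_disconnect(pkt, SHARED_KEY, AMIGOPOD_IP, {AMIGOPOD_IP}))
    print(handle_disconnect(pkt, SHARED_KEY, "198.51.100.9", {AMIGOPOD_IP}))
```

Because the authenticator is an MD5 over the packet and the shared secret, a short guessable key such as "wireless" lets anyone who can spoof the rfc-3576-server address forge disconnects for every guest; the source-address check alone is not a substitute for a strong key.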
Define a Policy to Permit Traffic to Amigopod

A new firewall policy must be created and assigned to the initial role allocated to unauthenticated guest users, to allow the redirect to the captive portal page defined on Amigopod to succeed. These policies can be simplified by using the existing network destination alias defined in the campus VRD baseline configuration.

Amigopod Netdestination Alias

    netdestination Amigopod
        host 10.169.130.
Example of Source NAT on VLAN

    ip access-list session "amigopod"
        alias "user" alias "Amigopod" "svc-http" permit queue low
        alias "user" alias "Amigopod" "svc-https" permit queue low

Figure 13 Amigopod access – source NAT on VLAN example

Everything permitted in the initial (pre-authentication) role is reachable without credentials, so the policy should allow only what the redirect needs: HTTP and HTTPS to the Amigopod host, alongside the DNS and DHCP rules already present in the role.

Source NAT per Application

If you are using application-based source NAT, use this configuration.
Enable Captive Portal on Initial Role of Captive Portal Profile

In the previous step, the initial role for this captive portal authentication configuration was set to guest-logon. This role must be modified to enable the newly created Amigopod captive portal profile. If you skip this step, the captive portal is not triggered when a new guest connects to the guest Wi-Fi SSID.
Verify Virtual AP Configuration

Based on the baseline configuration detailed in the campus VRD resource, the guest virtual AP should have the appropriate SSID and AAA profile applied.
Chapter 4: Amigopod Configuration

Leveraging the baseline configurations in the campus VRD design, this guide assumes that the Amigopod appliance is installed and available on the network. The reference design has Amigopod installed at IP address 10.169.130.50, and assumes that Internet access is available from this address.
A correctly configured subscription ID can be verified by browsing to Amigopod Administrator > Plugin Manager > Manage Subscriptions, as shown in Figure 18.

Figure 18
If you click Check for plugin updates, the software update process begins on the Amigopod appliance. As shown in Figure 19, the system contacts the software distribution server and downloads any new updates to the Amigopod system, any newly licensed plugins, and other licensing updates.

Figure 19 Add new Amigopod plugins

If updates are available, they are listed and can be selected individually for installation.
A useful diagnostic tool to verify that Amigopod has Internet connectivity via HTTP is available under Administrator > Network Setup > Network Diagnostics, shown in Figure 21.

Figure 21 Amigopod diagnostics

Configure RADIUS NAS for an Aruba Controller

For the Aruba controller to authenticate users, it must be able to communicate with the Amigopod RADIUS instance. In the first step of the Aruba controller configuration, a RADIUS server definition was created; the matching NAS entry must now be created on Amigopod.
The following fields must be configured in the RADIUS NAS definition, as seen in Figure 23:

    Name: the NAS entry name, matching the local controller naming convention (it need not be present in DNS).
    IP Address: the IP address of the Aruba controller.
    NAS Type: Aruba Networks (RFC3576 support).
    Shared Secret: the Key configured in the first Aruba controller step, entered and confirmed.
Click Create NAS Device, and you are prompted to restart the RADIUS server, as seen in Figure 24. You must restart the server, because until the restart the RADIUS server within Amigopod rejects any request from the Aruba controller as coming from an unknown client.

Figure 24
Configure Web Login for Captive Portal Authentication

If you clicked Create Web Login in the previous step, a newly created web login page can be seen in Customization > Web Logins. Figure 25 shows the automatically created web login; a new one can also be created manually at a later stage.

Figure 25 Automatically generated web login page

The Page Name field defines the URL that is hosted on the Amigopod appliance.
Alternatively, the switchip variable that is sent as part of the redirect URL can be parsed automatically and used as the IP address for the web login credential submission. Select this option in multi-controller environments so that the web login page is dynamically aware of which controller the guest user is currently connected to, and therefore which controller must take part in the authentication transaction.
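How a login page can consume the switchip parameter safely, as an added example for this guide (it is not Amigopod's own Aruba_Login.php). The value arrives in the guest's browser URL, so it is under the guest's control; the page should only post credentials to a controller it already knows. The example assumes the ArubaOS redirect carries the query parameters cmd, mac, ip, essid, url and, with switchip-in-redirection-url enabled, switchip; the form action path /cgi-bin/login is an assumption taken from typical ArubaOS captive portal login forms, and the controller allow-list and sample redirect URL are constructed using the addressing of this guide.

```python
"""Choose the controller to POST guest credentials to from the ArubaOS redirect URL."""
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Controllers this Amigopod is willing to post credentials to (constructed for
# this example; the first address is the local controller used in this guide).
KNOWN_CONTROLLERS = {"10.169.145.4", "10.169.145.5"}
DEFAULT_CONTROLLER = "10.169.145.4"
LOGIN_PATH = "/cgi-bin/login"          # assumption, see lead-in
WELCOME_PAGE = "https://10.169.130.50/Aruba_welcome.php"


def parse_redirect(url: str) -> dict:
    """Flatten the controller's redirect query string to a dict of first values."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def select_controller(params: dict) -> str:
    """Pick the controller for the credential POST.

    Only an exact member of the allow-list is honoured. A missing value, a
    value that is not an IP address, or an unknown address falls back to the
    default controller, so credentials are never posted to an arbitrary host
    named by a tampered redirect.
    """
    candidate = params.get("switchip", "")
    try:
        ip_address(candidate)
    except ValueError:
        return DEFAULT_CONTROLLER
    return candidate if candidate in KNOWN_CONTROLLERS else DEFAULT_CONTROLLER


def login_form_action(params: dict) -> str:
    """Absolute HTTPS action for the login form on the selected controller."""
    return f"https://{select_controller(params)}{LOGIN_PATH}"


def continue_url(params: dict, fallback: str = WELCOME_PAGE) -> str:
    """Where to send the guest after login.

    The original destination comes from the url parameter and is reused only
    when it is an absolute http or https URL; javascript:, data: or relative
    values from a tampered redirect fall back to the welcome page.
    """
    target = params.get("url", "")
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return target
    return fallback


if __name__ == "__main__":
    # Constructed redirect, in the shape the controller produces for login-page.
    sample = ("https://10.169.130.50/Aruba_Login.php?cmd=login&mac=00:11:22:33:44:55"
              "&ip=10.169.150.20&essid=guestnet&url=http%3A%2F%2Fwww.example.com%2F"
              "&switchip=10.169.145.5")
    p = parse_redirect(sample)
    print(login_form_action(p), continue_url(p))
```

Keeping the allow-list on Amigopod rather than trusting the parameter means adding a controller is an explicit administrative change, which is the same discipline as the per-NAS entries created in the RADIUS NAS step.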
You can enable the display of an Accept Terms & Conditions option on the login page. This option refers to the default terms and conditions URL defined under Customization > Guest Manager Settings, as seen in Figure 27.

Figure 27 Configuration of terms and conditions

Amigopod Skins and Content Customization

You can leverage the Amigopod skin technology to brand the captive portal that is displayed to wireless and wired users.
The Title field lets you customize the page title displayed in the browser. The Header, Footer, and Login fields let the administrator add and modify the text and content displayed on the web login page. You can choose Insert Content to display content items that have been uploaded via Customization > Content Manager.
Configure the RADIUS User Role

A RADIUS user role is a collection of one or more standard RADIUS attributes or vendor-specific attributes (VSAs). These attributes signal role-based access control context back to the Aruba controller, as shown in Figure 30.

Figure 30 RADIUS user role definition

Aruba-User-Role is an Aruba VSA that, when returned in the Access-Accept, causes the controller to apply the named user role to the authenticated session automatically.
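The Access-Request and Access-Accept pair behind steps 4 and 5 of the workflow in Chapter 2 and the Aruba-User-Role VSA above, as an added example for this guide (not Aruba or Amigopod code). The controller side hides the guest password under the shared secret and Request Authenticator as RFC 2865 specifies, the server side recovers it, checks the account, and returns the role in a Vendor-Specific attribute, and the controller verifies the Response Authenticator before trusting the role. Vendor-Id 14823 and vendor type 1 for Aruba-User-Role are the registered Aruba values; the shared secret, the account table, the guest credentials and the client MAC are constructed test data, and the NAS address is the local controller from this guide.

```python
"""Captive-portal RADIUS exchange with the Aruba-User-Role VSA."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 2, 4, 26, 31
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Decode Type/Length/Value attributes, stopping at the first malformed length."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific attribute carrying Aruba-User-Role (Vendor-Id 14823, type 1)."""
    sub = struct.pack("BB", ARUBA_USER_ROLE, len(role) + 2) + role.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR with b1 = MD5(S + RA), bn = MD5(S + c(n-1))."""
    p = password.encode() or bytes(16)
    p += bytes(-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> str:
    """Server side of hide_password; the keystream chains on the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00").decode()


def build_access_request(ident: int, secret: bytes, user: str, password: str, mac: str, nas_ip: str) -> bytes:
    """Controller side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def server_reply(request: bytes, secret: bytes, accounts: dict) -> bytes:
    """Amigopod side: recover the password, check the account, return the role on success."""
    fields = dict(parse_attrs(request[20:]))
    user = fields.get(USER_NAME, b"").decode()
    password = recover_password(fields.get(USER_PASSWORD, b""), secret, request[4:20])
    account = accounts.get(user)
    if account and hmac.compare_digest(account["password"].encode(), password.encode()):
        return build_response(ACCESS_ACCEPT, request, secret, aruba_user_role(account["role"]))
    return build_response(ACCESS_REJECT, request, secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Controller side: identifier and length must match, authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!BBH", response[:4])[2] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def user_role_from(response: bytes):
    """Extract Aruba-User-Role from a verified Access-Accept, or None."""
    for t, v in parse_attrs(response[20:]):
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == ARUBA_VENDOR_ID:
            vtype, vlen = v[4], v[5]
            if vtype == ARUBA_USER_ROLE and 2 <= vlen <= len(v) - 4:
                return v[6:4 + vlen].decode()
    return None
```

Note that the password is hidden with an MD5 keystream derived from the shared secret, not encrypted with a modern cipher, and the Response Authenticator is what stops an on-path attacker from handing the controller a forged Access-Accept with a privileged role; both depend entirely on the strength of the per-NAS key.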
This RADIUS role is presented as a selection when creating new guest accounts via the Create User screens of the Amigopod Guest Manager, or it can be hard coded as a hidden field in the self-registration pages, to ensure that each user session is managed appropriately on the Aruba controller.

(Optional) Import Sample Welcome Page

As part of the Aruba controller configuration, the captive-portal profile defines a proposed welcome page of: https://10.169.130.
Figure 32 Restore welcome page

To restore the customized welcome page, check Restore settings from backup and click Restore Configuration. When the restore is complete, browse to Customize > Web Logins and verify that the web login page has been successfully restored to the local deployment, as seen in Figure 33.

Figure 33
As seen in the Page Name column in Figure 33, this web login page is hosted at the following address: https://10.169.130.50/Aruba_welcome.php

This URL can be changed to suit each local deployment; the corresponding captive portal profile on the ArubaOS controller must then be modified to match. Figure 34 shows the sample welcome page developed for this guide.
A logout page is also included in the sample backup file. This page is linked to the Wi-Fi Logout button on the welcome page and allows further messaging to be displayed on logout. As shown in Figure 35, the sample logout page provides a consistent user experience and another opportunity for branding or messaging to the guest Wi-Fi user.

Figure 35
Chapter 5: Integration Verification

If you have completed the steps in Chapter 3: ArubaOS Configuration and Chapter 4: Amigopod Configuration, you should have the base configuration for a functioning guest access solution that can be further customized to suit each local deployment. This chapter provides some simple verification tests to ensure that all the functional components are in place and working as expected.
The resulting account is created with random digits for both the username and password, as shown in Figure 37.

Figure 37 Completed guest account

If numeric credentials are inconvenient during the testing phase, they can be edited easily by clicking the List guest accounts option. Click the newly created guest account to display the actions available for it, then click Edit to change the credentials.
On the Edit screen, a new username and password can be defined manually to make repetitive testing easier for the administrator. Click Update Account to display the confirmation page shown in Figure 39.

Figure 39 Updated guest account

Testing RADIUS

This section shows how RADIUS transactions with the Amigopod server can be tested to confirm that the configuration is correct.
On the Amigopod side, you can also look at the end of the RADIUS log to verify that the transactions are being processed there.

Figure 41 RADIUS log tail

If you experience any issues with the authentication process, the RADIUS debugger can be enabled from this page for more detailed analysis.
Test Login and Verify Successful RADIUS Transaction

Now that everything is set up on Amigopod and the Aruba controller, connect a test wireless or wired client to the network. The session should be redirected to the Amigopod web login page.

Figure 42
After you enter the test account credentials and click Log In, a successful end-to-end RADIUS transaction should result. You can verify this at the end of the RADIUS log, as shown in Figure 43. Note that the client MAC address is now visible in the RADIUS log entry, because this request was generated by the captive portal authentication process on the controller (which includes the client's MAC), unlike the manual RADIUS test.

Figure 43
Check that RADIUS Accounting is Working as Expected

If RADIUS accounting traffic is not being received by Amigopod, there will be no corresponding entry in the Guests > Active Sessions page shown in Figure 44. Given the interim accounting support in ArubaOS 6.1, this page displays live traffic statistics based on the interim updates.
Chapter 6: Troubleshooting Tips

This chapter provides basic troubleshooting steps for specific issues.

If the test device is not being redirected to the Amigopod captive portal:
    Check DNS resolution, because the client is not redirected if it cannot resolve the web page it initially requested (the initial role must permit DNS for this to work). Command-line tools such as nslookup and ping can be used.
Appendix A: Contacting Aruba Networks

Web Site Support
    Main Site: http://www.arubanetworks.com
    Support Site: https://support.arubanetworks.com
    Software Licensing Site: https://licensing.arubanetworks.com/login.php
    Wireless Security Incident Response Team (WSIRT): http://www.arubanetworks.com/support/wsirt.php

Support Emails
    Americas and APAC: support@arubanetworks.com
    EMEA: emea_support@arubanetworks.
Telephone Support

Universal Free Phone Service Numbers (UIFN):
    Japan
        IDC: 10 810 494 34526 (select fixed phones)
        IDC: 0061 010 812 494 34526 (any fixed, mobile and payphone)
        KDD: 10 813 494 34526 (select fixed phones)
        JT: 10 815 494 34526 (select fixed phones)
        JT: 0041 010 816 494 34526 (any fixed, mobile and payphone)
    Korea
        DACOM: 2 819 494 34526
        KT: 1 820 494 34526
        ONSE: 8 821 494 34526
    Singapore
        Singapore Telecom: 1 822 494 34526
    Taiwan