Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

This post walks through creating an Aruba guest login page with sponsor approval.

When a guest user connects to a guest network, he or she is redirected to a self-registration page on ClearPass. After the guest fills in the registration form, the request is forwarded to a sponsor for approval, and only after sponsor approval is the guest allowed to connect to the WLAN.

Start with creating a self-registration Page

ClearPass offers a wizard for the creation of a Self-Registration page that guides us through the important steps.

Log in to ClearPass Guest, go to ‘Configuration–Pages–Self-Registrations’ and click the ‘Create new self-registration page’ link in the upper right of the screen:

Fill in the “Name” and the “Description” and click “Save and Continue” to move to the next screen.

On the next screen, we have the option to change the “Skin”. Click “Save and Continue” after making a selection.

This screen gives you the option of changing the presentation of the self-registration page the user will see. To leave it at the default, click “Save and Continue”.

This screen is the page that the guests will see after they have registered. To leave it at the default, click “Save and Continue”.

Next, we are presented with the screen for configuring the delivery of receipts. We can leave this as default and click “Save and Continue” to proceed to the next screen, which is about sponsorship. We will come back to this in a moment. Just click “Save and Continue” to proceed to the next screen shown below:

On this screen we can pick the vendor environment. For example, if our vendor of choice is Aruba, we set the “Vendor Settings” to “Aruba Networks”. We can also modify the “IP Address” or hostname of our product. For the Aruba line of products, it will be the CN of the Captive Portal certificate. Click “Save and Continue” to proceed to the next screen.

Do not make any changes here, as we will come back to it later. For now, just “Save and Continue”.

Click “Save Changes” and we will be brought back to the main configuration screen for the self-registration page. At this stage, we are done with the basic setup.

The next step is to create a clear workflow, starting with ‘Enable Sponsor Approval’. To enable sponsor approval, click the “Sponsorship Confirmation” link on the main configuration screen for the self-registration page as shown below:

Check the “Enabled” field at the top of the form. This will enable sponsor approval for all guests. To let the sponsor select the validity period for the guests, use the “Extend Expiration” text box at the bottom of the screen. It may look like the following and is fully editable:

1d|Visitor for one day.

7d|Visitor for one week.

1y|Visitor for one year.

A new setting “Account State” appears after setting the above. Set this to “Disabled – Account will remain disabled until confirmation”.

Click “Save Changes”.

Next we will configure a static email address to which the sponsor request is sent. To configure it, go to the main configuration screen for the self-registration page and click on “Form” in the context of the “Register Page”. This will bring up a big table as shown in the following picture. Search for the “sponsor_email” field and click on “Edit”.

This will lead you to the following screen:

Now make the 3 highlighted changes. Enable the “Field” and set the “User Interface” to “Hidden field”, so it is not visible to guests. Be sure to provide an “Initial Value”; guests do not change it, as they are not able to see the field. Click “Save Changes” to proceed.

Guest Receipt Customization

To customize the receipt for the guest, go to “Configuration–>Guest Manager” and search for the “Receipt Options”:

These settings are now the default settings for the SSID name and the WPA2 PSK. In the example, the SSID is “FloLan-Guest” and “aruba123” is the WPA2 password. The receipts sent to guests will have those values. Next we go back to the main configuration screen for the self-registration page and click the “Actions” link in the “Receipt Page” context:

Here we enable the “Email Delivery” with the option “Display a link enabling a guest receipt via email”. With this setting a guest can decide whether to get a receipt or not.

Authentication via the Policy Manager

To access the WLAN, an authentication service needs to be enabled. There are many ways to create those services. The good news is that ClearPass provides wizards for the majority of functions. In the Policy Manager, the wizards can be found under “Configuration–>Service Templates & Wizards” as shown below:

The “Guest Authentication with MAC Caching” wizard is the one that we would use. However, let me show you the manual method of setting this up. We will manually create two services to serve the guest page. The first is a MAC authentication service for device authentication. The second is for the guest ‘user’ authentication.

To create a MAC authentication service, we will need to create a new “Enforcement Profile”. This also provides an option to set the username of the device as the guest’s email address. To see the email address instead of the MAC address, go to “Configuration–>Enforcement–>Profiles” and click the “Add” button to create the following profile:

An important configuration step is to set the “Radius:IETF” “User-Name” to “%{Endpoint:Username}”. This will fetch the content of this attribute in the “Endpoints Repository”.

Next, we need to create a new “Enforcement Policy”. Go to “Configuration–>Enforcement–>Policies” and click the “Add” button to create a new one:

Rule 1 of the “Enforcement Policy” responds with a deny if the device is not “Known” or the “MAC-Auth-Expiry” is invalid. The MAC is not known when the device connects for the first time, so it is redirected to the captive portal page. The second line checks if the device was already connected and a guest has successfully authenticated. If the “MAC-Auth-Expiry” timestamp has already expired, the user needs to re-authenticate at the portal or request a new account. If both conditions are true, the device is granted access by sending an accept along with the username back to the network device where the guest is connected. We then combine everything in a new service by going to “Configuration–>Services” and creating one like the one below:

Don’t forget to modify the SSID name. The “Authentication Methods” is “[MAC AUTH]” and the source is the “[Endpoints Repository]”. Also, add the “[Time Source]” as a second authorization source and use the created “Enforcement Policy” as the “Enforcement Policy” for this service.

Now we need to create two additional “Enforcement Profiles” for the second service. The first one sets the username field for the device. Go to “Configuration–>Enforcement–>Profiles” and create a new profile like the one shown below:

The profile is of ‘Type’ “Post_Authentication”. It takes the “%{Authentication:Username}” provided by the guest during authentication and writes it into the “Username” attribute for the endpoint.

The second profile sets the “MAC-Auth-Expiry” value. Create the following profile:

This one uses the “%{Authorization:[Guest User Repository]:ExpireTime}” value from the authentication to set the “MAC-Auth-Expiry” for the device. We then put together the profiles created earlier in an “Enforcement Policy” by going to “Configuration–>Enforcement–>Policies” and creating a new policy:

This policy allows access every day for the whole week and just checks if the guest has a specific role within ClearPass, “FloLan-Guest”. It then applies all the relevant profiles to the request. The last step is to create a service and put everything together. Go to “Configuration–>Services” and add a new service like this:

The “type” of the service is “Radius Enforcement (Generic)”. The authentication method is “[PAP]”, with the “[Guest Repository]” as the source. Under Authorization, we add the “[Endpoints Repository]” and the “[Time Source]”. Under Roles, use the “[Guest Roles]” role mapping policy and the “Enforcement Policy” we created earlier. That’s all you need to configure Guest Access with Sponsorship.
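The decision flow of the two services described above, modelled in plain Python as an added example (this is not ClearPass code and not part of the original post). The class and function names and the sample MAC, email address and password are constructed; marking the endpoint “Known” in the second service and refusing an expired guest account are assumptions the post does not spell out.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Endpoint:                       # one row of the modelled Endpoints Repository
    status: str = "Unknown"
    username: Optional[str] = None    # written by the first Post_Authentication profile
    mac_auth_expiry: Optional[datetime] = None   # written by the second profile

@dataclass
class GuestAccount:                   # one row of the modelled Guest User Repository
    password: str
    role: str
    expire_time: datetime
    enabled: bool = False             # stays disabled until the sponsor confirms

def mac_auth_service(endpoints, mac, now):
    """Service 1: accept only a Known device whose MAC-Auth-Expiry lies in the future."""
    ep = endpoints.get(mac)
    if ep is None or ep.status != "Known" or ep.mac_auth_expiry is None or ep.mac_auth_expiry <= now:
        return ("Deny", None)         # first visit or expired cache: back to the captive portal
    return ("Accept", ep.username)    # models User-Name = %{Endpoint:Username}

def guest_auth_service(endpoints, guests, mac, user, password, now, role="FloLan-Guest"):
    """Service 2: PAP login from the portal, then cache the result on the endpoint."""
    acct = guests.get(user)
    if acct is None or not acct.enabled or acct.expire_time <= now:   # expiry check is assumed
        return ("Deny", None)
    if not hmac.compare_digest(acct.password.encode(), password.encode()) or acct.role != role:
        return ("Deny", None)
    ep = endpoints.setdefault(mac, Endpoint())
    ep.status, ep.username, ep.mac_auth_expiry = "Known", user, acct.expire_time  # "Known" is assumed
    return ("Accept", user)

def walkthrough():
    """Constructed scenario: the decision at each stage of one guest's visit."""
    t0 = datetime(2024, 1, 1, 9, 0)
    mac, user = "aa-bb-cc-dd-ee-ff", "guest@example.com"
    endpoints, guests = {}, {user: GuestAccount("s3cret", "FloLan-Guest", t0 + timedelta(days=1))}
    steps = [mac_auth_service(endpoints, mac, t0)]                           # unknown device
    steps.append(guest_auth_service(endpoints, guests, mac, user, "s3cret", t0))  # not yet approved
    guests[user].enabled = True                                              # sponsor confirms
    steps.append(guest_auth_service(endpoints, guests, mac, user, "s3cret", t0))  # portal login
    steps.append(mac_auth_service(endpoints, mac, t0 + timedelta(hours=2)))  # cached MAC auth
    steps.append(mac_auth_service(endpoints, mac, t0 + timedelta(days=2)))   # cache expired
    return steps
```

Calling `walkthrough()` shows that the guest is denied until the sponsor enables the account, and that the cached MAC authentication ends when the guest account's expiry time passes.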