This time I would like to share some thoughts about the local captive portal authentication on the MSM controllers. For this post I will keep it simple and will use the local RADIUS server for authentication. In a later post, I will also show the remote authentication capabilities. For a small environment it should be OK to use the local RADIUS database for the captive portal. To manage the users on the controller, it is possible to use a small tool, without logging into the controller web GUI every time. I will show this tool at the end of this post.

For this test I used the latest and greatest version of the MSM controller software, which is 6.4.0.0-16925.

Prepare the controller for captive portal

When doing captive portal on the controller, all traffic needs to go through the controller to present the captive portal to the clients. The controller acts as an L2 firewall, restricting all traffic from unauthenticated clients except DHCP requests and DNS queries. Those packets need to be forwarded to let the captive portal work.

I will start by disabling NAT on the egress interface, which is the internet port:

Disable-NAT-On-The-Internet-Port

I will not use the DHCP server on the controller itself, as this will not work when doing teaming. Instead I will explain how to use the DHCP relay agent. Go to “Network–>Address allocation”:

DHCP-Relay-Agent

Just select “DHCP relay agent” and press the “Configure” button:

DHCP-Relay-Agent-Configuration

Enter a dummy server address and make sure that only the Client data tunnel, which is the tunnel carrying the client data traffic, is selected for the DHCP relay agent. Also check the check box for “Extend VSC egress subnet to VSC ingress subnet”. This will make sure that the traffic is bridged on L2 to the egress network and vice versa. Then press “Save”.

I will now create a VLAN, which will be tagged on the internet port and will carry the user traffic that has already passed the controller. Create a new “Network profile”: go to “Network–>Network profiles” and click “Add New Profile…”:

Add-New-Network-Profile

Click “Save” to create the profile. Afterwards we need to map this profile to the internet port. Go to “Network–>VLANs” and click on the created profile:

Profile-Mapping

After clicking “Save”, the VLAN is mapped to the internet port. On the switch side, this VLAN needs to be tagged.

To complete the controller configuration, we need to create an IP interface for this VLAN. Go to “Network–>IP interfaces” and add a new interface:

Add-New-IP-Interface

It is important to disable NAT. Whether the IP address is assigned statically or by DHCP doesn’t matter. Click “Save” and we are done with this part.

Configure A VSC For Captive Portal

As the controller is now ready, we need to create an SSID which will use the captive portal for authentication. The SSID is configured by creating a VSC, or Virtual Service Community. The configuration is quite easy.

To create a new VSC go to “VSCs–>Add new VSC profile…”. This will bring you to the configuration screen for the VSC. I will go through every configuration item which is important or differs from the default setting.

VSC-global

Please consider a good name for the VSC, maybe better than mine 🙂 The important stuff is below the profile name: the check boxes for “Authentication” and “Access control”. Both boxes need to be checked to let the captive portal work. If you miss one of the two, HTML based authentication, which is the captive portal, will not be available.

VSC-Virtual-AP

This settings box will configure the SSID name, and you have to make sure that the “Always tunnel client traffic” check box is checked. You can also play with the other settings, but this is not within the scope of this post.

VSC-Egress-Mapping

In this settings part you can configure which VLAN to use for which client. For 99% of environments it is necessary to use the created VLAN for both “Unauthenticated” and “Authenticated” clients. I’ve never seen a configuration which was different, but it is good to know that it is possible to map authenticated clients to another VLAN than unauthenticated ones.

VSC-Captive-Portal

Those settings will enable the captive portal for the SSID. As we will look at local authentication, we use the check box for local. Remote authentication capabilities will be explained in a later post.

VSC-DHCP-Relay-Agent

The last configuration step is to configure the DHCP relay agent for this VSC. This one is as easy as the other ones: just enable the agent and select “Forward to egress interface”. This option will send all DHCP packets to the egress network, so you have to make sure that a DHCP server or relay agent is part of the egress network.

Now you have to save the VSC.

To bind the created VSC to an AP, click on the AP group of choice and go to “VSC bindings”. Click on “Add New Binding…”:

VSC-binding

On this page you have to select the created VSC and just press “Save”. Synchronize the APs in this group and after a short time the SSID will be available and you are able to connect. If you open your browser on a client device, you should be redirected to the captive portal page:

MSM-captive-portal

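The redirect above can be verified from an unauthenticated client instead of just trusting the browser. The following script is an added example and not part of the original post: it checks that DNS still resolves (the controller must forward DNS for the portal to work), issues a plain HTTP request without following redirects, and classifies the answer. It assumes the controller address that serves the portal (PORTAL_HOST, a placeholder) and that the interception takes the form of an HTTP redirect to that address.

```python
"""Client-side check of the captive-portal behaviour described above.

Added example, not from the original post. PORTAL_HOST is a placeholder for
the controller address presenting the portal; the HTTP-redirect form of the
interception is an assumption about this setup.
"""
import socket
from typing import Optional
from urllib.parse import urlparse
import urllib.error
import urllib.request

PORTAL_HOST = "192.0.2.1"          # placeholder: controller / portal address
PROBE_URL = "http://example.com/"  # plain HTTP, so the controller can intercept it


def classify_http(status: int, location: Optional[str], portal_host: str) -> str:
    """Interpret an unauthenticated client's HTTP probe.

    'portal'  - redirected to the controller: access control is enforced
    'open'    - the request reached the internet: access control is NOT enforced
    'blocked' - no usable answer at all: dropped instead of redirected
    """
    if status in (301, 302, 303, 307, 308) and location:
        return "portal" if urlparse(location).hostname == portal_host else "open"
    if 200 <= status < 300:
        return "open"
    return "blocked"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep urllib from following the redirect so that we can inspect it.
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url: str = PROBE_URL, portal_host: str = PORTAL_HOST, timeout: float = 5.0) -> str:
    """Run the live probe. DNS must already work before authentication."""
    socket.gethostbyname(urlparse(url).hostname)  # raises if DNS is wrongly blocked
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_http(resp.status, resp.headers.get("Location"), portal_host)
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
        return classify_http(err.code, err.headers.get("Location"), portal_host)
    except (urllib.error.URLError, OSError):
        return classify_http(0, None, portal_host)


if __name__ == "__main__":
    print("captive portal check:", probe())
```

A result of "open" on the unauthenticated SSID means the VSC is missing either the “Authentication” or the “Access control” check box; "blocked" usually points at a DNS or relay-agent problem rather than the portal itself.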
Great job so far. We now need to create a username and password to gain full access.

Create users for captive portal authentication

On the MSM controller, you have two options when it comes to local user management.

    1. create the user via the web GUI
    2. use the GMS Guest Management Software, which comes for free with the MSM controller

I will create a user via the web GUI first. This is good for testing purposes but not for normal user creation, as it requires full access to the MSM controller web GUI.

Go to “Users–>User accounts” and click on “Add New Account”:

MSM-add-user

To keep it simple, I will just set the username and password and restrict the user to the captive portal based SSID. After that, click “Save” at the bottom of the page.

You should be able to use those credentials to log into the captive portal.

Next, I will use the GMS (Guest Management Software) to create an account. This little piece of software will connect to the controller, or controller team, and manage all local accounts on the MSM controller. The installation is very easy and beyond the scope of this post. Check my post on MSM best practices to get the GMS tool working successfully with the MSM controller.

You will get the GMS software from the MSM controller support page:

https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J9840A

After a successful installation you will see the dashboard of the software:

GMS-dashboard

This dashboard will show you all connected controllers with the list of created users. In my case, there is no created user and we see an empty list. My installation is a German one, but I will use the English words in the explanation.

I will now create a new user via the “New Account(s)” button.

GMS-add-new-user

This screen will allow you to set the basic account settings for the user. You can also decide to create many accounts as a batch job, which is very helpful when you need to create a lot of users at one time, for a convention, for example. Press “Next” to get to the next screen:

GMS-add-user-vsc-binding

On this screen you can bind the user to a specific VSC, which is not required, but from my point of view good advice. You can now click “Finish” to keep it simple, but you can also click “Next” for further options, which are not in the scope of this post. On the last page you can print a voucher for the guest. You can also re-print the voucher any time in the GMS tool.

You should now see the created user in the list as an active user and the credentials can be used for the captive portal to gain access.

You have successfully created the SSID and the user for gaining access. That’s it for the moment.

We have created the SSID and local users on the MSM controller which will gain access to the network. This is basically the normal guest application for small environments.

For feedback or questions, feel free to use the comment function. I will try to answer every comment.