Guest Authentication with MAC Caching Service Template

This template authenticates guest devices based on the MAC (Media Access Control) address cached during an earlier login. A MAC address is the unique identifier assigned to a network interface. When a user first logs in through the captive portal (the web page that authenticates and signs in users before they are admitted to a public-access network, as used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer guest Wi-Fi), the device's MAC address is cached. Subsequent connections from that device are authenticated by MAC address alone and bypass the captive portal. A user can belong to a role such as Contractor, Guest, or Employee, and each role can have its own lifetime for the cached MAC address; when that lifetime expires, the user must reauthenticate through the captive portal. Because a client can change its MAC address, the cached address is in effect a bearer credential for the whole cache duration, so select the shortest lifetime each role can tolerate. Clients that randomize their MAC address per network will not match their cached entry and are simply returned to the portal.

Network access can also be restricted by day of the week, by a bandwidth limit, or by the number of unique devices a user may register. Optionally, posture checks can be enabled to validate the antivirus or firewall status of the client device (a firewall being a network security system that prevents unauthorized access to or from a private network). The posture result determines the enforcement applied to the device.
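The decision flow described above, rendered as a small model so that the interaction between role lifetimes, the captive-portal fallback, the days-allowed restriction and the per-user device limit can be exercised. This is an added example, not Policy Manager code and not taken from the product documentation; the role names, lifetimes, VLAN IDs, the mapping of "One Month" and "Six Months" to a number of days, and the behaviour on a disallowed day or over the device limit (falling back to the captive-portal enforcement) are assumptions of the model.

```python
"""Model of the access decision behind the Guest Authentication with MAC
Caching template: a captive-portal login caches the MAC under the user's role,
later connections are MAC-authenticated against that cache until the role's
lifetime expires.  Added illustration only, not Policy Manager code; values
below are constructed examples and internal storage is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Drop-down choices of the MAC Caching Settings section.  Mapping "One Month"
# to 30 days and "Six Months" to 182 days is an assumption of this model.
LIFETIMES = {
    "One Day": timedelta(days=1),
    "One Week": timedelta(weeks=1),
    "One Month": timedelta(days=30),
    "Six Months": timedelta(days=182),
}


def normalize_mac(mac: str) -> str:
    """Canonical cache key: RADIUS Calling-Station-Id arrives in many spellings
    (AA-BB-CC-DD-EE-01, aabb.ccdd.ee01, aa:bb:cc:dd:ee:01)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class TemplateConfig:
    cache_duration: dict           # role -> drop-down value, e.g. {"Guest": "One Day"}
    access: dict                   # role -> Aruba role name, VLAN ID or Filter ID
    captive_portal_access: str     # enforcement for unauthenticated / expired users
    days_allowed: set = field(default_factory=lambda: set(range(7)))  # Mon=0 .. Sun=6
    max_devices_per_user: int = 0  # 0 = unlimited (assumption of this model)


@dataclass
class CacheEntry:
    username: str
    role: str
    cached_at: datetime


class MacCache:
    def __init__(self, cfg: TemplateConfig):
        self.cfg = cfg
        self.entries: dict = {}    # normalized MAC -> CacheEntry

    def _expired(self, entry: CacheEntry, now: datetime) -> bool:
        return now - entry.cached_at >= LIFETIMES[self.cfg.cache_duration[entry.role]]

    def _active_devices(self, username: str, now: datetime) -> list:
        return [m for m, e in self.entries.items()
                if e.username == username and not self._expired(e, now)]

    def captive_portal_login(self, mac: str, username: str, role: str, now: datetime):
        """First login via the portal.  Returns (reason, enforcement)."""
        mac = normalize_mac(mac)
        if role not in self.cfg.cache_duration:
            raise ValueError(f"no cache duration configured for role {role!r}")
        # On a disallowed day or over the device limit the model falls back to the
        # captive-portal enforcement; the page does not state what the product does.
        if now.weekday() not in self.cfg.days_allowed:
            return "day-not-allowed", self.cfg.captive_portal_access
        others = [m for m in self._active_devices(username, now) if m != mac]
        if self.cfg.max_devices_per_user and len(others) >= self.cfg.max_devices_per_user:
            return "device-limit", self.cfg.captive_portal_access
        self.entries[mac] = CacheEntry(username, role, now)
        return "portal-login", self.cfg.access[role]

    def mac_auth(self, mac: str, now: datetime):
        """Later connection: MAC authentication bypasses the portal while the
        entry is valid.  The MAC is the only credential checked here, so any
        client presenting a cached MAC inherits that role until expiry."""
        mac = normalize_mac(mac)
        entry = self.entries.get(mac)
        if entry is None:
            return "cache-miss", self.cfg.captive_portal_access
        if self._expired(entry, now):
            del self.entries[mac]  # user must reauthenticate via the portal
            return "cache-expired", self.cfg.captive_portal_access
        if now.weekday() not in self.cfg.days_allowed:
            return "day-not-allowed", self.cfg.captive_portal_access
        return "cache-hit", self.cfg.access[entry.role]


if __name__ == "__main__":
    cfg = TemplateConfig(cache_duration={"Guest": "One Day", "Employee": "One Week"},
                         access={"Guest": "100", "Employee": "200"},  # VLAN enforcement
                         captive_portal_access="300", days_allowed={0, 1, 2, 3, 4},
                         max_devices_per_user=2)
    cache = MacCache(cfg)
    monday = datetime(2024, 1, 1, 9, 0)  # 2024-01-01 was a Monday
    print(cache.captive_portal_login("AA-BB-CC-DD-EE-01", "alice", "Guest", monday))
    print(cache.mac_auth("aa:bb:cc:dd:ee:01", monday + timedelta(hours=23)))
    print(cache.mac_auth("aa:bb:cc:dd:ee:01", monday + timedelta(days=1, hours=1)))
```

The model makes the trade-off visible: mac_auth checks nothing but the address, so the cache duration chosen per role is exactly the window during which a spoofed MAC inherits the cached role, and the days-allowed and device-limit checks are evaluated on every connection rather than only at the portal.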

To configure the Guest Authentication with MAC Caching service template:

1. Navigate to the Configuration > Service Templates & Wizards page. The Service Templates & Wizards page opens.

2. Scroll down to and select the Guest Authentication with MAC Caching service template:

Figure 1  Guest Authentication with MAC Caching Service Template

3. Specify the Guest Authentication with MAC Caching service template parameters as described in the following table:

Table 1: Guest Authentication with MAC Caching Service Template Parameters

Parameter

Action/Description

General

Select Prefix

Select a prefix from the existing list of prefixes.

This populates the preconfigured information in the Wireless Network Settings, MAC Caching Settings, and Access Restrictions tabs. When a prefix is selected here, the Name Prefix field is not editable.

Name Prefix

Enter a prefix to add to the names of the services created from this template. Use it to identify services that were created from templates.

Wireless Network Settings

Wireless SSID

Enter the SSID (Service Set Identifier, the name of the WLAN that clients use to connect) of your network.

Select Wireless Controller

Select the wireless controller from the drop-down list if you already configured the controller for Policy Manager.

Wireless Controller Name

Enter the name of the wireless controller.

Controller IP Address

Enter the wireless controller's IP address.

Vendor Name

Select the manufacturer of the wireless controller.

RADIUS Shared Secret

Enter the shared secret that is configured on both the controller and Policy Manager; it authenticates the RADIUS (Remote Authentication Dial-In User Service) requests and responses exchanged between them. Use a long, randomly generated secret, since RADIUS relies on it to authenticate every message between the two systems.

Enable RADIUS CoA

Select this check box to enable RADIUS-initiated CoA (Change of Authorization) on the network device. CoA allows the AAA server to dynamically modify an authenticated, authorized, and active session.

RADIUS CoA Port

Defaults to port 3799 (the UDP port assigned to CoA and Disconnect messages by RFC 5176) when RADIUS CoA is enabled.

NOTE: Change this value only if you defined a custom port on the network device.

MAC Caching Settings

Cache Duration for Employee

From the Account Expiry Time drop-down, select the MAC caching duration for employees:

One Day

One Week

One Month

Six Months

NOTE: When this duration expires, users must reauthenticate via the captive portal.

NOTE: You must specify the cache duration for at least one role.

Cache Duration for Guest

From the Account Expiry Time drop-down, select the MAC caching duration for guests:

One Day

One Week

One Month

Six Months

Cache Duration for Contractor

From the Account Expiry Time drop-down, select the MAC caching duration for contractors:

One Day

One Week

One Month

Six Months

Posture Settings

Enable Posture Checks

Select the Enable Posture Checks check box to perform health checks after authentication. Selecting it enables the Host Operating System and Quarantine Message fields.

Host Operating System

Select the operating system(s): Windows, Linux, or macOS.

Quarantine Message

Specify the quarantine message that will appear on the client.

Initial Role/VLAN

Enter the role or VLAN (Virtual Local Area Network: an isolated Layer 2 broadcast domain whose traffic can reach other VLANs only through a router) assigned to the client before posture checks are performed.

Quarantine Role/VLAN

Enter the role or VLAN assigned to clients that fail posture checks.

Access Restrictions

Enforcement Type

Select one of the following enforcement types:

Aruba Role Enforcement

VLAN Enforcement

Filter ID-Based Enforcement

NOTE: Enforcement Type applies to the Captive Portal Access, Employee Access, Guest Access, and Contractor Access fields.

NOTE: At least one of Employee, Guest, or Contractor Access must be specified.

Captive Portal Access

Applied to unauthenticated users and to users whose cached MAC address has expired.

If you selected Aruba Role Enforcement as the Enforcement Type, enter the Aruba Role Name.

If you selected VLAN Enforcement as the Enforcement Type, enter the VLAN ID.

If you selected Filter ID-Based Enforcement as the Enforcement Type, enter the Filter ID.

Days allowed for access

Select the days of the week that guest users are allowed network access.

By default, all seven days of the week are enabled.

Maximum number of devices allowed per user

Enter the maximum number of devices that a single user can connect to the network.

Maximum bandwidth allowed per user

Enter the maximum amount of data, in megabytes per day, that a user is allowed to transfer. A value of 0 (zero), the default, means no limit.

Employee Access

If you selected Aruba Role Enforcement as the Enforcement Type, enter the Aruba Role Name.

If you selected VLAN Enforcement as the Enforcement Type, enter the VLAN ID.

If you selected Filter ID-Based Enforcement as the Enforcement Type, enter the Filter ID.

Guest Access

If you selected Aruba Role Enforcement as the Enforcement Type, enter the Aruba Role Name.

If you selected VLAN Enforcement as the Enforcement Type, enter the VLAN ID.

If you selected Filter ID-Based Enforcement as the Enforcement Type, enter the Filter ID.

Contractor Access

If you selected Aruba Role Enforcement as the Enforcement Type, enter the Aruba Role Name.

If you selected VLAN Enforcement as the Enforcement Type, enter the VLAN ID.

If you selected Filter ID-Based Enforcement as the Enforcement Type, enter the Filter ID.
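The RADIUS Shared Secret, Enable RADIUS CoA and RADIUS CoA Port entries in Table 1 configure one mechanism: RFC 5176 Disconnect and CoA messages sent by Policy Manager to the controller on UDP 3799, authenticated by an MD5 authenticator keyed with the shared secret. The following is an added example, not Policy Manager or controller code, that builds a Disconnect-Request for a cached device's session, verifies it the way the receiving controller does, and shows that a wrong secret or a tampered attribute leads to the packet being silently discarded. The secret, NAS address, session ID and MAC address are constructed values.

```python
"""RFC 5176 Disconnect-Request built and checked the way the RADIUS shared
secret from Table 1 is used when CoA is sent to a controller on UDP 3799.
Added illustration only, not Policy Manager or controller code; the secret,
NAS address, session ID and MAC address are constructed example values.
"""
import hashlib
import hmac
import socket
import struct

COA_PORT = 3799  # default port from Table 1 (RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute type codes from RFC 2865 / RFC 2866.
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 31, 44


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def decode_attrs(blob: bytes) -> list:
    """Parse the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((atype, blob[i + 2:i + length]))
        i += length
    return attrs


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Disconnect/CoA request.  RFC 5176 s3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Controller side: recompute the authenticator; a mismatch means drop it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """ACK/NAK.  Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: the reply must carry our identifier and a valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_request(mac: str, session_id: str, nas_ip: str,
                       identifier: int, secret: bytes) -> bytes:
    """Tear down one session, identified by the client MAC (Calling-Station-Id)
    and Acct-Session-Id on the given NAS."""
    attrs = (encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(CALLING_STATION_ID, mac.encode())
             + encode_attr(ACCT_SESSION_ID, session_id.encode()))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def controller_handle(packet: bytes, secret: bytes):
    """Controller side: verify, then ACK.  Returns None where RFC 5176 says to
    silently discard, i.e. when the authenticator does not check out."""
    if not verify_request(packet, secret):
        return None
    if packet[0] not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    ack = DISCONNECT_ACK if packet[0] == DISCONNECT_REQUEST else COA_ACK
    return build_response(ack, packet, b"", secret)


if __name__ == "__main__":
    secret = b"example-shared-secret-change-me"  # constructed; use a long random secret
    req = disconnect_request("aa-bb-cc-dd-ee-01", "0x00a1b2c3", "192.0.2.10", 7, secret)
    print(f"send {len(req)} bytes to controller:{COA_PORT}")
    resp = controller_handle(req, secret)
    print("ACK" if resp and verify_response(resp, req, secret) else "no valid response")
    print("wrong secret dropped:", controller_handle(req, b"wrong") is None)
```

The only thing a controller checks before acting on a Disconnect-Request is this MD5 authenticator, so anyone who can reach the CoA port and knows (or guesses) the shared secret can drop any session. That is why the template asks for a secret configured identically on both sides and why it should be long and random rather than a memorable word.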