HPE Community
IMC
1752774 Members
4839 Online
108789 Solutions
New Discussion

[Help} Guest Access

 
NeilR
Esteemed Contributor

‎11-04-2014 05:38 PM - edited ‎11-04-2014 05:45 PM

‎11-04-2014 05:38 PM - edited ‎11-04-2014 05:45 PM

[Help} Guest Access

I'm trying to deploy the guest function of UAM (not the GAM for comware) for WIRED devices as well as wireless. I'm missing something as its not behaving as I would think from reading the docs.

 

My interpretation is that a guest user would connect to the network and be directed to a registration/self service page. Then the guest manager would "approve" the registered user and assign to a service/policy with more priveleges, associating the MAC address with the user id provisioned by the user. 

 

The switch has been configured for mac auth and successfully authenticates.

 

I'm trying to use the process model highlighted in the youtube video for UAM 5.2 and the ipads - a registration vlan and an access vlan. The registration vlan points to IMC as DNS, the user is sent to the registration site, then the registered user is disconnected from the reg vlan and added to the access vlan:

 

IMC 5.2 BYOD Guest Authentication Overview

 

So I've created the 2 vlans - I set up the Byodanonymous user, assigned an access service which deploys the registration vlan. Connected it to MS DHCP server with DNS > iMC, installed the dhcp plugin.

 

I set up a MAC authentication page push policy with separate subpolicies for access swicth and time of day.

 

The PC connects to the switch and MAC is authetnicated as the BYODanonymous user, gets an ip address and dns server.

 

However when the laptop connects no registration page is "pushed" to the user when I open a browser and site. No name resolution is occuring so page not found instead. Can ping but not resolve.

 

What step(s) am I missing to have the MAC authentication at the switch trigger the registration page? thx

0 Kudos
6 REPLIES 6
Pack3tL0ss
Valued Contributor

‎11-04-2014 07:12 PM

‎11-04-2014 07:12 PM

Re: [Help} Guest Access

The short answer is DNS.  There was a change in the way the re-direct is done since that video.  Re-direct is no longer done via DNS, and their is no DNS proxy on the IMC server, so no resolution is done.

 

The re-direct has to be done in hardware now with a comware based device (it's only really needed on the onboarding/registration VLAN).  Do you have a portal-redirect configured on the registration VLAN (generally done on the gateway for that subnet, and must be a comware device)??

 

The Portal-redirect configuration will handle the re-direct so no need for the DNS hi-jack.  Just configure DHCP to handout the normal DNS servers.

 

PL

0 Kudos
NeilR
Esteemed Contributor

‎11-05-2014 09:28 AM

‎11-05-2014 09:28 AM

Re: [Help} Guest Access

Thanks for the quick reply - at least I can stop banging my head in that particular spot.

 

Arrggh - no comware device currently serving as gateway. Currently using a Procurve zl TMS module to handle inside routing and firewall on a 5412zl chassis.

 

So the entire suite of guest options depends on having comware??? The docs do not convey that fact - only that GAM is dependent on comware.

 

My only comware devices are two 5900-AF-48XGT-4QSFP+ which backbone my vmware environment. (comware device management is one of the reasons for migrating from PCM - the other being the rumored/someday demise of PCM)

 

So imc is running on the vm hosts, and I could make the regsitration vlan avaialble to that device, but beyond that....

 

Still a comware novice - so not sure how portal redirect would be implented in that context (I found portal redirect exactly 1 time in UAM docs), so if you could elaborate on the process a bit or point me to some specifics would be appreciated.

 

Worst case since my environment is not that big, is to just let them fail, and use the auth failure log and the apply button to turn them into real users...Probably about the same effort but not so elegant.

0 Kudos
Peter_Debruyne
Honored Contributor

‎11-08-2014 07:41 AM

‎11-08-2014 07:41 AM

Re: [Help} Guest Access

Hi Neil,

 

The portal redirect feature is being rolled out on the Provision products as well.

 

HP has just released the K.15.16.0004 for the 5400/3500/3800 platform, and this release includes the portal redirect.

 

https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J8697A&lang=&cc=&prodSeriesId=

 

I have not actually tested it so far, but you can give it a try if you have a test switch.

 

Hope this helps,Peter

 

 

 

0 Kudos
NeilR
Esteemed Contributor

‎11-08-2014 04:48 PM

‎11-08-2014 04:48 PM

Re: [Help} Guest Access

Do those have to be the access port switches? If so then not going to work for me - all my access ports are 2910 and 2915.

 

thx

0 Kudos
Peter_Debruyne
Honored Contributor

‎11-09-2014 01:41 PM

‎11-09-2014 01:41 PM

Re: [Help} Guest Access

Hi Neil,

 

I would say typically no, since you just run this on the switch which provides the L3 gateway for the onboarding subnet.

I just finished a sample test config and it worked using a 3500 as L3 gateway (I used it in combination with a Unified wireless controller, but that is not relevant here).

See http://abouthpnetworking.com/2014/11/09/provision-supports-portal-redirect-for-byod-use/ for the sample configuration,

 

Hope this helps,Peter

0 Kudos
NeilR
Esteemed Contributor

‎11-10-2014 09:05 AM

‎11-10-2014 09:05 AM

Re: [Help} Guest Access

OK - that looks like I could make it work but it will take me a few steps to get there. 

 

and thanks for the link to the abouthpnetworking.com site - looks like a good collection of information.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.