I have not done a lot with the built-in captive portal recently, but I think the 'Default Guest' role is applied for guest users, which is selected as 'guest' and also what you see. You could try to change the 'Default Guest Role' to the role that you want to be assigned.
Further, whether you use Guest Login or User Login does not affect what access is provided. You can configure a local user to have only internet access, and a guest user to have full access to the internal network (by applying the authenticated role and running the guest network in a VLAN that has access to internal). From what I remember, guest login asks for an e-mail address, but there is no validation or checking at all, so it may not be very useful (depending on your use-case). If you use 'User Login', you could create a user 'guest' (or the local language equivalent) with a password that you change (like you had before) and a role that allows the access that is appropriate for guests, and other users with other roles that provide more access.
Note that there are all kinds of potential security issues with allowing internal access from a captive portal network that is also accessible for guests/unauthenticated users, as these could easily spoof the MAC address of a more authorized user and gain internal access. Also the logging/reporting/auditing on internal captive portals on controllers is very limited (versus an external captive portal solution like ClearPass or a cloud service). It may be good to properly design this with your Aruba partner and go over the requirements and risks.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
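The role change suggested in the reply above, written out as a controller CLI fragment. This is an added example, not part of the original post or of Aruba's documentation; the profile name "CP-PROFILE-PLACEHOLDER" is a placeholder for the captive portal profile bound to the email-registration SSID, and it assumes the 'VAST-Guest-post-auth' role from the thread already exists with internet-only rules.

```text
! Lines starting with "!" are annotations for the reader, not commands to paste.
! "CP-PROFILE-PLACEHOLDER" is a placeholder profile name (assumption).
!
! Before: only the default role is set. With Guest Login, the session gets the
! default guest role instead, which matches the 'guest' Role seen in the thread.
aaa authentication captive-portal "CP-PROFILE-PLACEHOLDER"
    default-role VAST-Guest-post-auth
    guest-logon
    no user-logon
!
! After: the default guest role is set explicitly to the restricted role, so
! email-registration sessions no longer land in the broader 'guest' role.
aaa authentication captive-portal "CP-PROFILE-PLACEHOLDER"
    default-role VAST-Guest-post-auth
    default-guest-role VAST-Guest-post-auth
    guest-logon
    no user-logon
!
! Check: re-authenticate a test client on the SSID and confirm the Role column.
show user-table | include <client-ip>
```

After the change, also confirm from a test client that internal addresses are unreachable, since the Role column only shows which role was assigned, not what its rules permit.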
Original Message:
Sent: Aug 21, 2024 06:08 PM
From: StavrosK
Subject: Using Email Registration for Guest Portal Access
When the user is logged in with the Email registration SSID (Test1), I can run a command from the local controller.
>show user-table | INCLUDE 192.168.103.76
This will output:
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
------ --------- ------------ -------- ---------------- --------- ------------- -------------- --------------- --------------------- ---------- ----------------------- -------- ----------------- ---------------
.76 ##.## Petros@ guest ## Web Blank ##### Wireless ####### Guest-Email Tunnel Limux ##### WIRELESS
-------------------------------------------
When the user is logged in with the normal Guest WiFi that uses a user account (vast), SSID (VAST), I can run a command from the local controller.
>show user-table | INCLUDE 192.168.103.144
This will output:
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
------ --------- ------------ -------- ---------------- --------- ------------- -------------- --------------- --------------------- ---------- ----------------------- -------- ----------------- ---------------
.144 ## vast , VAST-Guest-post-auth, Web ## Wireless ###### Test2-Vast tunnel Linux WIRELESS
So the question is: how can I get the new Guest Email registration profile of 'Guest-Email' to use the 'VAST-Guest-post-auth' role? Or will I need to change the local guest role rules to match the VAST-Guest-post-auth role rules?
------------------------------
Stavros K
Original Message:
Sent: Aug 21, 2024 05:04 PM
From: StavrosK
Subject: Using Email Registration for Guest Portal Access
My company has been using a local user account, that I have manually created on the Aruba Local Controllers, for Guest WiFi access. I have set this up using the 'Interactive Captive Portal with authentication' template. That process has been working well for years and I typically change that password every 6 months.
It has now been suggested that I should try to set up a different type of Guest login process on the Aruba Controllers. Specifically, I should try to set up the 'Interactive Captive Portal with email registration' template. I have tried to set this up the new way, but I am having a problem with post authentication.
After I authenticate, the user has a guest profile instead of the desired post authentication profile that I have selected in the 'Group' --> 'Configuration' --> 'L3 Authentication' --> 'Captive Portal Authentication' --> 'SSID_Name' --> 'Default Role'.
The only difference in the new SSID is using the 'Guest Login' option instead of the 'User Login' option, which is located in the L3 Authentication Captive Portal Authentication section. Please see attachment.
The problem is that the new SSID is not only allowing access to the internet but it is allowing access to the internal network as well, and I think it is because it is using the 'Guest Login' option instead of the 'User Login' option.
------------------------------
Stavros K
------------------------------