Aruba Instant & Cloud Wi-Fi

Contributor II
Posts: 100
Registered: 10-04-2012

Cloud based Clearpass


we have a customer who would like to deploy Instant clusters in their stores.

They would like a Cloud based Clearpass reachable from the stores.

They would like Clearpass guest with self-registration.

My question is:

when the guests have created an account and they hit the login button, Clearpass sends an HTML post to the client to enable a radius login from the Cluster to Clearpass.

Does the client need IP visibility of the Instant cluster from the Guest IP subnet?

I am thinking that it doesn't because the Instant cluster will intercept the HTML post !!

Is this right?

cheers

Pete


MVP
Posts: 418
Registered: 11-04-2011

Re: Cloud based Clearpass

The Instant clusters need access to the ClearPass Guest appliance in your data center on both HTTP(S) and RADIUS.


Below is a workflow from the old Amigopod documentation; however, the flow is still about the same:


1) User associates

2) User is redirected to the landing page on ClearPass Guest; the proxy in Instant will proxy this from the management port; or with the proper exclusions this is forwarded directly from the Guest VLAN. Required access HTTPS and optional HTTP to the CPPM server.

3) Pre-login check on ClearPass (optional) and the....

4) Redirect to the NAS Login page (securelogin.arubanetworks.com by default); this is handled by the Instant AP

5) Instant AP converts the username password in the redirect to a RADIUS request to CPPM; this requires RADIUS access (udp/1812) from the Instant management interface to your CPPM in the cloud/data center.

6) CPPM returns access accept with optional role (7) assignment and other optional access parameters.

8) Accounting from Instant AP management to CPPM udp/1813


[image: guest-workflow.png]


In some situations, you may want to trigger a disconnect or reauthentication from the CPPM. In that case, Change-of-Authorization (CoA) comes into play; for that you need access from the CPPM TO the Instant AP management IP (default on udp port 3799). In internet-connected situations this may be difficult to realize; however, Instant allows the configuration of a VPN to your data center and running the CPPM traffic over that VPN in both directions.


So you don't need guest users to access the Instant cluster; they will indirectly, during the initial redirect and the authentication.


Does this answer your question? Or what do you want to achieve, or avoid?


Herman

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
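As an added illustration (not from the original post, and not Aruba or ClearPass code), this shows what the step 5 RADIUS request looks like on the wire: a minimal RFC 2865 Access-Request encoder with PAP password hiding, plus the inverse operation the server performs. The inverse also makes the point that anyone holding the shared secret can recover the guest password from captured udp/1812 traffic, which is one reason to carry this traffic inside the VPN Herman mentions rather than over the open internet. Username, password, secret and NAS IP are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 constants (from the RFC, not from the forum post).
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    # Attribute = Type(1) | Length(1, includes this header) | Value
    return bytes([atype, len(value) + 2]) + value


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with
    MD5(secret || previous ciphertext block), first block uses the authenticator."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_unhide(hidden, secret, authenticator):
    """Inverse of pap_hide: possible for anyone who knows the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    """Access-Request as the NAS (here the Instant AP) would send it to CPPM."""
    auth = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_hide(password, secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header into {type: value}."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs
```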