05-22-2014 03:25 AM - last edited on 05-30-2014 08:13 AM by Jamie E
we have a customer who would like to deploy Instant clusters in their stores.
They would like a Cloud based Clearpass reachable from the stores.
They would like Clearpass guest with self-registration.
My question is:-
when the guests have created an account and they hit the login button Clearpass sends an HTML post to the
client to enable a radius login from the Cluster to Clearpass.
Does the client need IP visibility of the Instant cluster from the Guest IP subnet?
I am thinking that it doesn't because the Instant cluster will incercept the HTML post !!
Is this right?
05-26-2014 01:07 PM
The Instant clusters need access to the ClearPass Guest appliance in your data center on both HTTP(S) and RADIUS.
Below a workflow from the old Amigopod documentation, however the flow is still about the same:
1) User associates
2) User is redirected to the landing page on ClearPass Guest; the proxy in Instant will proxy this from the management port; or with the proper exclusions this is forwarded directly from the Guest VLAN. Required access HTTPS and optional HTTP to the CPPM server.
3) Pre-login check on ClearPass (optioninal) and the....
4) Redirect to the NAS Login page (securelogin.arubanetworks.com by default); this is handled by the Instant AP
5) Instant AP converts the username password in the redirect to a RADIUS request to CPPM; this requires RADIUS access (udp/1812) from the Instant management interface to your CPPM in the cloud/data center.
6) CPPM returns access accept with optional role (7) assignment and other optional access parameters.
8) Accounting from Instant AP management to CPPM udp/1813
In some situations, you may want to trigger a disconnect or reauthentication from the CPPM. In that case, Change-of-Authorization (CoA) comes into play; for that you need access from the CPPM TO the Instant AP management IP (default on udp port 3799). In internet connected situations this may be difficult to realize; however Instant allows the configuration of a VPN to your data center and run the CPPM traffic over that VPN in two directions.
So you don't need guest users access the Instant Cluster; they will indirectly during the initial redirect, and the authentication.
Does this answer your question? Or what do you want to achieve, or avoid?
If you have urgent issues, please contact your Aruba partner or Aruba TAC.