IAP + ClearPass Guest Captive Portal
This solution configures a captive portal SSID on an Aruba Instant Access Point (IAP). The captive portal SSID is designed for integration with ClearPass Guest. The captive portal page hosted on ClearPass Guest can be configured in multiple ways, including a simple web login, a self-registration page, or a hotspot registration with payment. Please see the ClearPass Guest deployment guide for more information on how to configure ClearPass Guest.
The captive portal SSID that this solution creates has many small configuration options hard coded, and the reason for each setting is not always obvious. Please read over both the configuration notes and the referenced documents to better understand the configuration. A video recording is also available that goes over the captive portal configuration on the IAP using the GUI and the configuration on ClearPass to create the necessary services and a web login page.
Aruba Instant Access Point 135 running 126.96.36.199-188.8.131.52 and ClearPass Guest running 184.108.40.206353. This solution documents configuration for ClearPass 6.2, which should also apply to ClearPass 6.0 and 6.1. For ClearPass Guest 3.9 and earlier, the notes in this solution may not directly apply. One specific configuration option that must be modified for CPG 3.9 and earlier is the redirect parameter, which should be changed from "/guest/<login_page>.php" to simply "/<login_page>.php", because those releases do not serve the login page under the /guest/ path.
ClearPass Guest and ClearPass Policy Manager will need to be configured before captive portal authentication will succeed. See the ClearPass Guest Deployment Guide and the ClearPass Policy Manager User Guide for more details. The referenced video also goes over the very basics of setting up a web login page on ClearPass Guest and two authentication services on ClearPass Policy Manager.
IAP has a 32 character limit for profile names. When entering values for profile prefix and profile name, ensure that the total length will not exceed 32 characters after taking into account all derived profile names. For example, if there is a profile in the configuration called "%gen_prefix%-%profile_name%-logon", the two variables plus the 7 static characters (the two hyphens and "logon") must not exceed 32 characters; the IAP will reject or truncate longer names.
The external captive portal redirect will be configured on IAP for port 80. On ClearPass Guest, enable the option to "Require HTTPS for guest access" at Configuration -> Authentication. The combination of these two settings will automatically convert captive portal redirects from HTTP (port 80) to HTTPS (port 443): the IAP redirects the client to the portal over HTTP, and ClearPass Guest then redirects it to the same page over HTTPS. Follow this two-step redirection rather than pointing the IAP redirect directly at port 443, to prevent redirection issues caused by the IAP's captive portal proxy.
RADIUS accounting will be enabled but RADIUS interim accounting is optional. Enable interim accounting only if you plan to make use of the additional data that will be sent.
The solution allows you to configure the redirect to ClearPass Guest using an IP address, although this is not recommended. Instead, give the solution a valid FQDN for ClearPass so the redirect can use that hostname. A captive portal redirect to an IP address will almost certainly lead to certificate trust issues, because the certificate ClearPass presents is issued to its hostname, and the client's browser will warn on the name mismatch once the redirect is upgraded to HTTPS.
Two user roles get created, one for the pre-authenticated clients and one for the authenticated clients. The pre-authenticated user role ("%gen_prefix%-%profile_name%-logon") forces the captive portal redirect and specifically allows HTTP/HTTPS communication to the CPG server only. The post-authenticated user role ("%gen_prefix%-%profile_name%-auth") will be automatically applied to users that pass captive portal authentication. Warning: the post-authenticated user role has no network access restrictions. Please adjust this role according to your desired network policy before putting the SSID into service. If the ClearPass Policy Manager service that processes the captive portal authentication requests has an enforcement profile that returns an Aruba-User-Role attribute, the IAP will place the user in the role named by that attribute instead of the default post-authenticated role, so the named role must exist on the IAP.
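As an added illustration, and not the configuration generated by this solution, the following Aruba Instant CLI fragment shows how the pieces described in these notes fit together: an external captive portal profile that redirects on port 80 to the ClearPass Guest FQDN, a RADIUS server definition with accounting enabled, a pre-authentication role that only permits DHCP, DNS and HTTP/HTTPS to the ClearPass server, a post-authentication role that has been tightened to web and DNS traffic, and the SSID profile that ties them together. The profile names (guest-cp, cppm, guest-cp-logon), the host cpg.example.com, the address 10.1.1.20 and the shared secret are placeholders; the lines beginning with "!" are annotations, not CLI input. It is also assumed, as Instant normally behaves, that the access rule sharing the SSID profile's name is the default role applied after authentication, which is the role this solution names "-auth". Exact keywords (in particular the named external captive portal profile) vary between Instant releases, so check each line against the CLI reference for your firmware before use.

```text
! External captive portal: redirect on port 80 to the ClearPass Guest FQDN.
! With "Require HTTPS for guest access" enabled on CPG, the client is then
! sent on to the same page over 443.
wlan external-captive-portal guest-cp
 server cpg.example.com
 port 80
 url "/guest/guest_login.php"
 auth-text "Authenticated"

! ClearPass Policy Manager as RADIUS authentication and accounting server.
wlan auth-server cppm
 ip 10.1.1.20
 port 1812
 acctport 1813
 key "SharedSecretPlaceholder"

! Pre-authentication role: DHCP, DNS and HTTP/HTTPS to ClearPass only.
! The final deny closes everything else until the portal login succeeds.
wlan access-rule guest-cp-logon
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule 10.1.1.20 255.255.255.255 match tcp 80 80 permit
 rule 10.1.1.20 255.255.255.255 match tcp 443 443 permit
 rule any any match any any any deny

! Post-authentication (default) role, named after the SSID profile.
! The solution ships this as "rule any any match any any any permit";
! here it is restricted to DNS and web traffic as an example policy.
wlan access-rule guest-cp
 rule any any match udp 53 53 permit
 rule any any match tcp 80 80 permit
 rule any any match tcp 443 443 permit
 rule any any match any any any deny

! Guest SSID tying the profiles together. RADIUS accounting is on;
! interim accounting is left at its default (off) per the note above.
wlan ssid-profile guest-cp
 essid Guest
 type guest
 opmode opensystem
 captive-portal external profile guest-cp
 set-role-pre-auth guest-cp-logon
 auth-server cppm
 radius-accounting
 set-role Aruba-User-Role value-of
```

The "set-role Aruba-User-Role value-of" line is what lets a ClearPass enforcement profile override the default role: if the RADIUS Access-Accept carries Aruba-User-Role, the client is placed in the access rule of that name, so any role a ClearPass service can return must be defined on the IAP with the same spelling.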
No special licenses are required on the IAP. ClearPass Policy Manager requires either an Enterprise type license or a Guest type license covering the number of guest devices that authenticate on a daily basis.