Contributor II

Aruba Instant with Clearpass Captive Portal Source IP / NAT

I am going to configure some locations with Aruba Instant and have a centralized Clearpass server.

How do I get the clients to communicate with the Clearpass logon site? Is it possible to NAT the clients, so that the virtual controller IP is used to communicate with the Clearpass server?

And can the virtual controller NAT the clients to a public IP after they are authorized by Clearpass?

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

Once the user has registered through the captive portal, you can return a role that source NATs the traffic.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

It's more about the login on the Clearpass. I like to masquerade the guest behind the virtual controller IP because there is no route from the Clearpass to the guest IP range.
Contributor II

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

The setup is a network-assigned VLAN for guests with no routing to the internal networks. DHCP and DNS come from the network. The IAP is not the default gateway.

The Clearpass server is in the internal networks.

What ACL has to be in the pre-authentication rule to get a connection to the Clearpass server?

Source nat http and https to destination clearpass server
+ allow DHCP + dns?

Or is the captive portal rule needed with pre-configured cp profile?

Contributor II

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

Source NAT HTTP and HTTPS to destination Clearpass server
+ allow DHCP + DNS worked, but the automatic redirect does not work.

 

any suggestions?!

Aruba Employee

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

Can you elaborate on "automatic redirect" does not work? Is it the redirect after login?

Contributor II

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

No, it is the redirect to the Clearpass login page.

I connect to the SSID, get an IP address, and DNS is working. When I open Firefox and type a website, I only get an error message and no redirect to the logon page.

I added a source NAT rule and can log in when I use the 172.16.1.10/guest/guest_logon.php URL. But the redirect does not work.

Running 6.4.2 on IAP 108.

Here is my captive portal profile and the pre-auth role/ACL:

 

wlan external-captive-portal CP
 server 172.16.1.10
 port 443
 url "172.16.1.10/guest/guest_logon.php"
 auth-text ""
 auto-whitelist-disable
 https

 

wlan access-rule Guest-Logon
 index 4
 captive-portal external profile CP
 rule 172.16.1.10 255.255.255.255 match any any any src-nat
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule 172.16.1.10 255.255.255.255 match tcp 80 80 permit
 rule 172.16.1.10 255.255.255.255 match tcp 443 443 permit

Contributor II

Re: Aruba Instant with Clearpass Captive Portal Source IP / NAT

Found the solution here in the forum :)

http://www.airheads.eu/t5/Aruba-Instant-Cloud-Wi-Fi/Instant-does-not-redirect-to-Clearpass/td-p/200527

It is the captive portal profile:

 

wlan external-captive-portal CP
 server 172.16.1.10
 port 443
 url "172.16.1.10/guest/guest_logon.php"
 auth-text ""
 auto-whitelist-disable
 https

 

has to be

 

wlan external-captive-portal CP
 server 172.16.1.10
 port 443
 url "/guest/guest_logon.php"
 auth-text ""
 auto-whitelist-disable
 https
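
Added example (not part of the thread and not Aruba tooling): a small Python check over Instant-style config text that flags the `url` mistake fixed above, and any pre-auth rule that matches all protocols, which is broader than the HTTP/HTTPS source NAT described earlier in the thread. The finding names, the function names and the rule that `url` must start with "/" (taken from the fix in this thread) are assumptions of this example; the sample config is copied from the posts.

```python
import re

# Constructed sample input: profile and pre-auth role as posted in the thread.
BROKEN = '''wlan external-captive-portal CP
 server 172.16.1.10
 port 443
 url "172.16.1.10/guest/guest_logon.php"
 https
'''
FIXED = BROKEN.replace('url "172.16.1.10/', 'url "/')
ROLE = '''wlan access-rule Guest-Logon
 captive-portal external profile CP
 rule 172.16.1.10 255.255.255.255 match any any any src-nat
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule 172.16.1.10 255.255.255.255 match tcp 443 443 permit
'''

def parse_blocks(text):
    """Split config text into {header line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def lint(text):
    """Return (block header, finding name, offending value) tuples."""
    findings = []
    for header, lines in parse_blocks(text).items():
        if header.startswith("wlan external-captive-portal"):
            for ln in lines:
                m = re.match(r'url\s+"?([^"]*)"?$', ln)
                # Assumption from the thread's fix: url is a path; host comes from "server".
                if m and not m.group(1).startswith("/"):
                    findings.append((header, "url-not-path", m.group(1)))
        elif header.startswith("wlan access-rule"):
            for ln in lines:
                f = ln.split()
                # Layout seen in the thread: rule <dest> <mask> match <proto> <start> <end> <action>
                if f[:1] == ["rule"] and "match" in f and f[f.index("match") + 1:][:1] == ["any"]:
                    findings.append((header, "any-protocol-rule", ln))
    return findings
```

Running `lint` on a saved configuration before rollout catches the host-in-`url` profile and shows which pre-auth rules could be narrowed to the TCP ports the portal actually uses.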
