Hi there, my intention is to run a few IAPs together and let them use a ClearPass device to do external captive portal for ease of use and additional account management functionality (I’ll get to the “onboarding” later). I seem to have come unstuck for some reason and thus my post is as follows.
So. I configure the IAP to have guest portal, external URLs and point the RADIUS (which I have configured) at the ClearPass device.
As a test, I’ve connected the IAP 105 and the ClearPass on the same subnet, no VLANs. I have a small Debian machine running dnsmasq, so that I can have a DHCP and DNS server available.
This subnet is 172.16.99.0/24 and addresses are as follows:
Gateway Address 172.16.99.4 (Debian machine)
DNS Server Address 172.16.99.4 (Debian machine)
ClearPass STATIC, 172.16.99.5
IAP-Virtual Controller STATIC, 172.16.99.1
IAP-Master Controller STATIC, 172.16.99.115
Guests and other users DHCP, 172.16.99.10-254
First of all, versions:
IAP105 - 6.1.3.1-3.0.0.1_33617 – current and does not find any updates on the internet.
ClearPass device: VM with all the latest patches, and yes, licensed ;)
Physical connectivity:
The IAP is hardwired to the VM machine via a gigabit port.
The other interface connects to my network so that I can manage the ESXi Server. This port also has the “firewall” portion of the Debian server on it which connects to the internet.
IAP Configuration:
The IAP has two IPs as above and can readily be administered from the ADMIN SSID.
I have two SSIDs on the IAP:
ADMIN - (pre-shared key) and I can browse the internet when associated to it, being given my IP address, DNS server and gateway correctly from the dnsmasq on the Debian server. I then use this ADMIN SSID to manage the system.
Guest AP Portal – guest mode, external captive portal. No VLANs, default connectivity to the network, matching the config from the ADMIN SSID. Devices on the SSID get DHCP, DNS and gateway delivered information.
ClearPass Configuration:
LAN interface configured as 172.16.99.5 and the MGMT interface configured with DHCP on my management network. I can get to the ClearPass on both the MGMT and LAN interfaces.
I have created a RADIUS NAS entry for the 172.16.99.115 address and set up the credentials, etc.
I have created a web login for the address 172.16.99.115 and called it guest_portal. This is referenced as guest_portal.php, the URL for the IAP’s external portal config.
The networking interfaces show that all is OK and that there are no errors (that it knows of ;)).
I create a user on the ClearPass to have a login that is current in time and has the correct role.
Observations:
From the ADMIN SSID, on the same subnet, I can get to the URL: http://172.16.99.5/guest_portal.php
It provides me with the login page. A mobile device that joins the network, however, cannot get to the login page.
On an iPhone, if one makes an attempt to browse the internet before logging in, it takes a while after you have submitted the web URL before it redirects to the captive portal page, but it never gets there.
If I change the Guest SSID to have an internal captive portal but use the RADIUS server then I can browse. Thus I assume my RADIUS part of the config is OK.
Has anyone done this kind of deployment before with the ClearPass?
Pictures of my configs attached.
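A quick diagnostic to run from a laptop on the Guest SSID before logging in, added here as an example and not part of the original post or of any Aruba or ClearPass tooling. It does what the iPhone does on join (fetches http://captive.apple.com/hotspot-detect.html, Apple's captive-portal probe, and expects the literal body "Success"), reports whether the answer was the real page, a redirect to the ClearPass login, a redirect somewhere else, or nothing at all, and then separately checks whether the portal host 172.16.99.5 answers on port 80 from the same client. The addresses and portal URL are the ones from the post; everything else is an assumption of the example. The useful distinction it draws is "redirected to the portal but the portal itself is not reachable pre-auth" versus "never redirected at all", which are different problems (the first is usually the portal host missing from the pre-authentication allow list, the second is DNS or the redirect not firing).

```python
"""Captive-portal probe from the guest SSID (added example, not from the post)."""
import http.client
import socket
from urllib.parse import urlsplit

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"  # Apple's captive-portal probe
PORTAL_URL = "http://172.16.99.5/guest_portal.php"          # ClearPass web login from the post

REDIRECT_CODES = (301, 302, 303, 307, 308)


def redirect_target(headers):
    """Return the Location header value regardless of header-name case, or None."""
    for name, value in headers.items():
        if name.lower() == "location":
            return value
    return None


def classify_probe(status, headers, body, portal_url=PORTAL_URL):
    """Classify one probe response:
    "open"             probe reached the real site; the client already has access
    "portal-redirect"  redirected to the ClearPass login page (what we want pre-auth)
    "foreign-redirect" redirected somewhere other than the portal
    "intercepted"      200 but not the probe body (splash served without a redirect)
    "blocked"          anything else (errors, redirect without Location, ...)
    """
    location = redirect_target(headers)
    if status in REDIRECT_CODES and location:
        target, expected = urlsplit(location), urlsplit(portal_url)
        # the IAP appends its own query string, so compare host and path only
        if target.hostname == expected.hostname and target.path.startswith(expected.path):
            return "portal-redirect"
        return "foreign-redirect"
    if status == 200:
        return "open" if "Success" in body else "intercepted"
    return "blocked"


def fetch(url, timeout=5.0):
    """GET url WITHOUT following redirects; return (status, headers, body)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.netloc, "User-Agent": "CaptiveNetworkSupport"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def tcp_reachable(host, port=80, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this client."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(probe_url=PROBE_URL, portal_url=PORTAL_URL):
    """Run the probe and the portal check; return the findings as a list of strings."""
    findings = []
    try:
        status, headers, body = fetch(probe_url)
        verdict = classify_probe(status, headers, body, portal_url)
        findings.append(f"probe {probe_url}: HTTP {status} -> {verdict}")
        if verdict != "open":
            findings.append(f"  Location: {redirect_target(headers)}")
    except OSError as exc:
        # DNS failure or TCP timeout/refusal: the client never reaches the point
        # at which the IAP would redirect it, so the portal is not the problem yet
        findings.append(f"probe {probe_url} failed before HTTP: {exc}")

    portal_host = urlsplit(portal_url).hostname
    if not tcp_reachable(portal_host):
        # A redirect can point at the portal while the portal host itself is still
        # subject to the pre-auth block; that is the "never gets there" symptom
        findings.append(f"portal host {portal_host}:80 NOT reachable from this client")
        return findings
    try:
        status, _, body = fetch(portal_url)
        findings.append(f"portal {portal_url}: HTTP {status}, {len(body)} bytes")
    except OSError as exc:
        findings.append(f"portal {portal_url} failed: {exc}")
    return findings


if __name__ == "__main__":
    for line in diagnose():
        print(line)
```

Run it once from the ADMIN SSID (expect "open" and a 200 from the portal) and once from the Guest SSID before logging in; the pair of results tells you whether the redirect is firing and whether 172.16.99.5 is exempt from the pre-auth block.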