Controllerless Networks

Occasional Contributor I

IAP 105 and new Clearpass Captive portal issues.

Hi there, my intention is to run a few IAPs together and let them use a ClearPass device to do external captive portal for ease of use and additional account management functionality (I’ll get to the “onboarding” later). I seem to have come unstuck for some reason and thus my post is as follows.


So, I configure the IAP to have guest portal, external URLs, and point the RADIUS (which I have configured) at the ClearPass device.

As a test, I’ve connected the IAP 105 and the ClearPass on the same subnet, no VLANS. I have a small Debian machine running dnsmasq, so that I can have a DHCP and DNS server available.


This subnet is and addresses are as follows:

Gateway Address ( Debian machine)

DNS Server Address ( Debian machine)

ClearPass STATIC,

IAP-Virtual Controller STATIC,

IAP-Master Controller STATIC,

Guests and other users  DHCP,


First of all, versions:

IAP105 - – current and does not find any updates on the internet.

ClearPass device:  VM with all the latest patches, and yes, licensed ;)


Physical connectivity:

The IAP is hardwired to the VM machine via a gigabit port.

The other interface connects to my network so that I can manage the ESXi Server. This port also has the “firewall” portion of the Debian server on it which connects to the internet.


IAP Configuration:

The IAP has two IPs as above and can readily be administered from the ADMIN SSID.

I have 2 SSIDs on the IAP:

ADMIN - (pre-shared key) and I can browse the internet when associated to it, being given my IP address, DNS server and gateway correctly from the dnsmasq on the Debian server. I then use this ADMIN SSID to manage the system.

Guest AP Portal – guest mode, external captive portal. No VLANs, default connectivity to the network, matching the config from the ADMIN SSID. Devices on the SSID get DHCP, DNS and gateway delivered information.


ClearPass Configuration:

LAN interface configured as and the MGMT interface configured with DHCP on my management network. I can get to the ClearPass on both the MGMT and LAN interfaces.

I have created a RADIUS NAS entry for the address and set up the credentials etc.

I have created a web login for the address and called it guest_portal. This is referenced as guest_portal.php, the URL for the IAP’s external portal config.

The networking interfaces show that all is OK and that there are no errors (that it knows of ;) ).

I create a user on the ClearPass to have a login that is current, in time and correct role.



From the ADMIN SSID, on the same subnet I can get to the url:

It provides me with the login page. A mobile device that joins the network however cannot get to the login page.

On an iPhone, if one makes an attempt to browse the internet before logging in, it takes a while after you have submitted the web url before it redirects to the captive portal page but never gets there.


If I change the Guest SSID to have an internal captive portal but use the RADIUS server then I can browse. Thus I assume the RADIUS part of my config is OK.


Has anyone done this kind of deployment before with the ClearPass?

Pictures of my configs attached.

Aruba Employee

Re: IAP 105 and new Clearpass Captive portal issues.

Use "/ " in the URL section of IAP config. i.e. in image 3 that you have attached use /guest_portal.php instead of guest_portal.php


On Amigopod select the secure login as "send clear text password over HTTP"





If HTTPS is required, keep the port as 80 in the port config section of IAP (if you use 443 you will get a tiny proxy error) but go to Amigopod and make the change as shown in the image below









Occasional Contributor I

Re: IAP 105 and new Clearpass Captive portal issues.

Thanks. That worked like a charm as the portal page now comes up.


However, where do I set the text string on the ClearPass that tells the IAP that the authentication has been successful?

Aruba Employee

Re: IAP 105 and new Clearpass Captive portal issues.

Just give a random text on the IAP for the authentication text field. For RADIUS-based captive portals such as ClearPass this is not required. However, IAP doesn't allow you to have this field empty so just input any dummy text on IAP. No config is required for this on ClearPass.





Occasional Contributor I

Re: IAP 105 and new Clearpass Captive portal issues.

OK, I have it working nicely now.


No random text required (just left it blank).


In the advanced settings of the IAP, enable "proxy radius", the rest falls into place.


New Contributor

Re: IAP 105 and new Clearpass Captive portal issues.

Can I use a URL config with folders in the path? For example: /folder/page



Contributor I

Re: IAP 105 and new Clearpass Captive portal issues.

Sorry for thread revival. I have exactly the same problem, I cannot get HTTPS to work.


I have ClearPass  and IAP-105 with latest code (


I can't find Network Access Login > "Require HTTPS for Guest access" anywhere in the GUI on ClearPass. Can you point me in the right direction?


Also when I do register, provision the account with a sponsor, and log on using HTTP (with iPhone 4S with iOS 6.1) I get "Network login in progress" then it redirects me to where I get a blank page.


If I open a new tab I go back to the registration page..... help :)








Contributor I

Re: IAP 105 and new Clearpass Captive portal issues.

OK, I got everything working with HTTP. Now I want HTTPS.


If I select "Require HTTPS for guest access" under Configuration > Authentication on ClearPass I got a message on my iPhone


"Safari cannot open the page because it could establish a secure connection to the server"

The IAP is set up to redirect to ClearPass using Port 80 with login page "/guest/register.php"








Frequent Contributor II

Re: IAP 105 and new Clearpass Captive portal issues.

IAP actually doesn't support HTTPS external captive portal, so you have to point and permit with firewall rules both HTTP and HTTPS captive portal and tell Amigopod to force HTTPS.


This technically works, but with Firefox users get a security warning that doesn't sound good, like "Although this page is encrypted, this information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"


I open a ticket for that

Andrea Consadori
ACMP 5.0 and 6.3
