There are 2 critical points to the configuration. The IAP, using tiny proxy, does not support HTTPS directly. As mentioned in previous posts,
the auth server must demand HTTPS (and redirect the client from port 80 to 443).
In ClearPass Guest -> authentication -> Require HTTPS for guest access (set to enable).
The pre-auth role must explicitly allow HTTPS:
Example Lab config:
wlan external-captive-portal
 server clearpass-1.test.net
 url "/guest/iap_guest_clearpass.php"
 auth-text ""
 auto-whitelist-disable
wlan access-rule preauth
 index 4
 rule 192.168.17.36 255.255.255.255 match tcp 443 443 permit
 rule 192.168.17.36 255.255.255.255 match tcp 80 80 permit
 rule 192.168.17.26 255.255.255.255 match tcp 443 443 permit
 rule 192.168.17.26 255.255.255.255 match tcp 80 80 permit
 rule 192.168.17.37 255.255.255.255 match udp 53 53 permit
 rule 192.168.17.30 255.255.255.255 match udp 53 53 permit
 rule any any match udp 67 68 permit
In this case, the IAP SSID is configured for "network assigned ip", with no VLAN.
If this doesn't work, I'd suggest opening a support case, and we'll look into the issue.
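
An added example, not part of the original post and not Aruba tooling: a small Python check that reads a pre-auth role in the format shown above and reports which portal addresses are missing the tcp 80 or tcp 443 permit needed for the HTTP-to-HTTPS redirect. It assumes that 192.168.17.36 and 192.168.17.26 are the portal servers, that rules are evaluated first-match, and that unmatched traffic is not permitted; the function names are hypothetical.

```python
import ipaddress

# The pre-auth role from the lab config above, embedded so this runs offline.
PREAUTH = """\
wlan access-rule preauth
 index 4
 rule 192.168.17.36 255.255.255.255 match tcp 443 443 permit
 rule 192.168.17.36 255.255.255.255 match tcp 80 80 permit
 rule 192.168.17.26 255.255.255.255 match tcp 443 443 permit
 rule 192.168.17.26 255.255.255.255 match tcp 80 80 permit
 rule 192.168.17.37 255.255.255.255 match udp 53 53 permit
 rule 192.168.17.30 255.255.255.255 match udp 53 53 permit
 rule any any match udp 67 68 permit
"""

def parse_rules(text):
    """Return (network-or-None, proto, low, high, action) per 'rule' line."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # Only the 'rule <dst> <mask> match <proto> <lo> <hi> <action>' form is handled.
        if len(f) != 8 or f[0] != "rule" or f[3] != "match":
            continue
        net = None if f[1] == "any" else ipaddress.ip_network(f"{f[1]}/{f[2]}", strict=False)
        rules.append((net, f[4], int(f[5]), int(f[6]), f[7]))
    return rules

def allowed(rules, ip, proto, port):
    """First matching rule decides; no match is treated as not permitted (assumption)."""
    addr = ipaddress.ip_address(ip)
    for net, p, lo, hi, action in rules:
        if p == proto and lo <= port <= hi and (net is None or addr in net):
            return action == "permit"
    return False

def missing_portal_access(text, portal_ips):
    """List (ip, port) pairs a guest needs for the HTTP->HTTPS redirect but cannot reach."""
    rules = parse_rules(text)
    return [(ip, port) for ip in portal_ips for port in (80, 443)
            if not allowed(rules, ip, "tcp", port)]

if __name__ == "__main__":
    portal = ["192.168.17.36", "192.168.17.26"]  # assumed to be the portal servers
    print(missing_portal_access(PREAUTH, portal))
    # Constructed broken variant: the 443 rule for .26 removed.
    broken = PREAUTH.replace(" rule 192.168.17.26 255.255.255.255 match tcp 443 443 permit\n", "")
    print(missing_portal_access(broken, portal))
```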