MVP
Posts: 360
Registered: ‎01-14-2010

Captive Portal with Clearpass VLAN VSA

All,

 

I'm trying to figure out a way for guest users to be sent to a different VLAN when they log into a captive portal. I was told by my Aruba SE that they believe it was possible for a guest user to be handed off to another VLAN if you send a CoA after they log in. I've been trying to get this to work all night and I'm coming up short.

 

Has anyone got something similar to work?


Thanks for your help!

 

-Mike

 

The ArubaOS infrastructure is running 6.3.1.1 and Clearpass 6.2.3.

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Captive Portal with Clearpass VLAN VSA


Boston1630,

 

The only way that has worked is if the initial VLAN that the Captive Portal user is in has a DHCP lease of 30 seconds or less (the controller can provide sub-30 second DHCP leases).  When the user authenticates, ClearPass can send back a role or VLAN that has the new VLAN.  The client will re-dhcp and obtain the new VLAN when the lease expires at the 50% mark and be placed into the new VLAN.

 

Others have said it can be done with COA, but COA, while resetting the authentication status of a Captive Portal client, does not force it to re-DHCP to obtain a new IP address.  It would be good if someone can show us how it would work that way.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
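
To check in a packet capture which role and VLAN ClearPass actually returned after the portal login, the following added example (not part of the original thread, and not Aruba's code) decodes the Aruba VSAs from a RADIUS packet. Vendor ID 14823 and sub-types 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan) follow the Aruba RADIUS dictionary; the sample packet, the role name "guest-auth" and VLAN 200 are constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823                  # Aruba's IANA enterprise number
ARUBA_USER_ROLE, ARUBA_USER_VLAN = 1, 2  # string / 32-bit integer sub-types
VENDOR_SPECIFIC = 26                     # RFC 2865 Vendor-Specific attribute
CODES = {2: "Access-Accept", 3: "Access-Reject", 43: "CoA-Request"}

def vsa(vendor_type, value):
    """Encode one Aruba Vendor-Specific attribute (RFC 2865 section 5.26)."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def build_packet(code, ident, attrs):
    """Header plus attributes; authenticator zeroed (constructed sample only)."""
    payload = b"".join(attrs)
    header = struct.pack("!BBH16s", code, ident, 20 + len(payload), b"\0" * 16)
    return header + payload

def parse_aruba_enforcement(packet):
    """Return (code name, {'role': ..., 'vlan': ...}) found in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    result, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA, or too short to hold a vendor ID and sub-attribute
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # another vendor's VSA
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            vtype, data, sub = sub[0], sub[2:sub[1]], sub[sub[1]:]
            if vtype == ARUBA_USER_ROLE:
                result["role"] = data.decode("ascii", "replace")
            elif vtype == ARUBA_USER_VLAN and len(data) == 4:
                result["vlan"] = struct.unpack("!I", data)[0]
    return CODES.get(code, str(code)), result

# Constructed Access-Accept: User-Name "guest", role "guest-auth", VLAN 200.
SAMPLE_ACCEPT = build_packet(2, 7, [bytes([1, 7]) + b"guest",
                                    vsa(ARUBA_USER_ROLE, b"guest-auth"),
                                    vsa(ARUBA_USER_VLAN, struct.pack("!I", 200))])
```
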
MVP
Posts: 360
Registered: ‎01-14-2010

Re: Captive Portal with Clearpass VLAN VSA

CJoseph,

 

Thanks for the reply! That's an interesting way to go about it. I'm going to send this to my local SE and hope that his source can chime in on this topic. I, too, would like to be able to do it with a CoA, or something similar - that would be a lot slicker than waiting for the client to time out.

 

Thanks!

 

-Mike

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Captive Portal with Clearpass VLAN VSA


boston1630 wrote:

CJoseph,

 

Thanks for the reply! That's an interesting way to go about it. I'm going to send this to my local SE and hope that his source can chime in on this topic. I, too, would like to be able to do it with a CoA, or something similar - that would be a lot slicker than waiting for the client to time out.

 

Thanks!

 

-Mike


Boston1630,

 

Again, the reason why COA works for 802.1x is that ip addressing and auth in 802.1x are tied together.  In captive portal, it is not, so the client is not disconnected from the network; his authentication state is merely reset, which is independent from ip addressing.  

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 360
Registered: ‎01-14-2010

Re: Captive Portal with Clearpass VLAN VSA

CJ,

 

Any chance there's an equivalent CoA function with Aruba similar to the "Port Bounce" with the Cisco? I know that is a signal to the physical port, but something equivalent might be able to do the trick. This is of course completely spitballing.

 

Thanks!

 

-Mike

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Captive Portal with Clearpass VLAN VSA

There is none that I know of that is radius-server facing. Maybe someone can chime in if they know of one.
Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Captive Portal with Clearpass VLAN VSA

Boston,

Is this an open SSID? Are you using clearpass guest as a registration mechanism?


You should be able to do this without a problem.
MVP
Posts: 360
Registered: ‎01-14-2010

Re: Captive Portal with Clearpass VLAN VSA

Hi sdr53,

 

Yep, I'm using Clearpass 6.2.3 and it is providing a web login page. The controller is running 6.3.1.1 and is pointing to Clearpass from a captive portal profile - standard stuff.

 

Is this something that you've pulled off before? I'm really interested in how you did it.

 

Thanks!

 

-Mike

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Captive Portal with Clearpass VLAN VSA

Mike,

Yes, I do it, and here is how:

Set the authentication method on the service to allow all MAC auth. Then set the default role on the enforcement policy to return a user role on the controller; include a VLAN on the RADIUS return if you want. That user role should have the captive portal you would like to use for this SSID.

The key is the initial role on your controller will never be used because you will approve all requests.

Hope this works for you.

Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: Captive Portal with Clearpass VLAN VSA

Sdr53,

Thank you for that configuration.

Boston1630, I think, wants to start from an unknown client with Captive Portal and switch VLANs after Captive Portal authentication. Will your solution work with what he wants?
Colin Joseph
Aruba Customer Engineering
