
Captive portal issue between ClearPass and IAP

  • 1.  Captive portal issue between ClearPass and IAP

    Posted Mar 03, 2017 08:06 AM

    Hello,


    I have an issue with RADIUS authentication through a Captive Portal inside ClearPass.

    The IAPs' VLAN has connectivity with the ClearPass VLAN, but the customer's SSID VLAN doesn't have connectivity with the ClearPass VLAN; this is a mandatory condition. If I configure the SSID inside a VLAN with connectivity with ClearPass, everything works fine; if instead I put it inside a VLAN without connectivity with CP, the Captive Portal isn't shown, so there is no chance to authenticate with the RADIUS server.

    What could you suggest to solve this issue without interconnecting the ClearPass VLAN and the SSID VLAN?

    Thanks.



  • 2.  RE: Captive portal issue between ClearPass and IAP

    Posted Mar 03, 2017 08:10 AM

    Hi,

     

    I have to add that the ISP router acts as the DHCP server for the customer's SSID VLAN.



  • 3.  RE: Captive portal issue between ClearPass and IAP

    Posted Mar 07, 2017 11:25 AM

    Hi,

     

    Please, can someone help me?

     

    Thanks!!!



  • 4.  RE: Captive portal issue between ClearPass and IAP

    MVP
    Posted Mar 10, 2017 12:36 PM

    So if I understand your question, you have an IAP VLAN, which can reach ClearPass. However, you have a Guest VLAN, which cannot reach ClearPass and the captive portal page is hosted on CPPM?

     

    The Guest user needs to be able to resolve the captive portal page from their VLAN, so is it possible to configure the Data Port on CPPM to be in the Guest user's subnet?

     

    Does the customer know you can manage the guest user's level of access from the Roles assigned in the IAP since it has its own stateful firewall? So you could permit HTTP/HTTPS access to ClearPass. On CPPM, you can also configure Access Restrictions that prevent any user from the Guest subnet from getting to the Policy Manager login page to add additional security.

     



  • 5.  RE: Captive portal issue between ClearPass and IAP

    Posted Mar 11, 2017 04:47 PM

    Hi mharing,

     

    You're right about my issue. About your way to solve it, this was my first option, but I would like to know if there is another way to do the RADIUS authentication through CPPM without connecting CPPM's VLAN and the guest VLAN.

     

    Thanks.



  • 6.  RE: Captive portal issue between ClearPass and IAP
    Best Answer

    MVP
    Posted Mar 11, 2017 06:19 PM
    The RADIUS authentication yes, so for example if you had MAC authentication enabled on that same network, the MAC auth request would be sent from the VC (with Dynamic RADIUS proxy enabled). For captive portal, no because the user's web browser must reach the captive portal page hosted on CPPM. So the end user's device must be able to route there. You may be able to have a NAT configured, but not from the IAP. Possibly could NAT at the core or router level, but if it's a security concern which is setting the restrictions then it's not really any better than just setting up the routing.



    ________________________________
    Michael Haring | Network Engineer
    (610) 246-6037 | Comm Solutions



  • 7.  RE: Captive portal issue between ClearPass and IAP

    Posted Mar 12, 2017 05:10 AM

    Ok, thank you very much for your help mharing.

     

    Regards.