Occasional Contributor I
Posts: 5
Registered: ‎06-23-2016

Captive portal issue between ClearPass and IAP

Hello,


I have an issue with RADIUS authentication through a Captive Portal inside ClearPass.

The IAPs' VLAN has connectivity with the ClearPass VLAN, but the customer's SSID VLAN has no connectivity with the ClearPass VLAN; this is a mandatory condition. If I configure the SSID inside a VLAN with connectivity with ClearPass, all works fine; if instead I put it inside a VLAN without connectivity with CP, the Captive Portal isn't shown, so there is no chance to authenticate with the RADIUS server.

What could you suggest to solve this issue without interconnecting the ClearPass VLAN and the SSID VLAN?

Thanks.

Occasional Contributor I
Posts: 5
Registered: ‎06-23-2016

Re: Captive portal issue between ClearPass and IAP

Hi,

I have to add that the ISP router acts as the DHCP server for the customer's SSID VLAN.

Occasional Contributor I
Posts: 5
Registered: ‎06-23-2016

Re: Captive portal issue between ClearPass and IAP

Hi,

Please, can someone help me?

Thanks!!!

MVP
Posts: 384
Registered: ‎05-09-2013

Re: Captive portal issue between ClearPass and IAP

So if I understand your question, you have an IAP VLAN, which can reach ClearPass. However, you have a Guest VLAN, which cannot reach ClearPass, and the captive portal page is hosted on CPPM?

The Guest user needs to be able to resolve the captive portal page from their VLAN, so is it possible to configure the Data Port on CPPM to be in the Guest user's subnet?

Does the customer know you can manage the guest user's level of access from the Roles assigned in the IAP, since it has its own stateful firewall? So you could permit HTTP/HTTPS access to ClearPass. On CPPM, you can also configure Access Restrictions that prevent any user from the Guest subnet from getting to the Policy Manager login page, to add additional security.

Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Occasional Contributor I
Posts: 5
Registered: ‎06-23-2016

Re: Captive portal issue between ClearPass and IAP

Hi mharing,

You're right about my issue. About your way to solve it, this was my first option, but I would like to know if there is another way to make the RADIUS authentication through CPPM without connecting CPPM's VLAN and the guest VLAN.

Thanks.

MVP
Posts: 384
Registered: ‎05-09-2013

Re: Captive portal issue between ClearPass and IAP

The RADIUS authentication yes, so for example if you had MAC authentication enabled on that same network, the MAC auth request would be sent from the VC (with Dynamic RADIUS proxy enabled). For captive portal, no because the user's web browser must reach the captive portal page hosted on CPPM. So the end user's device must be able to route there. You may be able to have a NAT configured, but not from the IAP. Possibly could NAT at the core or router level, but if it's a security concern which is setting the restrictions then it's not really any better than just setting up the routing.



Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Occasional Contributor I
Posts: 5
Registered: ‎06-23-2016

Re: Captive portal issue between ClearPass and IAP

OK, thank you very much for your help, mharing.

Regards.
