Security

Hi

We have a mixed wireless environment, we have both Cisco and Aruba wifi infrustructure. For guest web authentication, currently Cisco controller (flex 7510

) using internal landing page ( within 7510 controller), the SSID that serve guest access is local switching,  we are trying to switch the guest web

authentication landing page from internal (( with Cisco controller)to external ( clearpass). my test failed in both http and https redirecting to clearpass

page, the landing page won't show up on client device.  the preauth ACL on Cisco WLC is as below:
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535    53-53     Any Permit           0
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0
     3 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0            1     0-65535     0-65535  Any Permit         103
     4 Any         0.0.0.0/0.0.0.0               10.0.6.60/255.255.255.255    6     0-65535   443-443    Any Permit           0
     5 Any       10.0.6.60/255.255.255.255         0.0.0.0/0.0.0.0            6   443-443       0-65535  Any Permit           0
     6 Any         0.0.0.0/0.0.0.0               10.0.6.60/255.255.255.255    6     0-65535    80-80     Any Permit          50
     7 Any       10.0.6.60/255.255.255.255         0.0.0.0/0.0.0.0            6    80-80        0-65535  Any Permit           0
     8 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny      181008

The same guest SSID works fine if using internal landing page with same clearpass server as radius server.
The same clearpass landing page works fine for client associated to Aruba APs.

Any ideas or suggestions?

Thanks

I don't think external captive portal is supported in FlexConnect mode.

Thank you very much Tim.

Did u have any documents about it ? If yes can you please send me a link. I checked Cisco web site and opend a TAC case , nowhere mentioned this?

Looks like support was added in 7.2.110. What version are you running?

 

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html

8.0.110.0, yes, looks like supported.

I would post in parallel on Cisco's forums.

I'm working on my deployment now. I have a Cisco 5520 WLC, running 8.1.x code, in FlexConnect mode and ClearPass 6.5.3. I'm just getting started but have found this document that may help.

 

http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html

 

Patrick

 

 

Thanks patrick.

 

This works.

 

I also followed a document using ISE as external login server which explained similar configuration.

So you guys got a Flexconnect AP with local switching to work with Clearpass Guest?

Can you share a bit more detail?