Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

  • 1.  ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

    Posted Mar 07, 2014 12:23 PM

     

      

    Is it possible to use self-registration on ClearPass with Instant?

    Do I have to use a web-login because of some limitation on the IAP with its Guest SSID?

     

    I have seen from multiple guides/youtube/demos, and they all point customers to use the weblogin on ClearPass, not the self registration. (however, they are from earlier versions of both Instant and ClearPass)

    I have not been successful in copying a working self-reg configuration with my controller and adapting it to the Instant VC. 

    I had no issue adapting a Employee/BYOD config to work with the Instant VC.  

     

     

    Regards,

    Colin 

     

     



  • 2.  RE: ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

    Posted Mar 07, 2014 02:22 PM

    Sure, 

    You can do that. I have just finished a PoC with the customer on IAPs and CPPM/Guest. You should just redirect traffic in the IAP to the guest manager (self-registration) portal at Guest and create a regular RADIUS service for Aruba guest authentication at Policy Manager. Guest manager has a built-in wizard that creates a complete self-registration page, login landing page, self-service, etc.

    HTH 



  • 3.  RE: ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

    EMPLOYEE
    Posted Mar 08, 2014 01:55 AM


  • 4.  RE: ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

    Posted Mar 09, 2014 06:00 PM

    Thanks Marek, good to see someone has it working.

     

    I'm still having trouble with my implementation. 

    I'm accessing the ClearPass server and self-registration page through a VPN connection terminated on a controller.

    In the self-registration setup, I'm using the IP address of the VPN termination, as that is the address that gets used in the RADIUS request to ClearPass.

    What I'm seeing is that I can access the self-registration, and successfully create an account.  However, when it goes to authenticate, the RADIUS request does not get to the ClearPass.  It seems like the RADIUS request becomes another http browsing request, and gets redirected back to the self-registration page.

     

    Not sure if the VPN being in the middle of this is somehow preventing the RADIUS authentication after account creation.

     

    I've tried both "Aruba" and "ClearPass web-auth" with no luck.

     

     

     

    Regards,

    Colin   



  • 5.  RE: ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

    Posted Mar 10, 2014 11:50 AM

     

    Update:

     

    I have successfully used my setup with the internal captive portal.  I can authenticate with ClearPass through the VPN tunnel using the Instant internal captive portal.

     

    However, I still cannot get it to function when trying to use ClearPass as the external captive portal.  This is true either trying to setup the self-registration or the simpler web-login.

     

    I believe the issue is that the Guest user cannot use the VPN tunnel in all cases.  Maybe I need a specialized set of access rules?

    It looks like the captive portal (http, https) work fine through the VPN.  However, once it gets to the authentication part, it gets blocked.

     

    Both self-registration and web-login have a NAS setting.

    Web-login is set to Aruba Networks, Controller initiated, Address (used the VPN termination IP)

    Self-registration is set to the same.

     

    After the self-registration, or user login through the web-login captive portals, a new browser tab pops up with the address given in the NAS settings.  Then it promptly gets redirected back to the captive portal.

    I'm assuming nothing is getting to the ClearPass as the Access Tracker or Event Viewer are not picking anything up.

     

     

    I once received a comment from an Aruba expert that doubted the external portal could be used through a VPN as in my setup.  His theory was that the Guest SSID blocked use of the VPN.  Not sure if that's 100% true, since I can make it work with the internal captive portal, so at some level the VPN can be used during the authentication with the Guest SSID.  However, maybe the VPN can be used because it's not the user initiating the login, but the IAP itself during the internal captive portal routine.

     

    If anyone has any thoughts to the above, it would be much appreciated. 

    I'm sure, given the absence of the VPN connection, with the ClearPass accessible on the same subnet or in the cloud, this would work in all cases.

     

    Regards,

    Colin

     

     



  • 6.  RE: ClearPass 6.2 with Instant 6.3-4.0 Is Guest Self-Reg Possible?

    Posted Mar 10, 2014 06:11 PM

    Just a thought - did you try just leaving the address to securelogin.arubanetworks.com? That works in my scenarios using Instants and self-reg.