Update:
I have successfully used my setup with the internal captive portal. I can authenticate with ClearPass through the VPN tunnel using the Instant internal captive portal.
However, I still cannot get it to function when trying to use ClearPass as the external captive portal. This is true whether trying to set up the self-registration or the simpler web-login.
I believe the issue is that the Guest user cannot use the VPN tunnel in all cases. Maybe I need a specialized set of access rules?
It looks like the captive portal (http, https) works fine through the VPN. However, once it gets to the authentication part, it gets blocked.
Both self-registration and web-login have a NAS setting.
Web-login is set to Aruba Networks, Controller initiated, Address (used the VPN termination IP)
Self-registration is set to the same.
After the self-registration, or user login through the web-login captive portals, a new browser tab pops up with the address given in the NAS settings. Then it promptly gets redirected back to the captive portal.
I'm assuming nothing is getting to the ClearPass as the Access Tracker or Event Viewer are not picking anything up.
I once received a comment from an Aruba expert who doubted the external portal could be used through a VPN as in my setup. His theory was that the Guest SSID blocked use of the VPN. Not sure if that's 100% true, since I can make it work with the internal captive portal, so at some level the VPN can be used during the authentication with the Guest SSID. However, maybe the VPN can be used because it's not the user initiating the login, but the IAP itself during the internal captive portal routine.
If anyone has any thoughts to the above, it would be much appreciated.
I'm sure, given the absence of the VPN connection, with the ClearPass accessible on the same subnet or in the cloud, this would work in all cases.
Regards,
Colin