Occasional Contributor II
Posts: 31
Registered: ‎05-04-2011

ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controller.

 

I'm trying to set up Guest access on an Instant AP using ClearPass Guest.

The IAP has a VPN connection back to a controller, to access "corporate" resources.

The ClearPass server is on a VLAN accessible through the VPN.

I have a normal Employee SSID set up on the Instant (WPA2 personal), on which I have verified that the VPN connection is up and working. All VLANs can be accessed when on that SSID.

I used the video "Captive Portal Authentication with Aruba Instant and ClearPass".

I'm having trouble with some basic connectivity back through the VPN to my corporate VLANs, even if I temporarily set access rules of logon roles to "allow all".

The question would be whether the VPN to the controller is not usable from a Guest SSID?

If not, is there any alternative, other than moving the ClearPass server to a location accessible outside the "corporate" VLANs?

Regards,

Colin

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controlle

It would depend on the guest network and how that is configured. The VPN on Instant is really meant for internal users (employees). However, if you want to make that work, perhaps use split tunneling and NAT the traffic using L3, Local mode of operation on the IAP VPN config on the guest side. However, use the routing profile to ONLY send the web guest page traffic into the tunnel but NAT everything else out of the Instant AP.

This is an untested theory that may or may not work.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 31
Registered: ‎05-04-2011

Re: ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controlle

Seth,

Thanks for the information and suggestions.

Given that the VPN is only meant for employees, would that also suggest that it can't be used prior to authentication for any type of network (SSID)?

I'm asking for the case of using the same setup described in my first post, except using ClearPass to perform a WPA2-AES certificate-based authentication or possibly even a full BYOD provisioning through that VPN. In either case, the VPN would need to be used for at least the authentication, similar to the guest portal issue discussed above.

(I'm having the same issues with going through the VPN to the ClearPass to authenticate employees. However, I haven't fully confirmed it's not something else I'm configuring incorrectly.)

I've seen a lot of material on using ClearPass with Instant, but most of the time the ClearPass server is located within the local Instant network, or is publicly reachable.

Regards,

Colin

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controlle

Colin -

I would suggest you open a case to troubleshoot any issues with your config. In short, Instant using the VPN can work via a single SSID for authenticating users and issuing certs via ClearPass Onboard.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos