Security

Reply
Occasional Contributor II

Clearpass Guest Authentication through a Firewall

I have an Aruba Controller and Clearpass install where I am unable to get Guests on the network through the Clearpass guest portal.

The Clearpass server is a VM with a singe interface on the trusted network on the inside of a Fortigate firewall and is being used successfully for WPA2 Enterprise/802.1X authentication of corporate users.  The controller has an interface on both the trusted network and in the Guest network DMZ which is seperated from the corporate network by the firewall.

The Clearpass Guest portal is configured to use a single guest user and the basic "I accept" button.  If I hide the guest network behind a source-nat on the controller, everything seems to work normally.  When I remove the NAT and allow preauth guest clients to exist in the Guest DMZ subnet, they can get to the Clearpass portal page but clicking the accept buton does not change their role on the controller and they are simply looped back to the guest portal.

Ports 80, 443, 1812, 1813 and 3799 have been opened between the guest network and the Clearpass server and as I mentioned preauth clients on the Guest DMZ subnet can get to the Clearpass Portal page.

I unfortunately cannot post the configurations at this time but wanted to see if there is anything basic that I might be forgetting.

Re: Clearpass Guest Authentication through a Firewall

Hi Bill,

 

Thanks much for your post. Please make sure Clearpass servers are allowed in the initial role on the controller say for example, if the initial role is logon role to get the CP page; make sure you allow the clearpass servers. something like below.

 

user alias clearpass any svc-http permit 

user alias clearpass any svc-https permit

 

Also make sure post auth role doesnt contain the dst-nat acls as that would re-direct loop back to captive portal page. Check for access tracker on the clearpass if there is any role returned to controller.

 

Thank you,

Sriram

Occasional Contributor II

Re: Clearpass Guest Authentication through a Firewall

Thanks Sriram.  Can you think of anything that would cause an authenticated guest user to be redirected to the IP address of the controller? 

 

Re: Clearpass Guest Authentication through a Firewall

Bill,

 

Please look for DNS resolution on your non-working client to understand why it re-directs back to controller.

 

Thank you,

Sriram

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: