Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest

  • 1.  Clearpass Guest

    Posted Jun 14, 2013 08:04 AM

    I'm relatively new to CPPM and have run into a situation I hope someone can help me with. I have created a guest self registration page with ClearPass Guest. I have pointed the login page under the guest captive portal profile on my controller to the guest login page but I cannot pull up the login page. Here is what I'm running into:

    I have a broadband cable modem plugged into a port on my controller. This port is in VLAN 150. I have the VAP for my guest bound to VLAN 150. So when a user connects to the guest SSID they pull a 10.1.10.x IP address. This IP address is non-routable on my internal network. My ClearPass server has an IP that is routable on my internal network, 172.18.49.211; therefore, the guest user will never be able to reach my ClearPass server to get the login page. I have created a rule in my logon-control policy that src-nats the traffic to the ClearPass server using a NAT pool but that isn't working either.

    Any suggestions on how to get this working?



  • 2.  RE: Clearpass Guest

    Posted Jun 14, 2013 08:38 AM

    Do you have by any chance a static or default route that allows the controller to know how to reach the ClearPass server?

    Is the wireless client able to ping the broadband gateway?

    Did you point the Captive Portal Authentication Profile to your ClearPass server?

    [Screenshot: Screen Shot 2013-06-14 at 8.39.07 AM.png]

    And under your logon-control / captive-portal ACL do you have the following rule?

    [Screenshot: Screen Shot 2013-06-14 at 8.41.46 AM.png]



  • 3.  RE: Clearpass Guest

    EMPLOYEE
    Posted Jun 14, 2013 08:46 AM

    On the face of it, you would need to:

    (1) Create a layer 3 GRE tunnel from the controller to the ClearPass Policy Manager box.

    (2) Write an ACL on the controller redirecting user traffic in the "logon" role that is destined to the ClearPass Policy Manager box to the tunnel.



  • 4.  RE: Clearpass Guest

    Posted Jun 17, 2013 09:42 AM

    Is the src-nat IP address routable from the ClearPass server? Can you ping it?

    Are you using multiple IP addresses in the NAT pool or just one?

    You could not enter a NAT pool and allow the controller to use the interface address the packet is being routed out of.

        ip access-list session temp
          user host x.x.x.x svc-https src-nat
          user any svc-https permit

    Can you post the ACL doing the src-nat so we can review?



  • 5.  RE: Clearpass Guest

    Posted Jun 18, 2013 07:52 AM

    The NAT pool is using the interface IP of the controller, so yes, it is pingable.



  • 6.  RE: Clearpass Guest

    EMPLOYEE
    Posted Jun 18, 2013 08:42 AM

    msales,

    If you want, you can contact support, who can help you with this. It is typical that guest traffic will not be routable to the web server that needs to serve up user traffic. The GRE tunnel to Amigopod solution has been done for quite some time. The controller can tunnel traffic to the ClearPass box over GRE, and you would only have to write a rule in your "logon" role that sends traffic to the IP address of the ClearPass box through the tunnel. It is fairly straightforward.



  • 7.  RE: Clearpass Guest

    Posted Jun 21, 2013 10:28 AM

    Just for testing purposes I have set my test guest SSID to a VLAN that can reach the ClearPass server. When I open a web browser I never get the ClearPass Guest login page. If I manually type in the URL for the Guest login page I can pull it up. The initial role I get has a policy to allow http & https to the ClearPass IP address, logon-control, and captiveportal. This initial role is also tied to a captive portal profile that has the IP address of the ClearPass server for the login page.



  • 8.  RE: Clearpass Guest

    Posted Jun 25, 2013 01:38 PM

    Colin, I talked to TAC and they directed me to use a route src-nat firewall policy instead of using GRE. I have created a firewall policy that allows me to route src-nat to my ClearPass server on icmp, http, and https. I also have the same policy set to allow the same access to one additional server. I can ping my servers just fine from my guest network, however I cannot access them on http or https. What I have found is the TCP 3-way handshake never completes. The wireless client sends and receives the syn, syn-ack, and ack, however the server side never gets the ack. Have you ever seen this behavior?
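
An added diagnostic, not from this thread, for the symptom described in the post above: it compares a capture taken on the wireless client side with one taken on the server side and flags flows where the client sees SYN, SYN-ACK and ACK but the server never sees the final ACK (ICMP working while TCP stalls is typical of a NAT or asymmetric-path problem). The tcpdump-style lines and all addresses are constructed, and it assumes the src-nat preserves the client's source port so the two captures can be matched per port.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines. Guest client 10.1.10.5 is src-NATed by the
# controller to 172.18.49.1 (assumed) before reaching the server 172.18.49.211.
CLIENT_SIDE = """
10.1.10.5.51000 > 172.18.49.211.443: Flags [S]
172.18.49.211.443 > 10.1.10.5.51000: Flags [S.]
10.1.10.5.51000 > 172.18.49.211.443: Flags [.]
"""
SERVER_SIDE = """
172.18.49.1.51000 > 172.18.49.211.443: Flags [S]
172.18.49.211.443 > 172.18.49.1.51000: Flags [S.]
"""

# src.port > dst.port: Flags [..]  (only the handshake flags matter here)
LINE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([S.]+)\]")


def handshake_states(capture, server):
    """Map client source port -> set of handshake steps seen toward `server`."""
    seen = defaultdict(set)
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dst == server:
            seen[sport].add("SYN")
        elif flags == "S." and src == server:
            seen[dport].add("SYN-ACK")
        # A bare ACK only counts as the third step once a SYN-ACK was seen
        elif flags == "." and dst == server and "SYN-ACK" in seen[sport]:
            seen[sport].add("ACK")
    return seen


def stalled_flows(client_capture, server_capture, server):
    """Ports whose handshake completes at the client but not at the server.

    Assumes the source port survives the NAT, so flows are matched by port."""
    client = handshake_states(client_capture, server)
    srv = handshake_states(server_capture, server)
    full = {"SYN", "SYN-ACK", "ACK"}
    return sorted(p for p in client
                  if client[p] == full and srv.get(p, set()) != full)


if __name__ == "__main__":
    for port in stalled_flows(CLIENT_SIDE, SERVER_SIDE, "172.18.49.211"):
        print(f"port {port}: final ACK seen by client, never by server")
```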



  • 9.  RE: Clearpass Guest

    Posted Dec 15, 2015 06:34 PM
    Colin how can I replicate this setup in a non-controller environment i.e. Instant AP??


  • 10.  RE: Clearpass Guest

    EMPLOYEE
    Posted Dec 15, 2015 06:56 PM

    msales,

    Which setup did you settle on?