Clearpass guest without inside DNS

I've been searching around the forums and there is a lot of good information but I haven't found a solution for this.


I'm not sure of the proper way to setup my guest wireless access. It seems that I either have to choose to allow them access to the internal dns or allow access to clearpass from a public IP address. This is what is happening.


The controller and ClearPass both sit on the inside network and the ClearPass server has a hostname of I have a guest VLAN set up that only gives access to the internet and uses Google's DNS servers of and I have the controller using the ClearPass captive portal located at


What happens is that when a guest user connects, the controller tries to send it to and that is not found by the public DNS. I can add that domain name to the public DNS, but then doesn't that open up my ClearPass server to anybody on the internet? If I have the controller route to the IP address of the ClearPass server it works fine, but they get a certificate error message as it's not going to the FQDN.


Alternatively, I can give my guest users access to my internal DNS server and they can get to ClearPass, but I really don't want to allow any access to internal DNS.


Is there any way to have guest access without either allowing internal DNS or public access to the ClearPass server?


Re: Clearpass guest without inside DNS

Just adding a public DNS entry for a server doesn't necessarily give everyone access to it.


Are you doing any NAT or does ClearPass have a public IP? Is there a firewall involved?


For example, you can have a DNS entry of that points to a private address of You can resolve that address from outside, but that address is not routable on the public internet and thus can't be accessed from outside your border router.

Re: Clearpass guest without inside DNS

I'm trying to do NAT so that the public IP will be directed to the ClearPass internal server, but I could give ClearPass a public IP if that would make it easier/better. There is a Cisco 6500 firewall involved that I do not know a lot about yet. I'm pretty new to all of this so I apologize, but if my public DNS is pointing to an IP address of, say, how do I get it to the internal server of Do I need to have the public DNS record pointing to or do I use NAT or internal DNS records to accomplish this?


Re: Clearpass guest without inside DNS

The simplest and quickest fix (but not necessarily networking best practice) would be to create a DNS entry for for the internal (private) IP.


Are you using an SSL cert for your captive portal? If not, you can disable SSL for the captive portal and then simply use the IP address in the CP URL and avoid a DNS entry altogether. Many times, SSL isn't necessarily needed if you aren't capturing sensitive information and are issuing short-term, temporary passwords.


Also, keep in mind that ClearPass needs some way to talk to the outside world for fingerprint, posture and software updates. You can do this with either a proxy or NAT translation.


Re: Clearpass guest without inside DNS

We are using an SSL cert that points to so I would like to use the hostname if possible. Do ISPs add local domain names to their DNS that resolve to private addresses? When I asked to have point directly to the address I was told that it was not valid and that it could only point to a public IP address. This was from a co-worker though, not the ISP.


I can add to my local DNS servers, but then that gets me back to the issue of wanting to only use public DNS for guests.


Re: Clearpass guest without inside DNS

It is not best practice to have private addresses in public DNS. If you are using another company to host your public domain name, they have every right to say no.


I'm going to let some other people chime in. Hopefully someone has a similar setup!



Re: Clearpass guest without inside DNS

We recently came up with the idea of assigning a public IP address to the DNS record and then setting a NAT policy that translates the external IP to the internal IP for guests. The firewall would allow the traffic from the guest zone to the inside where CP resides, but access to CP from the outside would not be allowed.


A different way to handle this is if your DNS servers are capable of DNS views. Essentially, you set up your DNS servers to respond with different IPs depending on whether the DNS request comes from the inside or outside.
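The DNS-views approach from the post above, written out as a constructed BIND configuration (an added example, not from this thread or from Aruba). example.com, the clearpass host, the 10.99.0.0/16 guest range, 10.10.10.5 for ClearPass and the file paths are all placeholders.

```conf
// ---- named.conf.local (constructed example) ----
acl "guest-vlan" { 10.99.0.0/16; };      // placeholder: guest VLAN range
acl "corp-lan"   { 10.0.0.0/8; };        // placeholder: internal range

// Views are matched in order; the guest range sits inside 10.0.0.0/8,
// so the guest view must come before the internal one.
// Guests get a minimal zone that carries only the captive-portal name.
view "guest" {
    match-clients { guest-vlan; };
    recursion yes;                        // guests still resolve internet names here
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.guest";
    };
};

// Internal clients get the full internal zone (all private records).
view "internal" {
    match-clients { corp-lan; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

// Everyone else (the public internet) gets the public zone, which
// carries no RFC 1918 addresses at all.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

; ---- db.example.com.guest (constructed example) ----
; Only the captive-portal host lives here, so guests learn nothing
; else about the internal zone.
$TTL 300
@           IN SOA  ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
            IN NS   ns1.example.com.
ns1         IN A    10.99.0.2
clearpass   IN A    10.10.10.5      ; private ClearPass IP, absent from the external view
```

Guests are pointed at this server instead of a public resolver; the guest view answers the portal FQDN with the private address (so the certificate name matches) while exposing none of the other internal records, and the external view never publishes a private IP.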

Re: Clearpass guest without inside DNS

Have you tried to dst-nat the request? When using a name entry within a netdestination you can dst-nat requests to a name on to another IP. For example:


First create an alias for your Clearpass hostname and add a "name" entry:





Then within the policy setup a dst-nat rule for https requests to


user alias svc-https dst-nat x.x.x.x 443 (where x.x.x.x is the internal IP)


You'll also have to add an entry to allow https to the internal IP of Clearpass if you have not already (to avoid a redirect loop of the captive portal redirect).


user host x.x.x.x svc-https permit (or use an alias)


Re: Clearpass guest without inside DNS

Thank you for the suggestions! That is exactly the kind of idea I was looking for but wasn't sure how to implement.


I'm going to give these a try tomorrow.


Re: Clearpass guest without inside DNS

Hi Clembo,


I tried to do it but this doesn't work; my guest client can't browse the guest page because it doesn't get an answer for the FQDN of my ClearPass.


I did this:

Added a name nat-dst in the firewall destination of my mobility controller, like this:



Added one new rule in a new policy and applied it to my unauthenticated role, like this:


Added one new rule in my captive portal policy and applied it to my unauthenticated role, like this:


And after that I reordered my policies:



My guest client has:

Gateway -> My Controller IP in the Guest VLAN

DNS ->


Maybe I forgot something?

Could you help me ?


Thanks a lot
