Contributor II
Posts: 41
Registered: ‎05-17-2016

Guest Service scenario

Hi,

Let me present a Guest access scenario.

The company is using two separate subnets for Corporate (10.x.x.x) and Guest (172.x.x.x) users. A ClearPass cluster is providing wireless 802.1X and Guest services. The Management port is configured with an IP in the Corporate subnet, while the Data port is configured with an IP in the Guest one.

The WLAN infrastructure is pointing towards the Captive Portal page on the Guest subnet (https://10.x.x.x/<page_name>.php), and when a user connects to the Guest SSID the CP page with self-registration is displayed. After entering and confirming the required details, the account info is displayed on the page.

My question is what happens after clicking the "Log In" button on the login page, and how the authentication/RADIUS packets flow.

My guess is that when the user (10.x.x.x) tries to log in, the request is sent to the Management port (172.x.x.x) in the form of a RADIUS request, processed by Policy Manager, and the resulting acceptance/rejection is returned to the user.

So, the questions are: a) is that authentication flow correct, or not, b) if correct, what is the purpose of the Data port in the Guest scenario, c) how would you design this more elegantly.

Thanks everyone in advance.

Cheers,

Alan

Kind regards,
AlanFord
MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Guest Service scenario

My guess is that when the user (10.x.x.x) tries to log in, the request is sent to the Management port (172.x.x.x) in the form of a RADIUS request, processed by Policy Manager, and the resulting acceptance/rejection is returned to the user.
This is correct.

One of the use cases is to place the data port in the DMZ to host the captive portal page (Guest, OnGuard, Onboard); that way the guest/quarantine user is not able to reach the internal (management port) interface of the ClearPass appliance.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
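The RADIUS leg of the flow confirmed above, as an added example that is not part of this thread and not ClearPass or Aruba code: a toy NAS builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, a toy "Policy Manager" decodes it against a constructed guest account table and answers Access-Accept or Access-Reject with a Response Authenticator, and the NAS verifies that authenticator before trusting the answer. The shared secret, NAS address and guest account are constructed placeholders, and only the three attributes the exchange needs are implemented.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed values: the thread's real addresses, secret and accounts are not shown here.
SHARED_SECRET = b"example-nas-secret"    # assumption: NAS<->RADIUS shared secret
GUEST_ACCOUNTS = {"guest1": "Welcome1"}  # constructed self-registered guest account
NAS_IP = "10.0.0.5"                      # assumption: controller (NAS) address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password, secret, authenticator):
    # RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded, secret, authenticator):
    # Inverse of encode_user_password; trailing NUL padding is stripped.
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    # Type-Length-Value; Length counts the two header bytes.
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret):
    # NAS side: header, 16 random bytes of Request Authenticator, then attributes.
    authenticator = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    # Returns (code, identifier, authenticator, {type: value}); rejects bad lengths.
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs


def build_response(code, request, secret):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20)  # toy reply carries no attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request, secret):
    # NAS side: recompute the Response Authenticator with its own secret and compare.
    _, identifier, response_auth, _ = parse_packet(response)
    _, req_identifier, request_auth, _ = parse_packet(request)
    if identifier != req_identifier:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def policy_manager(request, secret, accounts):
    # Toy authentication source: decode the password and match the guest account.
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in accounts and hmac.compare_digest(accounts[user].encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def guest_login(username, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    # One round trip NAS -> server -> NAS: True on Accept, False on Reject, raises when
    # the Response Authenticator fails (e.g. the two ends hold different secrets).
    request = build_access_request(42, username, password, nas_secret)
    response = policy_manager(request, server_secret, GUEST_ACCOUNTS)
    if not verify_response(response, request, nas_secret):
        raise ValueError("Response Authenticator mismatch: secret mismatch or tampered reply")
    return parse_packet(response)[0] == ACCESS_ACCEPT
```

Two things worth noticing for the design question. The Access-Request is sent by the NAS (the controller or whichever device hosts the captive portal login), not by the guest's browser, so the rule that has to cross subnets for UDP 1812/1813 is NAS-to-ClearPass, while the guest client only needs HTTPS to the portal. And the password hiding above is a reversible MD5 stream keyed by the shared secret, which is why the RADIUS path should be restricted to known NAS addresses and never exposed on the guest-facing interface.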
Contributor II
Posts: 41
Registered: ‎05-17-2016

Re: Guest Service scenario

Thanks Victor,

Much appreciated. One last question: if a DMZ doesn't exist in our scenario, would removing the Data port be good/bad/make no difference?

I am asking this because whether we move the imagined CP page to https://172.x.x.x/<page_name>.php or not, there will need to be inter-VLAN (10. client to 172. port) traffic (if not on port 80, then at least on 1812/1813), right?

Regards,

Alan

Kind regards,
AlanFord
MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Guest Service scenario

It really comes down to preference and use case.

But using just the ClearPass Mgmt port is not bad practice.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Guest Service scenario

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=20523

Thank You,
Troy

Contributor II
Posts: 41
Registered: ‎05-17-2016

Re: Guest Service scenario

Thanks Troy, really good document, I haven't read it before.

Regards,

Alan

Kind regards,
AlanFord