11-07-2014 12:52 AM - edited 11-07-2014 01:12 AM
I have the following setup:
IAP's [Native VLAN 20, Corporate VLAN 40, Guest VLAN 44]
Clearpass [VLAN 20]
ADSL Router [VLAN 44, ADSL Router is the DHCP server (only in this VLAN)]
My use case is the following:
Corporate Users connect to Corporate SSID via 802.1X and are put in VLAN 40 on successful authentication.
Guest Users connect to the Guest SSID and redirected to Captive Portal. After successful authentication the should be configured to VLAN 44 and the should get an IP of that subnet (ADSL Router).
Is this setup possible? How to configure the redirection?
I know there would be a possibility but I would need to have VLAN 44 on Clearpass. This is not possible at the moment in my setup due to political issues of the customer.
So I'm using the "Virtual Controller assigned" IP feature of Instant. This does a source NATing to Clearpass and works. But after successful authentication on the portal how do I redirect the authenticated guest to VLAN 44?
12-20-2014 11:40 PM
did you get this working?
i worked just too little with IAP to be sure, but i believe that if you just keep your users in vlan44 and the IAP has access to the clearpass via some network interface this will work. have you tried that?
can get the details from your question, but first assigning an ip from vlan x to a user and only after authentication giving and ip from vlan y is probably not what you want. it might work, but in general devices don't like the vlan switch.
12-21-2014 11:27 PM
No, actually this doesn't work. Doesn't matter what or how you configure it... I'm pretty pissed, honestly.
Of course, the way to do that is to have an interface of clearpass in the same subnet/vlan. But in this case this was 'politically' not possible. And my solution was that here would come the cool Aruba Instant NAT feature into the game but then we found out (Swiss Aruba SE involed as well as Aruba TAC Support from India or wherever) that it's maybe called NAT but clearly not working as such a technology a network engineer would expect.
Changing VLAN's and IP's on the fly is not a good idea - a lot of devices don't like that!