08-09-2016 10:59 AM - edited 08-09-2016 11:01 AM
I was hoping that someone could look over what I've done and suggest ways to make it better... or explain how I'm actually re-inventing the wheel and could have done it in fewer steps.
We have a single SSID, call it 'guest', (and we only want to use single SSID for this sort of thing).
What I want, though, is multiple captive portals accessible from this one SSID for, say, multiple simultaneous conferences in different locations.
I could have a 'menu' web page as the captive portal page with links to each conference CP but that requires users to know which conference they're at and I don't want to assume that level of cognitive ability.
So, I put together a configuration in Clearpass (my first as it happens) which does this:
1. Controller is configured with a logon role which does MAC authentication to Clearpass CPPM.
2. The associated Clearpass Service is 'Allow all MAC AUTH' and acts as a way of obtaining information such as 'AP Name' from the RADIUS request.
3. The Enforcement Policy for this Service says something like "if the Connection:AP-Name begins with AP-CONF1 then use Enforcement profile 'Conf1 Captive Portal'" or "if the Connection:AP-Name begins with AP-CONF2 then use Enforcement profile 'Conf2 Captive Portal'".
4. The 'ConfX Captive Portal' profiles send back the RADIUS attribute Aruba-User-Role with the value of 'confX-captive-portal-logon', where X represents a conference.
5. On the controller are matching user roles with L3 Captive Portal authentication profiles of 'Conf1', 'Conf2' etc. etc.
6. These Captive Portal profiles each have a Login Page URL entry corresponding to a Web Login page on Clearpass Guest.
7. Each Web Login page is specific to a particular conference.
Thus, when a client connects, Clearpass spots the AP Name and sends back a user role which corresponds to the conference being held using those APs. (In this example the APs are named for their buildings and we only have one conference at a time per building.) Then the client's web request is redirected to the captive portal for that conference.
The approach is a bit simplistic in its logic but for each conference it requires
1. An edit to the Enforcement Policy to add/remove the conditions
2. An Enforcement Profile
3. A user Role on the controller
4. An L3 Captive Portal Authentication profile on the controller
5. A Web Login page on Clearpass Guest.
Is there a more efficient and elegant way of doing this, preferably one that doesn't require steps 3 and 4? It would be nice if the Enforcement Policy could simply say 'If Name begins XXXX send back generic-captive-portal-role' and then have a generic-captive-portal-role on the controller which redirects to a generic captive portal URL, and that page picks up some saved attribute associated with the MAC AUTH to say 'redirect to the appropriate Web Login'.
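The decision the steps above describe, as an added example for readers of this thread (it is not the original poster's configuration or anything exported from Clearpass). It models the Enforcement Policy as a first-match rule table keyed on Connection:AP-Name and the controller side as role -> captive-portal profile -> Login Page URL, and adds two things the post's "begins with" wording leaves open: a boundary-aware match so an AP-CONF1 rule cannot also claim AP-CONF10, and a generic fallback role for APs no rule covers. Conference names, role names, hostnames, URLs and the sample request are all made up.

```python
"""Modelled Clearpass enforcement decision for the one-SSID, many-portals setup.

Added example, not Clearpass or ArubaOS code. Reproduces the policy the post
describes (Connection:AP-Name prefix -> Aruba-User-Role -> captive portal profile)
and shows the prefix-collision pitfall plus a default role. All names are made up.
"""
from dataclasses import dataclass
from typing import Dict, List

# Aruba VSA returned in the Access-Accept; the controller maps it to a user role.
ARUBA_USER_ROLE = "Aruba-User-Role"


@dataclass(frozen=True)
class Rule:
    ap_prefix: str   # AP-Name prefix for the building, e.g. "AP-CONF1"
    role: str        # Aruba-User-Role value the enforcement profile sends back
    login_url: str   # Login Page URL in that role's captive-portal profile (assumed)


# Constructed stand-in for the Enforcement Policy rules and the matching controller
# profiles. Deliberately includes CONF1 and CONF10 to show why ordering/matching matters.
RULES: List[Rule] = [
    Rule("AP-CONF1",  "conf1-captive-portal-logon",  "https://cppm.example.net/guest/conf1_login.php"),
    Rule("AP-CONF10", "conf10-captive-portal-logon", "https://cppm.example.net/guest/conf10_login.php"),
    Rule("AP-CONF2",  "conf2-captive-portal-logon",  "https://cppm.example.net/guest/conf2_login.php"),
]
# Fallback so a client on an unlisted AP still lands on a known portal rather than
# whatever the service's default enforcement profile happens to be.
DEFAULT_RULE = Rule("", "generic-captive-portal-logon", "https://cppm.example.net/guest/generic_login.php")


def naive_begins_with(ap_name: str, rule: Rule) -> bool:
    """'begins with' exactly as worded in the post: AP-CONF1 also matches AP-CONF10-FL2."""
    return ap_name.startswith(rule.ap_prefix)


def begins_with_token(ap_name: str, rule: Rule) -> bool:
    """Prefix must end at a separator or at end of string, so AP-CONF1 matches
    AP-CONF1 and AP-CONF1-FL2 but not AP-CONF10-FL2."""
    if not ap_name.startswith(rule.ap_prefix):
        return False
    rest = ap_name[len(rule.ap_prefix):]
    return rest == "" or rest[0] in "-_."


def enforce(request: Dict[str, str], strict: bool = True) -> Dict[str, str]:
    """Evaluate the MAC-auth service's enforcement policy for one Access-Request.
    First matching rule wins (Clearpass 'first applicable' evaluation); returns
    the reply attributes the controller would receive."""
    ap_name = request.get("Connection:AP-Name", "")
    match = begins_with_token if strict else naive_begins_with
    for rule in RULES:
        if match(ap_name, rule):
            return {ARUBA_USER_ROLE: rule.role}
    return {ARUBA_USER_ROLE: DEFAULT_RULE.role}


def redirect_url(reply: Dict[str, str]) -> str:
    """Controller side: the role's L3 captive-portal profile supplies the Login Page
    URL that the client's first HTTP request is redirected to."""
    role = reply[ARUBA_USER_ROLE]
    for rule in RULES + [DEFAULT_RULE]:
        if rule.role == role:
            return rule.login_url
    raise KeyError(f"no user role {role!r} configured on the controller")


def portal_for(ap_name: str, strict: bool = True) -> str:
    """End to end: constructed MAC-auth request -> Aruba-User-Role -> Web Login URL."""
    request = {                                   # constructed sample request
        "Connection:Client-Mac-Address": "aa-bb-cc-dd-ee-ff",
        "Connection:AP-Name": ap_name,
        "Connection:NAD-IP-Address": "192.0.2.10",
    }
    return redirect_url(enforce(request, strict))


if __name__ == "__main__":
    for name in ["AP-CONF1-FL2", "AP-CONF10-FL2", "AP-CONF2-LOBBY", "AP-LIBRARY-01"]:
        print(f"{name:15} naive  -> {portal_for(name, strict=False)}")
        print(f"{name:15} strict -> {portal_for(name)}")
```

Run it and compare the two columns for AP-CONF10-FL2: with plain "begins with" and the CONF1 rule listed first, the client is sent to the Conf1 portal; the token-aware match (or simply listing the longer prefix first in the Enforcement Policy) sends it to Conf10. The generic fallback is what step 22's "generic-captive-portal-role" idea would need on the controller side anyway.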
08-09-2016 11:04 AM
You can create generic role names and captive portal profiles to do it:
aaa authentication captive-portal conf-a
Makes it easier to track everything.
08-09-2016 01:12 PM
Thanks for that. Good to know I'm on the right path.
Is it likely that a future version of Clearpass will implement a way to support multiple captive portals like this internally, without the need for special controller config?
08-09-2016 01:16 PM
Something that would make your policy a bit more simple would be to leverage AP group names instead of trying to match on individual names.
08-29-2016 07:12 AM
Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com