Security

Hi!

 

I am doing a lab where I have a Clearpass on vlan 13, my switch has an IP on the management vlan (12) and the guests are going to vlan 100.

 

I wasn't able to get a proper Captive Portal redirection until I added an IP address on the Guest Vlan on my Cisco 2960.

 

can someone enlighten me and explain the reason why the switch needs an IP address on the guest Vlan to get the clients redirected to clearpass captive portal?

 

the guest gateway is my firewall.

 

thank you!!

The VLAN must have an IP address so that traffic can be routed to VLAN 13
where ClearPass lives. Otherwise, it's just a private VLAN where traffic
can't exit.

Still confused.

 

the guests have their gateway on the upstream firewall.

 

the process of http redirection is not very clear to me.

 

I understand that the switch captures the request and sends a 301 code saying "your webpage changed! Please go to clearpass"...

 

but why can't this work without the IP address on the guest Vlan? :)

 

thank you

Because the client needs IP connectivity to ClearPass.

Hi!

 

The Guest Gateway has routes to CPPM so in terms of pure routing everything is "prepared" to let the guest clients to reach CPPM

In my environment we put the guest VLANs on the controller and the Corp VLANs on the Cisco.  From the Cisco we trunk the corp VLANs and the management VLAN to the controller and route the guest VLAN to the controller.  On the controller we have a default route on the controller pointing to the switch.  No need to have any guest vlans on the switch but as others have said you still have to route.