08-27-2015 12:56 PM
I am doing a lab where I have a ClearPass on VLAN 13, my switch has an IP on the management VLAN (12) and the guests are going to VLAN 100.
I wasn't able to get a proper Captive Portal redirection until I added an IP address on the guest VLAN on my Cisco 2960.
Can someone enlighten me and explain the reason why the switch needs an IP address on the guest VLAN to get the clients redirected to the ClearPass captive portal?
The guest gateway is my firewall.
08-27-2015 12:57 PM
where ClearPass lives. Otherwise, it's just a private VLAN where traffic
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
08-27-2015 01:02 PM
The guests have their gateway on the upstream firewall.
The process of HTTP redirection is not very clear to me.
I understand that the switch captures the request and sends a 301 code saying "your webpage changed! Please go to ClearPass"...
But why can't this work without the IP address on the guest VLAN? :)
08-28-2015 08:34 PM
In my environment we put the guest VLANs on the controller and the Corp VLANs on the Cisco. From the Cisco we trunk the corp VLANs and the management VLAN to the controller and route the guest VLAN to the controller. On the controller we have a default route on the controller pointing to the switch. No need to have any guest VLANs on the switch, but as others have said, you still have to route.