Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Why should I set up vlan interface IP ?

  • 1.  Why should I set up vlan interface IP ?

    Posted Apr 14, 2016 04:57 AM

    Hi Guys,

     

    I set up a Captive portal profile today, but the portal couldn't pop up.

    After I've checked everything, I found I didn't set up a vlan interface for the user's VLAN.

    But I have a MAS as my default route, why should I need a vlan interface IP?

     

     

    Please someone tell me why.

     

    Thanks.



  • 2.  RE: Why should I set up vlan interface IP ?

    EMPLOYEE
    Posted Apr 14, 2016 05:05 AM
    An IP is required for dst-nat which is used to redirect the user.


  • 3.  RE: Why should I set up vlan interface IP ?

    Posted Apr 14, 2016 05:19 AM

    Thanks,

    And why can't the user use the controller IP to do the dst-nat?



  • 4.  RE: Why should I set up vlan interface IP ?
    Best Answer

    EMPLOYEE
    Posted Apr 14, 2016 05:21 AM
    Because the controller IP is not in their datapath.


  • 5.  RE: Why should I set up vlan interface IP ?

    Posted Apr 14, 2016 05:37 AM

    Thanks, 

    Could you tell a little bit more about it?

     

    From the Policy, we can see this:

     

    358: user any  6  0-65535  80-80   d1f90,0000 f80021:permit dnat  

     

    Anyone from the user table who tries to reach any IP on TCP port 80 hits this policy.

    From the WebUI, it shows dst-nat 8081.

    Does this dst-nat 8081 mean the vlan interface IP only?

     



  • 6.  RE: Why should I set up vlan interface IP ?

    EMPLOYEE
    Posted Apr 14, 2016 05:41 AM
    I'm not sure what you're asking. Traffic destined for ports 80 and 443 is dnat'ed to the controller's IP on the user's subnet and ports 8081 or 8082.


  • 7.  RE: Why should I set up vlan interface IP ?

    Posted Mar 24, 2017 07:47 PM

    This kinda helps me understand why a controller-hosted captive portal config needs an IP on the client VLAN; however, would the same be true if we were redirecting to an external ClearPass appliance?

     

    Couldn't I simply have an ACL rule that allows HTTP & HTTPS traffic to the ClearPass IP?

     

    Thanks, 

     



  • 8.  RE: Why should I set up vlan interface IP ?

    EMPLOYEE
    Posted Mar 24, 2017 07:49 PM
    Yes, you need an IP address when doing any kind of redirect.