Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

  • 1.  Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

    Posted Feb 18, 2015 07:12 AM

    Hello all,

     

    We've recently implemented Clearpass Guest with a bunch of Instant APs and the captive portal is working really well for wireless.

     

    We would like to implement the same solution for wired - however, we have a range of different switches (Dell, Cisco) and do not have an Aruba controller (to use the untrusted port method) nor Aruba switches to natively support external captive portal.

     

    Would be interested to hear how others are providing captive portal in these scenarios?  Especially in a way that will scale for remote locations (i.e. not having to purchase an Aruba switch for each site?)

     

    Any thoughts / suggestions appreciated.

     

    Thank you



  • 2.  RE: Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

    EMPLOYEE
    Posted Feb 18, 2015 07:33 AM
    Are you working with an Aruba partner? Captive portal on switches is code and vendor dependent and can be somewhat complex if you have multiple switch vendors.

    Thanks, 
    Tim


  • 3.  RE: Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

    Posted Feb 18, 2015 08:09 AM

    Thanks Tim,

     

    We mainly have Dell 7048p switch stacks - they do support an internal captive portal, however not external :(.

     

    Remote sites have Cisco switches.

     

    I was thinking of a couple of options as a possible workaround:

    - inline bridging from the guest VLAN to a VM of some sort that can provide captive portal functionality, redirecting to the external ClearPass guest portal

    - purchasing an Aruba Mobility switch, making it the L3 exit point from the Guest VLAN to provide captive portal (this approach would need an Aruba switch per site, though)

     

    Any thoughts?  Thanks!

     

     



  • 4.  RE: Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

    Posted Feb 18, 2015 08:54 AM

    I managed to get a solution working with Brocade switches where 'unknown' MAC addresses were placed by Clearpass into a 'guest' VLAN. The guest VLAN had a Linux server that acted as a DHCP, HTTP and DNS server. Any DNS requests made returned the IP of the server that would then present a default webpage that had an HTML redirect that would send the user to the CPPM captive portal.

     

    It was a bit of a hack and a nightmare to manage and configure to be honest, but it did work. The Brocades did have a captive portal but this wasn't configurable so we couldn't do a redirect. If we'd been able to alter the HTML, we could have redirected to CPPM.

     

    The other option would have been to buy a small 600 series controller and put that between the switch and its uplink so we could have implemented user roles to do a standard cp redirect.
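
The HTTP half of the guest-VLAN helper described in post 4, as an added example that is not part of the original thread or any poster's code: it answers every plain-HTTP request with a 302 to the external portal (a 302 instead of the HTML redirect the post mentions). `PORTAL_URL`, the `url` query parameter and port 8080 are placeholders and assumptions, not ClearPass settings.

```python
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlencode

# Assumption: placeholder for the external guest portal; replace with your own URL.
PORTAL_URL = "https://portal.example.invalid/guest/login"

# Host header is client-controlled: accept only hostname[:port] characters.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}(:\d{1,5})?")


def build_redirect(host, path):
    """Return the Location value for a request that reached the catch-all server.

    The originally requested URL is passed along percent-encoded in a
    hypothetical 'url' parameter; an invalid Host yields the bare portal URL.
    """
    if not host or not _HOST_RE.fullmatch(host):
        return PORTAL_URL
    # Proxy-style absolute request targets are reduced to "/".
    original = "http://" + host + (path if path.startswith("/") else "/")
    return PORTAL_URL + "?" + urlencode({"url": original[:512]})


class Redirector(BaseHTTPRequestHandler):
    def _redirect(self):
        location = build_redirect(self.headers.get("Host", ""), self.path)
        self.send_response(302)
        self.send_header("Location", location)
        # Stop browsers caching the redirect for the real site after login.
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect


if __name__ == "__main__":
    # The catch-all DNS answer must point at this host; only plain HTTP
    # can be redirected this way, HTTPS requests will fail instead.
    ThreadingHTTPServer(("0.0.0.0", 8080), Redirector).serve_forever()
```

Keep the TTL on the catch-all DNS answers short, otherwise clients keep resolving real hostnames to the helper after they have authenticated and moved out of the guest VLAN.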