02-18-2015 04:11 AM
We've recently implemented Clearpass Guest with a bunch of Instant APs and the captive portal is working really well for wireless.
We would like to implement the same solution for wired - however, we have a range of different switches (Dell, Cisco) and do not have an Aruba controller (to use the untrusted port method) nor Aruba switches to natively support external captive portal.
Would be interested to hear how others are providing captive portal in these scenarios? Especially in a way that will scale for remote locations (i.e. not having to purchase an Aruba switch for each site?)
Any thoughts / suggestions appreciated.
02-18-2015 04:33 AM - edited 02-18-2015 04:36 AM
02-18-2015 05:08 AM
We mainly have Dell 7048p switch stacks - they do support an internal captive portal, however not external :(.
Remote sites have Cisco switches.
I was thinking of a couple of options as a possible workaround:
- inline bridging from the guest VLAN to a VM of some sort that can provide captive portal functionality, redirecting to the external ClearPass guest portal
- purchasing an Aruba Mobility switch, making it the L3 exit point from the Guest VLAN to provide captive portal (this approach would need an Aruba switch per site, though)
Any thoughts? Thanks!
02-18-2015 05:53 AM
I managed to get a solution working with Brocade switches where 'unknown' mac addresses where placed by Clearpass into a 'guest' VLAN. The guest VLAN had a linux server that acted as a DHCP,http and DNS server. Any DNS requests made returned the IP of the server that would then present a default webpage that had an HTML redirect that would send the user to the CPPM captive portal.
It was a bit of a hack and a nightmare to manage and configure to be honest, but it did work. The Brocades did have a captive portal but this wasn't configurable so we couldn't do a redirect. If we'd been able to alter the html, we could have redirected to CPPM.
The other option would have been to buy a small 600 series controller and put that between the switch and its uplink so we could have implemented user roles to do a standard cp redirect.