Occasional Contributor I
Posts: 9
Registered: ‎02-15-2015

Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

Hello all,

We've recently implemented Clearpass Guest with a bunch of Instant APs and the captive portal is working really well for wireless.

We would like to implement the same solution for wired - however, we have a range of different switches (Dell, Cisco) and do not have an Aruba controller (to use the untrusted port method) nor Aruba switches to natively support external captive portal.

Would be interested to hear how others are providing captive portal in these scenarios? Especially in a way that will scale for remote locations (i.e. not having to purchase an Aruba switch for each site?)

Any thoughts / suggestions appreciated.

Thank you

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

Are you working with an Aruba partner? Captive portal on switches is code and vendor dependent and can be somewhat complex if you have multiple switch vendors.

Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 9
Registered: ‎02-15-2015

Re: Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

Thanks Tim,

We mainly have Dell 7048p switch stacks - they do support an internal captive portal, however not external :(.

Remote sites have Cisco switches.

I was thinking of a couple of options as a possible workaround:

- inline bridging from the guest VLAN to a VM of some sort that can provide captive portal functionality, redirecting to the external ClearPass guest portal

- purchasing an Aruba Mobility switch, making it the L3 exit point from the Guest VLAN to provide captive portal (this approach would need an Aruba switch per site, though)

Any thoughts? Thanks!

Contributor II
Posts: 36
Registered: ‎11-18-2014

Re: Wired Captive Portal with Clearpass Guest, Instant APs and non-Aruba switches

I managed to get a solution working with Brocade switches where 'unknown' MAC addresses were placed by Clearpass into a 'guest' VLAN. The guest VLAN had a Linux server that acted as a DHCP, HTTP and DNS server. Any DNS requests made returned the IP of the server that would then present a default webpage that had an HTML redirect that would send the user to the CPPM captive portal.

It was a bit of a hack and a nightmare to manage and configure to be honest, but it did work. The Brocades did have a captive portal but this wasn't configurable so we couldn't do a redirect. If we'd been able to alter the HTML, we could have redirected to CPPM.

The other option would have been to buy a small 600 series controller and put that between the switch and its uplink so we could have implemented user roles to do a standard cp redirect.
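
The DNS catch-all and HTML redirect described in the post above, sketched as an added example (not the poster's code and not part of ClearPass). `HELPER_IP`, `PORTAL_URL` and all function names are assumptions for illustration; the portal is referenced by IP literal so the catch-all DNS does not capture the portal's own hostname.

```python
import socket
import struct

# Assumed values for illustration (not from the thread):
HELPER_IP = "192.0.2.10"                                # guest-VLAN address of the Linux helper
PORTAL_URL = "https://198.51.100.20/guest/PLACEHOLDER"  # external CPPM portal, by IP literal

def catch_all_dns_reply(query, helper_ip=HELPER_IP):
    """Return a DNS reply answering any A question with helper_ip, or None to drop."""
    if len(query) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:            # drop responses and odd packets
        return None
    pos = 12
    while pos < len(query) and query[pos] != 0:   # walk the QNAME labels
        if query[pos] & 0xC0:                     # no compression pointers in a question
            return None
        pos += 1 + query[pos]
    if pos + 5 > len(query):                      # need root label + QTYPE + QCLASS
        return None
    qtype, qclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    question = query[12:pos + 5]
    rflags = 0x8480 | (flags & 0x0100)            # QR, AA, RA set; echo the client's RD bit
    if (qtype, qclass) != (1, 1):                 # not A/IN: empty NOERROR answer
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    # Name pointer to offset 12, type A, class IN, TTL 30 s, 4-byte address.
    # The short TTL keeps clients from caching the helper's address after login.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + socket.inet_aton(helper_ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer

def redirect_response(portal_url=PORTAL_URL):
    """HTTP response carrying the HTML redirect; no-store stops browsers caching it."""
    body = (f'<html><head><meta http-equiv="refresh" content="0; url={portal_url}">'
            f'</head><body><a href="{portal_url}">Guest login</a></body></html>').encode()
    head = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-store\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode()
    return head + body

def make_query(name, qtype=1, txid=0x1234):
    """Build a constructed sample query (RD set) for exercising the responder."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

Clients that validate DNSSEC or use DNS-over-HTTPS will not follow a catch-all answer, and HTTPS requests to the helper fail certificate checks, so the redirect only fires on plain-HTTP probes.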
