Wireless Access

Occasional Contributor II

Advice for guest wifi in branch with CPPM captive portal in the DC

Hi everyone. I'm looking for some advice on deploying a new corporate and guest wifi setup in branch and campus locations with ClearPass being used for authentications and for the guest captive portal.

The plan is to have a small local controller for each branch and a pair of larger controllers for the campuses running AOS8.x. These would talk back to Mobility Masters sitting in the DC where ClearPass, DNS, DHCP all live. Each site is also going to have its own internet connection so the company would like internet bound traffic to egress out locally and everything else going back to the DC that's internal. I think I have the corporate wifi stuff all figured out in my head in terms of routing and authenticating back to ClearPass. What I'm not too clear on is how can I serve the same guest wifi experience for these locations?

I want to have the captive portal sitting on our internal ClearPass in the DC (not on the local controllers) but if I assign a local, non-routable subnet for the guests, how will their device route over to the DC to register? Egressing out to the local internet seems like it would be simple enough meaning their packets don't have to go to the DC for anything. DNS would be external so it follows a default route towards the firewall for NATing.

Maybe I'm not knowledgeable enough on how to set this up as I'm still fairly new to this but I'm sort of stuck just at the solutioning phase on how this would work. An alternative that's been brought up is to continue with the DMZ controllers we currently use for guest and have the local controllers tunnel back to them but this doesn't work if the requirement is to force all internet traffic (corp & guest) out locally and not the DC's internet pipes.

Appreciate any tips or recommendations. Thanks.

Frequent Contributor I

Re: Advice for guest wifi in branch with CPPM captive portal in the DC

We send all captive portal to ClearPass over the internet. The public IP for ClearPass is front ended on our load balancer that also handles the SSL offload. We also do the same for guest DNS traffic. We also use the ClearPass application ACL to limit access to guest from all of my site IP ranges. Once authenticated, the new role prohibits access to ClearPass.


#AirheadsMobile

Re: Advice for guest wifi in branch with CPPM captive portal in the DC

I had a similar situation to the OP's before and the solution might be suitable for yourselves. Essentially we had the CPPM sitting within the DC and the Guest VLAN on a separate VRF. The only difference is this was an IAP + CPPM deployment, but should still be the same for a Controller + CPPM.

There was no way for the Guest VLAN to be able to reach the CPPM within the DC, the result of this was that the Guest VLAN was unable to reach the Captive Portal. The IAP was on a management VLAN which could reach the CPPM.

In order to get around this we used a src-nat on the Captive Portal traffic to src-nat/hide behind the IAP so that this traffic traversed the Corporate link. RADIUS traffic from the VC to the CPPM was fine as it went via the Corporate Link, Captive Portal Traffic was src-nat behind the AP (customer agreed to having this Guest traffic on Corporate Links) and the remaining Guest traffic simply was routed locally. The Guest VLAN used public external DNS servers.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: Advice for guest wifi in branch with CPPM captive portal in the DC

I like the NAT idea at the branch/campus side being done by the controller. In discussing it with another colleague, the only caveat we could see is that the original IP of the guest host device is hidden from the firewalls, as everything looks like it's coming from a single IP address.

Re: Advice for guest wifi in branch with CPPM captive portal in the DC

Only the HTTP/HTTPS traffic to the Captive Portal is src-nat behind the controller. The rest of the user traffic will not be src-nat and will be seen from the guest user's IP.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
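To make the split described in the reply above concrete, here is an added example (not posted by anyone in this thread, and not Aruba's reference config) of what the pre-auth and post-auth guest roles on a branch controller could look like in ArubaOS-style session ACL syntax. It assumes a placeholder ClearPass address of 10.10.10.50, a placeholder internal range of 10.0.0.0/8, and role and profile names (guest-logon, guest, cp-guest-profile) that are assumptions, not values from the thread; the built-in captiveportal ACL name is the controller's standard redirect ACL. Only the HTTP/HTTPS flows to ClearPass are src-nat'd behind the controller so they can ride the corporate link; DNS and, after login, all other guest traffic leaves via the local internet link with the client's own address intact, and the post-auth role denies ClearPass and the internal range as the first reply recommends.

```text
! Added example, not from the thread. Placeholder values:
!   10.10.10.50      ClearPass node in the DC
!   10.0.0.0/8       internal/DC address space
!   guest-logon      pre-auth role (assumed name)
!   guest            post-auth role (assumed name)
!   cp-guest-profile captive portal profile pointing at ClearPass (assumed name)

! Pre-auth: src-nat only the captive portal exchange with ClearPass so it
! traverses the corporate link; DNS and DHCP are plain permits (local egress).
ip access-list session guest-cp-nat
  user host 10.10.10.50 svc-https src-nat
  user host 10.10.10.50 svc-http src-nat
  user any svc-dns permit
  user any svc-dhcp permit
  user any any deny

user-role guest-logon
  access-list session captiveportal
  access-list session guest-cp-nat
  captive-portal cp-guest-profile

! Post-auth: the guest must no longer reach ClearPass or anything internal;
! everything else is permitted without NAT, so firewalls see the real guest IP.
ip access-list session guest-post-auth
  user host 10.10.10.50 any deny
  user network 10.0.0.0 255.0.0.0 any deny
  user any any permit

user-role guest
  access-list session guest-post-auth
```

The point of keeping the src-nat action to two lines is exactly the caveat raised earlier in the thread: only the portal login flows are hidden behind the controller's address, so the branch firewall still sees per-client source IPs for all other guest traffic. When checking this, confirm with a test client that the portal page loads from the DC before login and that ClearPass is unreachable once the post-auth role is applied.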
Occasional Contributor II

Re: Advice for guest wifi in branch with CPPM captive portal in the DC

Oh, that's actually pretty smart! I didn't realize that you could choose what destination(s) to src-nat. Looks like this could be a possible solution for us then. Thanks!

P.S. I assume this can be done with IAPs and the virtual controller as well?

Re: Advice for guest wifi in branch with CPPM captive portal in the DC

Yep, can be done with the IAP too :)

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)