Contributor II

ClearPass Captive Portal config

This is a more broad networking concept question but I am just not quite getting it.


We recently implemented ClearPass for guest access. ClearPass server is at internally. We have a LAN guest network at (with a Palo Alto as the default gateway doing DHCP) and a wireless guest network (local to the controller and not routed) at for which the controller does DHCP. 


Guest connects to network, gets 192.168.10.X address and is assigned to clearpass_logon role. In order for them to hit the captive portal at we have to NAT (the controller's path to the internal network) to itself but I am not clear why.


I have to document the connectivity and I see how it works but not why; I am really hung up on why we have to NAT to itself in order to hit the captive portal.

Guru Elite

Re: ClearPass Captive Portal config

The dst-nat process requires an L3 interface on the controller in order to redirect the traffic.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: ClearPass Captive Portal config

I get that an L3 interface is needed to route the traffic internally; I am not clear why NAT is needed to do this. Can't the L3 interface in (on the controller) route internally by sending to (also on the controller)?
