Contributor I
Posts: 43
Registered: ‎06-19-2014

ClearPass Captive Portal config

This is a broader networking concept question, but I am just not quite getting it.

We recently implemented ClearPass for guest access. The ClearPass server is at 172.21.1.35 internally. We have a LAN guest network at 192.168.1.0/24 (with a Palo Alto as the default gateway doing DHCP) and a wireless guest network (local to the controller and not routed) at 192.168.10.1/24, for which the controller does DHCP.

A guest connects to the network, gets a 192.168.10.X address and is assigned to the clearpass_logon role. In order for them to hit the captive portal at 172.21.1.35 we have to NAT 172.21.1.10 (the controller's path to the internal network) to itself, but I am not clear why.

I have to document the connectivity and I see how it works but not why; I am really hung up on why we have to NAT 172.21.1.10 to itself in order to hit the captive portal.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: ClearPass Captive Portal config

The dst-nat process requires an L3 interface on the controller in order to redirect the traffic.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 43
Registered: ‎06-19-2014

Re: ClearPass Captive Portal config

I get that an L3 interface is needed to route the traffic internally; I am not clear why NAT is needed to do this. Can't the L3 interface in 192.168.10.0 (on the controller) route internally by sending to 172.21.1.10 (also on the controller)?
