Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest Authentication through a Firewall

  • 1.  Clearpass Guest Authentication through a Firewall

    Posted Jun 21, 2016 12:37 PM

    I have an Aruba Controller and Clearpass install where I am unable to get Guests on the network through the Clearpass guest portal.

    The Clearpass server is a VM with a single interface on the trusted network on the inside of a Fortigate firewall and is being used successfully for WPA2 Enterprise/802.1X authentication of corporate users.  The controller has an interface on both the trusted network and in the Guest network DMZ, which is separated from the corporate network by the firewall.

    The Clearpass Guest portal is configured to use a single guest user and the basic "I accept" button.  If I hide the guest network behind a source-nat on the controller, everything seems to work normally.  When I remove the NAT and allow preauth guest clients to exist in the Guest DMZ subnet, they can get to the Clearpass portal page, but clicking the accept button does not change their role on the controller and they are simply looped back to the guest portal.

    Ports 80, 443, 1812, 1813 and 3799 have been opened between the guest network and the Clearpass server and as I mentioned preauth clients on the Guest DMZ subnet can get to the Clearpass Portal page.

    I unfortunately cannot post the configurations at this time but wanted to see if there is anything basic that I might be forgetting.



  • 2.  RE: Clearpass Guest Authentication through a Firewall

    Posted Jun 21, 2016 01:26 PM

    Hi Bill,

     

    Thanks much for your post. Please make sure the Clearpass servers are allowed in the initial role on the controller. For example, if the initial role is the logon role used to get the CP page, make sure you allow the Clearpass servers, something like below.

     

    user alias clearpass any svc-http permit 

    user alias clearpass any svc-https permit

     

    Also make sure the post-auth role doesn't contain the dst-nat ACLs, as that would redirect in a loop back to the captive portal page. Check the Access Tracker on the Clearpass to see if there is any role returned to the controller.

     

    Thank you,

    Sriram



  • 3.  RE: Clearpass Guest Authentication through a Firewall

    Posted Jun 21, 2016 01:37 PM

    Thanks Sriram.  Can you think of anything that would cause an authenticated guest user to be redirected to the IP address of the controller? 

     


  • 4.  RE: Clearpass Guest Authentication through a Firewall

    Posted Jun 21, 2016 01:55 PM

    Bill,

     

    Please look at DNS resolution on your non-working client to understand why it redirects back to the controller.

     

    Thank you,

    Sriram