Controllerless Networks

last person joined: 3 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

IAP guest clients NAT to captive portal

Jump to Best Answer
  • 1.  IAP guest clients NAT to captive portal

    Posted Sep 30, 2019 09:53 PM

    Hi all,

     

    I have a customer that has a guest network that cannot route to the captive portal hosted on ClearPass. I have tried source NATing them through the AP with no luck, the page just times out as if there is still no route. I can ping the ClearPass page from the VC as expected as they talk fine with regular 802.1X networks. Config for the pre-auth role is below:

     

    Enforce captive portal external TWB Clearpass
    Allow dhcp to all destinations
    Allow dns to all destinations
    Allow http on server 10.210.4.17 and change source address to Access Point's
    Allow https on server 10.210.4.17 and change source address to Access Point's
    Deny any to all destinations + log

     

    When I test it using a VLAN that DOES have a route to ClearPass (without the NAT) the clients successfully get redirected to the Captive Portal so I know the ClearPass config and SSL certificates are trusted.

     

    Client IP asignment is currently set 'Network Assigned' because the default Default Gateway for the Guest VLAN is on a router that has no route to the internal network (also acts as DNS and DHCP server). I can't use 'Virtual Controller Assigned' because the APs do not have a route to the Internet Route that is being used for this solution.

     

    Any ideas?

     

    -Brett

     

     

     



  • 2.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 03:36 AM

    Is your Captive Portal profile pointing to the DNS name or the IP address? If you run a pcap on CPPM, can we confirm the packet never actually arrives at CPPM? Also take a look at 'show datapath session | include [IP ADDRESS] to confirm the traffic is correctly being src-nat and not denied by any ACL.



  • 3.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 06:05 AM

    For Captive Portal to work you would need to ensure that the IAP can resolve the IP the client is trying to reach. You said that the IAP doesn't have access to internet - but does it have access to the DNS server?

     

    On the IAP - can you ping the clearpass server you are trying to redirect to using both dns and IP? I see you allow HTTPS so I'm guessing you are using DNS name..



  • 4.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 08:02 PM

    Hi John,

     

    Yes the IAP can resolve the captive portal.

     

     

    # ping xxxx.xxxx.xxxx (name removed)
    Press 'q' to abort.
    PING 10.210.4.17 (10.210.4.17): 56 data bytes
    64 bytes from 10.210.4.17: icmp_seq=0 ttl=57 time=19.1 ms
    64 bytes from 10.210.4.17: icmp_seq=1 ttl=57 time=19.2 ms
    64 bytes from 10.210.4.17: icmp_seq=2 ttl=57 time=19.2 ms
    64 bytes from 10.210.4.17: icmp_seq=3 ttl=57 time=18.9 ms
    64 bytes from 10.210.4.17: icmp_seq=4 ttl=57 time=18.8 ms
    
    --- 10.210.4.17 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 18.8/19.0/19.2 ms

     

     

    In the source NAT rule I have also tried to allow the hostname of the captive portal instead of IP address. Even when I source NAT all IP traffic through the AP to the captive portal, the client ping or see any ports other than TCP 8080 open on the server.

     

    -Brett

     

     



  • 5.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 08:21 PM

    Hi Craig,

     

    Captive portal uses the FQDN of the ClearPass server. 

     

    When I filter on the IP address in the datapath session for either the client or ClearPass IP. I get no results...

     

    show datapath session | i 172.16.0.9
    show datapath session | i 10.210.4.17

     

    Even when I put the guest clients in to a corporate VLAN (where the captive portal flow works fine) I don't see anything in the datapath session for anything guest related. I do see a lot of traffic in the session table for non-captive portal SSIDs.

     

    -Brett



  • 6.  RE: IAP guest clients NAT to captive portal

    Posted Oct 02, 2019 07:38 AM

    Hi Brett

     

    Weird issue, but probably an easy fix which I wish I could give you ;)

     

    What happens if you connect the client to an SSID without captive portalk which has "Client IP Assignment" set to "Instant AP Assigned" and "Internal VLAN".

    Do you get an IP?

    Can you resolve say .. microsoft.com with DNS?

    Can you resolve the Clearpass DNS?



  • 7.  RE: IAP guest clients NAT to captive portal

    Posted Oct 02, 2019 10:49 PM

    Hi John,

     

    I'm offsite right now but I actually did exactly what you said as a test and got a private 172.x address from the IAP. I don't think I did a DNS test on the client from memory but I was correctly redirected to the Captive Portal on ClearPass, so I'm guessing there were no DNS issues. The only issue here is the IAP is on the corporate network which is not where I want the clients to route through (different Internet link), so not a permanent solution.

     

    We have logged a job with the ISP (who support manage routers in the network) to make a single host route for ClearPass, but I have no idea what the routing setup looks like for this environment so not sure if it is possible at this stage. If it is possible, it will solve all our probelms.

     

    Even so I would rather solve this issue for future reference.

     

    -Brett



  • 8.  RE: IAP guest clients NAT to captive portal

    Posted Oct 25, 2020 12:10 PM

    Hi BrettV.

    I'm facing the same issue, how did you solve it.



  • 9.  RE: IAP guest clients NAT to captive portal
    Best Answer

    Posted Oct 26, 2020 07:51 PM

    Unfortunately we could never figure this one out. I convinced the customer to add a route to ClearPass from the Guest VLAN (and vice versa), and now the clients access ClearPass natively (no NAT).

     

    Up until that point, I had never had an issues with NAT on the IAPs or Mobility Controllers.

     

    -Brett