You will need the following created in the Instant Cluster...
Authentication Server created for Captive Portal - This will contain the URL for the Webpage you want the client to land on after EAP-TLS is complete.
Need a role with Access Rules - Note the name of this role - Something like ACME-Guest-Logon
- 1st Rule - Enforce Captive Portal
- 2nd Rule - Allow DNS
- 3rd Rule - Allow DHCP
- Next set of rules - Allow only HTTP/HTTPS to the IP of ClearPass - Create a rule for each ClearPass server
Do not attempt to switch VLANs during enforcement. That gets ugly.
In ClearPass, create an Enforcement Profile for Aruba User Role and set the Value to ACME-Guest-Logon
Configure the EAP-TLS Service / Enforcement policy to send the new Enforcement Profile when EAP-TLS has been completed successfully.
Test
Your users should not be re-directed to the Captive Portal after EAP-TLS
I would be sure to test your Captive Portal functionality without EAP-TLS in play first to make sure it functions OK. To test that Certificates are correct, the re-direct works, DNS, etc. Once you confirm it is good, THEN attempt the EAP-TLS stuff above.
------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------
Original Message:
Sent: Sep 16, 2021 11:07 PM
From: Ahmad Enaya
Subject: EAP-TLS + Captive Portal
My Instant is running 8.6.0.13 and I am trying to set up Captive Portal authentication after EAP-TLS authentication. The idea is to use EAP-TLS to authenticate the device, then captive portal to authenticate users. I can see that captive portal users in Instant get the default role of "External CP" but I am not able to modify this role or even edit it. I want EAP-TLS authenticated users to get the captive portal pre-auth role.
Radius server is ClearPass
Has anyone tested this before? Is there any way to customize the captive-portal pre-auth role and send it from ClearPass after EAP-TLS authentication?
------------------------------
Ahmad Enaya
------------------------------