Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

Jump to Best Answer
This thread has been viewed 30 times
  • 1.  APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Sep 14, 2015 02:35 AM

    Hi all,

     

    I understand that the basic captive portal authentication isn't supported in Bridge Mode because the captive portal page is hosted by the controller. However should this work with ClearPass?

     

    Many thanks



  • 2.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Sep 14, 2015 03:23 AM

    I don't think so.  The controller still needs to hijack the DNS and redirect the client to the portal, whether it is hosted internally or externally on Clearpass.



  • 3.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?
    Best Answer

    Posted Sep 14, 2015 06:03 AM
    Captive portal in general is not possible in bridge mode.


    Thanks,
    Tim


  • 4.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Sep 15, 2015 10:33 AM

    Thank you guys! Much appriciated!

     

     



  • 5.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Jan 22, 2016 02:33 AM

    Hi,

     

    Do you mean when locally deployed, it is possible it just depends on your underlying network and connectivity.



  • 6.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Jan 22, 2016 07:59 AM

    Captive Portal is not possible when the forwarding mode is bridged.



  • 7.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Jan 22, 2016 08:05 AM

    Well seems like then the limitation is with the Aruba. I managed to get it working with aruba IAP's, juniper WLA in bridge mode, Meru AP's in bridge mode. Both the controller and the CPPM was located in a DC with bidging enabled in all these product vendors.



  • 8.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Jan 22, 2016 08:55 AM
    Yes, captive portal works in bridge on the Instant architecture. If you absolutely need bridge captive portal, Instant is the way to go. 

    Best practice design with controllers is tunnel. 

    Sent from Nine


  • 9.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted May 16, 2018 11:38 AM
    Hi,

    Yes it works on Instant architecture, but it also works with other vendors controllers and bridge architecture.
    Big limitation on Aruba controllers :(

    Regards,
    Julián


  • 10.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 12:45 PM

    This still appears to be a limitation? We rolled out ClearPass Guest last year, and just completed the rollout to all remote sites using Cisco APs in FlexConnect mode with local switching, and the Cisco APs handle the CoA captive portal redirect just fine. Now we are looking at Aruba wireless, but we won't be able to do the same thing?

     

    The goal is to drop guest users onto local remote site VLANs to egress to the Internet from the local firewall rather than traversing VPN. Remote sites do not have their own controllers. 



  • 11.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 12:52 PM

    You would deploy Instant APs at that site.  They do not require a controller and would support your use case.



  • 12.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 01:04 PM

    To be clear, Aruba sells UAPs or Universal APs that support either mode (Instant or Campus), so you can support either use case with the same hardware.



  • 13.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 01:10 PM

    Sure, then we lose mobility master, live upgrade, and all those campus AP features. We are evaluating Central for remote sites and IAPs, so that would really be a requirement then for this use case. 

     

    Also, when I configured an AP in wired bridge mode (in MM), i get a warning: "802.1X and Captive portal authentication is not supported in wired Bridge mode". However I do not see the 802.1x limitation listed in the 8.3 user guide under 'forwarding mode features not supported', and i also just tested it with 802.1x auth and it worked fine. Is that a bogus warning message (for 802.1x) in the MM UI? Or is that referencing 802.1x specifically for captive portal/CoA?



  • 14.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 01:16 PM

    One more related question, what if the AP is in 'wired bridge mode' (for example a mesh AP supporting point to point bridge), but then I add our Guest WLAN that is set for Tunneled mode onto that AP. Does that also break captive portal, or as long as the WLAN is in Tunneled mode, it will work?



  • 15.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 01:51 PM
    Hi,

    I always wanted to test this, but haven't so dont know yet if it does. Some things to maybe look at, if your Clearpass or portal is central, you need to make sure there is full routing between the client and captive portal when doing bridge mode. Perhaps look at split tunnel aswell, redirect to portal using tunnel all else local. I will be setting up a test lab soon to test this. Will share the outcome.

    Get Outlook for Android


  • 16.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Nov 15, 2018 03:51 PM

    @cm119 wrote:

    One more related question, what if the AP is in 'wired bridge mode' (for example a mesh AP supporting point to point bridge), but then I add our Guest WLAN that is set for Tunneled mode onto that AP. Does that also break captive portal, or as long as the WLAN is in Tunneled mode, it will work?


    As long as the SSID is tunneled, Captive Portal should work.  It is discouraged from supporting clients on the mesh radio, however.



  • 17.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Feb 02, 2021 05:16 PM
    Is this still valid? My question is due to this information for 8.7.0:

    Captive Portal Aruba OS now supports captive portal authentication for VAPs in the bridge forwarding mode. This feature is supported for wirelessusers on all Campus AP and RemoteAP models incluster and non-clustertopology. Tosupportcaptiveportalauthenticationinthebridgeforwardingmode,itisrequiredtoenabletheageout-bridge-userparameterintheaaaprofilecommand

    Thanks

    ------------------------------
    Ivan Torres
    ------------------------------



  • 18.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Feb 03, 2021 06:21 AM
    You can check the documentation here for what can be done. The documentation mentioned the feature added in ArubaOS 8.7.0.0.

    Please note that Bridge mode is still deprecated in controller deployments, and unsupported with 30+ APs in a single broadcast domain. If you want to bridge traffic, Aruba Instant is the preferred choice.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 19.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Jul 07, 2021 10:35 AM
    Hi

    @Herman Robers, does the above still apply please? Captive portal is still not working when using bridge mode CAP? ​

    ------------------------------
    Sara Zarb
    ------------------------------



  • 20.  RE: APs in Bridge Mode and external server (ClearPass) for Captive Portal authentication?

    Posted Jul 07, 2021 10:42 AM
    I have not tried it. If the documentation for your version tells it is supported, and it does not work, contact Aruba Support.

    Before you do that, check the referred documentation that you only use the mentioned supported features.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------