last person joined: 27 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Separate guests registration

  • 1.  Separate guests registration

    Posted Oct 03, 2014 11:04 AM



    We want a separate portal voor Guests at some office location through a fully separated DSL internet connection. The current is used with selfregistration integrated with sms and for the new one we want to let some group of people create users for guests and have some printout or e-mail or something like that. The network wil be separated by vlan on the controllers and we use a different SSID.


    So i already created some network and tested this (just with regular WPA2), the network is already configured and can be used wireless.


    Beside to change some part at the Aruba Controllers, I think i have the following steps to do for Clearpass:


    1 Connect the CPPM virtual server with the new VLAN and give it an ip address in the new network (to allow guests to reach the welcome/login pages);
    2 Create a a new Service in CCPM for guest access;
    3 Create some new welcome page/login page for guests at Clearpass Guest;
    4 Create some posibility for a group of people to allow to create guest accounts.


    For 1 i think that i can add a vlan from the server configuration -> server properties -> Network -> Create VLAN, and i need to add this vlan to the VMWare Virtual machine, the hosts, etc.
    Is this correct? Or is there another way to arange this, maybe by adding a separate NIC to the VM? Or can i somehow let traffic handled by the Aruba Controller throug another vlan?


    For 2 i can just create a new service. But can i have a separate local guest database?


    For 3, this should be possible, i can create some page i think from the "pages" part in the

    Guest configuration is this correct?


    For 4, can i have some separate web portal where i can allow some superusers to create/manage guests, but only for the guest for this service? They are not allowed to create guests for the existing guest service.


    Is that what i want possible? And how should i handle this?


    Any help is appriciated.


    Thank you in advance.


    Best regards,

  • 2.  RE: Separate guests registration

    Posted Oct 12, 2014 06:58 AM

    1) no joying the clearpass to multiple VLANs isnt really something that is done often (not even sure if it possible), just route the traffic to it from the controller is more common.


    2) i would advise you to use the clearpass templates to add a captive portal setup, perhaps with mac caching if you want. you can probably select on the aruba ssid to seperate from the other ssid


    3) yep and make sure you use that ip / url in your controller l3 auth profile


    4) should be possible, but can't guide you exactly on how to make the seperation.


  • 3.  RE: Separate guests registration

    Posted Oct 12, 2014 04:09 PM

    1. I'm not familiar with how CP handles multiple VLAN, but it might be possible as you suggest.
    I normally just have CP placed in the server network and route/fw traffic back and forth from multiple guest vlans to either a single ip or a NAT'ed ip to CP.

    2. CP has a very good way of handling different restrictions for different operators. You will want to create a new registration/login page for the new ssid, a new Operator role and check the various filter options in the role so operators in that role only administer their clients.

    3. Yes. Might be easier for you to Duplicate your first one if they are very similar. You can then choose to have the first one as parent (so changes there is reflected in the new one) or no parent)

    4. Yes. See #2. You can choose to create a custom version of all the operator pages and views. In the Operator Role config you then select these to replace the default ones with your new ones.

  • 4.  RE: Separate guests registration

    Posted Oct 15, 2014 03:36 AM

    Hello "Boneyard" and John,

    Okay, i prefered to prevent the use of the existing infrastucture for this new network. This to prevent traffic flows from the seperate network to the production network and the otherway around, but yeah, technically i should be able the seperate network, change the default 192.168.1.x network to a company ip range and route traffic to and from clearpass. But then i need to speccify the traffic that is needed and block other traffic. Can this routing and firewalling also be done by the controller for the partly physical and partly wireless network? I need to look into the documentation for where to find  this, i don specific use routing at the controller and firewalling is currently only used for wireless netwerk based on role.

    I can indeed copy sthe existing service or just create a new one and compare settings, the operator role and filters i need to look into to seperate the administration of the environments.

    The welcom page/login page can also be duplicated (or recreated), important is then to create the custom versions of all pages and views and select the correct operator role config, as mentioned by John.

    So overall this is going to take some time to correctly configure, but this seems all possible.

    Thanks for you support, if you have some additional remarks/tips about the above, please let me know. Next step for me is to find more information about the routing/firewalling part.