Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Clearpass captive portal question

  • 1.  Clearpass captive portal question

    Posted Mar 28, 2018 02:23 PM

    Hi

    I am quite new to Clearpass. We are about to deploy 4 CPPM servers in a single cluster. Regarding the guest captive portal, is that load balanced across all the servers or does it just run on one of them?

    Do I need to place a load balancer in front of the servers to provide high availability of the captive portal?

     

    We will be using the latest 6.7 version.



  • 2.  RE: Clearpass captive portal question
    Best Answer

    Posted Mar 28, 2018 02:31 PM

    By using a VIP with your cluster you can make the Captive Portal Page Highly Available.  For load balancing you can use the load balancing feature in ArubaOS under Configuration > Authentication > Servers > Server Group > Load Balancing check box.  Or if you have a load balancer such as an F5 or NetScaler you can run them through that.



  • 3.  RE: Clearpass captive portal question

    Posted Mar 28, 2018 02:32 PM

    Will all four CPPM appliances be reachable by guests so that they can serve as captive portal?

     

    A load balancer could be used, or techniques such as DNS round robin load balancing and/or Virtual IPs on the CPPM appliances to help distribute the load and provide high availability. Ultimately, you have options available based on your end requirements.



  • 4.  RE: Clearpass captive portal question

    Posted Mar 28, 2018 02:47 PM

    I was planning to have the portal on all 4 of them just for availability and nothing else. Load won't be very high but availability is important for us.

    We do have Netscalers so may look to use those.

     

    Now I just need to figure out how to get the Guest traffic from a Branch office to the portal :-(



  • 5.  RE: Clearpass captive portal question

    Posted Mar 28, 2018 03:31 PM

    That's always the fun part. :) (Getting traffic from the remote branches back to the internal CPPM appliances)

     

    Some customers will expose one or more CPPM appliances to the Internet, so that guests at the remote branch can reach the portal over the public Internet. Some will tunnel from the branch guest networks back to where CPPM is located. Others still may NAT or otherwise allow guest traffic access to the inside IP addresses of CPPM.



  • 6.  RE: Clearpass captive portal question

    Posted Mar 28, 2018 03:42 PM

    Hi thanks for your help, I had read about going over the internet and also some people using VRF tunnels. I don't want guest traffic on the internal network so these seem the best options.
    At the moment, and based on your feedback, I am thinking:

    Data interface of CPPM in DMZ and presenting Captive portal over the internet fronted by a Netscaler. Seems easier than VRF.
    Would you recommend this as an option?






  • 7.  RE: Clearpass captive portal question

    Posted Mar 28, 2018 03:49 PM

    That is one method I've seen used well. The plus side is that connectivity to the captive portal is dependent on the guest Internet connection being available, assuming guest and corporate traffic is segmented at the branch. 



  • 8.  RE: Clearpass captive portal question

    Posted Mar 28, 2018 03:55 PM

    Great, yes, corp traffic is all sent back to a central location; guest traffic in branch offices has a local internet breakout. So it sounds like it could be a good option.
    Thanks