I'm having several Instant Clusters in branches with the same SSIDs and a central ClearPass installation. I am in the process of designing a ClearPass Guest self-registration solution.
I have just studied the excellent ClearPass Workshop Training Video Series from Herman Robers about ClearPass Setup, but this Series is based on Controller-Initiated Login Configurations.
What are the benefits when I decide to use the Server-initiated (CoA) Login Method with Instant Clusters instead?
Do I still need Captive Portal Certificates on my Instant clusters in this case?
What is the best practice?
Can I configure just one Guest Service for all Instant Clusters?
Is there a configuration example around here with the Server-initiated Login Method with CoA and Instant Clusters?
Many thanks in advance for your ideas!
Thank you for the fast reply - this is also my opinion, and in addition I'm familiar with the controller-initiated solution.
It's always good to get a second opinion from an expert...
I will go further with the controller-initiated login method in this case.
Is there anything I have to take care of when designing a single Guest Service for several Instant Clusters?
Bringing up an older post, but my short question to your statement is why? Why do you recommend doing controller-initiated login for Aruba Wireless? Is there a potential security breach in doing CoA to change the role?
I've been using server-initiated login for years with great success because it is more flexible, seems to scale better and is less prone to certificate error messages during all the redirects. What am I missing? Other than not being able to use the ClearPass Guest with MAC-caching wizard.. ;)
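On the question above of whether CoA itself opens a hole: this is an added illustration, not code from the thread or from Aruba/ClearPass, of the RFC 5176 check a NAS performs before acting on a CoA or Disconnect-Request. The request carries an MD5 authenticator over the packet and the RADIUS shared secret, so a message from a sender that does not know the secret (or that was altered in transit) is discarded. The MAC address, session id and secret below are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes used for dynamic authorization (RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, COA_REQUEST = 40, 41, 43
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44

def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(code, ident, attrs, secret):
    """Server side: Request Authenticator = MD5(header || 16 zero bytes || attrs || secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_request(packet, secret):
    """NAS side: recompute the authenticator with the locally configured shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_response(code, request, attrs, secret):
    """ACK/NAK: Response Authenticator = MD5(header || RequestAuth || attrs || secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value, not a real secret
    # Constructed sample: tear down the MAC-auth session of one guest device
    attrs = [(USER_NAME, b"aa-bb-cc-dd-ee-ff"),
             (CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff"),
             (ACCT_SESSION_ID, b"5F3A9C01-00000042")]
    req = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    tampered = req[:-1] + b"0"  # flip one attribute byte after signing; length is unchanged
    ack = build_response(DISCONNECT_ACK, req, [], secret)
    return {
        "genuine": verify_request(req, secret),          # True
        "wrong_secret": verify_request(req, b"guess"),   # False: unknown sender is dropped
        "tampered": verify_request(tampered, secret),    # False: modified packet is dropped
        "ack_len": len(ack),                             # 20: header plus authenticator only
    }
```

The same authenticator rule applies to a CoA-Request that changes a role or VLAN, so the shared secret (and restricting which source addresses may send CoA) is what stands between an attacker and a forged authorization change.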
I'm having the same thought. The server-initiated login method provides a better user experience, as it's "less prone to certificate error messages during all the redirects", which I often faced when using the controller-initiated login method.
The issue with server-initiated is you end up with a lot of webauth rejects during that process. RADIUS is much cleaner, but I agree with the cert issues. I have my certs set up correctly and I'm still ending up with certificate errors on Android devices when using Entrust publicly signed certificates signed by L1K and G2 root.
I am required to do a self-sponsored login. The initial setup was not done by me, but what basically happens is they hit the MAC auth service first which allows all MACs. If they have a valid account, they are authenticated. If not, they are sent back a role with a captive portal.
They must supply an e-mail address and name. They register and then are sent a CoA to disconnect them so they reconnect via the MAC service. It is clunky and doesn't work well imo. They get a free 10m of access to activate their account at that point.
Using a controller-initiated workflow with a session timeout I find works much cleaner and consistently. I haven't really messed around with the server-initiated one on the production system to see if I could make it better but instead redid it.
Are you still using the server-initiated workflow? In that scheme, do you think it's possible to also enable a change of VLAN for a user already authenticated by means of CoA?