Hello Kevin
Many different solutions here and I'm sure you're just as confused as when you started.
These are two decent ways of implementing Guest access:
* Controller initiated - this is the most normal use case and authentication is done by your client doing an HTTP POST towards the login.html of the Controller. Works on all Aruba WLCs and all Cisco WLCs except 3850/5760 using IOS XE.
* Server initiated - this involves MAC-authentication and RADIUS CoA and is quite confusing to implement. The documents listed in the previous post regarding wired Cisco are all about this, but they are not complete, so try the first method before trying this. This method is a requirement for Cisco WLC using IOS XE (3850/5760).
Controller initiated works more or less right out of the box with ClearPass when using Cisco 2504 WLC on 7.6.x.
* Click Configuration - Start here
* Select the Guest Access template, go through and fill in the variables. Save.
Make sure this new template is above the old ones you've created.
Since you're using self-registration there is no need for a pre-auth (webauth) service, but with a normal web-login you have a Radius or Local pre-auth and need to create a service for this.
* Click Configuration - Start here
* Select the Guest Access Web Login template, go through and fill in the variables. Save.
* Move this template above the other Guest template just to keep things clean.
In Guest
- Under Authentication change the NAS Type to Cisco Systems (RFC3756 support)
- In the login use
For the Cisco setup you should just google for "cisco wlc external web auth" and find the multiple guides that exist out there (not CWA as this uses CoA and mac-auth). You can follow a guide using Cisco ISE.
On the Cisco:
* Create your pre-auth ACL "web_auth" (Security - Access Control Lists) more or less like this:
- Permit 0.0.0.0/0 -> 192.168.1.210/23
- Permit 192.168.1.210/23 -> 0.0.0.0/0
Define your AAA servers
* Security - RADIUS - Authentication
- Call Station Type: "System MAC address"
- MAC Delimiter: "Colon"
- Add the 192.168.1.210 with shared secret and RFC 3576 enabled
* Security - RADIUS - accounting
- Add 192.168.1.210 - with MAC delimiter "Colon"
Create your WLAN and edit the SSID to your liking, select the appropriate interface.
Edit the NAS-ID to something - if you want to use that in the CPPM Service later
* Security
- Layer 2 - none
- Layer 3 - Web Policy (authentication), preauth ACL = "web_auth"
- Enable "over-ride global config" - External (= redirect to external server)
- URL = Input your clearpass redirect URL here
- AAA servers, server 1: 192.168.1.210 (Auth and Acc)
Advanced
- DHCP addr. assignment required
Try it out and let us know how it turns out.
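
The pre-auth ACL in the post above controls what an unauthenticated guest can reach, so it is worth checking before the WLAN goes live. The following is an added example, not part of the original post: it parses the two "web_auth" entries, confirms the ClearPass address is reachable in both directions, and counts the other addresses open before login. The guest subnet `10.20.0.0/24` and the function names are assumptions made for illustration.

```python
import ipaddress

CLEARPASS = ipaddress.ip_address("192.168.1.210")  # server address used in the post
GUESTS = ipaddress.ip_network("10.20.0.0/24")      # assumed guest client subnet

# The post's two pre-auth entries, retyped in "Permit src -> dst" form
RULES = """\
Permit 0.0.0.0/0 -> 192.168.1.210/23
Permit 192.168.1.210/23 -> 0.0.0.0/0
"""

def parse_rules(text):
    """Parse 'Permit src -> dst' lines into (src_net, dst_net) tuples."""
    rules = []
    for line in text.splitlines():
        action, _, rest = line.strip().partition(" ")
        if action.lower() != "permit":
            continue  # only permit entries are modelled; all else is denied
        src, dst = (part.strip() for part in rest.split("->"))
        # strict=False because the post writes a host address with a /23 mask
        rules.append((ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False)))
    return rules

def audit(rules, server, guests):
    """Report whether the portal is reachable both ways and what else is open."""
    outbound = [dst for src, dst in rules if guests.subnet_of(src)]
    to_server = any(server in dst for dst in outbound)
    from_server = any(server in src and guests.subnet_of(dst) for src, dst in rules)
    # Merge overlapping destinations, then count addresses besides the server
    reachable = sum(n.num_addresses for n in ipaddress.collapse_addresses(outbound))
    return {"to_server": to_server,
            "from_server": from_server,
            "extra_preauth_addresses": reachable - (1 if to_server else 0)}

if __name__ == "__main__":
    print(audit(parse_rules(RULES), CLEARPASS, GUESTS))
    # Same ACL with guests placed inside the server's own /23 (constructed case)
    print(audit(parse_rules(RULES), CLEARPASS, ipaddress.ip_network("192.168.0.0/24")))
```

With the /23 mask the entries cover 192.168.0.0 through 192.168.1.255, and if the guest interface sits inside that range the second entry permits guests to any destination before they log in.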