Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clearpass guest with Aruba AOS8

  • 1.  Clearpass guest with Aruba AOS8

    Posted 2 days ago

    Hi, 

    I am doing a POC of ClearPass Guest using the "self-registration" page in our environment. We have 2 VLANs: one for wireless management (VLAN 10) and one for guest clients (VLAN 20). Guest VLAN 20 is not routed to the ClearPass servers for obvious security reasons. 

    The way it is designed today is: for the initial MAC authentication (RADIUS packet) and captive portal, traffic flows through the wireless management network (VLAN 10) for authentication purposes only, using a pre-auth role on the Aruba IAP. After captive portal registration is successful we send the post-auth role using the RADIUS VSA "Aruba-user-role" in the RADIUS response packet back to the access points, to match the post-auth role that is configured on the IAP side. Pre-auth roles and post-auth roles are configured for VLAN enforcement. We are using the dynamic VLAN concept in Aruba Central. 

    The challenge is that clients are authenticated successfully and the AP role is switched to the post-auth role; however, the client stays in the same IP subnet. Not sure where the issue is. Has anyone faced a similar issue? Are there better ways to design this? The key requirement is to keep the guest network isolated. 

    PS: I am seeing RADIUS response packets reaching all the way to the access points, and there is an active TAC case but not much traction there. 

    Please let me know.



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------


  • 2.  RE: Clearpass guest with Aruba AOS8

    EMPLOYEE
    Posted 2 days ago

    If you are trying to change the VLAN for a captive portal user, don't.  The device isn't going to pull a new IP address just because you changed the role.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass guest with Aruba AOS8

    Posted 2 days ago

    Thanks for reply Carson.. 

    Even if the role is configured to enforce a guest VLAN? In that case, do you happen to know how we can achieve this? 

    The requirement is not to route guest vlan to clearpass servers. 

    Best, 



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------



  • 4.  RE: Clearpass guest with Aruba AOS8

    EMPLOYEE
    Posted 2 days ago

    Achieve what?  You can't flip the VLAN, that doesn't work.  Whatever VLAN the client starts in, that's the VLAN they need to stay in.

    The guest devices have to have a route to ClearPass, that's not negotiable.  The captive portal workflow requires the client device to open the webpage from ClearPass.  You can put that through a firewall (always recommend), utilize the data port on ClearPass (sometimes useful), and set ACLs within ClearPass to restrict access (always recommend), but the client will always need a route to reach the captive portal.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Clearpass guest with Aruba AOS8

    Posted 2 days ago

    In this case, what are the recommended design patterns to isolate the guest Wi-Fi traffic from the corporate network while meeting zero trust requirements? Is there an Aruba "best practice" design document or reference architecture to review for implementing ClearPass in Azure with guest Wi-Fi?




  • 6.  RE: Clearpass guest with Aruba AOS8

    EMPLOYEE
    Posted 2 days ago

    Place the guest devices in a network that only has access to ClearPass via 80/443 for captive portal purposes.  Set the application access ACL in ClearPass to disallow UI interactions except from allowed networks.

    ClearPass Hardening Guide

    https://www.arubanetworks.com/techdocs/ClearPass/6.12/PolicyManager/Content/Hardening/Locking%20Down%20Administrative.htm



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
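    The isolation Carson describes above (guests reach ClearPass on TCP 80/443 only, for the captive portal; RADIUS comes from the AP management VLAN, never from guests; guests reach nothing else internal) can be written down as a first-match ACL and checked before it goes near a firewall. The block below is an added example, not code from this thread or from HPE Aruba. Every address, VLAN number, port list and flow in it is constructed for the example (ClearPass and the resolver sit in RFC 5737 documentation space); the "weak" rule set models the "just route the guest VLAN to ClearPass" shortcut the original poster was being pushed toward.

```python
"""Added example (not from the thread or HPE Aruba): a first-match ACL
evaluator used to check a guest-VLAN isolation policy for a ClearPass
captive portal. Addresses, VLAN numbers and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    dports: tuple    # destination ports; () means any port


# Constructed addressing (assumption): VLAN 10 = AP/wireless management,
# VLAN 20 = guest clients, as in the thread. ClearPass and the resolver
# use RFC 5737 documentation addresses, so no real host is referenced.
MGMT_VLAN = "10.10.10.0/24"
GUEST_VLAN = "10.10.20.0/24"
CORPORATE = "10.0.0.0/8"          # all internal space, guest VLAN included
CLEARPASS = "192.0.2.10/32"       # hypothetical ClearPass (or its data port)
RESOLVER = "192.0.2.53/32"        # hypothetical DNS for the guest SSID
ANY = "0.0.0.0/0"

# Hardened policy: first match wins, implicit deny at the end.
HARDENED = [
    Rule("allow", GUEST_VLAN, RESOLVER, "udp", (53,)),         # resolve the portal FQDN
    Rule("allow", GUEST_VLAN, CLEARPASS, "tcp", (80, 443)),    # captive portal only
    Rule("deny",  GUEST_VLAN, CLEARPASS, "any", ()),           # no RADIUS/SSH/SNMP from guests
    Rule("deny",  GUEST_VLAN, CORPORATE, "any", ()),           # guests see no internal hosts
    Rule("allow", GUEST_VLAN, ANY, "any", ()),                 # internet
    Rule("allow", MGMT_VLAN, CLEARPASS, "udp", (1812, 1813)),  # APs send RADIUS from VLAN 10
    Rule("deny",  ANY, ANY, "any", ()),
]

# Weak variant: the guest VLAN is simply routed to ClearPass, no port limit.
WEAK = [
    Rule("allow", GUEST_VLAN, RESOLVER, "udp", (53,)),
    Rule("allow", GUEST_VLAN, CLEARPASS, "any", ()),
    Rule("deny",  GUEST_VLAN, CORPORATE, "any", ()),
    Rule("allow", GUEST_VLAN, ANY, "any", ()),
    Rule("allow", MGMT_VLAN, CLEARPASS, "udp", (1812, 1813)),
    Rule("deny",  ANY, ANY, "any", ()),
]


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return the action of the first rule matching the flow; implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in ipaddress.ip_network(r.src):
            continue
        if dst not in ipaddress.ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "deny"


# Flows a guest client (10.10.20.50) and an AP (10.10.10.5) generate, each
# paired with the verdict the isolation requirement demands. Constructed.
EXPECTATIONS = [
    ("guest -> portal https",     ("10.10.20.50", "192.0.2.10", "tcp", 443),  "allow"),
    ("guest -> portal http",      ("10.10.20.50", "192.0.2.10", "tcp", 80),   "allow"),
    ("guest -> dns",              ("10.10.20.50", "192.0.2.53", "udp", 53),   "allow"),
    ("guest -> internet",         ("10.10.20.50", "203.0.113.7", "tcp", 443), "allow"),
    ("guest -> clearpass radius", ("10.10.20.50", "192.0.2.10", "udp", 1812), "deny"),
    ("guest -> clearpass ssh",    ("10.10.20.50", "192.0.2.10", "tcp", 22),   "deny"),
    ("guest -> corp file server", ("10.10.20.50", "10.20.30.40", "tcp", 445), "deny"),
    ("guest -> other guest",      ("10.10.20.50", "10.10.20.51", "tcp", 445), "deny"),
    ("ap -> clearpass radius",    ("10.10.10.5", "192.0.2.10", "udp", 1812),  "allow"),
]


def isolation_failures(rules):
    """Names of the expectations a rule set violates; empty means it passes."""
    return [name for name, flow, want in EXPECTATIONS
            if evaluate(rules, *flow) != want]


if __name__ == "__main__":
    for label, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, isolation_failures(rules) or "OK")
```

    The hardened set passes every expectation; the weak set is flagged because a guest can reach the RADIUS and SSH listeners on ClearPass. Note what a network ACL cannot do: the captive portal and the ClearPass administrative UI both answer on TCP 443, so port filtering alone does not keep guests away from the admin interface. That is why the reply above pairs the 80/443 rule with the application access ACL inside ClearPass (the hardening guide linked there), and why the ClearPass data port mentioned earlier in the thread is sometimes worth using for the portal.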



  • 7.  RE: Clearpass guest with Aruba AOS8

    Posted 18 hours ago

    If I remember correctly, with Instant AP (AOS8 with Central), while the guest client is in the captive portal state, its traffic is being proxied out through the management interface. I would expect that if you just put the clients in the guest network, that traffic to ClearPass goes out on the management interface already. Edit: tested, and traffic to ClearPass Guest indeed originates from the original client IP.

    And let me repeat: don't switch VLANs with captive portal, it will not work or if it works you are lucky and at some point in time it will likely break.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Clearpass guest with Aruba AOS8

    EMPLOYEE
    Posted 17 hours ago

    Nothing is proxied.  If using the magic VLAN, all traffic uses NAT with the AP's IP address.  If using a standard VLAN, all traffic is bridged/routed as normal on the network.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Clearpass guest with Aruba AOS8

    Posted 16 hours ago

    thank you both!

    Yes, only the RADIUS packet goes out of the wireless management network, and captive portal traffic goes through the guest network by default, unless there is a config item that I am missing. 

    We might have to route the guest network to ClearPass, but that is not ideal for the security review. 



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------



  • 10.  RE: Clearpass guest with Aruba AOS8

    EMPLOYEE
    Posted 16 hours ago

    The guest device must be able to access the captive portal FQDN using HTTP/HTTPS.  This is a basic requirement that hasn't changed.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------