You should not change VLAN during a captive portal authentication, as the client will not know that it was moved to another VLAN.
Keep clients in the same VLAN, and your 'luck' in this case is that if you place the clients in your guest VLAN, the Instant AP will automatically proxy the captive portal traffic over the management interface to your ClearPass. But key is not to change VLANs during the captive portal process.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 31, 2024 12:45 PM
From: Netbuzz
Subject: Clearpass Guest with Aruba AOS8
Hi,
I am doing a POC of ClearPass Guest using the "self-registration" page in our environment. We have 2 VLANs, one for wireless management (VLAN 10) and one for guest clients (VLAN 20). Guest VLAN 20 is not routed to the ClearPass servers for obvious security reasons.
The way it is designed today is: for the initial MAC authentication (RADIUS packet) and the captive portal, traffic flows through the wireless management network (VLAN 10) for authentication purposes only, using a pre-auth role on the Aruba IAP. After captive portal registration is successful we send the post-auth role using the RADIUS VSA "Aruba-User-Role" in the RADIUS response packet back to the access points, to match the post-auth role that is configured on the IAP side. Pre-auth roles and post-auth roles are configured for VLAN enforcement. We are using the dynamic VLAN concept in Aruba Central.
The challenge is that clients are authenticated successfully and the "ap-role" is switched to the post-auth role; however, the client stays in the same IP subnet. Not sure where the issue is. Has anyone faced a similar issue? Are there any better ways to design this? The key requirement is to keep the guest network isolated.
PS: I am seeing the RADIUS response packets reaching all the way to the access points, and there is an active TAC case, but not much traction there.
Please let me know.
------------------------------
[Akshay]
------------------------------
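Added example, not code from either post or from Aruba/ClearPass: a small decoder for a RADIUS Access-Accept that lists the Aruba VSAs (vendor ID 14823: Aruba-User-Role = 1, Aruba-User-Vlan = 2) and the IETF tunnel attributes, so you can check from a capture which role and VLAN attributes the response actually carried before changing the design. The sample packet is constructed here; the role names and VLAN values in it are placeholders.

```python
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823                     # IANA enterprise number registered to Aruba
ARUBA_VSA = {1: ("Aruba-User-Role", "str"), 2: ("Aruba-User-Vlan", "int")}
IETF_TUNNEL = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}

def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return bytes([atype, len(value) + 2]) + value

def aruba_vsa(vtype, value):
    """Encode an Aruba VSA: Type 26, Vendor-Id 14823, then Vendor-Type/Length/Value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + attr(vtype, value))

def access_accept(identifier, attrs):
    """Assemble an Access-Accept; the authenticator is zeroed because this is a test fixture."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body

def untag(value):
    """RFC 2868: a leading byte <= 0x1F is a tag, not part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value

def decode_role_and_vlan(pkt):
    """Return {attribute-name: value} for the role/VLAN attributes found in an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            name, kind = ARUBA_VSA.get(vtype, ("Aruba-VSA-%d" % vtype, "str"))
            raw = value[6:4 + vlen]
            found[name] = int.from_bytes(raw, "big") if kind == "int" else raw.decode()
        elif atype in IETF_TUNNEL:
            raw = untag(value)
            found[IETF_TUNNEL[atype]] = raw.decode() if atype == 81 else int.from_bytes(raw, "big")
        pos += alen
    return found

# Constructed sample: a post-authentication Access-Accept carrying a role and a VLAN (placeholder values).
SAMPLE = access_accept(7, [aruba_vsa(1, b"guest-postauth"), attr(81, b"\x0020")])

if __name__ == "__main__":
    print(decode_role_and_vlan(SAMPLE))
```

If the decoded dictionary shows only Aruba-User-Role and no VLAN attribute, the VLAN must come from the role definition on the IAP side rather than from the RADIUS response.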