Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Clearpass Guest with Aruba AOS8

  • 1.  Clearpass Guest with Aruba AOS8

    Posted Jul 31, 2024 12:45 PM

    Hi, 

    I am doing a POC of ClearPass Guest using the "self-registration" page in our environment. We have 2 VLANs, one for wireless management (VLAN 10) and one for guest clients (VLAN 20). Guest VLAN 20 is not routed to the ClearPass servers for obvious security reasons.

    The way it is designed today is: for the initial MAC authentication (RADIUS packet) and captive portal, traffic flows through the wireless management network (VLAN 10) for authentication purposes only, using the pre-auth role in the Aruba IAP. After captive portal registration is successful we are sending the post-auth role using the RADIUS VSA "Aruba-user-role" in the RADIUS response packet back to the access points, to catch the post-auth roles that are configured on the IAP side. Pre-auth roles and post-auth roles are configured for VLAN enforcement. We are using the concept of dynamic VLANs in Aruba Central.

    The challenge is that clients are authenticated successfully and the "ap-role" is switched to the post-auth role; however, the client stays in the same IP subnet. Not sure where the issue is. Has anyone faced a similar issue? Are there any better ways to design this? The key requirement is to keep the guest network isolated.

    PS: I am seeing RADIUS response packets reaching all the way to the access points, and there is an active TAC case but not much traction there.

    Please let me know.

    ------------------------------
    [Akshay]
    ------------------------------


  • 2.  RE: Clearpass Guest with Aruba AOS8

    Posted Aug 01, 2024 08:12 AM

    You should not change VLAN during a captive portal authentication, as the client will not know that it was moved to another VLAN.

    Keep clients in the same VLAN, and your 'luck' in this case is that if you place the clients in your guest VLAN, the Instant AP will automatically proxy the captive portal traffic over the management interface to your ClearPass. But the key is not to change VLANs during the captive portal process.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass Guest with Aruba AOS8

    Posted Aug 05, 2024 11:17 AM

    Hi,

    Please send an [Aruba Wireless Terminate Session] in the captive portal authentication enforcement. This will trigger a fresh MAC authentication where you can assign the post authentication role if the client has logged in on the captive portal successfully. This is similar to the Server Initiated workflow we configure on ClearPass sometimes.

    Workflow:

    1. Client connects to the Guest SSID for the first time. A MAC authentication request is sent by the IAP to ClearPass and is rejected since the client is Unknown and has not gone through the captive portal yet. The client falls into the pre-auth role configured under the Access tab in the SSID configuration on the IAP.
    2. Client registers and logs in on the captive portal. While processing this request, use an enforcement profile to attach the MAC Caching timestamp to the endpoint, mark the Endpoint as Known and enforce an [Aruba Wireless Terminate Session]. Set the CoA timer to greater than 3 seconds, giving ClearPass ample time to update the endpoint DB.
    3. During the second MAC auth, triggered as a result of the CoA, MAC Caching will be valid and the post-auth role must be returned to the IAP.

    Regards,

    Thiyagarajan Palanisamy
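
The three-step flow from the reply above, modelled as an added example (not code from the poster, ClearPass or Aruba): an in-memory endpoint database answers the two MAC-auth requests, the captive-portal enforcement stamps the MAC cache and queues the terminate-session CoA, and a stale cache falls back to a reject. The role name `guest-post-auth`, the 24 h cache lifetime and the 5 s CoA delay are assumptions.

```python
"""Model of the ClearPass guest workflow described above (constructed example).

The endpoint database, the RADIUS decisions and the CoA are simulated in
memory; role names, the cache lifetime and the CoA delay are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

MAC_CACHE_LIFETIME_S = 24 * 3600   # assumed MAC Caching validity window
COA_DELAY_S = 5                    # > 3 s so the endpoint DB update lands first

@dataclass
class Endpoint:
    known: bool = False
    mac_cache_ts: Optional[float] = None

@dataclass
class ClearPass:
    endpoints: dict = field(default_factory=dict)
    coa_log: list = field(default_factory=list)

    def mac_auth(self, mac: str, now: float) -> dict:
        """Answer an IAP MAC-auth request. Unknown or stale endpoints are
        rejected, so the IAP keeps the client in its locally configured
        pre-auth role; a valid MAC cache returns the post-auth role as a VSA."""
        ep = self.endpoints.get(mac)
        if ep and ep.known and ep.mac_cache_ts is not None \
           and now - ep.mac_cache_ts < MAC_CACHE_LIFETIME_S:
            return {"code": "Access-Accept", "Aruba-User-Role": "guest-post-auth"}
        return {"code": "Access-Reject"}

    def captive_portal_login(self, mac: str, now: float) -> dict:
        """Captive-portal enforcement: stamp the MAC cache, mark the endpoint
        Known, then queue [Aruba Wireless Terminate Session] via CoA after a
        delay longer than 3 s so the endpoint DB write has landed first."""
        ep = self.endpoints.setdefault(mac, Endpoint())
        ep.known = True
        ep.mac_cache_ts = now
        coa = {"type": "Disconnect-Request", "mac": mac, "send_at": now + COA_DELAY_S}
        self.coa_log.append(coa)
        return coa

def guest_session(now: float = 1_700_000_000.0) -> list:
    """Run the three steps and return the RADIUS/CoA decisions in order."""
    cp = ClearPass()
    mac = "aa:bb:cc:dd:ee:ff"                   # constructed client MAC
    first = cp.mac_auth(mac, now)               # step 1: Unknown -> reject, pre-auth role
    coa = cp.captive_portal_login(mac, now)     # step 2: login -> CoA terminate session
    second = cp.mac_auth(mac, coa["send_at"])   # step 3: re-auth -> post-auth role
    return [first, coa, second]
```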