Security

 View Only
  • 1.  ClearPass/Captive Portal process

    Posted Aug 29, 2016 11:20 AM

    We are installing a ClearPass server to perform Captive Portal and authentication.  How does the external server change the captive Portal process at the controller?  Does the controller still need a failed DNS query to inject the correct IP address for the client, or will a valid DNS query for the external URL work?  I understand how to configure the controller, I just want to understand what is going on "behind the scenes."



  • 2.  RE: ClearPass/Captive Portal process

    Posted Aug 29, 2016 11:24 AM

    You will need a functioning DNS server if you are to redirect a client that types in a www address.  Everything is the same as it was with the controller.  Please see the ASE solution here:  https://ase.arubanetworks.com/solutions/id/3 for more details.



  • 3.  RE: ClearPass/Captive Portal process

    Posted Aug 29, 2016 11:44 AM

    This does not answer my question.  With controller-based captive portal, the process requires a NXDOMAIN message from a name server in order for the controller to inject its own IP address into the message and send that back to the client.  Does a similar process happen when using external captive portal/clear pass, or does the client get a valid IP from a DNS server after being redirected by the controller?



  • 4.  RE: ClearPass/Captive Portal process

    Posted Aug 29, 2016 12:19 PM
      |   view attached

    @chmiii wrote:

    We are installing a ClearPass server to perform Captive Portal and authentication.  How does the external server change the captive Portal process at the controller? 

     

    Does the controller still need a failed DNS query to inject the correct IP address for the client, or will a valid DNS query for the external URL work?  I understand how to configure the controller, I just want to understand what is going on "behind the scenes."


    - The external server process is not much different from controller-based version.  The main difference is that the "Login Page" parameter in the Captive Portal Authentication Profile on the controller redirects to the ClearPass Page, instead of a URL located on the controller.

     

     

    Please see the attached ArubaOS Guest Appnote for a detailed description of the Captive Portal Authentication Process.  If I do not attach this, I will end up just copy and pasting parts of it into the thread here.

     

     

    Attachment(s)

    pdf
    AOS_GuestAcccess-AppNote.pdf   3.34 MB 1 version


  • 5.  RE: ClearPass/Captive Portal process

    Posted Aug 29, 2016 02:58 PM

     


    @cjoseph wrote:

    ...The main difference is that the "Login Page" parameter in the Captive Portal Authentication Profile on the controller redirects to the ClearPass Page, instead of a URL located on the controller.

    I understand this, and I understand the controller-based process as laid out in the App Note.  Unfortunately, both of these are missing the nugget of information that I need...Do I need a DNS entry for my ClearPass Page in order for the client to get the correct IP address when it is redirected, or does the controller insert the ClearPass IP address (instead of its own) when it receives the NXDOMAIN message back from a name server?

     

    Edit:  Sorry for the duplicate below.



  • 6.  RE: ClearPass/Captive Portal process

    Posted Aug 29, 2016 02:58 PM

     


    @cjoseph wrote:

    ...The main difference is that the "Login Page" parameter in the Captive Portal Authentication Profile on the controller redirects to the ClearPass Page, instead of a URL located on the controller.

    I understand this, and I understand the controller-based process as laid out in the App Note.  Unfortunately, both of these are missing the nugget of information that I need...Do I need a DNS entry for my ClearPass Page in order for the client to get the correct IP address when it is redirected, or does the controller insert the ClearPass IP address (instead of its own) when it receives the NXDOMAIN message back from a name server?

     



  • 7.  RE: ClearPass/Captive Portal process
    Best Answer

    Posted Aug 29, 2016 05:26 PM

    The client needs to be able to resolve the clearpass server's DNS name, yes.



  • 8.  RE: ClearPass/Captive Portal process

    Posted Aug 29, 2016 05:56 PM
    Thank you. That's what I need.