Hi,
Let me present a Guest access scenario.
The company is using two separate subnets for Corporate (10.x.x.x) and Guest (172.x.x.x) users. A ClearPass cluster is providing wireless 802.1X and Guest services. The Management port is configured with an IP in the Corporate subnet, while the Data port is configured with an IP in the Guest one.
The WLAN infrastructure is pointing towards the Captive Portal page on the Guest subnet (https://10.x.x.x/<page_name>.php), and when a user connects to the Guest SSID, the CP page with self-registration is displayed. After entering and confirming the required details, account info is displayed on the page.
My question is what happens after clicking on the "Log In" button on the login page, and how are authentication/RADIUS packets flowing?
My guess is that when a user (10.x.x.x) tries to log in, his request is sent to the Management port (172.x.x.x) in the form of a RADIUS request, processed by Policy Manager, and the resulting acceptance/rejection is returned to the user.
So, the questions are: a) is that authentication flow correct or not, b) if correct, what is the purpose of the Data port in the Guest scenario, c) how would you design this more elegantly?
Thanks everyone in advance.
Cheers,
Alan