We run a captive portal Guest SSID which is set up on ClearPass (social login (including Azure) or self-reg). Our AOS cluster (with conductor and standby conductor) is running 18.104.22.168.
We have a requirement to treat a subset of our Guest users differently (probably by S-NAT'ing them to a specific address(es)); this is to allow those particular users access to journals that have IP-based access restrictions (not our design!).
Identifying them is no problem - they are members of a particular group in Azure AD, so our plan was for the ClearPass service to match on that group and give them a special role, and then use a NAT rule in that role on AOS to have the controller NAT them. However, we must log the translations and we aren't sure if AOS will do that (we also need to keep those records for 90 days). Does anyone know if that logging is possible on AOS?
If AOS can't do this for us then another possibility might be to see if ClearPass can integrate with our Fortigate firewall in a dynamic per-user way that could achieve the same result - does anyone have any experience of doing something like that?
Or we're certainly open to other suggestions. At the moment our default fallback will be to broadcast a separate SSID for these users, which would do the job, but we'd prefer to avoid it if we can.
I think you should be able to perform the action src-nat and then use the extended action of "log".
ip access-list session <accname>
  <source> <dest> <service> <action> [<extended action>]
  ipv6 <source> <dest> <service> <action> [<extended action>]
You can refer to the CLI user guide here.
Search for "ip access-list session".
Thank you, I'll give that a try and see if the logging includes what we need.
As ariyap has mentioned, you can use a source NAT policy at the end of the new guest user role; enable log to have the ACL hits logged.
Since you are doing the authentication on ClearPass, you may want to configure a ClearPass Insight report. This should give you much more information / accounting.
Thanks, I'll try that.
Are there any instructions on how to set the S-NAT up? Does the NAT pool just need to be a routable IP address(es)? Does that address need to exist on the controller(s)? I created a pool which is just a single unused address that is in the same range as the controller IP (for testing only); there is no interface using that address anywhere.
I've looked at the user guide, but it doesn't really go into any detail (unless I was looking in the wrong place). I have added a rule in the ACL for the user role like:
user any any src-nat pool my-pool_snat log
I get an IP address but then there's no connectivity, and there's no evidence that NAT is happening. But I might be doing this all wrong!
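For reference, here is how the pieces discussed in the thread (NAT pool, session ACL with src-nat plus log, the special role, and a syslog target for the 90-day retention) fit together as an AOS 8 config sketch. This is an added illustration, not config from any poster: the pool/ACL/role names and all addresses are placeholders, and the ACL line is the one from the post above with the pool defined first.

```text
! Added example (not from the thread). Placeholder names and RFC 5737 addresses.
! The NAT pool is a single address; the same address as start and end is valid.
! Return traffic for this address must be routed back to the controller, or
! clients get an IP but no connectivity (one thing to check for the symptom above).
ip nat pool journal-snat 192.0.2.50 192.0.2.50

! Session ACL: source-NAT every user flow to the pool and log the ACL hit.
ip access-list session journal-snat-acl
  user any any src-nat pool journal-snat log

! Role that ClearPass returns for members of the Azure AD group.
! Ordinary guest ACLs go first; the NAT rule sits at the end of the role.
user-role guest-journal
  access-list session journal-snat-acl

! External syslog so the ACL log entries outlive the controller's local buffer;
! add category/severity options per the CLI guide (assumed to be needed for
! the security category to reach the collector).
logging 198.51.100.20
```

Verify the hits locally with `show log security` while testing before relying on the collector.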
Original Message: Sent Sep 16, 2023 04:13 AM, From: cauliflower, Subject: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate
Original Message: Sent Sep 15, 2023 10:48 PM, From: ariyap, Subject: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate
Original Message: Sent Sep 15, 2023 01:50 PM, From: cauliflower, Subject: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate