07-19-13 Expert Day

Aruba Employee

ClearPass Guest and BlueCoat HTTP proxy (Inline mode)

Hello Experts!


Anybody know, how to integrate Clearpass guest with Blue Coat Proxy SG.

Proxy wants authorization of users. (Inline mode)

In Clearpass proxy configured as NAS device.

In BlueCoat configured Clearpass as Radius server.

If I configure browser with proxy settings - guest gets access trough proxy to Internet.

If guest don't have proxy settings - he don't have access to internet, proxy respond "not authorized".

How to configure controller, Clearpass and BlueCoat to give Internet access to guest after Self-registration ?


For Example:

Снимок экрана 2013-07-19 в 10.21.06.png





Topology of this solution:

Снимок экрана 2013-07-19 в 10.22.49.pngWhen a user authorized on the guest portal via RADIUS, Aruba Clearpass Guest server stores the information in a local Postgresql database, after which the user access policies are applied in the form of:

Снимок экрана 2013-07-19 в 10.24.25.png

Thus, all Internet traffic goes through the proxy user to the Internet and back.

The goal is to pull up the names of customers (guests) from the RADIUS server to Bluecoat Proxy SG for logging to visit the web resources, and replace on proxy clients ip addresses on customers names.


Снимок экрана 2013-07-19 в 10.25.03.png

This picture is made subject to users who did double authorization (username and password entered through guest captive portal, then once again brought to the proxy request for RADIUS authorization).

Need to make so that after authentication on the server Aruba ClearPass Guest, information about his login moved up automatically by the ip or mac address.


Thank you in advance.




Aruba Employee

Re: ClearPass Guest and BlueCoat HTTP proxy (Inline mode)

To configure controller to redirect users to proxy after authentication:


Setup Policy on Controller to Redirect Users to Proxy after Auth:

1. Configure system to place guest users into the “guest-authenticated” (or equivalent) role.

2. Customize a policy in the “guest-authenticated” role to redirect user HTTP and HTTPS traffic to transparent proxy. Sample configuration is below.

3. Customize any other policies in the “guest-authenticated” role to allow other “allowed” services for guests, i.e., VPN, Mail, etc….

Note It should be noted that not all transparent proxies can process HTTPS per the method below. For example, Squid cannot proxy HTTPS when in transparent proxy mode but BlueCoat proxies can. If the proxy cannot support this and HTTPS is required, HTTPS should be configured to “permit” instead of “dst-nat” to allow it to pass by the proxy.

Sample Proxy Redirection Policy:
Note This sample config assumes that the proxy has an IP address of and is listening for requests on port 3128.

(internal) (config)# ip access-list session guest-proxy-redirect
(internal) (config-sess-guest-proxy-redirect)# user any svc-http dst-nat ip 3128
(internal) (config-sess-guest-proxy-redirect)# user any svc-https dst-nat ip 3128
(internal) (config)# user-role guest-authenticated
(internal) (config-role)# session-acl logon-control
(internal) (config-role)# session-acl guest-proxy-redirect

To add other services to this role that bypass the proxy (for example, common VPN services):
(internal) (config)# ip access-list session guest-other-services
(internal) (config-sess-guest-proxy-redirect)# user any svc-esp permit
(internal) (config-sess-guest-proxy-redirect)# user any svc-ike permit
(internal) (config-sess-guest-proxy-redirect)# user any udp 10000 permit
(internal) (config-sess-guest-proxy-redirect)# user any udp 4500 permit
(internal) (config)# user-role guest-authenticated
(internal) (config-role)# session-acl guest-other-services

Using DHCP Option 252 to provide Proxy Settings to Guest clients

DHCP Option 252 is a method used to configure clients with the proper proxy settings without touching each and every client. This method has advantages over the above because it will work with many more protocols than HTTP. The steps below detail how the WPAD.DAT file can be hosted on the Aruba controller's Web Server (used for Captive Portal) but the process is the same for hosting the file elsewhere, just change the location in option 252.

Solution Configuration steps:

1. Configure DHCP Option 252:
The description below applies to a Microsoft DCHP server.

- First add Option 252 as a valid option (it is often not enabled)

- Click Start, point to All Programs, point to Administrative Tools, and then click DHCP
- In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.
- In Name, type WPAD
- In Code, type 252.
- In Data type, select String, and then click OK.

- In the original (left hand) window in String, type http://Computer_Name/location:Port/wpad.dat (or http://<ip-address:port/location/wpad.dat>

- In this case the Computer Name is the IP address of the Guest VLAN on the Aruba controller. The port is 8088, as the web server runs on that port, and the directory is /upload, as captive portal pages are uploaded to that directory (see following sections).

▪ Now Create DHCP Option 252 in the pool you have for Guest Wireless Clients on your Windows DHCP server.

2. Create the WPAD.DAT file, and PROXY.PAC file and upload them to Aruba’s Captive Portal.
Example WPAD.DAT

function FindProxyForURL(url, host)
if (isInNet(myIpAddress(), "", ""))
return "PROXY proxy.forwifi.com:8080";
return "DIRECT";
▪ This file will be downloaded to the guest PCs and used by them to decide whether to use a proxy. The PC examines local address, if it is in the subnet , the proxy returned is as shown, with the port that the proxy is running on. In this case if the PC is in subnet then a DNS entry in the site local DNS servers points to the proxy, which has the DNS name of ‘proxy.forwifi.com’.

▪ Upload the WPAD.DAT file. In Captive Portal, ‘maintenance’, Browse for the WPAD.DAT file, and upload it as a content page.

3. Create Aruba Controller Configuration

▪ A destination is created for later use of the Bluecoat Proxy server.
netdestination Bluecoat

▪ In addition a service of bluecoat on port 2454 is defined. This is the port the Bluecoat proxy uses.
netservice "Bluecoat-2454" tcp 2454

▪ The further defined names below refer to the Aruba IP address on the VLAN the Guests are using, and the subnet the hotspot users will be allocated DHCP addresses from.
netdestination hotspot-gw

netdestination hotspot-subnet
▪ The captiveportal policy has a few modifications from standard which are described below
ip access-list session captiveportal
user any tcp 2454 dst-nat 8088 position 1

'Note' As users will be forced to the proxy their web requests will now be sent to port 2454, rather than the usual http port 80.
This addition captures the web traffic now on port 2454 and forces it to the Aruba Captive Portal at port 8088.

user alias hotspot-gw tcp 8088 permit position 2

'Note'Users will be downloading the WPAD.DAT file direct from the Aruba Web server, thus must be allowed access on port 8088.

▪ If the proxy does not know how (or is not allow to) route back to the guest user subnet, add a src-nat rule in your post authenticated role
ip access-list session proxy-nat
user alias hotspot-gw ping src-nat
user alias hotspot-gw tcp 8088 src-nat
user alias Bluecoat "Bluecoat 2454" src-nat

user-role guest
session-acl proxy-nat



About the option to corerelate Guest user with web logging:


Amigopod can receive syslog messages from a  firewall/proxy server and this can be used to correlate information in Amigopod.  


To fetch Guest user information from Amigopod, we can also use XML API call to fetch guest user information from Guest DB to use with Bluecoat server.


Please feel free to open a TAC case for further assistance.


Search Airheads
Showing results for 
Search instead for 
Did you mean: