How to integrate IAP with CPPM to perform Captive Portal authentication
This article explains:
i) Adding the Aruba IAP as a NAD device.
ii) Integrating the Aruba Controller with CPPM to perform captive portal authentication.
iii) Configuring a service on CPPM to handle this request.
Environment: This article is written for CPPM 6.2.0 and greater.
Below are the detailed steps.
1: Adding the Aruba Controller as a NAD device on CPPM.
Navigate to Configuration > Network > Devices
Click Add Device
Add the device as shown below.
The vendor name should be set to Aruba, with CoA enabled.
Also make sure that the same RADIUS shared secret is configured on the VC.
2: Integrate Aruba IAP with CPPM to perform Captive Portal authentication.
Click on "System" and fill in the details below.
Give an IP to the Virtual Controller and enable Dynamic RADIUS Proxy. This will forward all the RADIUS packets (from any IAP in the cluster) to CPPM using the VC's IP.
Click on "Security -> Authentication Servers" and add a new RADIUS server.
Create a new SSID.
Click on "New" and give a name to the SSID.
Set the Primary Usage to Guest, as this SSID is for guest access.
On the next page, select the Client IP assignment.
It can be either VC assigned or Network assigned, based on our requirements.
On the next page:
Splash page type: must be set to "External - Radius Authentication".
Auth Server: select the CPPM from the drop-down.
Enable RADIUS accounting and set the accounting interval to 10 minutes.
IP or Hostname is the IP/hostname of the CPPM server.
URL is the URL of the guest login page from the CP Guest server.
On this page, create a new Preauth role as per the details below.
The Preauth role must have HTTP and HTTPS access to the CPPM server. The authenticated role (created by default with the SSID's name) can be customised to control access.
Click Save and Exit; this completes the configuration on the IAP.
3: Configuration of CPPM
Log in to ClearPass Guest, navigate to Home » Configuration » Authentication and enable HTTPS for guest access as below.
Navigate to Home » Configuration » Web Logins on CPG and create a new page.
The name should be exactly the same as the name provided in the IAP configuration.
We can leave the other configuration items on this page at their defaults, apart from inserting the guest self-registration link in the header or footer, and then save the page.
Click on the page and hit Test to check how the page looks.
This completes the configuration on CP Guest.
Now, we will add a Service to handle this request.
Navigate to "Configuration » Service Templates" and use the template for "Guest Access".
On the page, fill in the details as below to autofill the configuration.
Hit "Add Service" and the service is added.
We can then connect a client and check.