Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP guest clients NAT to captive portal

  • 1.  IAP guest clients NAT to captive portal

    Posted Sep 30, 2019 09:53 PM

    Hi all,


    I have a customer that has a guest network that cannot route to the captive portal hosted on ClearPass. I have tried source NATing them through the AP with no luck, the page just times out as if there is still no route. I can ping the ClearPass page from the VC as expected as they talk fine with regular 802.1X networks. Config for the pre-auth role is below:


    Enforce captive portal external TWB Clearpass
    Allow dhcp to all destinations
    Allow dns to all destinations
    Allow http on server 10.210.4.17 and change source address to Access Point's
    Allow https on server 10.210.4.17 and change source address to Access Point's
    Deny any to all destinations + log


    When I test it using a VLAN that DOES have a route to ClearPass (without the NAT) the clients successfully get redirected to the Captive Portal so I know the ClearPass config and SSL certificates are trusted.


    Client IP assignment is currently set to 'Network Assigned' because the default gateway for the Guest VLAN is on a router that has no route to the internal network (it also acts as the DNS and DHCP server). I can't use 'Virtual Controller Assigned' because the APs do not have a route to the Internet route that is being used for this solution.


    Any ideas?


    -Brett




  • 2.  RE: IAP guest clients NAT to captive portal

    MVP EXPERT
    Posted Oct 01, 2019 03:36 AM

    Is your Captive Portal profile pointing to the DNS name or the IP address? If you run a pcap on CPPM, can we confirm the packet never actually arrives at CPPM? Also take a look at 'show datapath session | include [IP ADDRESS]' to confirm the traffic is correctly being src-NATed and not denied by any ACL.



  • 3.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 06:05 AM

    For Captive Portal to work you would need to ensure that the IAP can resolve the IP the client is trying to reach. You said that the IAP doesn't have access to internet - but does it have access to the DNS server?


    On the IAP, can you ping the ClearPass server you are trying to redirect to using both the DNS name and the IP? I see you allow HTTPS, so I'm guessing you are using the DNS name.



  • 4.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 08:02 PM

    Hi John,


    Yes the IAP can resolve the captive portal.


    # ping xxxx.xxxx.xxxx (name removed)
    Press 'q' to abort.
    PING 10.210.4.17 (10.210.4.17): 56 data bytes
    64 bytes from 10.210.4.17: icmp_seq=0 ttl=57 time=19.1 ms
    64 bytes from 10.210.4.17: icmp_seq=1 ttl=57 time=19.2 ms
    64 bytes from 10.210.4.17: icmp_seq=2 ttl=57 time=19.2 ms
    64 bytes from 10.210.4.17: icmp_seq=3 ttl=57 time=18.9 ms
    64 bytes from 10.210.4.17: icmp_seq=4 ttl=57 time=18.8 ms
    
    --- 10.210.4.17 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 18.8/19.0/19.2 ms


    In the source NAT rule I have also tried to allow the hostname of the captive portal instead of the IP address. Even when I source NAT all IP traffic through the AP to the captive portal, the client cannot ping or see any ports other than TCP 8080 open on the server.


    -Brett




  • 5.  RE: IAP guest clients NAT to captive portal

    Posted Oct 01, 2019 08:21 PM

    Hi Craig,


    Captive portal uses the FQDN of the ClearPass server. 


    When I filter the datapath session table on either the client IP or the ClearPass IP, I get no results...


    show datapath session | i 172.16.0.9
    show datapath session | i 10.210.4.17


    Even when I put the guest clients into a corporate VLAN (where the captive portal flow works fine) I don't see anything in the datapath session for anything guest related. I do see a lot of traffic in the session table for non-captive-portal SSIDs.


    -Brett
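    As an added illustration of the check Craig suggests in post 2 (this is not code from the thread or from Aruba): a small parser for a 'show datapath session' listing that reports whether guest-to-ClearPass sessions are source-NATed, denied by an ACL, or simply absent, which is the symptom Brett describes. The sample table and the flag letters (S, D, F) are constructed to approximate the IAP output and are assumptions; confirm them against the legend the AP prints under the real table.

```python
import re

# Thread values (post 5): the guest client and the ClearPass captive portal.
CLIENT, PORTAL = "172.16.0.9", "10.210.4.17"

# CONSTRUCTED sample approximating an IAP 'show datapath session' table.
# Assumed flag letters: S = source NAT, D = deny, F = fast age. Check the
# legend your AP prints under the table before trusting these meanings.
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Dest TAge Pkts Bytes Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ---- ---- ---- ----- -----
172.16.0.9      10.210.4.17     6    51234 443   0/0  0    0   1   dev1 17   5    420   S
172.16.0.9      10.210.4.17     6    51235 80    0/0  0    0   1   dev1 17   1    60    D
10.20.1.5       8.8.8.8         17   40000 53    0/0  0    0   0   dev1 2    2    180   F
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_sessions(text):
    """One dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not IPV4.match(cols[0]):
            continue
        rows.append({"src": cols[0], "dst": cols[1], "proto": int(cols[2]),
                     "sport": int(cols[3]), "dport": int(cols[4]),
                     "flags": cols[-1]})
    return rows


def portal_verdict(rows, client=CLIENT, portal=PORTAL):
    """Classify client->portal sessions per destination port: no_session
    (nothing in the table, Brett's symptom), denied (ACL drop, so the
    pre-auth role is wrong), snat (source NAT applied) or plain (as-is)."""
    hits = [r for r in rows if r["src"] == client and r["dst"] == portal]
    if not hits:
        return {"verdict": "no_session", "ports": {}}
    ports = {}
    for r in hits:
        ports[r["dport"]] = ("denied" if "D" in r["flags"]
                             else "snat" if "S" in r["flags"] else "plain")
    states = set(ports.values())
    verdict = "denied" if "denied" in states else (
        "snat" if "snat" in states else "plain")
    return {"verdict": verdict, "ports": ports}
```

Run it on a pasted copy of the real command output; a "no_session" verdict for the guest client means the traffic never reached the AP's datapath, so the fault is before the role's ACL, not in the NAT rule.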



  • 6.  RE: IAP guest clients NAT to captive portal

    Posted Oct 02, 2019 07:38 AM

    Hi Brett


    Weird issue, but probably an easy fix which I wish I could give you ;)


    What happens if you connect the client to an SSID without captive portal which has "Client IP Assignment" set to "Instant AP Assigned" and "Internal VLAN"?

    Do you get an IP?

    Can you resolve, say, microsoft.com with DNS?

    Can you resolve the Clearpass DNS?



  • 7.  RE: IAP guest clients NAT to captive portal

    Posted Oct 02, 2019 10:49 PM

    Hi John,


    I'm offsite right now but I actually did exactly what you said as a test and got a private 172.x address from the IAP. I don't think I did a DNS test on the client from memory but I was correctly redirected to the Captive Portal on ClearPass, so I'm guessing there were no DNS issues. The only issue here is the IAP is on the corporate network which is not where I want the clients to route through (different Internet link), so not a permanent solution.


    We have logged a job with the ISP (who support and manage the routers in the network) to make a single host route for ClearPass, but I have no idea what the routing setup looks like for this environment, so I'm not sure if it is possible at this stage. If it is possible, it will solve all our problems.


    Even so I would rather solve this issue for future reference.


    -Brett



  • 8.  RE: IAP guest clients NAT to captive portal

    Posted Oct 25, 2020 12:10 PM

    Hi BrettV.

    I'm facing the same issue. How did you solve it?



  • 9.  RE: IAP guest clients NAT to captive portal
    Best Answer

    Posted Oct 26, 2020 07:51 PM

    Unfortunately we could never figure this one out. I convinced the customer to add a route to ClearPass from the Guest VLAN (and vice versa), and now the clients access ClearPass natively (no NAT).


    Up until that point, I had never had any issues with NAT on the IAPs or Mobility Controllers.


    -Brett