Controllerless Networks

Contributor II

IAP guest clients NAT to captive portal

Hi all,

 

I have a customer that has a guest network that cannot route to the captive portal hosted on ClearPass. I have tried source NATing them through the AP with no luck, the page just times out as if there is still no route. I can ping the ClearPass page from the VC as expected as they talk fine with regular 802.1X networks. Config for the pre-auth role is below:

 

Enforce captive portal external TWB Clearpass
Allow dhcp to all destinations
Allow dns to all destinations
Allow http on server 10.210.4.17 and change source address to Access Point's
Allow https on server 10.210.4.17 and change source address to Access Point's
Deny any to all destinations + log

 

When I test it using a VLAN that DOES have a route to ClearPass (without the NAT) the clients successfully get redirected to the Captive Portal so I know the ClearPass config and SSL certificates are trusted.

 

Client IP assignment is currently set to 'Network Assigned' because the default gateway for the Guest VLAN is on a router that has no route to the internal network (it also acts as the DNS and DHCP server). I can't use 'Virtual Controller Assigned' because the APs do not have a route to the Internet Route that is being used for this solution.

 

Any ideas?

 

-Brett
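As an added illustration (not part of the original post or of Aruba's code), the pre-auth role above can be modelled as a first-match rule list to see which rule a given guest flow hits and whether its source is rewritten. The AP address 192.0.2.10 and the destination 8.8.8.8 are constructed; 172.16.0.9 and 10.210.4.17 are the client and ClearPass addresses from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

CLEARPASS = "10.210.4.17"   # ClearPass IP from the thread
AP_ADDRESS = "192.0.2.10"   # constructed AP address used as the NAT source

@dataclass(frozen=True)
class Rule:
    proto: str               # "udp", "tcp" or "any"
    port: Optional[int]      # destination port, None = any port
    dest: Optional[str]      # destination host, None = any destination
    action: str              # "allow" or "deny"
    src_nat: bool = False    # "change source address to Access Point's"
    log: bool = False        # "+ log"

# The role from the post, top to bottom; IAP roles are evaluated first match wins.
PRE_AUTH_ROLE = [
    Rule("udp", 67, None, "allow"),                        # dhcp to all destinations
    Rule("udp", 53, None, "allow"),                        # dns to all destinations
    Rule("tcp", 80, CLEARPASS, "allow", src_nat=True),     # http to ClearPass, src-nat
    Rule("tcp", 443, CLEARPASS, "allow", src_nat=True),    # https to ClearPass, src-nat
    Rule("any", None, None, "deny", log=True),             # deny any + log
]

def evaluate(role, src_ip, dst_ip, proto, dport):
    """Return (matching rule index, action, effective source IP, logged) for a flow."""
    for idx, r in enumerate(role):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != dport:
            continue
        if r.dest is not None and ip_address(r.dest) != ip_address(dst_ip):
            continue
        effective_src = AP_ADDRESS if r.src_nat else src_ip
        return idx, r.action, effective_src, r.log
    raise ValueError("role has no terminal rule")

if __name__ == "__main__":
    flows = [
        ("172.16.0.9", CLEARPASS, "tcp", 443),   # portal redirect target
        ("172.16.0.9", CLEARPASS, "tcp", 8080),  # not permitted by this role
        ("172.16.0.9", CLEARPASS, "icmp", None), # a client-side ping
        ("172.16.0.9", "8.8.8.8", "udp", 53),    # DNS, not NATed
    ]
    for f in flows:
        print(f, "->", evaluate(PRE_AUTH_ROLE, *f))
```

Only the HTTP/HTTPS flows to 10.210.4.17 leave with the AP's address; a ping or a connection to another port from the client falls through to the logged deny, so their absence says nothing about the NATed flow itself.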

MVP Guru

Re: IAP guest clients NAT to captive portal

Is your Captive Portal profile pointing to the DNS name or the IP address? If you run a pcap on CPPM, can we confirm the packet never actually arrives at CPPM? Also take a look at 'show datapath session | include [IP ADDRESS]' to confirm the traffic is correctly being src-nat'd and not denied by any ACL.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
MVP Expert

Re: IAP guest clients NAT to captive portal

For Captive Portal to work you would need to ensure that the IAP can resolve the IP the client is trying to reach. You said that the IAP doesn't have access to internet - but does it have access to the DNS server?

 

On the IAP - can you ping the ClearPass server you are trying to redirect to using both DNS and IP? I see you allow HTTPS so I'm guessing you are using the DNS name.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Contributor II

Re: IAP guest clients NAT to captive portal

Hi John,

 

Yes the IAP can resolve the captive portal.

 

# ping xxxx.xxxx.xxxx (name removed)
Press 'q' to abort.
PING 10.210.4.17 (10.210.4.17): 56 data bytes
64 bytes from 10.210.4.17: icmp_seq=0 ttl=57 time=19.1 ms
64 bytes from 10.210.4.17: icmp_seq=1 ttl=57 time=19.2 ms
64 bytes from 10.210.4.17: icmp_seq=2 ttl=57 time=19.2 ms
64 bytes from 10.210.4.17: icmp_seq=3 ttl=57 time=18.9 ms
64 bytes from 10.210.4.17: icmp_seq=4 ttl=57 time=18.8 ms

--- 10.210.4.17 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.8/19.0/19.2 ms

 

In the source NAT rule I have also tried to allow the hostname of the captive portal instead of the IP address. Even when I source NAT all IP traffic through the AP to the captive portal, the client cannot ping the server or see any ports other than TCP 8080 open on it.

 

-Brett

Contributor II

Re: IAP guest clients NAT to captive portal

Hi Craig,

 

Captive portal uses the FQDN of the ClearPass server. 

 

When I filter on the IP address in the datapath session table for either the client or the ClearPass IP, I get no results...

 

show datapath session | i 172.16.0.9
show datapath session | i 10.210.4.17

 

Even when I put the guest clients in to a corporate VLAN (where the captive portal flow works fine) I don't see anything in the datapath session for anything guest related. I do see a lot of traffic in the session table for non-captive portal SSIDs.

 

-Brett

MVP Expert

Re: IAP guest clients NAT to captive portal

Hi Brett

 

Weird issue, but probably an easy fix which I wish I could give you ;)

 

What happens if you connect the client to an SSID without captive portal which has "Client IP Assignment" set to "Instant AP Assigned" and "Internal VLAN"?

Do you get an IP?

Can you resolve say .. microsoft.com with DNS?

Can you resolve the Clearpass DNS?


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Contributor II

Re: IAP guest clients NAT to captive portal

Hi John,

 

I'm offsite right now but I actually did exactly what you said as a test and got a private 172.x address from the IAP. I don't think I did a DNS test on the client from memory but I was correctly redirected to the Captive Portal on ClearPass, so I'm guessing there were no DNS issues. The only issue here is the IAP is on the corporate network which is not where I want the clients to route through (different Internet link), so not a permanent solution.

 

We have logged a job with the ISP (who support and manage the routers in the network) to make a single host route for ClearPass, but I have no idea what the routing setup looks like for this environment, so I'm not sure if it is possible at this stage. If it is possible, it will solve all our problems.

 

Even so I would rather solve this issue for future reference.

 

-Brett
