Accessing guest registration page on clearpass from IAP SSID on a different VLAN


I have a question regarding guest registration page on Clearpass and the ability to access it from an instant AP SSID on a different VLAN.


I’m working on setting up Clearpass, and one of the workflows that I’m working on is a use case for multiple segmented environments having the ability for a user to go to a page, enter their credentials, and then add multiple MAC addresses to a list.


There is one SSID with one PSK that multiple users would then connect devices to, and depending on which user registered a MAC address, that would determine which VLAN the device is placed on (for example, if user A registered a MAC, it would get placed on VLAN A, if user B registered a MAC, it would get placed on VLAN B, etc.).


I have that basic workflow working. I created a guest registration page that requires authentication to access. The authentication is a user account that is created in Policy Manager with the Device Registration role. I then created an authentication source that uses a SQL query to pull the sponsor name associated with a MAC address (if it exists) out of the guest user DB as an attribute that I use to match in policy rules.


The current issue I am trying to address is how we actually get users to access the guest registration page so they can log in and add devices when they are on our guest VLAN/SSID, while the Clearpass server is on our internal VLAN.


The guest registration page is present at https://<device name>/guest_register.php

I created a guest SSID on an instant AP that uses an external captive portal profile and has the redirect set to the URL above.


My issue is that when I log onto that guest SSID, I am redirected to the URL, but that resolves to the Clearpass IP, which is on our internal/private VLAN. Since I’m on the guest VLAN, I can’t reach the Clearpass server.

That brings me to my questions:


• Is it possible to have the IAP “proxy” the guest registration page from Clearpass, so that it is presented to a user on the guest VLAN?

• If not, my other thought initially was to use a firewall to NAT an external IP to the Clearpass’s internal IP on 443.

  ◦ But, thinking through that, if the URL for guest registration pages is always in the format https://<device name>/guest_register.php, that means that if I expose 443 on the Clearpass server over the Internet, anyone who goes to https://<device name> would get the login page for the Clearpass appliance. That doesn’t seem ideal.

  ◦ Related to that, is it possible in some way to have other IPs/interfaces that Clearpass listens on for the guest registration pages? That way I could have an interface in the guest VLAN and expose that, as opposed to the mgmt. interface, over the Internet.

• Is there a better/easier way to accomplish the workflow that I am trying to set up (having multiple users that can add MAC addresses to a list and then have a given device placed on a VLAN based on which user registered/added it)?
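The MAC-to-sponsor-to-VLAN workflow described in the post, modelled as an added example (this is not the poster's configuration or ClearPass's own code). It uses an in-memory SQLite table in place of the ClearPass guest database; the table name `device_registration`, the `mac`/`sponsor_name` columns, the sponsor-to-VLAN map and the sample registrations are all constructed assumptions. It shows the two pieces a policy engineer cares about: the authorization-source lookup is a parameterised query keyed on a normalised MAC (so `AA-BB-CC-DD-EE-02` and `aabbccddee02` hit the same row), and the policy fails closed, returning no VLAN for an unregistered MAC or for a sponsor with no VLAN rule rather than dropping the device into a default segment.

```python
import re
import sqlite3

# Constructed sample registrations (MAC, registering user). Deliberately in
# mixed notations, as devices and portals tend to submit them. Not real data.
REGISTRATIONS = [
    ("aa:bb:cc:dd:ee:01", "userA"),
    ("AA-BB-CC-DD-EE-02", "userB"),
    ("aabbccddee03", "userA"),
    ("aa:bb:cc:dd:ee:04", "userC"),  # registered, but no VLAN rule below
]

# Assumed policy: sponsor (the user who registered the MAC) -> VLAN id.
SPONSOR_VLAN = {"userA": 100, "userB": 200}


def normalize_mac(mac):
    """Reduce colon-, hyphen- or bare-hex MAC notation to 12 lowercase hex digits.

    Malformed input raises ValueError so a bad attribute is rejected outright
    instead of being silently compared against nothing.
    """
    m = mac.strip().lower()
    if re.fullmatch(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", m):
        return m.replace(":", "").replace("-", "")
    if re.fullmatch(r"[0-9a-f]{12}", m):
        return m
    raise ValueError(f"malformed MAC address: {mac!r}")


def build_db():
    """Create the stand-in guest DB; schema is an assumption for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE device_registration ("
        "  mac TEXT PRIMARY KEY,"          # stored normalised, so lookups are exact
        "  sponsor_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO device_registration (mac, sponsor_name) VALUES (?, ?)",
        [(normalize_mac(mac), sponsor) for mac, sponsor in REGISTRATIONS],
    )
    return conn


def lookup_sponsor(conn, mac):
    """Authorization-source step: return the sponsor for a MAC, or None.

    Parameterised query: the MAC from the request never touches the SQL text.
    """
    row = conn.execute(
        "SELECT sponsor_name FROM device_registration WHERE mac = ?",
        (normalize_mac(mac),),
    ).fetchone()
    return row[0] if row else None


def assign_vlan(conn, mac):
    """Policy step: map the sponsor attribute to a VLAN.

    Returns None (no assignment) when the MAC is unregistered or the sponsor
    has no VLAN rule; the caller should treat None as deny, not as 'default'.
    """
    sponsor = lookup_sponsor(conn, mac)
    if sponsor is None:
        return None
    return SPONSOR_VLAN.get(sponsor)


if __name__ == "__main__":
    db = build_db()
    for probe in ["AA:BB:CC:DD:EE:01", "aabbccddee02", "aa-bb-cc-dd-ee-04", "aa:bb:cc:dd:ee:ff"]:
        print(probe, "->", lookup_sponsor(db, probe), "->", assign_vlan(db, probe))
```

The same behaviour holds whatever the real backing store is: normalise the MAC once at registration and once at lookup, bind it as a query parameter, and let an absent row or an unmatched sponsor produce an explicit deny in the enforcement policy.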



Just as a reply/solution to this problem, I ended up using the SSL VPN portal/URL capability of our firewalls to do a URL rewrite and proxy requests back to the guest portal.

