Upcoming community maintenance Oct. 27th through Oct. 29th
For more info click here
Occasional Contributor I

Accessing guest registration page on clearpass from IAP SSID on a different VLAN


I have a question regarding guest registration page on Clearpass and the ability to access it from an instant AP SSID on a different VLAN.


I’m working on setting up Clearpass, and one of the workflows that I’m working on is a use case for multiple segmented environments having the ability for a user to go to a page, enter their credentials, and then add multiple MAC addresses to a list.


There is one SSID with one PSK that multiple users would then connect devices to, and depending on which user registered a MAC address, that would determine which VLAN the device is placed on (for example, if user A registered a MAC, it would get placed on VLAN A, if user B registered a MAC, it would get placed on VLAN B, etc.).


I have that basic workflow working-I created a guest registration page that requires authentication to access. The authentication is a user account that is created in policy manager with the Device Registration role. I then created an authentication source that uses a SQL query to pull the sponsor name associated with a MAC address (if it exists) out of the guest user DB as an attribute that I use to match in policy rules.


The current issue I am trying to address is how we actually get users to access the guest registration page so they can log in and add devices when they are on our guest VLAN/SSID, while the Clearpass server is on our internal VLAN.


The guest registration page is present at https://<device name>/guest_register.php

I created a guest SSID on an instant AP that uses an external captive portal profile and has the redirect set to the URL above.


My issue is that when I log onto that guest SSID, I am redirected to the URL, but that resolves to the Clearpass IP, which is on our internal/private VLAN. Since I’m on the guest VLAN, I can’t reach the Clearpass server.

That brings me to my questions:


• Is it possible to have the IAP “proxy” the guest registration page from Clearpass, so that it is presented to a user on the guest VLAN?

• If not, my other thought initially was to use a firewall to NAT an external IP to the Clearpass’s internal IP on 443.

o But…thinking through that, if the URL for guest registration pages is always in the format https://<device name>/guest_register.php, that means that if I expose 443 on the Clearpass server over the Internet, anyone that goes to https://<device name> would get the login page for the Clearpass appliance. That doesn’t seem ideal.

o Related to that, is it possible some way to have other IPs/interfaces that Clearpass listens on for the guest registration pages? That way I could have an interface in the guest VLAN and expose that as opposed to the mgmt. interface over the Internet.

• Is there a better/easier way to accomplish the workflow that I am trying to set up (having multiple users that can add MAC addresses to a list and then have a given device placed on a VLAN based on which user registered/added it)?



Occasional Contributor I

Re: Accessing guest registration page on clearpass from IAP SSID on a different VLAN

Just as a reply/solution to this problem, I ended up using the SSL VPN portal/URL capability of our firewalls to do a URL rewrite and proxy requests back to the guest portal.

Search Airheads
Showing results for 
Search instead for 
Did you mean: