Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal on WLC, AAA to clearpass guest

  • 1.  Captive Portal on WLC, AAA to clearpass guest

    Posted May 16, 2018 12:54 AM

    Hi All,


    Has anyone implemented or seen implemented keeping the captive portal on the wireless controller, and merely using clearpass guest server as an authentication source? Also still configuring guest accounts via clearpass guest?


    The idea would be to keep the potentially "insecure/attackable" portion of the process kept in a DMZ controller, and allowing clearpass to be used for other corporate (TLS, PEAP etc) AAA without also hosting the captive portal which needs to be exposed to unauthenticated guest users.


    Any caveats or concerns discovered via this approach? Is this even possible with clearpass guest?



  • 2.  RE: Captive Portal on WLC, AAA to clearpass guest

    EMPLOYEE
    Posted May 16, 2018 01:19 AM

    You could stick a ClearPass server into the DMZ. You would use the data interface on the DMZ CP for captive portal access, and the management port for internal access, i.e. CP cluster connectivity.

    If you are keeping the portal on the DMZ MC, then you would do a RADIUS auth to the internal CP.



  • 3.  RE: Captive Portal on WLC, AAA to clearpass guest

    Posted May 16, 2018 01:31 AM

    If we put the CPPM in the DMZ, can we then not utilise it in the future for corporate TLS etc. if we're being very security-conservative? It is my understanding that RADIUS binds to the data interface, which would then be shared with the guest captive portal.

    This is currently a single-box solution.

    Is the best "pure security/risk" play therefore to just have two separate boxes or clusters: one only for guests and one only for all other corporate AAA?




  • 4.  RE: Captive Portal on WLC, AAA to clearpass guest

    EMPLOYEE
    Posted May 16, 2018 02:39 AM

    You would need a CP server in the internal environment as well as the DMZ.

    Else, yes, just use the captive portal on the controller and auth against your internal CP.
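To make the "captive portal on the controller, RADIUS auth to the internal ClearPass" design from the replies above concrete, here is an added example in Python; it is not code from this thread or from HPE Aruba. It builds the RFC 2865 PAP exchange that the controller would send: the Access-Request with the obfuscated User-Password, a stand-in for the internal RADIUS server that checks the credential against a constructed guest account table (standing in for ClearPass Guest), and the Response Authenticator check the controller uses so that an Access-Accept not computed with the shared secret is rejected. The shared secret, NAS IP address, client MAC and guest accounts are all constructed values.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 4, 31

# Constructed shared secret between the DMZ controller and the internal ClearPass
SHARED_SECRET = b"example-only-shared-secret"


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed with
    the Request Authenticator.  This is obfuscation keyed on the shared
    secret, not encryption: anyone holding the secret can reverse it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; trailing padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, client_mac: str) -> bytes:
    """What the controller (NAS) sends after the guest submits the portal form."""
    authenticator = secrets.token_bytes(16)  # fresh random Request Authenticator
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_CALLING_STATION_ID, client_mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Response Authenticator against the request
    it sent; a reply built without the shared secret (or for another request) fails."""
    _, ident, req_auth, _ = parse_packet(request)
    _, resp_ident, resp_auth, _ = parse_packet(response)
    if resp_ident != ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_guest_login(username: str, password: str, guest_accounts: dict,
                         secret: bytes = SHARED_SECRET) -> bool:
    """Controller portal -> Access-Request -> internal RADIUS (simulated) -> Accept/Reject -> controller check."""
    request = build_access_request(7, secret, username, password, "192.0.2.10", "AA-BB-CC-DD-EE-FF")
    # --- internal server side (stand-in for ClearPass validating a ClearPass Guest account) ---
    _, _, req_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields[ATTR_USER_NAME].decode()
    supplied = decode_pap_password(fields[ATTR_USER_PASSWORD], secret, req_auth)
    stored = guest_accounts.get(user, "").encode()
    ok = bool(stored) and hmac.compare_digest(supplied, stored)
    response = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
    # --- back on the controller: only a correctly authenticated Accept opens the session ---
    return verify_response(response, request, secret) and parse_packet(response)[0] == ACCESS_ACCEPT
```

The point for the DMZ design is visible in the code: everything protecting the guest credential on the controller-to-ClearPass hop is the shared secret feeding an MD5 keystream, so the firewall between the DMZ and the internal network should permit only RADIUS (UDP 1812, plus 1813 if accounting is used) from the controller's own address to the ClearPass node, the secret should be long and random, and RADIUS over TLS (RadSec, RFC 6614) is preferable where both ends support it.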



  • 5.  RE: Captive Portal on WLC, AAA to clearpass guest

    EMPLOYEE
    Posted May 16, 2018 04:27 AM

    Separating the internal ClearPass servers (AAA, AD integration) and DMZ ClearPass servers (Guest, OnBoard) is where most security-conscious deployments end up.

    If you don't use the guest registration workflows, and use operators from inside the organization (from the trusted network) to create guest accounts, you can use the built-in captive portal of the controller, but probably even better is to host your captive portal on an external web server that is white-listed for the captive portal role. If you host that page on the corporate website, you even have all branding included.

    The required HTML code for the authentication post can be retrieved from the internal captive portal of your IAP or controller, or check this post to get you started.

    Having a ClearPass for guest in the DMZ allows you to do the fancy guest workflows and provide better user feedback on authentication errors like bad password, too many devices, or traffic volume exceeded.