New Contributor

Captive Portal on WLC, AAA to clearpass guest

Hi All,

 

Has anyone implemented or seen implemented keeping the captive portal on the wireless controller, and merely using the ClearPass Guest server as an authentication source? Also still configuring guest accounts via ClearPass Guest?

 

The idea would be to keep the potentially "insecure/attackable" portion of the process in a DMZ controller, and allow ClearPass to be used for other corporate (TLS, PEAP etc.) AAA without also hosting the captive portal, which needs to be exposed to unauthenticated guest users.

 

Any caveats or concerns discovered via this approach? Is this even possible with ClearPass Guest?

Frequent Contributor I

Re: Captive Portal on WLC, AAA to clearpass guest

You could stick a ClearPass server into the DMZ. You would use the Data interface on the DMZ CP for captive portal access, and the management port for internal access, i.e. CP cluster connectivity.

 

If you are keeping the portal on the DMZ MC, then you would do a RADIUS auth to the internal CP.

ACCX#1050 ACMP CWDP CWSP
New Contributor

Re: Captive Portal on WLC, AAA to clearpass guest

If we put the CPPM in the DMZ, can't we then not utilise it in the future for corporate TLS etc. if we're being very security-conservative? It is my understanding that RADIUS binds to the data interface, which would then be shared with the guest captive portal.

 

This is currently a single-box solution.

 

Is the best "pure security/risk" play therefore to just have two separate boxes or clusters - one only for guests and one only for all other corporate AAA?

 

Frequent Contributor I

Re: Captive Portal on WLC, AAA to clearpass guest

You would need a CP server in the internal environment as well as the DMZ.

Else yes, just use the captive portal on the controller and auth against your internal CP.

ACCX#1050 ACMP CWDP CWSP

Re: Captive Portal on WLC, AAA to clearpass guest

Separating the internal ClearPass servers (AAA, AD integration) and DMZ ClearPass servers (Guest, OnBoard) is where most security-conscious deployments end up.

 

If you don't use the guest registration workflows, and use operators from inside the organization (from the trusted network) to create guest accounts, you can use the built-in captive portal of the controller, but probably even better is to host your captive portal on an external web server that is white-listed for the captive portal role. If you host that page on the corporate website, you even have all the branding included.

 

The required HTML code for the authentication POST can be retrieved from the internal captive portal of your IAP or controller, or check this post to get you started.

 

Having a ClearPass for guest in the DMZ allows you to do the fancy guest workflows and provide better user feedback on authentication errors like bad password, too many devices, or traffic volume exceeded.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).