Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal with both interfaces in use

  • 1.  Captive portal with both interfaces in use

    Posted Jul 19, 2014 10:19 PM

    Hello;

     

    I'm currently preparing to implement a captive portal guest authentication with Clearpass, and I've been reading through the forums to hopefully learn from other people's problems in advance. :)

     

    One thing I've seen are several references to only using one interface on the Clearpass server. Can anyone tell me whether this is a design limitation, or is it possible to set up the captive portal with both interfaces active?

     

    Andrew



  • 2.  RE: Captive portal with both interfaces in use

    EMPLOYEE
    Posted Jul 19, 2014 11:41 PM

    From the ClearPass Policy Manager user guide

     

    cppm.JPG



  • 3.  RE: Captive portal with both interfaces in use

    Posted Jul 19, 2014 11:54 PM

    Thanks.  That is how I have it configured and working (just CPPM, not CP yet).

     

    From this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/clearpass-guest-wih-captive-portal/td-p/78254

     

    The first question asked in the first response was "Are you using only one network interface on the CPPM?"

     

    So, I guess my question is better phrased as "are there any factors I need to consider when using CP on a Clearpass appliance with 2 network interfaces vs 1"?

     

    Andrew



  • 4.  RE: Captive portal with both interfaces in use
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2014 11:34 AM

    I can only guess that was a troubleshooting step just in case the routing was inconsistent.  Please feel free to ask the user in the original thread what he meant.



  • 5.  RE: Captive portal with both interfaces in use

    Posted Jul 20, 2014 12:08 PM
    Thanks for that. I'll assume that the CP URL just needs to resolve to the data interface and carry on from there.

    Thanks

    Andrew


  • 6.  RE: Captive portal with both interfaces in use

    EMPLOYEE
    Posted Jul 20, 2014 12:08 PM

    Correct.



  • 7.  RE: Captive portal with both interfaces in use

    Posted Jul 20, 2014 12:47 PM

    OK, routing makes my life more interesting. :)

     

    The CP will be used both for traffic from an Aruba controller (residences) and for wired traffic (campus). 

     

    I'm assuming (there's that word again) that the first page load coming from the wireless side will be redirected to the CP by the controller regardless of where the default gateway and DNS are pointing, since the controller sees all.

     

    But how do I get the wired traffic on the campus to the Clearpass box?  There is a firewall and router between the client and Clearpass right now, but I do have some flexibility in the design.

     

    I've attached a quick overview.  The firewall is providing DHCP and NAT to the residences.

     

    Andrew



  • 8.  RE: Captive portal with both interfaces in use

    EMPLOYEE
    Posted Jul 20, 2014 12:57 PM

    What do you plan to be doing with the wired traffic on ClearPass?

     



  • 9.  RE: Captive portal with both interfaces in use

    Posted Jul 20, 2014 01:30 PM

    The overall goal is to allow devices to authenticate to the campus network with macauth or 802.1x, with unauthenticated users going to a terms and conditions page and then to the Internet instead.

     

    "Wired" traffic also refers to wireless traffic from a guest SSID egressed onto a specific VLAN, but that's managed by an HP controller so it's probably out of scope for this forum.

     

    Andrew