Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Captive Portal Guest Access using RAPs in bridge mode

  • 1.  ClearPass Captive Portal Guest Access using RAPs in bridge mode

    Posted Oct 26, 2017 01:56 PM

    We have multiple locations with RAPs broadcasting multiple SSIDs all in bridge mode.  We would like to set up a captive portal login for our guest SSID using ClearPass, but my understanding is that this will not work in bridge mode.

    The clients at each location are set up with an RFC1918 IP that is not routable over our internal network.

    Currently, our controllers are at our data center and only accessible from the internal network and ClearPass is in a DMZ and accessible from internet or internally.

    Is there any way to make this work without tunneling all of the client traffic to the controller at our data center?  I'm okay with the auth happening over a tunnel, but we need all of the client traffic to be bridged so it goes out the local internet connection.



  • 2.  RE: ClearPass Captive Portal Guest Access using RAPs in bridge mode

    EMPLOYEE
    Posted Oct 26, 2017 01:58 PM
    Captive portal functionality is not possible in bridge mode. Consider using IAPs at these sites.


  • 3.  RE: ClearPass Captive Portal Guest Access using RAPs in bridge mode

    Posted Oct 27, 2017 05:49 AM

    Can you expand on how I would use them as IAPs?  Does that mean instead of connecting our RAPs to our controller at our data center, we would connect to the Aruba Cloud Controller?



  • 4.  RE: ClearPass Captive Portal Guest Access using RAPs in bridge mode

    EMPLOYEE
    Posted Oct 26, 2017 02:50 PM

    Not possible in bridge mode, but it is possible if you set the VAP to split-tunnel.



  • 5.  RE: ClearPass Captive Portal Guest Access using RAPs in bridge mode

    Posted Oct 27, 2017 05:51 AM

    That is what we are currently looking at, but it's getting messy because the current client IPs are not routable over our MPLS, so we've been looking at moving the DHCP to the controller or implementing some kind of NAT.