New Contributor

ClearPass Captive Portal Guest-Contractor

Hi all,

I have a customer who would like to do a ClearPass POC.
They already have an Aruba wireless controller (standalone, version 8.5.0.4).
The design they suggested is a little bit unusual for me, so I would like your opinions and suggestions on whether this configuration is even possible or whether I should redesign it.

If a guest or contractor comes to the customer’s company and wants a wireless connection, they connect to the same SSID (open Wi-Fi). They receive an IP address from a temporary DHCP pool (example 192.168.100.0/24) and the captive portal opens (self registration).

Guests coming to the customer’s company will have to fill in a form (self registration, including the sponsor's email address) and wait until the sponsor has confirmed their request for Wi-Fi access. After login, the guest user should get a new IP address (192.168.101.0/24) and a new user role with ACLs which only allow access to the Internet.

Any contractors also need to open the captive portal but then select the “I already have an account” option at the bottom of the page. A new page then opens up and they log in with a username and password from Active Directory (special group in AD). After this is successfully authenticated, they get a new IP address (192.168.102.0/24) and a new user role with ACLs which allow access to specific VLANs (IP segments) in the local network.

I have some concerns about developing this design as per the customer's request, especially with regard to changing the IP address of the user device.

I read that this can be done via CoA bounce switch port or Terminated Session.
Has anyone configured a similar design before? How did the Client (device) react to the change in the IP addresses?

Thank you for your replies.
Regular Contributor I

Re: ClearPass Captive Portal Guest-Contractor

The danger of bouncing the wireless client is that it will not reconnect automatically (only if the option is checked in Windows).

Why not use 1 VLAN and different roles? This way you never swap the IP address during authentication, and the client is just given the correct role with an ACL.

- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
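
As an added illustration of the single-VLAN, per-role ACL approach suggested in the reply above (not part of the thread, and not Aruba or ClearPass configuration): a small Python model of first-match role ACLs that checks what each role can reach from the same client address. The role names, resolver address, internal segment 10.10.20.0/24 and probe targets are constructed assumptions; only 192.168.100.0/24 comes from the thread.

```python
import ipaddress

# Constructed values: the thread names only 192.168.100.0/24 as the client
# pool. Role names, resolver, internal segment and probes are placeholders.
CLIENT_VLAN = ipaddress.ip_network("192.168.100.0/24")
RESOLVER = "192.168.100.1/32"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
CONTRACTOR_SEGMENTS = ["10.10.20.0/24"]


def rule(action, dst, port=None):
    """One ACL entry; port=None matches any destination port."""
    return (action, ipaddress.ip_network(dst), port)


# First match wins; traffic that matches no entry is denied.
ROLES = {
    # Guest: DNS to the resolver only, no private ranges, then Internet.
    "guest": [rule("permit", RESOLVER, 53)]
    + [rule("deny", net) for net in RFC1918]
    + [rule("permit", "0.0.0.0/0")],
    # Contractor: DNS plus the listed internal segments, nothing else.
    "contractor": [rule("permit", RESOLVER, 53)]
    + [rule("permit", net) for net in CONTRACTOR_SEGMENTS],
}


def decide(role, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one flow under the given role."""
    dst = ipaddress.ip_address(dst_ip)
    for action, net, port in ROLES[role]:
        if dst in net and port in (None, dst_port):
            return action
    return "deny"


def audit(client_ip="192.168.100.57"):
    """Check both roles from the same client address (no re-addressing)."""
    if ipaddress.ip_address(client_ip) not in CLIENT_VLAN:
        raise ValueError("client is outside the shared pool")
    probes = [
        ("guest", "203.0.113.10", 443),       # Internet host
        ("guest", "10.10.20.5", 445),         # internal server
        ("guest", "192.168.100.80", 22),      # another client on the VLAN
        ("contractor", "10.10.20.5", 445),    # allowed segment
        ("contractor", "10.10.30.5", 445),    # other internal segment
    ]
    return {p: decide(*p) for p in probes}
```

Because guests and contractors share one subnet in this design, the guest role's deny for private ranges is also what blocks guest traffic to other clients on that VLAN.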