Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controller.

  • 1.  ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controller.

    Posted Feb 25, 2014 11:37 AM

     

    I'm trying to set up Guest access on an Instant AP using ClearPass Guest.

     

    The IAP has a VPN connection back to a controller, to access "corporate" resources.

    The ClearPass server is on a VLAN accessible through the VPN.

     

    I have a normal Employee SSID set up on the Instant (WPA2 personal), on which I have verified that the VPN connection is up and working. All VLANs can be accessed when on that SSID.

     

    I used the video "Captive Portal Authentication with Aruba Instant and ClearPass"

     

    I'm having trouble with some basic connectivity back through the VPN to my corporate VLANs, even if I temporarily set access rules of logon roles to "allow all".

     

    Question would be if the VPN to the controller is not usable from a Guest SSID? 

    If not, is there any alternative, other than moving the ClearPass server to a location accessible outside the "corporate" VLANs?

     

    Regards,

    Colin 

     



  • 2.  RE: ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controller.

    EMPLOYEE
    Posted Feb 25, 2014 01:47 PM

    It would depend on the guest network and how that is configured. The VPN on Instant is really meant for internal users (employees). However, if you want to make that work, perhaps use split tunneling and NAT the traffic using L3, Local mode of operation on the IAP VPN config on the guest side. However, use the routing profile to ONLY send the web guest page traffic into the tunnel but NAT everything else out of the Instant AP.

     

    This is an untested theory that may or may not work. 



  • 3.  RE: ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controller.

    Posted Feb 25, 2014 02:12 PM

    Seth,

     

    Thanks for the information and suggestions.

     

    Given that the VPN is only meant for employees, would that also suggest that it can't be used prior to authentication for any type of network (SSID)?

    I'm asking for the case of using the same setup described in my first post, except using ClearPass to perform a WPA2-AES certificate-based authentication or possibly even a full BYOD provisioning through that VPN. In either case, the VPN would need to be used for at least the authentication, similar to the guest portal issue discussed above.

     

    (I'm having the same issues with going through the VPN to the ClearPass to authenticate employees. However, I haven't fully confirmed it's not something else I'm configuring incorrectly)

     

    I've seen a lot of material on using ClearPass with Instant, but most of the time the ClearPass server is located within the local Instant network, or is publicly reachable.

     

     

    Regards,

    Colin 

     



  • 4.  RE: ClearPass Guest captive portal with Instant. ClearPass accessed through Instant VPN to controller.

    EMPLOYEE
    Posted Feb 25, 2014 02:24 PM

    Colin - 

     

    I would suggest you open a case to troubleshoot any issues with your config. In short, Instant using the VPN can work via a single SSID for authenticating users and issuing certs via ClearPass Onboard.