Clearpass Guest Authentication through a Firewall
06-21-2016 09:37 AM
I have an Aruba Controller and Clearpass install where I am unable to get Guests on the network through the Clearpass guest portal.
The Clearpass server is a VM with a single interface on the trusted network on the inside of a Fortigate firewall and is being used successfully for WPA2 Enterprise/802.1X authentication of corporate users. The controller has an interface on both the trusted network and in the Guest network DMZ, which is separated from the corporate network by the firewall.
The Clearpass Guest portal is configured to use a single guest user and the basic "I accept" button. If I hide the guest network behind a source-NAT on the controller, everything seems to work normally. When I remove the NAT and allow preauth guest clients to exist in the Guest DMZ subnet, they can get to the Clearpass portal page, but clicking the accept button does not change their role on the controller and they are simply looped back to the guest portal.
Ports 80, 443, 1812, 1813 and 3799 have been opened between the guest network and the Clearpass server, and as I mentioned, preauth clients on the Guest DMZ subnet can get to the Clearpass Portal page.
I unfortunately cannot post the configurations at this time but wanted to see if there is anything basic that I might be forgetting.
Re: Clearpass Guest Authentication through a Firewall
06-21-2016 10:26 AM
Thanks much for your post. Please make sure the Clearpass servers are allowed in the initial role on the controller. For example, if the initial role is the logon role used to get the CP page, make sure you allow the Clearpass servers, something like below:
user alias clearpass any svc-http permit
user alias clearpass any svc-https permit
Also make sure the post-auth role doesn't contain the dst-nat ACLs, as that would redirect and loop back to the captive portal page. Check the Access Tracker on the Clearpass server to see if any role is returned to the controller.
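An added example (not from this thread or from Aruba) that checks the two points above against a role/ACL extract: the initial role must permit the Clearpass servers before any dst-nat redirect rule, and the post-auth role must carry no dst-nat rule at all. The ArubaOS-style syntax shapes, the sample config and the `clearpass` alias name are assumptions.

```python
"""Lint an ArubaOS-style role/ACL extract for the reply's two pitfalls. Added example
for this thread, not Aruba tooling; the syntax and the constructed SAMPLE_CONFIG are assumed."""

SAMPLE_CONFIG = """
ip access-list session captiveportal
  user alias clearpass any svc-http permit
  user alias clearpass any svc-https permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
ip access-list session allowall
  user any any permit
user-role logon
  access-list session captiveportal
user-role guest
  access-list session allowall
user-role guest-bad
  access-list session captiveportal
  access-list session allowall
"""

def parse(config):
    acls, roles, cur = {}, {}, None  # acl name -> rule token lists; role name -> acl names
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        tok = line.split()
        if line.startswith("ip access-list session "):
            cur = acls.setdefault(tok[-1], [])
        elif line.startswith("user-role "):
            cur = roles.setdefault(tok[-1], [])
        elif cur is not None:  # rule inside an ACL, or ACL reference inside a role
            cur.append(tok[-1] if tok[:2] == ["access-list", "session"] else tok)
    return acls, roles

def role_rules(role, acls, roles):
    return [r for acl in roles.get(role, []) for r in acls.get(acl, [])]  # first-match order

def lint(config, initial_role, post_auth_role, cp_alias="clearpass"):
    """Findings for the reply's two checks; an empty list means both pass."""
    acls, roles = parse(config)
    pre, findings = role_rules(initial_role, acls, roles), []
    for svc in ("svc-http", "svc-https"):
        idx = [i for i, t in enumerate(pre) if svc in t]
        permit = [i for i in idx if pre[i][:3] == ["user", "alias", cp_alias] and pre[i][-1] == "permit"]
        nat = [i for i in idx if "dst-nat" in pre[i]]
        if not permit:
            findings.append(f"{initial_role}: no {svc} permit to alias {cp_alias}")
        elif nat and nat[0] < permit[0]:  # first match wins: redirect would swallow CPPM traffic
            findings.append(f"{initial_role}: {svc} dst-nat rule precedes the {cp_alias} permit")
    for t in role_rules(post_auth_role, acls, roles):
        if "dst-nat" in t:
            findings.append(f"{post_auth_role}: dst-nat rule loops clients back to the portal: {' '.join(t)}")
    return findings
```

`lint(SAMPLE_CONFIG, "logon", "guest")` returns no findings, while `guest-bad` (which copied the captive-portal ACL into the post-auth role) is flagged on both dst-nat rules.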