Clearpass Guest - Not working with IP of IAP
02-12-2019 11:10 PM
Previously I had a publicly signed certificate which I installed on my Clearpass server and IAP, and followed the process given in the YouTube videos by Herman on the ABC channel. Everything worked like a charm.
This time I am trying with a fresh installation of Clearpass/IAP without any certificates installed; both Clearpass and IAP are with their default certificates (I know about the securelogin cert issue). I followed the same procedure, but this time I entered the IP instead of the FQDN when creating the guest self-registration page. It never works. This is what happens:
1) My laptop (Windows 8) connects to the guest SSID
2) Gets the role of guest-redirect (for lab purposes, it's permit any), correct VLAN and IP address
3) Even though the role dictates permit any, I am not able to ping my gateway. When I opened the website for a DNS query, I am successfully redirected to the guest self-registration page, but when I try to ping the CP server, GW etc., nothing is reachable. When I explicitly permitted it in the role, such as permit icmp any, only in that case am I able to ping. I thought permit any should have catered for this. I tried this with 8.4 and downgraded to 184.108.40.206, still the same issue.
4) I register myself, get to the next screen that shows the username and password, and when I click login, I am redirected to the IAP admin page (192.168.30.28, the same IP I gave while creating the guest self-registration page)
Not sure what I am missing. Any hints? Isn't it supposed to work with IPs?
Re: Clearpass Guest - Not working with IP of IAP
02-25-2019 09:21 AM
You can't do HTTPS to a (private) IP address without certificate warnings. And I never tried to redirect based on IP address, while I expect that if you have the default self-signed certificate, and do a DNS lookup from the guest-redirect role to that address, you should be able to connect to that IP.
I would recommend using certificates, as it is not possible (as far as I'm aware) to make this work without certificates and without certificate warnings. If you are using Aruba Central, you can provision a valid certificate from there, or if you have a domain you might use Let's Encrypt to generate a 90-day trusted cert for free, for your lab, if you can't spend a few dollars on a 1-year certificate.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
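The certificate point made in the reply above, as an added example that is not part of the original thread: a sketch of the name and trust checks a TLS client applies, showing why a portal reached by IP address draws a warning even with a CA-issued certificate. The certificates and the `example.test` names are constructed; only the address 192.168.30.28 comes from the question.

```python
import ipaddress

def _dns_match(pattern, host):
    """dNSName match; a wildcard may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_warnings(cert, target):
    """Return the warnings a client would raise for https://<target>/.

    cert is a dict shaped like ssl.SSLSocket.getpeercert(). Simplification:
    issuer == subject is treated as "self-signed, not in the trust store".
    """
    warnings = []
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is only compared with iPAddress SANs, never dNSName.
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    else:
        ok = any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    if not ok:
        warnings.append("name-mismatch")
    if cert.get("issuer") == cert.get("subject"):
        warnings.append("untrusted-issuer")
    return warnings

def _name(cn):
    return ((("commonName", cn),),)

# Constructed sample certificates (not taken from any real device).
SELF_SIGNED = {"subject": _name("portal.example.test"), "issuer": _name("portal.example.test"),
               "subjectAltName": (("DNS", "portal.example.test"),)}
CA_ISSUED = {"subject": _name("guest.example.test"), "issuer": _name("Example Public CA"),
             "subjectAltName": (("DNS", "guest.example.test"), ("DNS", "*.guest.example.test"))}

if __name__ == "__main__":
    for cert, target in [(SELF_SIGNED, "192.168.30.28"), (CA_ISSUED, "192.168.30.28"),
                         (CA_ISSUED, "guest.example.test")]:
        print(target, browser_warnings(cert, target))
```

The same function can be pointed at the dict returned by `ssl.SSLSocket.getpeercert()` on a verified connection to see which names a deployed portal certificate actually covers.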