Clearpass and F5
04-03-2020 07:03 AM
I hope everyone is well.
I am working on a new project to build out a Clearpass box on our DMZ to provide external-facing services for pre-registration of guest users and instructions to get a certificate (through an external PKI provider) for authorized users. So these Clearpass boxes will be doing pre-registration for users externally (while also allowing them to activate their account when not on our network) as well as serving the captive portal for guest users on the network.
Our external DMZ is served via an F5. So we have an external DMZ and an internal DMZ. The Clearpass box management IPs are assigned on the internal DMZ network. Some example subnets for our networks, changed for security reasons:
External DMZ: 220.127.116.11/24
Internal DMZ: 18.104.22.168/24
Clearpass Box #1: 22.214.171.124
Clearpass Box #2: 126.96.36.199
Clearpass VIP: 188.8.131.52
We want the URL for the captive portal to be the same on the inside and the outside, except on the outside they get a slightly different page workflow because we want the guest registration to be just registration and not allow login. That's all fine; I got that working without issue using the F5 to forward to the proper URI.
My question is this: what is the proper way to forward Clearpass traffic for the captive portal through the F5 on the inside? The issue is, on the inside, if people try to go to wificonnect.domain.xyz, I do NOT want them hitting the homepage of the Clearpass box; I want them directed to the proper URI (our portal). I can't see a way of doing a URL redirection on Clearpass, so putting the VIP on the internal DMZ F5 seems like the right way to go. But then I don't want the F5 messing with captive portal users. I was wondering if any of you have experience with this and might be able to shine a light on how best to handle this.
Any thoughts would be appreciated.
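One way to do the internal-side redirect that the post asks about, as an added example and not code from the original poster or from Aruba/F5: an LTM iRule attached to the internal-DMZ virtual server that fronts the Clearpass VIP. It redirects only a bare request for the Clearpass home page to the portal URI and lets every other request pass through to the pool unmodified, so captive-portal redirects coming from the network (which arrive with their own path and query string) are never touched. Assumptions not taken from the post: the virtual server carries an HTTP profile and a client-ssl profile (so HTTP::host and HTTP::path are readable on HTTPS), and the portal page lives at /guest/wificonnect.php, a hypothetical path to be replaced with the real page name from Clearpass Guest.

```tcl
# Added example iRule (Tcl) for the internal-DMZ virtual server in front of
# the Clearpass VIP. Not from the original post.
# Assumptions (not stated on the page):
#   - the virtual server has an HTTP profile and a client-ssl profile,
#   - the guest portal page is /guest/wificonnect.php (hypothetical path),
#   - only a bare hit on "/" or "/index.html" should be redirected; every
#     other path (captive-portal landing URLs, /guest/*, /agent/*, ...) is
#     forwarded to the Clearpass pool members untouched.

when HTTP_REQUEST {
    # Only act on the portal hostname; anything else on this VIP is left alone.
    if { [string tolower [HTTP::host]] ne "wificonnect.domain.xyz" } {
        return
    }

    # Bare hit on the Clearpass home page: send the client to the portal URI.
    switch -- [HTTP::path] {
        "/" -
        "/index.html" {
            set target "https://[HTTP::host]/guest/wificonnect.php"
            # Preserve any query string the client sent (harmless when empty).
            if { [HTTP::query] ne "" } {
                append target "?[HTTP::query]"
            }
            HTTP::redirect $target
            return
        }
    }

    # Fall through: the request reaches the pool exactly as the client sent it,
    # which is what keeps the F5 out of the captive-portal workflow.
}
```

Two things to check when attaching this: the exact-path match is deliberate, because the captive-portal URL a client is redirected to by the controller is never the bare root, so a prefix match on "/" would break those users; and if the virtual server uses SNAT (for example automap), Clearpass sees the F5 self IP rather than the client address, so confirm whether your portal workflow relies on the real source IP before enabling it.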