Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Service scenario

  • 1.  Guest Service scenario

    Posted Oct 21, 2016 03:16 PM

    Hi,

    Let me present a Guest access scenario.

    The company is using two separate subnets for Corporate (10.x.x.x) and Guest (172.x.x.x) users. A ClearPass cluster is providing wireless 802.1X and Guest services. The Management port is configured with an IP in the Corporate subnet, while the Data port is configured with an IP in the Guest one.

    The WLAN infrastructure is pointing towards the Captive Portal page on the Guest subnet (https://10.x.x.x/<page_name>.php), and when a user connects to the Guest SSID, the CP page with self-registration is displayed. After entering and confirming the required details, the account info is displayed on the page.

    My question is what happens after clicking the "Log In" button on the login page, and how are the authentication/RADIUS packets flowing?

    My guess is that when the user (10.x.x.x) tries to log in, his request is sent to the Management port (172.x.x.x) in the form of a RADIUS request, processed by Policy Manager, and the resulting acceptance/rejection is returned to the user.

    So, the questions are: a) is that authentication flow correct, or not; b) if correct, what is the purpose of the Data port in the Guest scenario; c) how would you design this more elegantly?

    Thanks everyone in advance.

    Cheers,

    Alan



  • 2.  RE: Guest Service scenario
    Best Answer

    Posted Oct 21, 2016 03:26 PM
    My guess is that when user (10.x.x.x) tries to log in, his request is sent to Management port (172.x.x.x) in the form of RADIUS request, processed by Policy Manager, and resulting acceptance/rejection returned back to a user.
    This is correct.

    One of the use cases is to place the Data port in the DMZ to host the captive portal pages (Guest, OnGuard, Onboard); that way the guest/quarantine user is not able to reach the internal (Management port) interface of the ClearPass appliance.


  • 3.  RE: Guest Service scenario

    Posted Oct 21, 2016 03:44 PM

    Thanks Victor,

    Much appreciated. One last question: if a DMZ doesn't exist in our scenario, would removing the Data port be good, bad, or make no difference?

    I am asking this one because, whether we move the imagined CP page to https://172.x.x.x/<page_name>.php or not, there will be a need for inter-VLAN traffic (10. client to 172. port) to exist (if not on port 80, then at least on 1812/1813), right?

    Regards,

    Alan



  • 4.  RE: Guest Service scenario

    Posted Oct 21, 2016 03:49 PM
    It really comes down to preference and use case.

    But using just the ClearPass Mgmt port is not bad practice.
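The two layouts discussed in this thread (the dual-port design with the Data port in the DMZ from the best answer, and the Management-port-only design from the reply above) modelled as default-deny firewall allow-lists, as an added example that is not from the thread or from HPE Aruba. Addresses are constructed values inside the thread's 10.x/172.x ranges, the interface and controller names are assumptions, and the model relies on standard RADIUS behaviour: the Access-Request on 1812/1813 is sent by the WLAN controller (the NAS), not by the guest endpoint, so only the captive-portal HTTP/HTTPS flow originates from the guest VLAN.

```python
"""Model the thread's two ClearPass interface designs as firewall allow-lists."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses (assumptions) inside the thread's subnet ranges.
GUEST_NET = ip_network("172.16.0.0/12")    # guest users
CP_MGMT = ip_address("10.0.0.10")          # ClearPass Management port (corporate)
CP_DATA = ip_address("172.16.0.10")        # ClearPass Data port (guest / DMZ)
WLAN_NAS = ip_network("10.0.0.20/32")      # WLAN controller = the RADIUS client
RADIUS_PORTS = frozenset({1812, 1813})     # authentication / accounting
WEB_PORTS = frozenset({80, 443})           # captive portal and self-registration


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Address
    proto: str
    ports: frozenset


def allowed(policy, src, dst, proto, port):
    """Default-deny: a flow passes only if one rule matches all four fields."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in r.src and dst == r.dst and proto == r.proto and port in r.ports
               for r in policy)


# Dual-port design (best answer): guests reach only the Data port on the web
# ports; RADIUS arrives at the Management port from the NAS, so the guest VLAN
# never needs a path to the Management IP.
DUAL_PORT = (
    Rule(GUEST_NET, CP_DATA, "tcp", WEB_PORTS),
    Rule(WLAN_NAS, CP_MGMT, "udp", RADIUS_PORTS),
)

# Management-port-only design (later reply): same RADIUS rule, but the portal
# now lives on the Management IP, so the guest VLAN must be opened to it.
MGMT_ONLY = (
    Rule(GUEST_NET, CP_MGMT, "tcp", WEB_PORTS),
    Rule(WLAN_NAS, CP_MGMT, "udp", RADIUS_PORTS),
)


def guest_can_reach_mgmt(policy, guest_ip="172.16.5.7"):
    """True if any portal or RADIUS port on the Management IP is open to a guest."""
    return any(allowed(policy, guest_ip, CP_MGMT, proto, p)
               for proto, ports in (("tcp", WEB_PORTS), ("udp", RADIUS_PORTS))
               for p in ports)
```

Running the checks shows the difference the best answer describes: with the Data port in the DMZ a guest gets the portal but no route to the Management interface, while the single-port layout necessarily exposes the Management IP to the guest VLAN on 80/443.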


  • 5.  RE: Guest Service scenario



  • 6.  RE: Guest Service scenario

    Posted Oct 21, 2016 05:11 PM

    Thanks Troy, really good document; I haven't read it before.

    Regards,

    Alan