New Contributor

Help needed. Clearpass and Mobility controller

Hi Airheads,

I'm new here so don't blame me for asking stupid questions.

I would like to create a WPA2 SSID which then forwards the user to a captive portal where they should accept terms and conditions.

How should I go about configuring this using mobility controller and clearpass? Any step-by-step guide would be greatly appreciated.

Best Regards,

MVP Expert

Re: Help needed. Clearpass and Mobility controller

TLDR: do not do it, you will regret it!

Not a step by step but..

On controller, configure dot1x SSID as per usual but change its default dot1x role to a captive portal role. (If you meant to say WPA2-PSK, then you would use the initial role.)

This captive portal role will only be given after 802.1x auth and will then trigger the portal.

On Clearpass side you need 2 services.

1) basic dot1x service, might want to return the aruba-user-role attribute guest-logon (or whatever captive portal role you use)

2) basic guest user auth.

Mind you, this really seems pretty useless as you will be authenticating twice.

Are you sure you need this? Guests will bugger you non-stop because they won't trust your radius server. Internal folks will be even worse if forced to do a captive portal auth each and every time.

If you REALLY, absolutely, must do this and only after disagreeing 3 times with those forcing this upon you, make sure with step 2 to save something to the endpoint repository and use that next time in service 1 so they don't get your portal every 5 mins they've been offline.

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
New Contributor

Re: Help needed. Clearpass and Mobility controller

Thanks for replying.

I actually did mean wpa2-psk. I agree with radius for guests it would be way too much authentication.

If we are talking about wpa2-psk could you tell me how should I configure clearpass?

Honestly I'm finding clearpass to be quite confusing.

Best Regards,
Super Contributor I

Re: Help needed. Clearpass and Mobility controller

Add the controller:
- create a WPA2 SSID
- set the initial role to a User role that contains a captive portal url that redirects the User to clearpass

In Clearpass:
- create a captive portal page in guest
- in policy manager create a service that will authenticate the User when logging in to the captive portal. Use the wizards in clearpass for this

There is no big difference with an open network or psk network when using a captive portal. The User role is leading.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
New Contributor

Re: Help needed. Clearpass and Mobility controller

I'm a little bit stuck on configuring clearpass.

I have configured captive portal with mac auth. Right now I am having trouble finding how a user role or SSID is linked to a certain captive portal page.

Best Regards,

Artur

Super Contributor I

Re: Help needed. Clearpass and Mobility controller

By default the ClearPass guest wizards will reject a device that is unknown. The MC will assign the initial role (configured in the AAA profile) because of the reject. After authentication a different role will be returned.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
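
How the pieces discussed in this thread link together on the controller, as an added example that is not from any of the posters: the SSID's AAA profile sets the initial role, the role references a captive portal profile, and that profile's login page URL points at the ClearPass Guest page. It assumes ArubaOS controller CLI syntax; every profile name, the address 192.0.2.10, the hostname and the bracketed placeholders are constructed, and MAC authentication is left out.

```text
! Constructed names and placeholder values throughout; adjust to your deployment.
! Allow pre-auth clients to reach the ClearPass Guest page over HTTPS only.
netdestination cppm-guest
    host 192.0.2.10
!
ip access-list session allow-cppm-guest
    user alias cppm-guest svc-https permit
!
! ClearPass as the RADIUS server that validates the portal login.
aaa authentication-server radius "cppm"
    host 192.0.2.10
    key <shared-secret>
!
aaa server-group "cppm-sg"
    auth-server "cppm"
!
! The captive portal profile holds the URL of the ClearPass Guest page.
aaa authentication captive-portal "guest-cp"
    server-group "cppm-sg"
    login-page "https://clearpass.example.com/guest/<page-name>.php"
!
! The role references the profile: this is the role -> portal page link.
! allow-cppm-guest is listed before captiveportal so the redirect target is reachable.
user-role guest-logon
    captive-portal "guest-cp"
    access-list session allow-cppm-guest
    access-list session logon-control
    access-list session captiveportal
!
! The AAA profile makes that role the initial role for clients on the SSID.
aaa profile "guest-psk-aaa"
    initial-role "guest-logon"
!
wlan ssid-profile "guest-psk-ssid"
    essid "Guest"
    opmode wpa2-psk-aes
    wpa-passphrase <passphrase>
!
! The virtual AP ties the SSID to the AAA profile, completing SSID -> role -> page.
wlan virtual-ap "guest-psk-vap"
    aaa-profile "guest-psk-aaa"
    ssid-profile "guest-psk-ssid"
```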