Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How does captive portal authentication really work?

  • 1.  How does captive portal authentication really work?

    Posted May 27, 2014 04:15 PM

    Hi,

    I saw the topic "How does captive portal authentication really work with ClearPass Guest?", but I need to know how captive portal authentication works with the built-in configuration.

    Another question: does the controller need to have an IP address on the guest network for the captive portal to work?

     



  • 2.  RE: How does captive portal authentication really work?

    EMPLOYEE
    Posted May 27, 2014 04:21 PM

    So, first off, YES, you do need to have an IP on the guest's network.  This is because the controller will use this to proxy an http/https request from the client to present the captive portal.  Whether it is external (ClearPass) or internal on the controller, the process is similar.

     

    See this document for the overview - http://www.arubanetworks.com/vrd/GuestAccessAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

     



  • 3.  RE: How does captive portal authentication really work?
    Best Answer

    EMPLOYEE
    Posted May 27, 2014 04:31 PM

    Basically this, but crucially DNS must be working for you to get the captive portal.

     

     

    • client opens browser and does a dns lookup for whatever site.
    • response received from dns.
    • Then client opens http to site.
    • controller hijacks the http and sends an http-redirect back to client which says "site has moved to securelogin.arubanetworks.com".
    • client does a dns lookup for securelogin.arubanetworks.com
    • controller spoofs the response and gives its own address.
    • client opens http to controller and captive portal is presented.

    It's neat to see it in action if you can get a wireshark capture of the whole process.
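
The sequence in the answer above, written as a small checker that walks packet summaries from a capture and reports how far the flow got. This is an added example, not part of the original thread or Aruba's code; the event tuples, the `trace_portal_flow` name, the controller address and the sample data are all constructed assumptions.

```python
from urllib.parse import urlsplit

STAGES = ["nothing seen", "client DNS lookup", "DNS response received",
          "client HTTP request", "redirect from controller",
          "DNS lookup for portal name",
          "portal name answered with controller IP",
          "HTTP to controller (portal shown)"]

CONTROLLER_IP = "192.0.2.1"  # assumed controller address on the guest network

# Constructed packet summaries (documentation addresses), not a real capture.
SAMPLE = [
    ("dns_query", "example.com"),
    ("dns_answer", "example.com", "203.0.113.10"),
    ("http_get", "203.0.113.10"),
    ("http_redirect", "http://securelogin.arubanetworks.com/"),
    ("dns_query", "securelogin.arubanetworks.com"),
    ("dns_answer", "securelogin.arubanetworks.com", "192.0.2.1"),
    ("http_get", "192.0.2.1"),
]

def trace_portal_flow(events, controller_ip=CONTROLLER_IP):
    """Return (stage_number, stage_name) for the last step the trace reached."""
    stage, site_ip, portal_host = 0, None, None
    for kind, *args in events:
        if kind == "dns_query":
            if stage == 0:
                stage = 1
            elif stage == 4 and args[0] == portal_host:
                stage = 5
        elif kind == "dns_answer":
            if stage == 1:
                site_ip, stage = args[1], 2
            elif stage == 5 and args[0] == portal_host and args[1] == controller_ip:
                stage = 6  # the answer for the portal name is the controller itself
        elif kind == "http_get":
            if stage == 2 and args[0] == site_ip:
                stage = 3
            elif stage == 6 and args[0] == controller_ip:
                stage = 7
        elif kind == "http_redirect" and stage == 3:
            portal_host = urlsplit(args[0]).hostname  # name from the redirect target
            stage = 4
    return stage, STAGES[stage]

if __name__ == "__main__":
    print(trace_portal_flow(SAMPLE))      # complete flow
    print(trace_portal_flow(SAMPLE[:1]))  # DNS never answers: no HTTP, no portal
```

A trace that stops at stage 1 is the "DNS must be working" case: without the first DNS response the client never opens the HTTP connection that the controller redirects.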