So..
I got this working on my lab.
Now - in my setup there is no firewall between the IAP and the ClearPass so all traffic is allowed between them.
You will need to open traffic on ports TCP 80/443, UDP 1812/1813 and UDP 3799 (for CoA).
I'm running software 6.2.0.0-
I'll just run through the highlights..
On the IAP:
Settings / General /
- Add your VC IP (not the same IP as your IAP has - this is the virtual one.. :))
- Dynamic Radius Proxy = Enabled, this you enable to make sure the RADIUS messages are sent using the VC IP regardless of which IAP in the VC-cluster sends the RADIUS message..
New Network (or edit existing)
1. WLAN Settings
- Name: instaguest (whatever..)
- Primary usage: Guest
2. VLAN
IP assignment: VC assigned (at least in my scenario)
3. Security (what I don't mention leave at default value)
- Splash page type: External - RADIUS server
- Auth server 1: Click NEW or Edit. Make sure the IP address and shared secrets are correct. Might want to Enable RFC3576 for CoA.
- Accounting: Enable (if you need accounting info)
- IP or Hostname: "insert ip of CPPM/CPGUEST"
- URL: /landing.php/register.php (or whatever your registration page is)
- Redirect URL: http://www.google.com (or your homepage or just leave empty)
4. Access
When testing just select Unrestricted at first.
Once you got it running, adjust the role and access rules as you want.
On CPPM
Create the IAP as a RADIUS device using the VC IP and shared secret as previously entered
- Configuration/Network/Device - Add device..
Now - this next part I'm not able to get as I want. Mobility Controllers send their IP address in the URL as "switchip". This way you can have multiple Controllers using the same login/self-registration by checking the "The controller will send it's IP to submit credentials". This basically redirects the client back to the NAS device to try to login with the credentials supplied.
The IAP however sends "securelogin.arubanetworks.com" with HTTPS using the built-in SSL certificate. That might be ok, but it's just different. My iPad didn't complain tho - so it might be ok..
On CP Guest
Edit or create a new login/self-registration
NAS login section
- Check "Enable Guest login to NAS"
- IP Address: securelogin.arubanetworks.com
- Secure Login: Vendor default
And .. That should be it..