Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

  • 1.  Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 02:31 AM

    I am working on a POC of a solution that will provide WiFi coverage by deploying Aruba Instant access points (IAP) in 100 plus sites. On each site, Internet will be provided by 4G Modem Dongles connected to the USB port of an Access Point. All IAPs will be managed by Aruba Central and Guest Wi-Fi services will be provided by ClearPass Guest.

     

    Network Diagram

     

    Figure-1.png

    User Connectivity Flow

     

    1. User connects to Visitor SSID.
    2. SSID will automatically redirect to ClearPass Captive Portal Page.
    3. User has to click on “Please click here to Register yourself” to submit user information.
    4. User will then submit a form.
    5. User will then be redirected to demo.feag-games.com.

    For the POC demonstration we don’t have public IP addresses, so we are working on the following workaround.

     

    Figure-2.png

     

    But in this scenario we are facing an issue: when a user connects to the SSID, it only assigns the user an IP address and does not redirect the user to the ClearPass captive portal for authentication. As a result, the user remains in the Pre-authentication role.

     

    If we remove the 4G Dongle then everything works fine.

     

    Figure-3.png

    I have also attached the user connectivity flow document.




  • 2.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    MVP EXPERT
    Posted Apr 24, 2018 02:34 AM
    When the client is facing the issue, are they able to perform a nslookup and receive a response from a working DNS server? The Captive Portal re-direct will not work if there is no valid DNS server.


  • 3.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 03:41 AM

    Hi 

     

    Yes, the user is getting a response from the 4G Modem DNS server.

    nslookup.png



  • 4.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    MVP EXPERT
    Posted Apr 24, 2018 04:16 AM
    Do you see this in the datapath? What do you have configured in your initial role?


  • 5.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 04:26 AM

    Below is the configuration of Preauthentication role.

    192.168.1.251 is CPPM IP address on LAN.

    pre-auth.png



  • 6.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 04:28 AM

    Below is the configuration of Preauthentication role.

    192.168.1.251 is CPPM IP address on LAN.

    pre-auth.png



  • 7.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    MVP EXPERT
    Posted Apr 24, 2018 04:39 AM

    Hi, in your nslookup screenshot it does not show if the client is able to successfully perform a nslookup whilst in your initial role.


    Do you see the user traffic arriving at the CPPM when the issue is occurring? You can run a packet capture under Server Configuration to confirm this.



  • 8.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 04:49 AM

    This is the detailed answer to your question regarding DNS.

    nslookup2.png

    nslookup3.png



  • 9.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    MVP EXPERT
    Posted Apr 24, 2018 04:57 AM

    Hi, in the latest screenshots DNS does not appear to be working. Can you set the client to use a public DNS such as 8.8.8.8 and test again? 



  • 10.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 05:02 AM

    To be on the same page, below is the network diagram of the setup.

     

    Figure-2.png



  • 11.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 05:15 AM

    Below is the result after changing DNS to 8.8.8.8.

    nslookup4.png

     



  • 12.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    EMPLOYEE
    Posted Apr 24, 2018 06:05 AM

    Can the wireless client browse to the IP address of the ClearPass server using http or https?

     

    EDIT:

     

    Your POC design needs to allow the client to be able to browse to the IP address of ClearPass and bring up the page via https://<ip address of clearpass>/guest/blahblah, before DNS even comes into play.

     

    Ultimately, to make this solution work with 100 sites, you might have to consider having ClearPass on the public internet so that it would be reachable by 100 sites that only have connectivity via a 4G dongle.



  • 13.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 06:21 AM

    No, it cannot browse to the ClearPass IP in the initial role.

     

    Yes, you are right, but for POC purposes, would it be possible for this POC to work without public IP addresses?

    I am working on this setup.

    Figure-2.png

    When I use the setup below, everything works fine.

    Figure-3.png

    For reference, the AP IP address configuration is mentioned below.

     

    jazz-1.png



  • 14.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    EMPLOYEE
    Posted Apr 24, 2018 06:37 AM

    Can you SSH into the access point and ping the ClearPass server? Your POC design is complicated by having a dual-connected access point.



  • 15.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    Posted Apr 24, 2018 06:43 AM

    Yes, CPPM is pingable from the IAP.

     

    jazz2.png



  • 16.  RE: Unable to redirect users to ClearPass Captive Portal when using 4G Dongle as Uplink

    EMPLOYEE
    Posted Apr 24, 2018 06:51 AM

    You should attempt to browse to the ClearPass server from the wireless client (https://<ip address of clearpass server>) and type "show datapath session" on the IAP to see what happens to the client traffic.

     

    Ultimately, you should work with a ClearPass Partner on your POC design to come up with something scalable that meets your requirements. It is difficult to help someone troubleshoot a problematic design.
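
The two client-side checks the replies above ask for (can the client reach the ClearPass IP over HTTPS, and does a direct query to a DNS server get an answer while in the initial role), as an added example that is not part of the original thread. The function names are hypothetical; 192.168.1.251 and 8.8.8.8 are the addresses quoted in the thread, and `example.com` is a constructed lookup name.

```python
import random
import socket
import struct

CPPM_IP = "192.168.1.251"  # ClearPass address on the LAN, as given in the thread
DNS_SERVER = "8.8.8.8"     # public resolver suggested in the thread

def tcp_reachable(host, port=443, timeout=3.0):
    """True if a TCP handshake to host:port completes (portal is routable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def dns_answers(server, name, port=53, timeout=3.0):
    """Send one A query directly to `server`; True on NOERROR with an answer."""
    qid = random.getrandbits(16)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    query = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
        except OSError:
            return False
    if len(reply) < 12:
        return False
    rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    is_response = bool(flags & 0x8000)
    return rid == qid and is_response and (flags & 0x000F) == 0 and ancount > 0

def diagnose(portal_ok, dns_ok):
    """Order the findings the way the thread does: portal reachability first."""
    if not portal_ok:
        return "portal-unreachable"   # the redirect target cannot load
    if not dns_ok:
        return "dns-blocked"          # no name resolution, so no request to redirect
    return "prerequisites-ok"

def check(portal_ip=CPPM_IP, dns_server=DNS_SERVER, name="example.com"):
    return diagnose(tcp_reachable(portal_ip), dns_answers(dns_server, name))

if __name__ == "__main__":
    print(check())
```

Run it from a wireless client while it is still in the initial role; a `portal-unreachable` result corresponds to the state reported in post 13.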