Hi,
Just want to start off by saying that I am definitely not an expert when it comes to the Controller or CPPM. This is all based on my experience and what I have done to get things going. There could be mistakes and other errors, so please test your configuration and read up on anything that isn't clear! Most of what I know I have learned from these forums and through a ton of trial and error.
1. After initial controller config we will in phase 2 implement ClearPass for guest mgmt.
2. How will ClearPass connect to the controller?
I am assuming you already have the controller configured and running, and that you are familiar with the general settings for the SSIDs.
On your Controller you need to configure a Server Group, a RADIUS Server, and an RFC 3576 Server.
1)
This can be done under Security > Authentication > Servers
Create your RADIUS Server, and RFC 3576 Server first, then follow it up by creating your Server Group.
2)
Once you create your Server Group you will need to add the RADIUS Server you created to the Servers list.
In the new settings for the server you created, hit New and select the RADIUS Server from the drop-down list.
Please note: when you configure your RADIUS Server you need to provide the values for 'Host', 'NAS ID', and 'NAS IP':
- Host - The IP of your CPPM
- NAS ID - The ID of your Controller
- NAS IP - The IP of your Controller
- You are asked to create passwords for the RADIUS Server. Make sure you write this down; you will need it later.
3)
Next, create your secure SSID.
On the AAA Profile there are options for the 802.1X Authentication Server Group and the RFC 3576 server. Make sure that for these two options you select the appropriate items created in the part above.
That pretty much covers getting your Controller to talk to the CPPM. You have to make sure that your Controller can talk to the CPPM (ping) before proceeding. Now you need to set up the CPPM to receive the information.
4)
Once you have your Controller set up, head over to your CPPM.
CPPM > Configuration > Network > Devices
Once there select Add Device
Fill in the relevant information from the steps above and hit Add
Your CPPM should now be all set up to receive information from your Controller.
When you attempt to connect to your new SSID all the requests received on the Controller should be forwarded to the CPPM for evaluation.
The SSIDs can be either unencrypted (for guests) or encrypted (production). I found it easier to test with a secure SSID first, then work my way back to setting up the Guest SSID.
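The controller-side objects from parts 1 to 3 above, written out as an ArubaOS CLI configuration instead of the GUI clicks. This is an added example and not part of the original post; the IP addresses, object names and the shared secret are assumed placeholders (lines starting with ! are explanatory comments), and the secret must match what you enter for the device on CPPM.

```text
! Added example: CLI equivalent of parts 1-3. Addresses, names and the
! secret are placeholders; replace them with your own values.

! 1) RADIUS server entry pointing at CPPM.
!    Host = the CPPM IP, NAS ID / NAS IP = this controller.
aaa authentication-server radius "cppm-radius"
   host 10.10.10.5
   key REPLACE_WITH_SHARED_SECRET
   nas-identifier "controller-01"
   nas-ip 10.10.10.1
!
! RFC 3576 (CoA / disconnect) server, keyed by the CPPM IP, so CPPM can
! change a user's role or bounce a session after it has authenticated.
aaa rfc-3576-server "10.10.10.5"
   key REPLACE_WITH_SHARED_SECRET
!
! 2) Server Group containing the RADIUS server created above.
aaa server-group "cppm-group"
   auth-server "cppm-radius"
!
! 3) AAA profile for the secure (WPA2-Enterprise) SSID: both the 802.1X
!    Authentication Server Group and the RFC 3576 server point at CPPM.
aaa authentication dot1x "corp-dot1x"
!
aaa profile "corp-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "cppm-group"
   rfc-3576-server "10.10.10.5"
!
```

Once this is in place and the controller can ping CPPM, a test request with `aaa test-server pap cppm-radius <user> <password>` from the controller CLI is a quick way to confirm the shared secret and the Device entry on CPPM agree before touching the SSID.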
3. Should the guest network be configured first on the controller, or directly on ClearPass?
A pretty common way of setting up the Guest network is to leave it unencrypted and put a Captive Portal on it. This forces users connecting to the Guest SSID to a default page where you can provide them with more details as to what to do next.
Your Guest SSID could have its own VLAN so that it is separate from your production network.
When you configure the AAA Profile for your Guest SSID, under the option Initial Role set this to a User Role that has restricted access. I believe there should be an example of this called guest-logon. Take a look at this User Role to get an idea of what the Initial Role for your Guest SSID could look like. It basically gives the users DHCP and DNS access, HTTP access to the CPPM and a few other things.
What this will do is put anyone connecting to the Guest SSID immediately into the User Role guest-logon.
This is how we get users connecting to the Guest SSID to hit our Captive Portal.
To configure your Captive Portal you must first create a Captive Portal on the CPPM. I won't go into a lot of detail with this because this post will be bigger than it already is.
- Go to ClearPass Guest > Configuration > Guest Self-Registration
- Create your registration page and test it.
- Copy the URL for the Guest Self-Registration page
- Back on your Controller create a new Captive Portal Profile. Controller > Configuration > All Profiles > Wireless LAN > Captive Portal Authentication Profile.
When you configure the Captive Portal profile you will see a parameter for Login Page, and this is where you paste the URL copied in Step 3. This will be the Captive Portal page that users see once they connect to the Guest SSID and attempt to browse the web.
Now that you have configured your Captive Portal profile you need to have your User Role guest-logon use it.
- Log into your controller
- Configuration > SECURITY > Access Control
- Edit guest-logon (or whatever User Role you are using for the Initial Role)
- Scroll down to the option Captive Portal Profile
- Select your Captive Portal Profile from the drop-down list and hit Change
- Then scroll down and hit Apply
This will get you set up so that your Guest SSID will redirect users to your Captive Portal page as soon as they attempt to browse to any website after connecting to your Guest SSID.
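The Guest SSID pieces from this section (captive portal profile with its Login Page, the restricted guest-logon initial role using that profile, the Guest AAA profile and a separate guest VLAN on the virtual AP) as an ArubaOS CLI configuration. Added example, not from the original post; the self-registration URL, object names, VLAN number and the CPPM address are assumed placeholders, and the server group is assumed to already exist.

```text
! Added example: CLI view of the Guest SSID captive portal setup.
! The URL, names, VLAN and CPPM address are placeholders.

! Captive Portal profile. login-page is the URL copied from
! ClearPass Guest > Configuration > Guest Self-Registration.
aaa authentication captive-portal "guest-cp"
   login-page "https://cppm.example.com/guest/guest_register.php"
   server-group "cppm-group"
   default-role "guest"
!
! Restricted Initial Role: logon-control permits DHCP/DNS, the
! captiveportal ACL sends HTTP/HTTPS to the portal, everything else
! is blocked until the user has registered and been authenticated.
user-role "guest-logon"
   captive-portal "guest-cp"
   access-list session "logon-control"
   access-list session "captiveportal"
!
! AAA profile for the Guest SSID: everyone lands in guest-logon first,
! and CPPM can move them to another role via RFC 3576 afterwards.
aaa profile "guest-aaa"
   initial-role "guest-logon"
   rfc-3576-server "10.10.10.5"
!
! Open (unencrypted) SSID on its own VLAN, separate from production.
wlan ssid-profile "guest-ssid"
   essid "Guest"
   opmode opensystem
!
wlan virtual-ap "guest-vap"
   ssid-profile "guest-ssid"
   aaa-profile "guest-aaa"
   vlan 900
!
```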
4. After this we need to integrate ClearPass with AD? How can this be done?
We are not using AD so I cannot comment too much on this. I did just do a test with an AD by adding it as an Authentication Source.
That is about the extent of my experience with AD.
- Log into the CPPM
- Configuration > Authentication > Sources
- Hit Add Authentication Source
- Select Type: Active Directory
- Fill out the necessary information
- Hit Save
More than likely your setup to use your AD would look something like this...
- You have a secure SSID setup to use WPA2-Enterprise
- It will send its requests back to the CPPM
- You will have a Service that will be setup to use your AD as an Authentication Source
- Your Service will evaluate your users and apply rules based on your requirements.
As mentioned previously, be sure to get a handle on the Services and how the other components (Authentication Methods and Sources, Endpoints, Enforcement Policies and Profiles) come together to form your Service. If you can get a good handle on this then the CPPM becomes easier to understand.
If you can get through the initial configuration, start by just doing small tests to see how your services react.
If you look in your Event Viewer and see the Service Name column empty, it means that there are no Services configured that meet the criteria of the user request.
Hope this helps. I tried to address your questions as directly as possible. If anything isn't clear I'll try my best to clarify.
Cheers