Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive portal

  • 1.  Captive portal

    EMPLOYEE
    Posted Nov 01, 2018 12:36 PM

    Hi Team,

     

    A customer is seeking to segment their guest traffic tunneled to DMZ instead of using the central ClearPass for authentication and captive portal. There is a choice of using just the controllers in the DMZ to enable this feature.

     

    I was looking for some document which talks about the difference or advantages of using a dedicated ClearPass instead of hosting the captive portal on the controllers. That way the customer can choose to go for another ClearPass or settle for controllers. 

     

    Many thanks in advance!!



  • 2.  RE: Captive portal

    EMPLOYEE
    Posted Nov 01, 2018 03:40 PM

    Hi,

     

    The captive portal in the controllers is limited, as is the amount of guest accounts.

    I would advise using ClearPass (best practice: a separate one in the DMZ). With ClearPass the captive portal has many features and different looks. Also, the type of guest account can be different and has more options on ClearPass.

    You can use MultiZone if you are running ArubaOS to set up the guest part with controllers in the DMZ.

     

    Not really a document, but some differences.

     

     



  • 3.  RE: Captive portal

    EMPLOYEE
    Posted Nov 02, 2018 08:36 AM

    Thanks Frank, we had planned to use Multizoning for guests in DMZ but the customer wants the guests to be completely separated including their authentications as well. Thanks for the support...



  • 4.  RE: Captive portal

    EMPLOYEE
    Posted Nov 02, 2018 01:38 PM
    Hi

    With MultiZone you need a separate ClearPass for guests in the DMZ. So that will work for this case.



  • 5.  RE: Captive portal
    Best Answer

    EMPLOYEE
    Posted Nov 02, 2018 02:11 PM

    @manish.modi wrote:

    Thanks Frank, we had planned to use Multizoning for guests in DMZ but the customer wants the guests to be completely separated including their authentications as well. Thanks for the support...


    Whether or not you use ClearPass in the DMZ will be determined by the feature set of guest authentication that is needed. If all of your guests will simply be clicking on "Accept", the Controller Internal Guest page will suffice, since you can import HTML and make it look any way that you want. If you want guests to be able to automatically request and create accounts, that will require ClearPass in the DMZ. If your guests were to be managed via the same ClearPass instance as your internal network, guests are stored in a different database than employees, and authentication can easily be differentiated via NAS-IP address or a number of other RADIUS attributes. I suggest you speak to your ClearPass Specialist to understand your full options about deploying guest traffic in your DMZ.