This is a broader networking concept question, but I am just not quite getting it.
We recently implemented ClearPass for guest access. ClearPass server is at 172.21.1.35 internally. We have a LAN guest network at 192.168.1.0/24 (with a Palo Alto as the default gateway doing DHCP) and a wireless guest network (local to the controller and not routed) at 192.168.10.1/24 for which the controller does DHCP.
Guest connects to network, gets 192.168.10.X address and is assigned to clearpass_logon role. In order for them to hit the captive portal at 172.21.1.35 we have to NAT 172.21.1.10 (the controller's path to the internal network) to itself, but I am not clear why.
I have to document the connectivity, and I see how it works but not why. I am really hung up on why we have to NAT 172.21.1.10 to itself in order to hit the captive portal.