Wireless Access

Hi All,

We have Aruba Instant and Clearpass. I would like to know if the following scenario is possible:

1. User is authenticated via EAP-TLS

2. On a successful authentication, users are redirected to a captive portal.

3. Users enter the AD credential to complete the authentication process.

Any response will be appreciated.

Thanks

Nathan

Yes.  The defaut 802.1x role on the controller would have to be some sort of logon role so that successful 802,1x authentication leads to a captive portal when the user opens a browser.  It can be clumsy from a user experience perspective, but it can be done.

Hi Joseph,

Thanks for that.  Actually this is for particular users, normal users would use TLS.

Do I need to create another service within Clearpass for captive portal authentication? And it should be above the TLS service?

I think he wants to do Captive Portal (PAP - not EAP-PEAP), after EAP-TLS.

Again, the scenario of Captive Portal after EAP-TLS  is possible, but presents a bad user experience.  To authenticate captive portal, you would need a separate service that only authenticates via PAP.

Thanks. One more question, how can I set the service rule to match the captive portal authentication? Based on Application name?

Typically you would filter by ESSID, but in this case the SSID is the same, so you cannot.  You would have to combine it all into one sevice by adding PAP as an authentication method. Once again, I do not advise layering Captive Portal on top of encryption, because it is clumsy and becomes more difficult to troubleshoot in the end.

Thanks for the advise. I will try that.

This is a special need from the customer, the SSID is for non-employee however needs access to the internal network.