Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest - no routing to clearpass from guest network

  • 1.  Clearpass Guest - no routing to clearpass from guest network

    Posted Mar 20, 2024 02:45 PM
    Hi guys,
    we are implementing a ClearPass solution for a customer with two virtual controllers.
     
    Below is the configuration:
    2x Virtual Mobility Conductor with IP on VLAN 900
    2x Virtual Mobility Conductor with 2 eth: the first in trunk mode connected to the core switch behind a Checkpoint firewall (native VLAN 900 for mgmt + other customer VLANs), the second in access mode directly connected to an isolated WatchGuard firewall (guest network). The two controllers have an IP/VIP on VLAN 900 and one IP each on the guest network.
    2x ClearPass VM with IP/VIP on VLAN 900
     
    The solution involves configuring 3 SSIDs:
    - CORPORATE: WPA3-Enterprise (EAP-TLS); different roles/VLANs are enforced based on the type of authentication (machine, user, machine+user) and the group the user belongs to in AD --> OK
    - BYOD: WPA3-SAE and captive portal with MAC caching; the user authenticates with AD credentials and is assigned a role based on the group they belong to --> OK
    - GUEST: Enhanced Open and captive portal with MAC caching; self-registration is used to create guest users.
     
    I have a problem with the Guest SSID: since the guest network is behind a different firewall there is no routing towards the customer network; consequently it is not possible to reach the CPPM and therefore to redirect to the captive portal (clearpass.domain.com). The customer doesn't want to configure any port forwarding on the Checkpoint firewalls to make ClearPass reachable from the outside, even if limited to the public IP of the connectivity attached to the WatchGuard firewall.
    Is there any solution for this type of implementation?


  • 2.  RE: Clearpass Guest - no routing to clearpass from guest network

    MVP GURU
    Posted Mar 20, 2024 05:25 PM

    Would you be able to have the web traffic from the client to ClearPass go through a proxy? If not, you would have to do the captive portal via the local controller portal.



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271 | ACMX 509 | ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Clearpass Guest - no routing to clearpass from guest network

    Posted Mar 21, 2024 03:29 AM

    Hello,

    This can be a case where using the second interface on ClearPass can help.

    Put the CPPM data interface in the same DMZ as the guests and adjust the CPPM routing accordingly (all management & AD traffic via the mgmt interface),
    and also add an ACL on CPPM to prevent guests from accessing the ClearPass management web UI.

    Kind regards

    Christian Chautems

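    The dual-homed design described above (data interface in the guest DMZ, management and AD traffic out the mgmt interface, an ACL so guests cannot reach the management web UI) can be verified from the guest side once it is built. The script below is an added example for this thread, not ClearPass's own configuration and not code posted by any of the participants. The addresses (data IP, mgmt IP, a domain controller) are assumed placeholders; only the portal FQDN comes from the thread. It checks that clearpass.domain.com resolves to the data-interface address from the guest network (split DNS is required for the redirect to work), that the captive-portal ports answer there, and that neither the management interface nor an internal AD host is reachable from a guest client, which is the multihoming "bridge" concern raised later in the thread. ClearPass applies the access restriction in its own admin interface; this script only observes the result from a client.

```python
"""Guest-side acceptance test for a dual-homed ClearPass (CPPM) in a guest DMZ.

Run from a laptop on the GUEST network. Every address below except the
portal FQDN is an assumed placeholder for this example; replace with real
values before use.
"""
import socket
from dataclasses import dataclass

PORTAL_FQDN = "clearpass.domain.com"  # captive-portal name from the thread
DATA_IP = "192.0.2.10"                # assumed: CPPM data interface, guest DMZ
MGMT_IP = "10.90.0.10"                # assumed: CPPM mgmt interface, VLAN 900
DC_IP = "10.90.0.20"                  # assumed: an internal AD domain controller


@dataclass(frozen=True)
class Check:
    name: str
    host: str
    port: int
    expect_open: bool  # True = must be reachable, False = must be blocked


# The design expressed as a reachability matrix. Anything marked False that
# turns out to be open means the ACL or the routing is wrong.
CHECKS = [
    Check("captive portal HTTPS via data interface", DATA_IP, 443, True),
    Check("captive portal HTTP redirect via data interface", DATA_IP, 80, True),
    Check("admin UI on mgmt interface must be unreachable", MGMT_IP, 443, False),
    Check("SSH on mgmt interface must be unreachable", MGMT_IP, 22, False),
    Check("no bridging: AD LDAP from guest must fail", DC_IP, 389, False),
    Check("no bridging: AD Kerberos from guest must fail", DC_IP, 88, False),
]


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def portal_resolves_to_data_ip(fqdn=PORTAL_FQDN, data_ip=DATA_IP):
    """Guest DNS must hand out only the data-interface address for the portal.
    If it returns the VLAN 900 address, the redirect lands on an unroutable IP."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    return {info[4][0] for info in infos} == {data_ip}


def evaluate(checks, observed):
    """Compare observed reachability {(host, port): bool} against the matrix.
    Returns a list of human-readable failures; an empty list means the
    segmentation behaves as designed."""
    failures = []
    for c in checks:
        got = observed.get((c.host, c.port))
        if got is None:
            failures.append(f"{c.name}: not probed")
        elif got != c.expect_open:
            state = "open" if got else "closed"
            failures.append(f"{c.name}: {c.host}:{c.port} is {state}")
    return failures


def run(checks=CHECKS):
    """Probe every entry in the matrix and return the failures."""
    observed = {(c.host, c.port): tcp_open(c.host, c.port) for c in checks}
    return evaluate(checks, observed)


if __name__ == "__main__":
    if not portal_resolves_to_data_ip():
        print(f"FAIL: {PORTAL_FQDN} does not resolve only to {DATA_IP} from here")
    for line in run():
        print("FAIL:", line)
```

    A clean run prints nothing. The matrix deliberately treats "management interface reachable from the guest DMZ" and "domain controller reachable from the guest DMZ" as failures, so the same script catches both a missing ACL on CPPM and a routing or firewall slip that lets the guest segment ride through the dual-homed server.
    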



  • 4.  RE: Clearpass Guest - no routing to clearpass from guest network

    Posted Mar 21, 2024 04:23 AM

    Yet another option to work around the routing problem is to implement a second ClearPass cluster just for guest registration. Obviously this will require quite a lot of work, new servers and also separate licenses.

    But in a situation where the customer doesn't like the idea of routing guest traffic to the segment where you have the current ClearPass servers, it's also quite possible they don't like the idea of a secondary interface on the ClearPass servers, which would make a multihomed server a potential bridge between the separate networks.

    If the separate guest ClearPass servers are placed in a DMZ without any connection to the internal network you can't do sponsor lookup, for example, but everything not dependent on Active Directory or other internal sources will work normally.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------