Best Practices
• Use the Port Bounce VSA in a CoA message, rather than a Disconnect message, to trigger the second
RADIUS authentication during the Captive Portal exchange. This is the more reliable way to force the client
to re-DHCP.
• Configure Captive Portal such that the first ACCESS_ACCEPT returns a rate limit VSA to reduce the risk of DoS
attacks. This configuration enables rate limiting for the HTTP/HTTPS ACL for traffic sent to CPPM.
• Do not use the keyword cpy in any other NAS-Filter-Rules. The keyword cpy in the enforcement profile
attributes is specific to CPPM use. It is only supported with the deny attribute. If you configure the cpy
keyword to permit, no ACL will be applied.
Limitations
• Captive Portal will not work with RADIUS configured on a loopback port or on the Out-of-Band Management
(OOBM) port.
• Captive Portal is supported in CPPM versions 6.5.5 and later. Earlier 6.5.x versions can be used only if the
RADIUS dictionary files are modified manually.
• Captive Portal does not support v1 modules, and will not work unless compatibility mode is turned off.
• Captive Portal does not support IPv6.
• Simultaneous Captive Portal client connections: maximum of 512
• Captive Portal does not support a web proxy. The permit CPPM ACLs and the steal ACLs only use ports 80 and
443. Non-standard ports for HTTP and HTTPS are not supported.
• Captive Portal is mutually exclusive with the following web-based authentication mechanisms: Web
Authentication, EWA, MAFR, and BYOD.
• URL strings are limited to 253 characters.
Features
High Availability
Captive Portal includes support for High Availability (HA). The Captive Portal configurations (such as enablement,
authenticated clients, and redirect URLs) are replicated to standby or other members.
If the feature is enabled and a failover occurs, clients in the process of onboarding are still redirected to Captive
Portal, and authenticated clients continue to have the same access to the network.
Clients that are in the process of authenticating via MAC or 802.1X authentication will not be replicated to the
standby. Replication of client data is only done when MAC or 802.1X authentication has resulted in a successful
authentication.
Load balancing and redundancy
The following options are available to create load balancing and provide redundancy for CPPM:
Chapter 9 Captive Portal for ClearPass 211