To configure the authentication server, perform the following steps:
- In the upper right corner of the Instant GUI, click Security.
- On the Authentication Servers tab, click New.
- Enter the Name, IP address, and Shared key for the W-ClearPass server.
Figure 75. Authentication server settings
- From the RFC 3576 field, select Enabled from the drop-down list.
- Click OK.
External Captive Portal configuration
To configure the External Captive Portal, perform the following steps:
- Continuing within the Security settings, click the External Captive Portal tab.
- Click New to add a new captive portal.
- Enter the information corresponding to the web login page created in the W-ClearPass Guest configurations in the previous section. The final configuration should resemble the following image.
Figure 76. Instant Captive Portal settings
- Click OK.
Note: The URL is case-sensitive. Verify that the page name from the web login configuration is the same as the URL entered in the captive portal.
Configure user roles
To configure the user roles:
- Click the Roles tab.
- Click New to add a role.
- Enter the name Employee and click OK.
Note: The default access rules are Allow all to all destinations. Similar to the controller-based example, this example uses the Allow all rules. Administrators must add access rules for their employee roles to comply with their specific security policy.
- To add a role, click New under the Roles section. This role is the quarantine role that directs users to the captive portal to access OnGuard information and links.
- Enter the name OnGuard-redirect and click OK.
- From the Access Rules section, click New.
- Under Rule type, select Captive portal.
- Under Splash page type, select External.
- Under Captive portal profile, select the profile created in the previous step.
Figure 77. Instant role settings – Captive Portal Rule
- From the Access Rules screen, click New.
- Under Rule type, select Access control.
- From the Service section, select Network and then http from the drop-down list.
- Under the Action listing, keep Allow.
- From the Destination listing, select to a particular server from the drop-down list.
- In the IP address field, enter the IP address of the W-ClearPass server.
Figure 78. Instant role settings – Access control rule
- Click OK.
- Repeat the steps in this section for the https rule configuration.
Note: Administrators must add rules to this firewall policy to enable access to services and hosts that are key to joining and authenticating to the network. Examples of services that need to communicate while in this quarantine role are DHCP and RADIUS. The following image shows only the http or https rules, with example rules for dhcp and dns.
Figure 79. Instant role settings – Quarantine role
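The following added example (not part of the original guide and not Instant's own configuration format) models a role's access control rules and checks that the quarantine role permits http, https, dhcp and dns while blocking everything else. It assumes first-match rule evaluation with a deny when no rule matches; the `Rule` fields, function names, and all IP addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

CLEARPASS_IP = "192.0.2.10"  # constructed placeholder, not an address from the guide

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port, 0 = any port
    dest: str    # destination in CIDR form, "0.0.0.0/0" = all destinations
    action: str  # "allow" or "deny"

def decide(rules, proto, port, dest_ip):
    """First matching rule wins; deny when nothing matches (assumed model)."""
    ip = ipaddress.ip_address(dest_ip)
    for r in rules:
        if (r.proto in ("any", proto) and r.port in (0, port)
                and ip in ipaddress.ip_network(r.dest)):
            return r.action
    return "deny"

def audit_quarantine(rules, clearpass_ip):
    """List required flows that are blocked and unrelated flows that are allowed."""
    required = {
        "http to ClearPass": ("tcp", 80, clearpass_ip),
        "https to ClearPass": ("tcp", 443, clearpass_ip),
        "dhcp": ("udp", 67, "255.255.255.255"),
        "dns": ("udp", 53, "198.51.100.53"),  # constructed resolver address
    }
    forbidden = {
        "http to other host": ("tcp", 80, "203.0.113.80"),
        "ssh to other host": ("tcp", 22, "203.0.113.22"),
    }
    findings = [f"blocked: {n}" for n, f in required.items() if decide(rules, *f) != "allow"]
    findings += [f"over-permissive: {n}" for n, f in forbidden.items() if decide(rules, *f) == "allow"]
    return findings

ALLOW_ALL = [Rule("any", 0, "0.0.0.0/0", "allow")]  # the default rule set the Note describes
QUARANTINE = [  # http/https to the ClearPass server only, plus dhcp and dns
    Rule("tcp", 80, f"{CLEARPASS_IP}/32", "allow"),
    Rule("tcp", 443, f"{CLEARPASS_IP}/32", "allow"),
    Rule("udp", 67, "0.0.0.0/0", "allow"),
    Rule("udp", 53, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    for name, rules in (("allow-all", ALLOW_ALL), ("OnGuard-redirect", QUARANTINE)):
        print(name, audit_quarantine(rules, CLEARPASS_IP) or "ok")
```

A role left at the default Allow all rule is reported as over-permissive, which is the condition to catch before using it as a quarantine role.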
Employee network configuration
If there is not a WLAN network configured, you can create one now.
Note: If you are editing an existing network, click the network name and then click Edit.
- Go to the WLAN Settings tab – Employee.
- Click Next.
- From the VLAN tab, select Virtual controller managed, and Default.
- Click Next.
- From the Security tab, select Enterprise on the sliding bar to the left.
- Within the Key management option, select WPA-2 Enterprise.
- For Authentication server 1, choose the authentication server configured at the beginning of this section, for example ClearPass.
Figure 80. Instant WLAN Network Settings – Security tab
- Click Next.
- For the Access Rules, leave the setting as Unrestricted. During the 802.1X authentication, W-ClearPass assigns either the Employee role or the OnGuard-redirect quarantine role.
- Click Finish.
Note: In this example, the Employee_CPDG SSID is configured to be the same as the SSID in the controller-based example. Using the same SSID in two independent systems within range of each other is not recommended. This document assumes only one system is running at a time.
Configuration of the Instant access point is complete.