Campus Switching and Routing

Contributor I
Posts: 80
Registered: 04-29-2013

trying to get automatic redirection for captive portal with MAS

Hey all!

Big background up front: I had a lab with an HP switch for users, a MAS 1500 for redirection (maybe) and head-end, and a 7005 controller. This is all segregated via Cisco ASA to simulate a remote office. Our ClearPass appliance is not in this segregated lab, since it is a VM and we don't have a big enough lab/budget to have a VM in the lab. With this setup, everything seemed to be working fine - although I am almost positive that it was actually the controller handling all of the redirection rather than the MAS.

Part II

Well, since our remote sites DO have MAS switches, but DO NOT have controllers, I have moved the controller to the other side of the firewall with the VM, thus ensuring that I am both emulating a remote site, and that I am indeed doing the redirection with the MAS rather than the controller. This SEEMS to be working.

Part III

However, when the controller was doing the redirection, it was seamless: open IE, go directly to ClearPass login page. Now, with the MAS doing redirection, when you open IE you are given an "Authentication Required, Click here to proceed" page. Of course, we want to remove that manual step and have the redirection be seamless again.

 

Other than the config below, is there any other info I can provide to help with finding a solution?

Thanks,

Russell

Config:

interface gigabitethernet "1/0/0"
switching-profile "trunk"
!
interface gigabitethernet "1/0/1"
aaa-profile "CLEARPASS-BYODLOGIN-AAA"
switching-profile "vlan426"
no trusted port
!
interface gigabitethernet "1/0/2"
aaa-profile "CLEARPASS-POSTURE-AAA"
switching-profile "vlan526"
no trusted port
!

interface-profile switching-profile "trunk"
switchport-mode trunk
native-vlan 427
trunk allowed vlan 427-429,527
!

interface-profile switching-profile "vlan426"
access-vlan 426
!
interface-profile switching-profile "vlan526"
access-vlan 526
!

aaa authentication captive-portal "CLEARPASS-BYODLOGIN-PORTAL"
default-role "authenticated"
server-group "LAB-CPPM-GROUP"
redirect-pause 0
protocol-http
login-page "https://qa01vacppm01.hmcorp.local/guest/byod.php"
!
aaa authentication captive-portal "CLEARPASS-POSTURE-PORTAL"
default-role "authenticated"
server-group "LAB-CPPM-GROUP"
redirect-pause 0
protocol-http
login-page "https://qa01vacppm01.hmcorp.local/guest/posture.php"

!

aaa profile "CLEARPASS-BYODLOGIN-AAA"
initial-role "CLEARPASS-WIRED-BYODLOGIN-ROLE"
radius-accounting "LAB-CPPM-GROUP"
rfc-3576-server "10.1.254.10"
!
aaa profile "CLEARPASS-POSTURE-AAA"
initial-role "CLEARPASS-POSTURE-ROLE"
radius-accounting "LAB-CPPM-GROUP"
rfc-3576-server "10.1.254.10"
!

user-role CLEARPASS-POSTURE-ROLE
vlan 526
captive-portal "CLEARPASS-POSTURE-PORTAL"
!
user-role CLEARPASS-WIRED-BYODLOGIN-ROLE
vlan 426
captive-portal "CLEARPASS-BYODLOGIN-PORTAL"
!
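
The posted config reaches the login page through a chain of name references: interface aaa-profile, then that profile's initial-role, then the role's captive-portal, then the portal's login-page. As an added example (not part of the original post and not Aruba tooling), this Python check walks that chain and names the first reference that does not resolve; the `!`-terminated stanza grammar is inferred from the config shown, and `parse`, `resolve`, `CHAIN` and `KINDS` are hypothetical names.

```python
SAMPLE = '''\
interface gigabitethernet "1/0/0"
!
interface gigabitethernet "1/0/1"
aaa-profile "CLEARPASS-BYODLOGIN-AAA"
!
aaa authentication captive-portal "CLEARPASS-BYODLOGIN-PORTAL"
login-page "https://qa01vacppm01.hmcorp.local/guest/byod.php"
!
aaa profile "CLEARPASS-BYODLOGIN-AAA"
initial-role "CLEARPASS-WIRED-BYODLOGIN-ROLE"
!
user-role CLEARPASS-WIRED-BYODLOGIN-ROLE
captive-portal "CLEARPASS-BYODLOGIN-PORTAL"
!
'''  # constructed sample: a subset of the config posted above
# (stanza kind, keyword naming the next object) for each hop after the port
CHAIN = (("aaa profile", "initial-role"), ("user-role", "captive-portal"),
         ("aaa authentication captive-portal", "login-page"))
KINDS = ("interface gigabitethernet",) + tuple(k for k, _ in CHAIN)

def parse(text):
    """Return {kind: {name: {keyword: value}}}; a '!' line closes a stanza."""
    cfg, cur = {k: {} for k in KINDS}, None
    for line in (l.strip() for l in text.splitlines()):
        kind = next((k for k in KINDS if line.startswith(k + " ")), None)
        if line == "!":
            cur = None
        elif kind:
            cur = cfg[kind].setdefault(line[len(kind):].strip().strip('"'), {})
        elif cur is not None and line:
            key, _, val = line.partition(" ")
            cur[key] = val.strip().strip('"')
    return cfg

def resolve(cfg):
    """Map each port with an aaa-profile to its login page or a BROKEN note."""
    out = {}
    for port, ifc in cfg["interface gigabitethernet"].items():
        name = ifc.get("aaa-profile")
        if name is None:
            continue  # no aaa-profile on this port (the trunk in the post)
        for kind, key in CHAIN:
            stanza = cfg[kind].get(name, {})
            if key not in stanza:
                name = f"BROKEN: {kind} {name!r} is missing or has no {key}"
                break
            name = stanza[key]
        out[port] = name
    return out
```

Stanza kinds outside `KINDS` (for example the `interface-profile` blocks) are skipped, so the full running config can be passed to `parse` unchanged.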

Guru Elite
Posts: 8,633
Registered: 09-08-2010

Re: trying to get automatic redirection for captive portal with MAS

Are you running 7.4 code?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I
Posts: 80
Registered: 04-29-2013

Re: trying to get automatic redirection for captive portal with MAS

yep:

Aruba Operating System Software.
ArubaOS (MODEL: ArubaS1500-12P), Version 7.4.0.0

Guru Elite
Posts: 8,633
Registered: 09-08-2010

Re: trying to get automatic redirection for captive portal with MAS

Please upgrade to 7.4.0.3+ and the interstitial redirect should be gone.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I
Posts: 80
Registered: 04-29-2013

Re: trying to get automatic redirection for captive portal with MAS

that did it!
