Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal redirects

  • 1.  Captive Portal redirects

    Posted Jan 16, 2013 03:35 PM

    I am trying to get users redirected to my new ClearPass guest server. The role the user receives contains:

     

    1. Allow user 80 and 443 to CP server

    2. Logon Control

    3. Captive Portal

     

    ip access-list session captiveportal
      user   alias controller svc-https  dst-nat 8081 
      user any svc-http  dst-nat 8080 
      user any svc-https  dst-nat 8081 
      user any svc-http-proxy1  dst-nat 8088 
      user any svc-http-proxy2  dst-nat 8088 
      user any svc-http-proxy3  dst-nat 8088 
    !


    and the proper captive portal profile is selected.

    I have Policy enforcement firewall if that is a concern.

     

    I am a little fuzzy on how the captive portal policy is supposed to redirect; should I have an additional line in there that says something like:

    user any service http https  send to captive portal ??

     

    Currently the user gets DHCP and can access nothing else except to browse to the CP server, but is not forced there.

     

     

     



  • 2.  RE: Captive Portal redirects
    Best Answer

    Posted Jan 16, 2013 05:02 PM

    Couple of things to check:

    - Is DNS working properly? Can the client do an nslookup? Try connecting to an IP (any IP; 1.1.1.1) to force a redirect.

    - Does your controller have an IP on the guest network (required for captive portal)?

    - What URL do you have defined in the CP profile; does it look like the client is even attempting to access it at all?

     

    When you look at the datapath sessions of that user, does it show any redirects?

    show user ip x.x.x.x (look at the firewall sessions at the top of the output).....you'll need to run this right when the client is attempting to access.

     

    The captive portal profile is fine as is; the dst-nat entries handle the redirect; but the controller requires an IP on that VLAN.



  • 3.  RE: Captive Portal redirects

    Posted Jan 16, 2013 05:07 PM

    No, the controller does not have an IP address on this VLAN; that is different than my other captive portal config I have, and probably is the culprit. Thanks so much.

     

     



  • 4.  RE: Captive Portal redirects

    Posted May 08, 2013 04:19 PM

    Thanks Clembo.

    This helps me with my configuration too!   You made my day.