Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Cisco URL Redirect - Not removing after enforcement

Running into an issue with CPPM and Cisco Wired captive portal. Machine does MAC authentication successfully, and a redirect-url and redirect-acl are applied from the enforcement profile. After the user logs into the web login page, I'm trying to send back a dACL for "permit ip any any" to replace the captive portal redirect one. However, the captive portal redirect URL and ACL are still applied to the user session and the user gets bounced back to the login page.

 

Is there a way to clear that out without COA? We are not doing MAC caching because it's a shared machine.

 

Not sure if it's just something I'm missing or misunderstanding.

 

Thanks. 

 

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Cisco URL Redirect - Not removing after enforcement

We've identified that the Cisco switch is not receiving the DACL because the request came from 127.0.0.1. That is where the DACL is being sent. Is there a way to make sure the switch gets the DACL? I'm thinking about trying to add the switch IP to the redirect URL, but not sure what string to use in the initial redirect-URL.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Aruba Employee
Posts: 367
Registered: ‎11-04-2011

Re: Cisco URL Redirect - Not removing after enforcement

Michael,

 

Please check this solution on Aruba Solution Exchange: https://ase.arubanetworks.com/solutions/id/93 as it has most of the components you seem to need in it.

 

It looks to me like it makes sense for someone to join you on a call and look at this issue together with you. From the information you provided, it is rather challenging to give good support.

 

You may try a local engineer or ask Aruba TAC to assist you.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Frequent Contributor I
Posts: 84
Registered: ‎01-27-2016

Re: Cisco URL Redirect - Not removing after enforcement

I have this solution mostly operational; however, I cannot get the WebAuth piece to work correctly.

 

The Wired Guest is redirected to the Clearpass Guest page with no issue. When they register and log in, the client is just redirected back to the Registration page and there is no hit in Access Tracker for the WebAuth service (probably because it never made it to Clearpass). I am sure this is due to how the WebLogin page is configured in Clearpass Guest. I have tried all sorts of Vendor Settings and cannot get one to work.

 

How should the WebAuth page in Clearpass be configured? 

 

Thanks!

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: Cisco URL Redirect - Not removing after enforcement

On the guest side, your self-registration/web login should be configured for server-initiated logins.

 

In your web auth service, you'll want to use the Cisco Bounce Host Port CoA and also, if you're using MAC-caching, stamp the guest attributes to the endpoints repository.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 84
Registered: ‎01-27-2016

Re: Cisco URL Redirect - Not removing after enforcement

Thanks! I thought I had tested Server Initiated logins already but I must not have... It is working now. CoA from WebAuth is working as it should. Thanks for the help!
