Occasional Contributor II
Posts: 15
Registered: ‎03-25-2013

Cisco URL Redirect

Is there a way to send a Cisco switch a URL redirect to a CPPM captive portal from an enforcement profile?

 

The idea here is that if a computer connects to a port configured to use 802.1X and is not using EAP-TLS, then we will force the client to go to a Captive Portal and register. I see Cisco Downloadable ACLs, but I don't see how to tell the device to use the Captive Portal.

 

Thanks in advance for any help

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Cisco URL Redirect

Yes this is possible.

What type of switch do you have, and which OS version do you have installed?

 

It would look something like this:

(screenshot attached: 2014-09-18 00_02_10-ClearPass Policy Manager - Aruba Networks.png)

 

And you need to enable ip http and create an ACL that looks like this:

 

ip access-list extended Onboard_ACL
 remark deny  = traffic that bypasses the redirect (the CPPM portal itself)
 remark permit = traffic the switch intercepts and redirects to the portal
 deny   tcp any host 192.168.1.102
 permit tcp any any

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
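The redirect ACL above reads backwards compared with a filtering ACL, which is the part that trips people up: on IOS a matching permit entry means the flow is intercepted and redirected, a matching deny (or no match, the implicit deny) means it passes straight through. The following is an added example, not code from this thread or from Aruba or Cisco; it models the posted Onboard_ACL, with the CPPM address 192.168.1.102 taken from the post, a constructed client at 192.168.1.50 and constructed destination addresses.

```python
"""Evaluate a Cisco IOS URL-redirect ACL the way the switch does.

Added example, not from the thread. Redirect-ACL semantics: a matching
"permit" entry means the flow is redirected to the portal; a matching "deny",
or no match at all (implicit deny), means the flow passes through untouched.
Only 'any' and 'host X' address forms are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port from "eq N", if present


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address form: " + " ".join(tokens))


def parse_acl(text: str):
    """Parse the body of an 'ip access-list extended' block into ACEs, in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue  # header line or remark, not an entry
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def is_redirected(aces, proto, src, dst, dport) -> bool:
    """First matching ACE decides; no match falls to the implicit deny (no redirect)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# The ACL from the post above (192.168.1.102 is the CPPM server in that post).
ONBOARD_ACL = """
ip access-list extended Onboard_ACL
 deny   tcp any host 192.168.1.102
 permit tcp any any
"""


def decisions():
    """Constructed flows from an assumed client 192.168.1.50 (not from the thread)."""
    aces = parse_acl(ONBOARD_ACL)
    flows = {
        "https to CPPM":   ("tcp", "192.168.1.50", "192.168.1.102", 443),
        "http to web":     ("tcp", "192.168.1.50", "203.0.113.10", 80),
        "dns to resolver": ("udp", "192.168.1.50", "192.168.1.1", 53),
    }
    return {name: is_redirected(aces, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, redirected in decisions().items():
        print(f"{name:16s} -> {'redirect' if redirected else 'pass through'}")
```

Two things the run makes visible: traffic to the CPPM host is the only TCP that is not redirected, which is what lets the portal load, and the DNS flow is not redirected because the ACL only names tcp and it falls to the implicit deny. The redirect ACL never permits anything by itself; what the client is allowed to send while unregistered is still decided by the port ACL or the downloadable ACL, so DNS and DHCP have to be allowed there.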
Occasional Contributor II
Posts: 15
Registered: ‎03-25-2013

Re: Cisco URL Redirect

Thank you for the response.
It's a 3750 on the latest IOS; not sure of the exact version.
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Cisco URL Redirect

That should work

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 15
Registered: ‎03-25-2013

Re: Cisco URL Redirect

The ACL should allow for access to the CPPM server but how do you force the client to the captive portal, dynamically?
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Cisco URL Redirect


Within your enforcement policy you need to define the condition, and based on that condition you will enforce an action (enforcement profile).

 

Here's an example that I use for my wireless 802.1X:

(screenshot attached: 2014-09-18 13_30_12-ClearPass Policy Manager - Aruba Networks.png)

 

In this scenario I want non-domain devices (smartphones, Windows, Mac OS X, etc.) that have authenticated successfully using PEAP to get onboarded.

 

And then it will allow the device onto the network without getting onboarded if it authenticates using EAP-TLS:

(screenshot attached: 2014-09-18 13_33_25-ClearPass Policy Manager - Aruba Networks.png)

 

This doesn't exactly match your case, but I wanted to give you an idea of what you could do and how flexible ClearPass can be.

 

Key things to keep in mind:

- If you want to make decisions based on device type, you need to add ClearPass as a DHCP relay under your SVIs

(screenshot attached: 2014-09-18 13_42_34-Chrome Remote Desktop.png)

- Add the endpoint database as an authorization source

- And enable the following to be used as roles:

  (screenshot attached: 2014-09-18 13_36_48-Greenshot image editor.png)

 

So when the device authenticates you can use these as TIPS roles to make decisions:

(screenshot attached: 2014-09-18 13_39_15-ClearPass Policy Manager - Aruba Networks.png)

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 15
Registered: ‎03-25-2013

Re: Cisco URL Redirect

Thank you, I understand that part but how do you send the Cisco switch the URL redirect? I haven't been able to find how to send that.

 

I'm using a Cisco Downloadable Role and I see the AV-Pair where I can use a URL-redirect, but I'm not certain that is what I'm looking for.

 

Andy Clelland

ACMP, ACCP

 

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Cisco URL Redirect

In the enforcement profile

 

(screenshot attached: 2014-09-17 23_58_05-ClearPass Policy Manager - Aruba Networks.png)

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
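What the enforcement profile in that screenshot puts on the wire is a pair of Cisco-AVPair strings, url-redirect-acl=<ACL name> and url-redirect=<portal URL>, each carried in the Access-Accept as an RFC 2865 Vendor-Specific attribute (type 26, Cisco vendor id 9, vendor type 1). The following is an added example, not code from this thread, ClearPass or Cisco; it encodes that pair and parses it back, which is the check to run on a capture when a NAS reports that the attributes never arrived. The ACL name comes from the earlier post; the portal URL is an assumed placeholder.

```python
"""Encode and decode the Cisco-AVPair attributes that carry a URL redirect.

Added example, not from the thread. Wire format (RFC 2865 section 5.26):
  type=26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | value
Cisco uses vendor id 9 and vendor type 1 for Cisco-AVPair ("attr=value").
"""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
MAX_VSA_VALUE = 247  # 253-byte RADIUS attribute limit minus 6 bytes of VSA framing


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute wrapping a single vendor TLV."""
    if len(value) > MAX_VSA_VALUE:
        raise ValueError(f"VSA value too long ({len(value)} > {MAX_VSA_VALUE} bytes)")
    vendor_tlv = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(vendor_tlv) + 6, vendor_id) + vendor_tlv


def cisco_avpairs(pairs) -> bytes:
    """Each 'attr=value' string becomes its own Cisco-AVPair attribute, in order."""
    return b"".join(encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, p.encode()) for p in pairs)


def decode_cisco_avpairs(blob: bytes):
    """Walk a RADIUS attribute list and return the Cisco-AVPair strings it carries."""
    found, i = [], 0
    while i < len(blob):
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        body = blob[i + 2:i + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j + 2 <= len(body):  # a VSA may pack several vendor TLVs
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed vendor TLV at offset %d" % (i + 2 + j))
                if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    found.append(body[j + 2:j + vlen].decode())
                j += vlen
        i += attr_len
    return found


def redirect_profile(acl_name: str, portal_url: str) -> bytes:
    """The two attributes an enforcement profile sends to trigger a URL redirect."""
    return cisco_avpairs([f"url-redirect-acl={acl_name}", f"url-redirect={portal_url}"])


if __name__ == "__main__":
    # Assumed portal URL; the ACL name matches the switch-side ACL from the thread.
    blob = redirect_profile("Onboard_ACL", "https://cppm.example.com/guest/onboard.php")
    print(blob.hex())
    for avp in decode_cisco_avpairs(blob):
        print(avp)
```

Two practical points follow from the encoding. The url-redirect-acl value must be the exact name of an ACL that already exists on the switch, because the switch only receives the name; and a portal URL longer than 247 bytes cannot fit a single attribute, so keep the redirect URL short and let the portal page add any parameters it needs.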
Occasional Contributor I
Posts: 5
Registered: ‎08-25-2009

Re: Cisco URL Redirect

I'm trying this exact thing and cannot get it to work.

 

I have an enforcement profile that successfully sends a DACL to the switch; however, whenever I attempt to add the Cisco AV-Pair url-redirect, the DACL fails to download and the port then enters an odd state.

 

This is on a Cisco 2960 running 15.2(4)E lan base.

 

Are there any known caveats for using the url-redirect functionality? It seems as though a lot of the documentation is surrounding MAB and not 802.1X authentication.

 

I'm trying to use the url-redirect for OnGuard to point users to CPPM for agent download when they are unhealthy.

 

Thanks!

 

            Interface:  FastEthernet0/18
          MAC Address:  xxxx.xxxx.xxxx
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  xxxxxx
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
    Common Session ID:  0AC0400E000000A145E716DB
      Acct Session ID:  Unknown
               Handle:  0xEC000022
       Current Policy:  POLICY_Fa0/18

Local Policies:
       	Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Resultant Policies:

Method status list:
       Method           State

       dot1x            Authc Success
New Contributor
Posts: 4
Registered: ‎06-26-2013

Re: Cisco URL Redirect

I'm trying the same thing (sending the url-redirect via Radius:Cisco:Cisco-AVPair to a Cisco ASA running 9.2.2.4), and the AV-Pair attributes don't get to the ASA.

 

The Cisco command:

show vpn-sessiondb detail anyconnect

doesn't show the attribute for that session and the client doesn't get redirected.
