Security

Is there a way to send a Cisco switch a URL redirect to a CPPM captive portal from an enforcement profile?

The idea here is if a computer connects to port configured to use 802.1x and not using EAP-TLS, then we will force the client to go to a Captive Portal and register. I see Cisco Downloadable ACLs but I don't see how to tell the device to use the Captive Portal.

Thanks in advance for any help

Yes this is possible.

What type of switch do you have ? and OS version do you have installed ?

It would look something like this:

And you need to enabled ip http and create an ACL that looks like this:

ip access-list extended Onboard_ACL
 deny   tcp any host 192.168.1.102
 permit tcp any any

That should work

Within your enforcement policy you need to define the condition and based on that condition you will enforce an action (enforcement profile)

 Here's an example that I use for my wireless 802.1X:

In this scenario I want non-domain devices to get onboarded (SmartPhones, Windows, Mac OSX , etc..) and that have authenticated successfully using PEAP authentication 

And then will allow to get on the network without getting onboarded if it authenticates using EAP-TLS:

This doesnt exactly matches your case but I wanted to give you an idea of what you could do and how flexible ClearPass can be.

Key things to keep in mind:

- If you want to make decision based on device type you need to add ClearPass as a DHCP relay under your SVIs

- Add the endpoint database as an authorization source

- And enabled the following to be use as roles:

  - 

So when the device authenticates you can use this as tips roles to make decisions :

Thank you, I understand that part but how do you send the Cisco switch the URL redirect? I haven't been able to find how to send that.

I'm using a Cisco Downloadable Role and I see the AV-Pair where I can use a URL-redirect but I'm not certain that is what I'm looking for. 

Andy Clelland

ACMP, ACCP

In the enforcement profile

I'm trying this exact thing, and cannot get it to work. 

I have an enforcement profile that successfully sends an DACL to the switch, however whenever I attempt to add the Cisco AV-Pair url-redirect the DACL fails to download and the port then enters and odd state

This is on a Cisco 2960 running 15.2(4)E lan base.

Are there any known caveats for using the url-redirect functionality?  It seems as though a lot of the documentation is surrounding MAB and not 802.1x authenticaiton.

I'm trying to use the url-redirect for ONGUARD to point users to CPPM for agent download when the are unhealthy.

Thanks!

            Interface:  FastEthernet0/18
          MAC Address:  xxxx.xxxx.xxxx
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  xxxxxx
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
    Common Session ID:  0AC0400E000000A145E716DB
      Acct Session ID:  Unknown
               Handle:  0xEC000022
       Current Policy:  POLICY_Fa0/18

Local Policies:
       	Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Resultant Policies:

Method status list:
       Method           State

       dot1x            Authc Success

I'm trying the same thing (sending the url-redirect via Radius:Cisco:Cisco-AVPair to a Cisco ASA (9.2.2.4).... the AV-Pair attributes don't get to the ASA.

The Cisco command:

sh vpn-sessiondb details anyconnect

doesn't show the attribute for that session and the client doesn't get redirected.

Thanks Victor. I can see your Cisco AV-pair for captive portal redirect uses HTTPS. Does you wired client complain about any untrusted certificates. My wired client complains about a untrusted certificate which happens to be the certificate on the switch.

Dear @Victor Fabian,

is this still valid sir ? i used cisco c9200 switch with IOS-XE Version 17.9.1r [FC8] but still not triggering to open pop up captive portal,

kindly need advise, thanks

ip access-list extended Onboard_ACL deny   tcp any host 192.168.1.102 permit tcp any any