04-12-2017 11:11 AM
I'm trying to get wired captive portal guest access working with a Cisco switch.
I realize this needs two services. The initial mac-auth service is working fine... returning the redirect-url and redirect-url-acl to the switch.
But I'm having problems with the captive portal.
We are browsing to http://<clearpassIP>/guest/ciscowiredguest.php?mac=11:22:33:44:55:66, and that brings up the login form.
But when I enter a known guest account and click submit, Access Tracker shows a REJECT. The message is: "Failed to classify request to service" The autentication attempt comes in with just the user name - no other info.
I have an active service of type "Web-based Authentication" and the rule is:
Host - Checktype - MATCHES_ANY - Authentication.
Is there some other rule I need to make this work?
Is there a special configuration needed for the captive portal login page?
Am I correct in understanding that the switch is not involved in this part of the transaction (until it succeeds, of course, at which point it gets a CoA Terminate session)?
Solved! Go to Solution.
04-12-2017 11:23 AM
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
04-12-2017 11:36 AM
I've tried several different options...
right now it's set to:
Vendor Settings: Cisco Systems
Login method: Server Initiated - Change of Authorization (RFC 3576) sent to controller.
What should it be set to?
04-12-2017 11:53 AM
04-14-2017 10:37 AM
Thanks for all your help.
I found the Webauth service problems: I had inadvertantly selected a Pre-Auth-Check parameter in the guest login page.
Once I set that to "None-no extra checks will be made," the webauth service is being hit successfully.
05-17-2017 12:22 PM
Do you have any writeup that you can share? Looking at doing the same and don't want to reinvent the wheel.