Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - Captive Portal after failed 802.1x wired auth

  • 1.  ClearPass - Captive Portal after failed 802.1x wired auth

    Posted Aug 25, 2016 01:00 PM

    Hi All,

    I'm trying to get captive portal sponsorship working after a device fails 802.1x authentication.

    I have everything configured and working properly minus a few issues that I am trying to understand/work out. The first is the requirement of having:

    authentication open

    enabled on the Cisco switch port. Without this configuration the captive portal does not launch; I see the web URL get placed in the browser but that is all.

    This is my redirect ACL on the switch:

    ip access-list extended CPR
    deny udp any eq bootpc any eq bootps
    deny udp any any eq 53
    deny ip any host 192.168.20.10 <cppm IP>
    deny ip any host 192.168.20.11 <cppm cluster IP>
    permit tcp any any eq 80
    permit tcp any any eq 443

    Based on my understanding, the "permit" entries in the above ACL are what actually get redirected. Anything that is a "deny" should get allowed through.

    When I add a "deny icmp any any", I cannot ping out from a device that is being redirected.

    So, main question: can this setup work without the "authentication open" command?

    N
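An added example (not code from the thread, Aruba or Cisco) that models the redirect-ACL semantics the post describes: a matching "permit" entry is intercepted and redirected, a matching "deny" entry or no match at all is exempt from redirect, and whether exempt traffic is then forwarded is a separate port-state decision, modelled here by an assumed `authentication_open` flag (a simplification of IOS behaviour, not something the thread states). With the flag off, the HTTP intercept still fires but the follow-up connection to the ClearPass host is dropped, which is consistent with the "URL appears in the browser but the portal never loads" symptom.

```python
from collections import namedtuple

# Added example, not code from the thread: models how an IOS URL-redirect ACL classifies
# pre-auth traffic. Matching "permit" = intercept and redirect; matching "deny" or no match =
# exempt from redirect. Forwarding of exempt traffic is a separate port-state decision,
# modelled by the authentication_open flag (an assumption/simplification of IOS behaviour).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "www": 80, "domain": 53}
Flow = namedtuple("Flow", "proto dst dport sport", defaults=(0, 0))  # proto: tcp/udp/icmp

def _spec(tok):
    # consume "any" or "host X" plus an optional "eq PORT"; return (host, port, remaining tokens)
    host, tok = (tok[1], tok[2:]) if tok[0] == "host" else (None, tok[1:])
    if tok and tok[0] == "eq":
        return host, PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return host, None, tok

def parse_acl(text):
    # parse the extended-ACL subset used in the thread into (action, proto, sport, dst, dport)
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split("<")[0].split()  # drop the "<cppm IP>" annotations
        if not tok or tok[0] == "ip":    # skip the "ip access-list extended ..." header
            continue
        _src, sport, rest = _spec(tok[2:])
        dst, dport, _ = _spec(rest)
        entries.append((tok[0], tok[1], sport, dst, dport))
    return entries

def classify(flow, acl, authentication_open):
    # return "redirect", "pass" or "drop" for one flow from a not-yet-authorized endpoint
    verdict = "pass"  # implicit deny at the end of a redirect ACL = not redirected
    for action, proto, sport, dst, dport in acl:  # first match wins, as on the switch
        if (proto in ("ip", flow.proto) and sport in (None, flow.sport)
                and dst in (None, flow.dst) and dport in (None, flow.dport)):
            verdict = "redirect" if action == "permit" else "pass"
            break
    # exempt traffic only leaves the port if pre-auth traffic is admitted ("authentication open")
    return "drop" if verdict == "pass" and not authentication_open else verdict

CPR = parse_acl("""
ip access-list extended CPR
deny udp any eq bootpc any eq bootps
deny udp any any eq 53
deny ip any host 192.168.20.10 <cppm IP>
deny ip any host 192.168.20.11 <cppm cluster IP>
deny icmp any any
permit tcp any any eq 80
permit tcp any any eq 443
""")
```

Running `classify(Flow("tcp", "192.168.20.11", 443, 51001), CPR, False)` returns "drop" while the same flow with the flag set returns "pass", which is the difference the post is asking about.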



  • 2.  RE: ClearPass - Captive Portal after failed 802.1x wired auth

    EMPLOYEE
    Posted Aug 25, 2016 01:02 PM
    Please post your full switchport config. You need to leverage MAB for this.


  • 3.  RE: ClearPass - Captive Portal after failed 802.1x wired auth

    Posted Aug 25, 2016 01:52 PM

    aaa new-model

    aaa authentication password-prompt "Enter Password:"
    aaa authentication username-prompt "Enter Username:"
    aaa authentication login default group tacacs+ local enable
    aaa authentication login admin group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    aaa server radius dynamic-author
    client 192.168.20.11 server-key 7 123456
    port 3799
    auth-type all
    ignore session-key
    ignore server-key

    no ip domain-lookup
    no ip bootp server
    ip device tracking probe delay 10
    ip dhcp snooping vlan 9
    ip dhcp bootp ignore

    dot1x system-auth-control

    interface GigabitEthernet3/12
    switchport access vlan 9
    switchport mode access
    switchport voice vlan 13
    switchport port-security maximum 5
    switchport port-security violation restrict
    switchport port-security aging time 1440
    switchport port-security aging type inactivity
    switchport port-security
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x max-req 3
    dot1x max-reauth-req 10
    spanning-tree portfast edge
    !

    interface Vlan9
    description testvlan
    ip address 192.168.9.1 255.255.255.0
    ip access-group Data out
    ip helper-address 192.168.20.11
    ip helper-address 192.168.10.3
    ip helper-address 192.168.10.4
    !

    ip http server
    ip http access-class 10
    ip http authentication aaa
    ip http secure-server
    !

    ip access-list extended CPR
    deny udp any eq bootpc any eq bootps
    deny udp any any eq 53
    deny ip any host 192.168.20.10 <cppm IP>
    deny ip any host 192.168.20.11 <cppm cluster IP>
    permit tcp any any eq 80
    permit tcp any any eq 443


    ip access-list extended Data
    deny icmp any any timestamp-request
    deny icmp any any timestamp-reply
    deny tcp any any eq lpd
    deny tcp any any range 5800 5809
    deny tcp any any range 5900 5909
    deny tcp any any range 6000 6009
    permit ip any any

    radius server CPPM
    address ipv4 192.168.20.11 auth-port 1812 acct-port 1813
    key 7 123456
    !

    access-list 10 permit 192.168.20.0 0.0.0.255
    access-list 10 permit 192.168.9.0 0.0.0.255
    access-list 10 permit 192.168.10.0 0.0.0.255

    radius-server vsa send authentication



  • 4.  RE: ClearPass - Captive Portal after failed 802.1x wired auth

    Posted Aug 25, 2016 02:53 PM
    Make sure to include the "ip device tracking" command as well


  • 5.  RE: ClearPass - Captive Portal after failed 802.1x wired auth

    Posted Aug 25, 2016 02:56 PM

    Hi Victor,

    I believe it is added above as:

    ip device tracking probe delay 10

    N



  • 6.  RE: ClearPass - Captive Portal after failed 802.1x wired auth

    Posted Aug 25, 2016 03:34 PM

    If you do a "show ip access-list" on the switch, do you see hits on that ACL?



  • 7.  RE: ClearPass - Captive Portal after failed 802.1x wired auth

    Posted Aug 25, 2016 03:40 PM

    Yes, the match count for:

    190 permit tcp any any eq www (507 matches)
    200 permit tcp any any eq 443 (582 matches)

    increases.