Frequent Contributor I
Posts: 64
Registered: ‎12-07-2015

ClearPass - Captive Portal after failed 802.1x wired auth

Hi All,

I'm trying to get captive portal sponsorship working after a device fails 802.1x authentication.

I have everything configured and working properly minus a few issues that I am trying to understand/work out. The first is the requirement of having:

    authentication open

enabled on the Cisco switch port. Without this configuration the captive portal does not launch; I see the weburl get placed in the browser but that is all.

This is my redirect ACL on the switch:

    ip access-list extended CPR
     deny udp any eq bootpc any eq bootps
     deny udp any any eq 53
     deny ip any host 192.168.20.10 <cppm IP>
     deny ip any host 192.168.20.11 <cppm cluster IP>
     permit tcp any any eq 80
     permit tcp any any eq 443

Based on my understanding, the permit in the above ACL is what actually gets redirected. Anything that is a "deny" should get allowed through.

When I add a "deny icmp any any", I cannot ping out from a device that is being redirected.

So, main question: can this setup work without the "authentication open" command?

N
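The post above asks what the permit and deny entries in the redirect ACL actually do. The script below is an added worked example for this page, not code from the original poster, Cisco or Aruba. It models the two ACLs a Cisco IOS switch consults for a session that has already been authorized into the portal state (for example via MAB with a redirect URL returned by ClearPass): the URL-redirect ACL, where permit means "intercept and send the browser to the portal" and deny or no match means "leave this flow alone", and a separate downloadable or port ACL that decides whether the flow is forwarded at all. The redirect ACL is the one from the post with the "<cppm IP>" notes stripped; the dACL named PORTAL-DACL, the client address 192.168.9.50 and the sample flows are constructed for illustration. The model says nothing about what the port passes before a session is authorized, which is what "authentication open" governs.

```python
"""Model of the URL-redirect ACL versus the downloadable ACL on a Cisco IOS
switch port in a ClearPass captive-portal session.  Added example, not switch
or ClearPass code.  Redirect ACL is from the post; the dACL and flows are
constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Redirect ACL from the post, "<cppm IP>" annotations removed.
REDIRECT_ACL = """
ip access-list extended CPR
 deny udp any eq bootpc any eq bootps
 deny udp any any eq 53
 deny ip any host 192.168.20.10
 deny ip any host 192.168.20.11
 permit tcp any any eq 80
 permit tcp any any eq 443
"""

# Hypothetical dACL (assumed, not from the post) pushed with the redirect URL.
PORTAL_DACL = """
ip access-list extended PORTAL-DACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq 53
 permit ip any host 192.168.20.11
 permit tcp any any eq 80
 permit tcp any any eq 443
"""

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:  # wildcard mask -> netmask (contiguous wildcards only)
        netmask = (~int(ipaddress.ip_address(tokens[i + 1]))) & 0xFFFFFFFF
        net = ipaddress.ip_network((tokens[i], str(ipaddress.ip_address(netmask))), strict=False)
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return net, port, i


def parse_acl(text: str) -> List[Ace]:
    """Parse a named extended ACL in IOS running-config form."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] == ["ip", "access-list"]:
            continue  # header line carries only the name
        src, sport, i = _parse_endpoint(tokens, 2)
        dst, dport, _ = _parse_endpoint(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces


def first_match(aces: List[Ace], pkt: Packet) -> Optional[str]:
    """Action of the first matching ACE, or None for the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if (ace.sport is not None and ace.sport != pkt.sport) or (ace.dport is not None and ace.dport != pkt.dport):
            continue
        return ace.action
    return None


def classify(redirect_aces: List[Ace], dacl_aces: List[Ace], pkt: Packet) -> str:
    """'drop' unless the dACL permits the flow; then 'redirect' if the redirect
    ACL permits it (portal interception), otherwise 'forward' untouched."""
    if first_match(dacl_aces, pkt) != "permit":
        return "drop"
    return "redirect" if first_match(redirect_aces, pkt) == "permit" else "forward"


# Constructed flows from a client on VLAN 9 (192.168.9.50 is made up).
FLOWS = {
    "dhcp":   Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns":    Packet("udp", "192.168.9.50", "192.168.10.3", 51000, 53),
    "http":   Packet("tcp", "192.168.9.50", "203.0.113.10", 51001, 80),
    "portal": Packet("tcp", "192.168.9.50", "192.168.20.11", 51002, 443),
    "ping":   Packet("icmp", "192.168.9.50", "203.0.113.10"),
}


def demo(extra_redirect_line: Optional[str] = None) -> dict:
    """Classify every sample flow, optionally with one more ACE on the redirect ACL."""
    text = REDIRECT_ACL + (f" {extra_redirect_line}\n" if extra_redirect_line else "")
    redirect, dacl = parse_acl(text), parse_acl(PORTAL_DACL)
    return {name: classify(redirect, dacl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    print("as posted:", demo())
    print("with deny icmp any any:", demo("deny icmp any any"))
```

Run it and the "ping" flow comes out as drop in both runs: a "deny icmp any any" on the redirect ACL only exempts ICMP from interception, and whether an un-redirected flow is forwarded is decided by the port or downloadable ACL, so ping opens up only when that ACL permits ICMP. HTTP to the Internet is the only flow classified as redirect, while DHCP, DNS and traffic to the CPPM host are forwarded untouched because the deny entries exempt them.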

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: ClearPass - Captive Portal after failed 802.1x wired auth

Please post your full switchport config. You need to leverage MAB for this.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 64
Registered: ‎12-07-2015

Re: ClearPass - Captive Portal after failed 802.1x wired auth

aaa new-model
aaa authentication password-prompt "Enter Password:"
aaa authentication username-prompt "Enter Username:"
aaa authentication login default group tacacs+ local enable
aaa authentication login admin group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa server radius dynamic-author
 client 192.168.20.11 server-key 7 123456
 port 3799
 auth-type all
 ignore session-key
 ignore server-key
!
no ip domain-lookup
no ip bootp server
ip device tracking probe delay 10
ip dhcp snooping vlan 9
ip dhcp bootp ignore
!
dot1x system-auth-control
!
interface GigabitEthernet3/12
 switchport access vlan 9
 switchport mode access
 switchport voice vlan 13
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 1440
 switchport port-security aging type inactivity
 switchport port-security
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 10
 spanning-tree portfast edge
!
interface Vlan9
 description testvlan
 ip address 192.168.9.1 255.255.255.0
 ip access-group Data out
 ip helper-address 192.168.20.11
 ip helper-address 192.168.10.3
 ip helper-address 192.168.10.4
!
ip http server
ip http access-class 10
ip http authentication aaa
ip http secure-server
!
ip access-list extended CPR
 deny udp any eq bootpc any eq bootps
 deny udp any any eq 53
 deny ip any host 192.168.20.10 <cppm IP>
 deny ip any host 192.168.20.11 <cppm cluster IP>
 permit tcp any any eq 80
 permit tcp any any eq 443
!
ip access-list extended Data
 deny icmp any any timestamp-request
 deny icmp any any timestamp-reply
 deny tcp any any eq lpd
 deny tcp any any range 5800 5809
 deny tcp any any range 5900 5909
 deny tcp any any range 6000 6009
 permit ip any any
!
radius server CPPM
 address ipv4 192.168.20.11 auth-port 1812 acct-port 1813
 key 7 123456
!
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
!
radius-server vsa send authentication


MVP
Posts: 4,114
Registered: ‎07-20-2011

Re: ClearPass - Captive Portal after failed 802.1x wired auth

Make sure to include the "ip device tracking" command as well
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 64
Registered: ‎12-07-2015

Re: ClearPass - Captive Portal after failed 802.1x wired auth

Hi Victor,

I believe it is added above as:

    ip device tracking probe delay 10

N

MVP
Posts: 4,114
Registered: ‎07-20-2011

Re: ClearPass - Captive Portal after failed 802.1x wired auth

If you do a "show ip access-list" on the switch, do you see hits on that ACL?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 64
Registered: ‎12-07-2015

Re: ClearPass - Captive Portal after failed 802.1x wired auth

Yes, the match count for:

    190 permit tcp any any eq www (507 matches)
    200 permit tcp any any eq 443 (582 matches)

increases.
