Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest Captive Portal exceptions?

  • 1.  Clearpass Guest Captive Portal exceptions?

    Posted Aug 15, 2014 12:32 PM

    Hi:

    Is there a way to allow users who connect to the Clearpass Guest captive portal to access another website? (without acquiring guest credentials)

     

    We have a password manager web app setup that allows students to reset their password.

    If they could get there from the Guest network captive portal, it would allow them to easily reset their password before connecting to the dot1x network. (and save on helpdesk calls)

     

    I've tried adding a firewall rule to the captive portal role that allows this access, but the captive portal keeps redirecting.

     

    Thanks,

    Tony

     

     



  • 2.  RE: Clearpass Guest Captive Portal exceptions?
    Best Answer

    EMPLOYEE
    Posted Aug 15, 2014 12:38 PM

    Yes. Create a netdestination with the domain name and then add it to the whitelist in the captive portal profile.

     

    Once you click apply on the captive portal profile, it will dynamically build an ACL that allows 80/443 to that destination and put it at the top of the user-role.

     

    [Attachment: cp-whitelist.png]



  • 3.  RE: Clearpass Guest Captive Portal exceptions?

    Posted Aug 15, 2014 01:10 PM

    Hi Tim:

    Thanks for the reply.

     

    I added the destination to the whitelist, but I'm still getting redirected.

     

    I can ping the server, so I know it's not a routing issue.

     

    Is there anything else that needs to be set?

     

    Thanks.



  • 4.  RE: Clearpass Guest Captive Portal exceptions?

    EMPLOYEE
    Posted Aug 15, 2014 01:12 PM

    In your netdestination, did you use DNS names or IPs? If names, be sure your controller has DNS lookups enabled and has DNS servers defined.


  • 5.  RE: Clearpass Guest Captive Portal exceptions?

    Posted Aug 15, 2014 01:17 PM

    I used an IP address.

    (the controller won't allow me to enter a name)



  • 6.  RE: Clearpass Guest Captive Portal exceptions?

    EMPLOYEE
    Posted Aug 15, 2014 01:19 PM
    If you run:

    show rights

    Do you see the white-list ACL at the top?


  • 7.  RE: Clearpass Guest Captive Portal exceptions?

    Posted Aug 15, 2014 01:27 PM

    Here's the output:

    (I'm not sure where the apple.com came from, but that's not causing any harm at this point)

    Thanks.

     

    (ArubaMaster) #show rights Guest-cp-prof

    Derived Role = 'Guest-cp-prof'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 78/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = Guest-cp-prof

    access-list List
    ----------------
    Position  Name                           Type     Location
    --------  ----                           ----     --------
    1         Guest-cp-prof_list_operations  session

    Guest-cp-prof_list_operations
    ----------------------------------
    Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    apple.com    svc-http   permit                            Low                                                          4
    2         user    apple.com    svc-https  permit                            Low                                                          4
    3         user    pwmanager    svc-http   permit                            Low                                                          4
    4         user    pwmanager    svc-https  permit                            Low                                                          4

    Expired Policies (due to time constraints) = 0



  • 8.  RE: Clearpass Guest Captive Portal exceptions?

    EMPLOYEE
    Posted Aug 15, 2014 01:29 PM
    Interesting. Can you check the datapath session table while you are trying to visit the site?

    show datapath session table | include


  • 9.  RE: Clearpass Guest Captive Portal exceptions?

    Posted Aug 15, 2014 01:36 PM

    Interesting:

    It looks like traffic is getting there and back, but I keep getting redirected to the CP.

     

    (ArubaLocal1) #show datapath session table | include 172.16.243.65
    172.31.0.104 172.16.243.65 6 443 51939 0/0 0 0 5 tunnel 56 51 0 0
    172.16.243.65 172.31.0.104 6 51939 443 0/0 0 0 4 tunnel 56 52 0 0 C



  • 10.  RE: Clearpass Guest Captive Portal exceptions?

    Posted Aug 15, 2014 03:31 PM

    Thanks for your persistence on this.

     

    It turned out that the site I was redirecting to was doing a re-direction of its own, which then triggered the captive portal redirect, all too quickly for me to spot.

     

    Thanks again,

     

    Tony
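
The fix in post 2 (a netdestination on the whitelist, which the controller turns into a permit rule for 80/443 at the top of the pre-auth role) and the root cause in post 10 (the whitelisted site bouncing the browser to a second host that is not whitelisted) combine into one check worth running before you whitelist anything: walk the target's redirect chain one hop at a time and confirm every hop lands on a whitelisted destination on port 80 or 443. The Python below is an added example, not code from this thread or from HPE Aruba. The hostnames, the 172.16.243.80 address, the DNS mapping and the 302 response are constructed for illustration; the 172.16.243.65 address is the one from post 9. It ships a real single-hop fetcher (urllib with redirects disabled) for live use, but the demo functions run against the constructed responses so the script works offline.

```python
"""Walk a captive-portal whitelist target's redirect chain and flag any hop
that the controller's auto-built whitelist ACL (permit 80/443 to the
netdestination) would not allow. Added example; not from the thread or HPE."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

WHITELIST_PORTS = {80, 443}          # svc-http / svc-https, as generated by the controller
REDIRECT_CODES = {301, 302, 303, 307, 308}


def acl_permits(host, port, netdestination, resolver):
    """Model the whitelist ACL: permit only if `host` resolves into one of the
    netdestination entries (IPs or CIDRs) and the port is 80 or 443."""
    if port not in WHITELIST_PORTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                      # a DNS name, not a literal IP
        resolved = resolver(host)
        if resolved is None:
            return False
        ip = ipaddress.ip_address(resolved)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in netdestination)


def walk_redirects(start_url, fetch, netdestination, resolver, max_hops=10):
    """Follow redirects one hop at a time. Returns (ok, hops) where hops is a list
    of (url, permitted). ok is False as soon as a hop would be blocked, i.e. the
    client would be bounced back to the captive portal at that point."""
    url, hops = start_url, []
    for _ in range(max_hops):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        permitted = acl_permits(parts.hostname, port, netdestination, resolver)
        hops.append((url, permitted))
        if not permitted:
            return False, hops
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return True, hops               # chain ended on a permitted host
        url = urljoin(url, location)        # Location may be relative
    return False, hops                      # redirect loop or too many hops


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                         # surface 3xx as HTTPError instead of following


def http_fetch(url):
    """Live fetcher: one GET, no redirect following; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def dns_resolver(host):
    """Live resolver. Caveat: the controller resolves name-based netdestinations
    itself (post 4), so run this from the controller's DNS view where possible."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


# Constructed scenario mirroring the thread: the password manager is whitelisted
# by IP, but it 302s the browser to an SSO host that is not in the netdestination.
CONSTRUCTED_DNS = {"pwmanager.example.edu": "172.16.243.65",
                   "sso.example.edu": "172.16.243.80"}
CONSTRUCTED_RESPONSES = {
    "https://pwmanager.example.edu/": (302, "https://sso.example.edu/login?return=/reset"),
    "https://sso.example.edu/login?return=/reset": (200, None),
}


def constructed_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host)


def demo_broken():
    """Whitelist holds only the password manager's IP, as in the thread."""
    return walk_redirects("https://pwmanager.example.edu/", constructed_fetch,
                          ["172.16.243.65"], constructed_resolver)


def demo_fixed():
    """Whitelist also holds the SSO host the site redirects to."""
    return walk_redirects("https://pwmanager.example.edu/", constructed_fetch,
                          ["172.16.243.65", "172.16.243.80"], constructed_resolver)


if __name__ == "__main__":
    for label, (ok, hops) in (("broken", demo_broken()), ("fixed", demo_fixed())):
        print(f"[{label}]")
        for url, permitted in hops:
            print("  permit " if permitted else "  BLOCKED", url)
        print("  whitelist sufficient" if ok else "  whitelist incomplete: client returns to the portal")
```

To test a real target, call `walk_redirects(url, http_fetch, netdestination, dns_resolver)` from a host that sees the same DNS answers as the controller; any hop reported as BLOCKED is a destination that still needs a netdestination entry, or one that has to be reached over a port other than 80/443 and therefore cannot be opened through the captive portal whitelist at all.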