Clearpass onboard with Cisco WLC 2500 controller

Hello,

We have Clearpass 6.6.8 and we have configured a Cisco WLC 2500 controller as well.

Clearpass = 802.1x + OnGuard service configured, with Cisco-AVpair = Url-redirect=Http and Cisco-AVpair-acl=PreAuth

 

Cisco WLC: We configured ACL(PreAuth) = 0.0.0.0 --> 10.66.16.251 and 10.66.16.251 --> 0.0.0.0 permit

       Deny 0.0.0.0 --> 0.0.0.0

 Layer3 Security = we apply conditional redirect and apply ACL

 

My Concern:

When the user tries to connect to the AP:

1: 802.1x  Authenticated -OK

2: Connected to SSID -OK

3: Clearpass will do the redirect to onguard download -OK

4: Access to Internet denied

Because of the ACL on the WLC, the user can't access the Internet (deny 0.0.0.0 --> 0.0.0.0)

 

Moreover, if I opened the ACL as Permit on the WLC:

0.0.0.0  -> 0.0.0.0 permit

 

Please find my observation:

1: 802.1x  Authenticated -OK

2: Connected to SSID -OK

3: Clearpass will not do the redirect to onguard download -NOK

But because of the ACL on the WLC, the user can access the Internet.

The WLC permits the traffic and forwards it to the firewall.

 

"Cisco WLC does not offer hostname based ACL rules such as Aruba so it is not possible to restrict access to only Google Play's hostnames, "android.clients.google.com" and "ggpht.com". The effect of allowing Google's entire address range is that users in the pre-onboard ACL will not redirect to the captive portal page if they request any Google-owned web addresses such as google.com and gmail.com. These requests will go straight through the firewall as allowed."

 

In my case it happened. My need is that the user should get the redirect page for OnGuard according to the service; if the user is healthy, they should get Internet access directly.

 

Could you please provide any solution on this issue?

 

Regards

Vishesh Anand
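
The two observations in the post above, modelled as an added example (not part of the original post, and not WLC or ClearPass code): a first-match evaluation of both PreAuth ACL variants, plus a check for rules that an earlier, broader rule makes unreachable. The client and Internet addresses are constructed, and the forward/redirect/drop handling is an assumption taken from the behaviour the post reports.

```python
import ipaddress

CLEARPASS = "10.66.16.251"   # ClearPass address from the post
CLIENT = "10.66.20.15"       # constructed wireless client address
INTERNET = "203.0.113.10"    # constructed Internet destination

def rule(src, dst, action):
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

# ACL from the post: ClearPass in both directions, then deny everything.
ACL_RESTRICTIVE = [
    rule("0.0.0.0/0", CLEARPASS + "/32", "permit"),
    rule(CLEARPASS + "/32", "0.0.0.0/0", "permit"),
    rule("0.0.0.0/0", "0.0.0.0/0", "deny"),
]
# ACL after it was opened up: this single rule matches every packet.
ACL_OPEN = [rule("0.0.0.0/0", "0.0.0.0/0", "permit")]

def evaluate(acl, src, dst):
    """Return the action of the first matching rule (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def preauth_outcome(acl, src, dst, is_http):
    """Assumed handling: permitted traffic is forwarded untouched,
    denied HTTP is redirected to the portal, other denied traffic is dropped."""
    if evaluate(acl, src, dst) == "permit":
        return "forward"
    return "redirect" if is_http else "drop"

def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule
    already covers their whole source and destination range."""
    hits = []
    for i, (s, d, _) in enumerate(acl):
        if any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd, _ in acl[:i]):
            hits.append(i)
    return hits

if __name__ == "__main__":
    for name, acl in (("restrictive", ACL_RESTRICTIVE), ("open", ACL_OPEN)):
        print(name, "HTTP to Internet:", preauth_outcome(acl, CLIENT, INTERNET, True))
        print(name, "HTTP to ClearPass:", preauth_outcome(acl, CLIENT, CLEARPASS, True))
```
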


Re: Clearpass onboard with Cisco WLC 2500 controller

Is there anyone who can reply to me on this issue?
