MVP
Posts: 360
Registered: ‎05-09-2013

Modify NAS IP in wired web-redirect


Hi all,

 

So I'm trying to get a wired web-login working from a Cisco switch to ClearPass; however, I keep running into the problem where the NAS IP is CPPM (127.0.0.1) and not the switch. Is there a way to modify the redirect URL to include a NAS-IP field? I already have the switch IP and MAC address included in the URL.

 

I have the web login page set to Server-Initiated; if we set it to Controller-Initiated, the login never succeeds, probably due to the same issue. Essentially we see two requests for the same authentication:

1. RADIUS

2. WebAuth 

 

Both have the 127.0.0.1 IP address. If we can get the IP to be the switch, or somehow send a CoA to the switch via an enforcement profile, the device would then successfully MAC auth and there would be no more ACL redirect on the port.

 

In the Computed Attributes of the request, I have the following:

Application: WebLoginURL:switchip 10.23.128.31

 

So I know the information is there; just how do I reference it to send a terminate session or ACL update?

 

Any ideas? 


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 360
Registered: ‎05-09-2013

Re: Modify NAS IP in wired web-redirect


 

Would prefer to have the request show the correct NAS IP, but if I can send an enforcement referencing that computed attribute, that works too.

 


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Occasional Contributor II
Posts: 12
Registered: ‎12-10-2010

Re: Modify NAS IP in wired web-redirect


For Cisco switches I also use Server-Initiated.

 

To make this work, create a RADIUS enforcement profile that returns Cisco av-pair = url-redirect=http://FQDN/guest/guestwebloginwired.php?switchip=%{Radius:IETF:NAS-IP-Address}&mac=%{Connection:Client-Mac-Address-NoDelim}&

 

Also, in the same RADIUS enforcement profile return a reference to an ACL with another Cisco-AVPair = url-redirect-acl=Guest-Web-Redirect

 

I don't use DACLs, so the access list must be created on the switch.

ip access-list extended Guest-Web-Redirect
deny ip any host <ClearPass IP Address>
deny udp any any eq domain
permit ip any any
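As an added example (not from the poster or from ClearPass itself), the following renders the url-redirect template above by expanding ClearPass-style %{Namespace:Attribute} macros from a constructed attribute dictionary, then checks the result for the exact failure described in this thread: a switchip of 127.0.0.1 (the CoA would target CPPM rather than the switch), a malformed MAC, or a macro that was never expanded. The hostname clearpass.example.com and the attribute values are constructed placeholders.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the url-redirect template from the post above,
# with a placeholder FQDN.
REDIRECT_TEMPLATE = (
    "http://clearpass.example.com/guest/guestwebloginwired.php"
    "?switchip=%{Radius:IETF:NAS-IP-Address}"
    "&mac=%{Connection:Client-Mac-Address-NoDelim}&"
)

MACRO = re.compile(r"%\{([^}]+)\}")


def render_redirect(template, attrs):
    """Expand %{Namespace:Attribute} macros from a flat attribute dict.

    Unknown macros are left in place so a misnamed attribute is visible
    in the result instead of silently becoming an empty query value.
    """
    return MACRO.sub(lambda m: attrs.get(m.group(1), m.group(0)), template)


def check_redirect(url):
    """Return a list of problems found in a rendered url-redirect value."""
    problems = []
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    switchip = qs.get("switchip", [""])[0]
    mac = qs.get("mac", [""])[0]
    if not switchip:
        problems.append("switchip missing")
    else:
        try:
            if ip_address(switchip).is_loopback:
                # This is the symptom in the thread: NAS IP is CPPM, not the switch.
                problems.append("switchip is loopback: CoA would target ClearPass, not the switch")
        except ValueError:
            problems.append(f"switchip is not an IP address: {switchip!r}")
    # Client-Mac-Address-NoDelim is 12 hex digits with no separators.
    if not re.fullmatch(r"[0-9a-fA-F]{12}", mac):
        problems.append(f"mac is not 12 hex digits: {mac!r}")
    if "%{" in url:
        problems.append("unexpanded macro left in URL")
    return problems
```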

MVP
Posts: 360
Registered: ‎05-09-2013

Re: Modify NAS IP in wired web-redirect

Excellent, I will try to implement. I was able to temporarily resolve the issue by changing the CoA from the Web Auth request to the RADIUS request, which still seems to maintain the original switch information. Essentially we do MAC auth, captive portal login (RADIUS + WebAuth), then bounce in the background while at the landing page with a loading bar for 10 seconds, then re-MAC auth successfully for full access.

 

I will look into optimizing it with the recommendations. Thank you for the help.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com