Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

NAC and Cisco 3750

All,

We are having issues with the ClearPass portal page redirect when using wired authentication. When we plug a PC into the switchport and open a browser we don't get a redirect to the ClearPass portal page. If I manually type in the redirect, I can get to the page fine. I figure if I pop a browser it should take me there automatically. Any suggestions are appreciated.

Thanks,

Bill

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: NAC and Cisco 3750

Can you share the Enforcement Profile you are sending back to the switch? Specifically the Cisco-AVPair response attributes.

Also, make sure you have http and https enabled on the switch:

ip http server
ip http secure-server

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: NAC and Cisco 3750

Hi clembo,

ip http server and ip http secure-server are in the switch config.

Here's the enforcement profile we are sending back.

1. Radius:Cisco:Cisco-AVPair = url-redirect=https://x.x.x.x/guest/poc_wired_login.php?mac=%{Connection:Client-Mac-Address-Colon}
2. Radius:Cisco:Cisco-AVPair = url-redirect-acl=CPG

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: NAC and Cisco 3750

Does Access Tracker show the proper RADIUS response and attributes returned on the Output tab?

What does the following show for the port you are plugged into? Does it show the proper URL Redirect and ACL?

show authentication sessions interface <interface>

Also, what does your CPG ACL look like?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: NAC and Cisco 3750

One more thing, what IOS version is on the switch?  

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: NAC and Cisco 3750

Here's the IOS version.

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE8, RELEASE SOFTWARE (fc2)

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: NAC and Cisco 3750

CPG ACL is below, 10.1.1.1 being the ClearPass IP.

!
ip access-list extended CPG
 deny   tcp any host 216.68.1.100
 deny   tcp any host 216.68.2.100
 deny   tcp any host 10.1.1.1
 deny   tcp any host 10.2.2.2
 permit tcp any any

I will get you the access tracker and sh auth sessions info here shortly.

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: NAC and Cisco 3750

Access Tracker info:

Enforcement Profiles:
POC Cisco redirect
System Posture Status:
UNKNOWN (100)
Audit Posture Status:
UNKNOWN (100)

-RADIUS Response
Radius:Cisco:Cisco-AVPair = url-redirect-acl=CPG
Radius:Cisco:Cisco-AVPair = url-redirect=https://10.1.1.1/guest/poc_wired_login.php?mac=00:18:8b:b9:0c:bb

dtnsa-5-lab-9#sh authentication sessions int g1/0/12
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0018.8bb9.0cbb
           IP Address:  10.237.75.46
            User-Name:  00188bb90cbb
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
         URL Redirect:  https://10.1.1.1/guest/poc_wired_login.php?mac=00:18:8b:b9:0c:bb
     URL Redirect ACL:  CPG
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AC700E60000002333D9E98D
      Acct Session ID:  0x0000003E
               Handle:  0x35000023

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success


Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: NAC and Cisco 3750

I don't see anything obvious with your results. It looks like ClearPass is sending the proper attributes and the switch is setting them for the port. Can you show the configuration for the port itself please?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: NAC and Cisco 3750

Try this link.

https://afp.arubanetworks.com/afp/index.php/Cisco_Wired_Guest_for_ClearPass_6.2.1_and_greater

There are a couple of verification commands in the troubleshooting area, and I added some at the bottom for DACLs that will help you troubleshoot your config:

!
aaa new-model
!
!
aaa authentication dot1x default group radius local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
 client 10.80.2.100 server-key XXXXXXXX
 client 10.80.2.106 server-key XXXXXXXX
 client 10.80.2.107 server-key XXXXXXXX
 port 3799
 auth-type all
!
!
interface FastEthernet1/0/18
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 50
 authentication event no-response action authorize vlan 400
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 20
 dot1x timeout supp-timeout 20
 dot1x max-reauth-req 1
 no mdix auto
 spanning-tree portfast trunk
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 ip address 10.80.2.5 255.255.255.0
 ip helper-address 10.80.2.254
 ip helper-address 10.80.2.100
 no ip route-cache
 no ip mroute-cache
!
interface Vlan400
 description "quarantine_vlan"
 ip address 10.0.4.5 255.255.255.0
 ip helper-address 10.80.2.254
 ip helper-address 10.80.2.100
 no ip route-cache
 no ip mroute-cache
 shutdown
!
ip default-gateway 10.80.2.1
ip classless
ip http server
ip http secure-server
!
ip access-list extended cplab
 deny   tcp any host 10.80.2.100
 permit tcp any any
ip access-list extended default_acl
 permit ip any any
ip access-list extended guest
 deny   tcp any host 10.80.2.100
 deny   tcp any host 10.80.2.106
 deny   tcp any host 10.80.2.107
 permit tcp any any
!

Thank You,
Troy