Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired Guest Access

  • 1.  Wired Guest Access

    Posted Mar 16, 2018 09:16 AM

    Hello everyone!

    A customer wants users to do 802.1X authentication on the wired access with ClearPass.

    If the 802.1X authentication doesn't work (for a guest user, for example), then the user is redirected to the ClearPass captive portal.

    Can someone please explain to me how I can do that?

    Thanks all for your help!



  • 2.  RE: Wired Guest Access

    EMPLOYEE
    Posted Mar 16, 2018 09:17 AM
    Did you look at the ClearPass Solution Guide for Wired Policy Enforcement?


  • 3.  RE: Wired Guest Access

    Posted Mar 16, 2018 09:52 AM

    Hello!

    Thank you very much for your reply.

    I read some parts of it. I found how to do 802.1X with wired access. I found how to do captive portal with the wired access.

    But I don't know how the fallback mechanism works: if 802.1X doesn't succeed, then we perform web auth...



  • 4.  RE: Wired Guest Access

    EMPLOYEE
    Posted Mar 16, 2018 09:54 AM
    It’s all on the switch side.


  • 5.  RE: Wired Guest Access

    Posted Mar 19, 2018 09:23 AM

    What kind of switches do you use?

    For Cisco you can do something like this:

    interface GigabitEthernet1/0/35
     switchport access vlan 100
     switchport mode access
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 15
     dot1x max-reauth-req 1
     spanning-tree portfast
    !

    MAB is the key there, as it's MAC address bypass, which in essence is mac-auth. So on failed dot1x it will do MAB, and here you will return the attributes from ClearPass which trigger the redirect ACL. Once redirected and authenticated, you use RADIUS CoA to change the ACL for the client.



  • 6.  RE: Wired Guest Access

    Posted Mar 19, 2018 10:53 AM

    If you use Aruba switches you can send an enforcement profile on authentication failure with the captive portal URL (based on HPE VSAs):

    Radius:Hewlett-Packard-Enterprise
    HPE-Captive-Portal-URL (24)
    http://<cppm-server>/guest/<guest-page>.php

    Be sure to enable captive portal in the switch.

    Also a couple of downloadable ACLs are required to block all traffic except DNS, DHCP and 80/443 to ClearPass.
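Added example (not from any poster and not ClearPass or switch code): the Python below encodes the HPE-Captive-Portal-URL VSA from reply 6, and the Cisco-AVPair url-redirect / url-redirect-acl pair that backs the redirect ACL in reply 5, as RFC 2865 Vendor-Specific attributes, and decodes an attribute list back so a captured Access-Accept can be checked against what the enforcement profile was supposed to send. The vendor IDs (11 for Hewlett-Packard, 9 for Cisco) are taken from public RADIUS dictionaries and the hostnames are placeholders.

```python
import struct

VSA_TYPE = 26                 # RFC 2865 Vendor-Specific attribute
HPE_VENDOR_ID = 11            # Hewlett-Packard vendor id (assumed, from public RADIUS dictionaries)
HPE_CAPTIVE_PORTAL_URL = 24   # HPE-Captive-Portal-URL, attribute 24 as quoted in reply 6
CISCO_VENDOR_ID = 9           # Cisco vendor id (assumed, from public RADIUS dictionaries)
CISCO_AVPAIR = 1              # Cisco-AVPair; carries "url-redirect=..." and "url-redirect-acl=..."


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one string-valued Vendor-Specific attribute (type 26) with its sub-attribute header."""
    data = value.encode()
    # 253-byte attribute payload minus 4 bytes vendor id minus 2 bytes sub-attribute header
    if len(data) > 247:
        raise ValueError("VSA string too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def decode_attrs(blob):
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value) for every VSA in it."""
    found = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute length")
        atype, alen = blob[i], blob[i + 1]
        if atype == VSA_TYPE:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:
                if j + 2 > i + alen or blob[j + 1] < 2 or j + blob[j + 1] > i + alen:
                    raise ValueError("malformed vendor sub-attribute")
                vtype, vlen = blob[j], blob[j + 1]
                found.append((vendor_id, vtype, blob[j + 2:j + vlen].decode()))
                j += vlen
        i += alen
    return found


def hpe_captive_portal_attrs(url):
    """What the enforcement profile in reply 6 puts on the wire for an Aruba switch."""
    return encode_vsa(HPE_VENDOR_ID, HPE_CAPTIVE_PORTAL_URL, url)


def cisco_redirect_attrs(url, acl_name):
    """The Cisco pair behind reply 5: the portal URL plus the name of the redirect ACL on the switch."""
    return (encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "url-redirect=" + url)
            + encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "url-redirect-acl=" + acl_name))
```

Running decode_attrs over the attribute section of a captured Access-Accept (after the 20-byte RADIUS header) shows whether the switch actually received the URL and ACL name the policy was meant to return.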



  • 7.  RE: Wired Guest Access
    Best Answer

    EMPLOYEE
    Posted Mar 19, 2018 11:00 AM
    If only there was a doc that covered this step by step ;)


  • 8.  RE: Wired Guest Access

    Posted Mar 19, 2018 10:57 AM

    Thank you all for your answers!

    The customer has Extreme switches. I looked for documentation but I didn't find anything yet.