Wired Intelligent Edge

Hi Folks. I am trying to do wired guest with ClearPass and Aruba 3810M access switches.  I have two services on CPPM to accomplish this:

1. First service is Allow All MAC AUTH. If EndPoint is Unknown, it returns dynamic ACL along hpe-captive-portal-url attribute to the switch. If endpoint is know, an unrestricted profile is sent to the switch.

2. Second service is Web-auth to authenticate the captive portal user.

Everything seems to be working as aticipated. If an unknown endpoint comes on the network, I can see radius ACL assinged on the port (show access-list radius port id) and captive portal URL receied by the switch (show port-access clients detailed). Somehow, client is not being automatically redirected to the captive portal page. End to end flow works fine if I manually type the registration page URL and register/login.

I do have L3 interface on guest VLAN creatd on the switch. Running out of options to troubleshoot this issue further. Any help would be appreciated.

I also have a TAC case opened, but havent progressed bit in last 4 days unfortunately.

What version of ArubaOS-Switch?

Was running on 16.03.0003 & yesterday upgraded to 16.03.0004. both have similar behavior.

Please post screenshots of your enforcement profile(s).

Hi Tim,

Please find below:

Also, I can vertify correct attributes sent back to the switch:

And the switch config is pretty simple:

l3swaccstack# sh ip  | inc 153
  Wi-Fi_Guest04        | Manual     172.25.153.200  255.255.255.0    No    No
l3swaccstack#

==================================================

radius-server host 172.25.16.4 key "xxxx"
radius-server host 172.25.16.4 dyn-authorization
radius-server host 172.25.16.4 time-window 0

aaa authentication port-access chap-radius
aaa port-access mac-based 1/48

aaa authentication captive-portal enable

where 172.25.16.4 is CPPM VIP.

Hi Tim,

For some reason I am unable to add the screenshots inline. I have atttached them.

The switch config is pretty simple:

radius-server host 172.25.16.4 key "xxxxx"
radius-server host 172.25.16.4 dyn-authorization
radius-server host 172.25.16.4 time-window 0

aaa authentication port-access chap-radius
aaa port-access mac-based 1/48

aaa authentication captive-portal enable

l3swaccstack#
l3swaccstack# sh ip  | inc 153
  Wi-Fi_Guest04        | Manual     172.25.153.200  255.255.255.0    No    No
l3swaccstack#

where 172.25.16.4 is CPPM VIP.

You need the following two entries to trigger the redirect:

Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 80 cpy
Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 443 cpy

Also, you may want to consider using user-roles instead. Much easier.

Hi Tim,

Thanks. I am out of site for couple of days. Will check and update you.