Hey all!
Big background up front: I had a lab with an HP switch for users, a MAS 1500 for redirection (maybe) and head-end, and a 7005 controller. this is all segregated via Cisco ASA to simulate a remote office. Our ClearPass appliance is not in this segregated lab, since it is a VM and we don't have a big enough lab/budget to have VM in the lab. With this setup, everything seemed to be working fine - although I am almost positive that it was actually the controller handling all of the redirection rather than the MAS.
Part II
Well, since our remote sites DO have MAS switches, but DO NOT have controllers, I have moved the controller to the other side of the firewall with the VM, thus ensuring that I am both emulating a remote site, and that I am indeed doing the redirection with the MAS rather than the controller. This SEEMS to be working.
Part III
However, when the controller was doing the redirection, it was seamless: open IE, go directly to ClearPass login page. Now, with the MAS doing redirection, when you open IE you are given an "Authentication Required, Click here to proceed" page. Of course, we want to remove that manual step and have the redirection be seamless again.
Other than the config below, is there any other info I can provide to help with finding a solution?
Thanks,
Russell
Config:
interface gigabitethernet "1/0/0"
switching-profile "trunk"
!
interface gigabitethernet "1/0/1"
aaa-profile "CLEARPASS-BYODLOGIN-AAA"
switching-profile "vlan426"
no trusted port
!
interface gigabitethernet "1/0/2"
aaa-profile "CLEARPASS-POSTURE-AAA"
switching-profile "vlan526"
no trusted port
!
interface-profile switching-profile "trunk"
switchport-mode trunk
native-vlan 427
trunk allowed vlan 427-429,527
!
interface-profile switching-profile "vlan426"
access-vlan 426
!
interface-profile switching-profile "vlan526"
access-vlan 526
!
aaa authentication captive-portal "CLEARPASS-BYODLOGIN-PORTAL"
default-role "authenticated"
server-group "LAB-CPPM-GROUP"
redirect-pause 0
protocol-http
login-page "https://qa01vacppm01.hmcorp.local/guest/byod.php"
!
aaa authentication captive-portal "CLEARPASS-POSTURE-PORTAL"
default-role "authenticated"
server-group "LAB-CPPM-GROUP"
redirect-pause 0
protocol-http
login-page "https://qa01vacppm01.hmcorp.local/guest/posture.php"
!
aaa profile "CLEARPASS-BYODLOGIN-AAA"
initial-role "CLEARPASS-WIRED-BYODLOGIN-ROLE"
radius-accounting "LAB-CPPM-GROUP"
rfc-3576-server "10.1.254.10"
!
aaa profile "CLEARPASS-POSTURE-AAA"
initial-role "CLEARPASS-POSTURE-ROLE"
radius-accounting "LAB-CPPM-GROUP"
rfc-3576-server "10.1.254.10"
!
user-role CLEARPASS-POSTURE-ROLE
vlan 526
captive-portal "CLEARPASS-POSTURE-PORTAL"
!
user-role CLEARPASS-WIRED-BYODLOGIN-ROLE
vlan 426
captive-portal "CLEARPASS-BYODLOGIN-PORTAL"
!