Wireless Access

We have an SSID which uses Captive Portal as an auth mechanism. After successful authentication I know that we can re-direct users to a "Thank You" web page to include additional info. We now have a SSID that uses 802.1x authentication. Is there a way to force the user to a redirected "Thank You" page for this method of authentication? I realize that user don't necessarily have to have their web browser open to authenticate dot1x but am wondering if the page would appear if and when they eventually open their browser.
Thanks,
Mike

(1) Create a new Captive Portal Authentication Profile called "Redirect" with the default role as your 802.1x authentication role. Uncheck User Login, uncheck Guest Login, Uncheck Logout popup Window. Make sure Show Welcome Page is checked. Save the profile.

(2) Create a user-role called "Redirect" and make sure the Captiveportal firewall policy, as well as DNS, DHCP and ICMP policies are applied to it. Configure the captive portal authentication profile on this role as the "Redirect" Captive Portal Authentication profile that you configured above.

(3) Either create an HTML page or a jpeg that says "Thanks for logging in" and upload it to the controller under Maintenence > Captive Portal (Customize Login page or Upload Custom Pages) under the Redirect Captive Portal Profile you created in the first step.

(4) Edit your AAA profile for that SSID so that your default 802.1x role is the "Redirect" role that you created in step 1.

This is how it is supposed to work:

User authenticates successfully via 802.1x and ends up in the "Redirect" role. The Redirect role has the Captive Portal firewall policy and DHCP and DNS which allows to user to get an IP address, but redirects http and https traffic to the captive portal. The controller sees that the user is in the "Redirect" role when his http/https traffic hits the controler when the browser is opened and looks up the Captive Portal Authentication profile associated with the role. The Captive Portal Profile we created has no authentication, but is only there to display whatever "Welcome" page that we have configured, and then disappear. The user is then placed in the default Guest role of that captive portal profile.

I tested this out and it works very nicely. A use-case I have in mind is for university emergency notification situations - it would allow us to quickly intercept web traffic and post a notice to wireless users. The only issue I see is that the mentioned method requires you to upload a page/image to the controller to be used.

Is there a way to make the redirect go to a different website instead of the one the user went to? For instance, user navigates to www.google.com, the "redirect" user-role with the CP profile redirects them to a university website, then the user changes to the non-redirect user-role.

Any ideas on how to accomplish this variation??

Ryan,

The page that the controller builds when you import an image or text has code that will automatically redirect the user to the page he was going to when he opened the browser. If you upload your own page, you can do whatever you want.

I know I'm reviving an old post - but I'm now attempting to do the same thing now...

It almost works, but after getting redirected to the welcome page, the users role is not changed as per the captive portal auth profile. (So user ends up being continually redirected)

 

I'm suspecting this might be do to the fact that my initial role is set via clearpass in the initial 802.1x radius response... and perhaps because of this it cannot be overwritten by the controllers captive portal auth profile?   Or perhaps I need to twist some new knobs now that I come from 5+ years in the future?

 

Travis

The user's role, (unless changed by clearpass) should be the default role in the Captive Portal authentication profile.  If clearpass just sends an accept, the role in the Captive Portal authentication profile should be what is applied.  Maybe your default role in the Captive Portal authentication profile is some type of "logon" role...

I knew I was close and continued to work....   found out a few things....

 

I had initially zeroed out the login page (I wasn't using it....) - then it wanted something there... so I added the same url as the external web page I wanted to show....

 

that apparently doesn't work..... - even with user logon and guest logong unselected - it wants to show the external  login page... but doesn't  trigger a role change.

 

So I then changed it back to default "/auth/index.html"

 

but then my device joined and automagically changed roles without me seeing the welcome page...

 

I think this is a symptom of  advancing 5 years....  so many background http processes - and it just takes one in this scenario to flip my role.     

 

enabling "Show the acceptable use policy page"   makes it require user intervention

 

 

You need an entry in the login page for a successful login. Please enter the default.

The redirect should be in the "welcome page", but start with http://