Security

Hi,

I am struggling with setting up a Captive Portal redirect for wired guest. The configurations are all from the prescribed documents and guidelines but the web redirect is not happening.

Relevant switch configurations are as below:

!
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group tacacs+ group radius
aaa accounting system default start-stop group tacacs+ group radius
!
aaa server radius dynamic-author
client 192.168.1.242 server-key test123
port 3799
auth-type all
!
aaa session-id common
switch 1 provision ws-c2960s-24ps-l
authentication mac-move permit
!
ip dhcp snooping
no ip domain-lookup
ip name-server 192.168.1.240
ip device tracking

!

dot1x system-auth-control

!

interface GigabitEthernet1/0/1
switchport access vlan 99
switchport mode access
authentication control-direction in
authentication event server dead action authorize vlan 96
authentication event no-response action authorize vlan 96
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 2
dot1x timeout supp-timeout 20
dot1x max-req 1
dot1x max-reauth-req 1
spanning-tree portfast

!

interface Vlan1
ip address 192.168.1.11 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
ip http secure-active-session-modules disable_webmgmt
ip http session-module-list disable_webmgmt NONE
ip http active-session-modules disable_webmgmt
!
ip access-list extended ANY
permit ip any any
ip access-list extended Web-Redirect
deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
deny udp any any eq domain
deny tcp any host 192.168.1.242
permit tcp any any
ip radius source-interface Vlan1
ip sla enable reaction-alerts
radius-server attribute 4 192.168.1.11
radius-server host 192.168.1.242 auth-port 1812 acct-port 1813 key test123
radius-server vsa send accounting
radius-server vsa send authentication

!

Services on ClearPass and the outputs are attached.

Any guidance would be good enough. Thanks

Have you tried creating an access list which will permit users to have access to 192.168.1.242 for http, https and DNS service on the initial guest user-role?

When HTTPS is enabled, it hits the security page, I hit continue anyway, then display error/redirect too many times .

Did you ever resolve this issue? Experiencing something similar

What are you experiencing? There are multiple things in this thread. Do you have the redirect? Can you authenticate on ClearPass? Do you see the port-bounce?

Did you check the ClearPass wired enforcement guide as posted on https://arubanetworks.com/clearpassdocs ?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------