Juniper EX Url redirect issue

  • 1.  Juniper EX Url redirect issue

    Posted Jun 06, 2020 11:20 AM

    Dear Experts,

    I need some help regarding configuring Juniper EX 2300 running version to support OnGuard. Below is the workflow I am trying to do (and have done successfully on Cisco switches and Aruba OS switches):

     

    • User connects to the port enabled for dot1x
    • User authenticates successfully
    • User is placed in the quarantine VLAN since it’s the first time the user has connected and there is no posture information
    • ClearPass pushes the url-redirect so that the switch may redirect the user to the OnGuard landing page

     

    Now in my case this is what is happening. I have created a “Juniper-CWA” profile (snap attached) which tells the URL redirect and the Juniper firewall filter “JNPR_RSVD_FILTER_CWA” to be pushed to the user when he is being placed in the quarantine VLAN. Now this is what happens:

    • User connects to the port
    • User cannot authenticate, i.e. Windows tells me authentication failed but ClearPass is showing authentication successful. There are no alerts and I can see there are 3 things that are pushed for the user: VLAN, URL redirect and JNPR_RSVD_FILTER_CWA

     

    Now if I simply remove the Juniper-CWA profile from the quarantine policy, authentication is successful. If I just remove “JNPR_RSVD_FILTER_CWA”, authentication fails (at the client’s end; ClearPass shows it’s successful).

    I have restarted the switch but it was no use. Has anybody done this on EX switches before?



  • 2.  RE: Juniper EX Url redirect issue

    Posted Sep 10, 2020 01:56 AM

    Hello Iqbal,

     

    We are also having the same issue. Any solution identified?

     

    Please help me with this if you identified any solution.

     

    Thanks,

    Yugandhar.



  • 3.  RE: Juniper EX Url redirect issue

    Posted Sep 10, 2020 02:22 AM
    Dear Yugandhar

    During my research, the collateral I found on Juniper clearly implies
    that such a scenario is not possible. Why? Below is the excerpt from the
    official Juniper website:

    Central Web authentication is invoked after a host has failed MAC RADIUS
    authentication. The host can attempt authentication using 802.1X
    authentication first, but must then attempt MAC RADIUS authentication
    before attempting central Web authentication

    In my case, what I recall is we cannot have failed MAC authentication after
    successful dot1x authentication, because it makes no sense, to me at least.

    Link to Juniper ->
    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/central-web-authentication.html


  • 4.  RE: Juniper EX Url redirect issue

    Posted Sep 17, 2020 03:51 AM

    It looks like I face the same issue.

     

    May I know if there is any method to solve this issue?



  • 5.  RE: Juniper EX Url redirect issue

    Posted Jul 26, 2022 05:58 PM
    Hi all,

    Just a quick update on this, hope it helps...

    I've been fooling around with the captive portal CoA and 802.1X auth combo in our lab on a Juniper EX2300-C: tried it first on the Junos version I had running (20.2R3.9) > did not work, the URL was not getting accepted by the switch, which caused the authentication to fail. Traceoptions logs show the following message: "CWA : Invalid URL[] received. Do not install CWA filter"

    However, as from Junos version 20.4R3-S3.4, this seems to work just fine.

    FYI: works well on Aruba 2930 switch too ;-)

    Cheerio!
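
The following triage helper is an added example, not code from any poster in this thread or from Juniper or Aruba. It scans dot1x traceoptions lines for the CWA rejection message quoted in the last post and compares the switch's Junos release with the one that post reports as working. Only the message text and the two version strings come from the thread; the log line prefixes and function names are constructed, and the version parser assumes the plain `YY.NRn[-Sn][.spin]` form.

```python
import re

# Message text as quoted in the thread; the rest of a log line is treated as opaque.
CWA_REJECT = re.compile(
    r"CWA : Invalid URL\[(?P<url>[^\]]*)\] received\. Do not install CWA filter")

# Release the last post reports as working on an EX2300-C.
# This is that poster's observation, not a vendor-stated minimum.
REPORTED_WORKING = "20.4R3-S3.4"

# Assumption: only standard "R" releases are handled, e.g. 20.2R3.9 or 20.4R3-S3.4.
JUNOS_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")


def parse_junos(version):
    """Return (major, minor, R-build, S-release, spin); missing parts become 0."""
    m = JUNOS_VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def cwa_rejections(lines):
    """URL field of every CWA rejection line ('' means the switch saw an empty URL)."""
    return [m.group("url") for line in lines if (m := CWA_REJECT.search(line))]


def triage(version, lines):
    """Summarise whether the CWA filter was refused and whether the release is older."""
    rejected = cwa_rejections(lines)
    return {
        "cwa_filter_rejected": bool(rejected),
        "empty_url_seen": "" in rejected,
        "older_than_reported_working":
            parse_junos(version) < parse_junos(REPORTED_WORKING),
    }


# Constructed sample: timestamps and surrounding lines are made up for illustration.
SAMPLE_LOG = [
    "Jul 26 17:41:02 dot1x: authentication request for ge-0/0/1",
    'Jul 26 17:41:03 dot1x: CWA : Invalid URL[] received. Do not install CWA filter',
    "Jul 26 17:41:03 dot1x: session terminated",
]

if __name__ == "__main__":
    print(triage("20.2R3.9", SAMPLE_LOG))
```

A rejection on a release at or above the reported one points away from the version and toward the redirect URL the RADIUS server is sending.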