Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[Wired URL Redirect Issue] PC Connect thru Cisco/Avaya IP Phone

  • 1.  [Wired URL Redirect Issue] PC Connect thru Cisco/Avaya IP Phone

    Posted Apr 05, 2021 01:47 AM
    Hi All,

    Device: Clearpass, Cisco Switch 2960X, Cisco/Avaya IP Phone

    Current scenario:
    The Cisco switch is integrated with ClearPass, and the IP phone connects to the switch.
    The PC connects through the IP phone data port, but nothing prompts and users gain internet access to all websites.
    ClearPass shows that the related enforcement has been pushed to the switch, and the result is correct on the switch.

    Initial Data VLAN: 48
    Voice VLAN: 196
    After OnGuard check, re-authentication User Data VLAN: Depends

    Expectation: the PC connects through the IP phone data port and gets a URL prompt for OnGuard web authentication (not using the software agent here).


    Switch Config:
    interface GigabitEthernet1/0/5
     switchport access vlan 48
     switchport mode access
     switchport voice vlan 196
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 48
     authentication event server dead action authorize voice
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast edge
    end


    Kindly help. Thanks in advance.

    ------------------------------
    William Koh
    ------------------------------

    Attachment(s): Switch Auth Session.txt


  • 2.  RE: [Wired URL Redirect Issue] PC Connect thru Cisco/Avaya IP Phone

    EMPLOYEE
    Posted Apr 06, 2021 06:04 AM
    Hard to tell without seeing the configuration. My guess would be that the dACL allows the traffic. This requires interactive troubleshooting. Please check your configuration against the Wired Policy Enforcement Guide, which is available from https://www.arubanetworks.com/clearpassdocs, and work with your ClearPass partner or Aruba TAC if you can't figure out what is going on.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: [Wired URL Redirect Issue] PC Connect thru Cisco/Avaya IP Phone

    Posted Apr 06, 2021 11:25 PM
    Yes, it got pushed a dACL allowing all TCP eq www & 443.
    I followed the guide "Wired Policy Enforcement Solution"; this is a requirement in order to push / redirect all websites to the captive portal.
    This is working fine when the PC connects directly to the Cisco switch, but not when it connects through the IP phone.

    As the Cisco port uses authentication host-mode multi-domain, ClearPass also pushed the "VOICE" domain to the IP phone.




    ------------------------------
    William Koh
    ------------------------------



  • 4.  RE: [Wired URL Redirect Issue] PC Connect thru Cisco/Avaya IP Phone

    Posted Apr 07, 2021 04:02 AM
    Hi William,

    could you show me your config for the CLEARPASS-REDIRECT acl please? Is it an exact copy of the Wired Policy Enforcement Solution as stated on page 128 of the 2018 version?

    I can't get a PC to redirect when I follow the guide, and I don't understand why in one acl you have to deny access to ClearPass and in the next you allow all traffic. I noticed you didn't specify the default acl in the switchport config, but that doesn't do the trick for me either.

    Second, when I follow the solution for IP phones, I can't get a phone to work either, sending the cisco-av-pair = device-traffic-class=voice. The filter-id profile is not specified in the solution text, but I guess that's RADIUS:IETF Filter-ID = ALLOWALL to overrule the default acl specified. None of this seems to be working.

    When I statically configure the switch port with the same access vlan and voice vlan, the phone connects to the call manager; when using authentication it does not.


    Cisco Catalyst 3850 with IOS 16.09.06

    txs,
    Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------



  • 5.  RE: [Wired URL Redirect Issue] PC Connect thru Cisco/Avaya IP Phone

    Posted Apr 07, 2021 10:13 AM
    Captive portal redirect solved, thanks to Victor Fabian: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=5173

    http server and http secure-server need to be enabled on the switch!!

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------
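A consolidated Cisco IOS fragment, added here as an example that is not part of the thread or of the Aruba guide it cites, showing how the pieces discussed above fit together: the switch web server from post 5, the redirect ACL from post 4, and the dACL from post 3. The ClearPass address 192.0.2.10 and the ACL name CLEARPASS-DACL-EXAMPLE are assumptions; the port configuration stays as posted in post 1.

```cisco
! Added example, not from the thread or the Aruba guide.
! 192.0.2.10 is a placeholder for the ClearPass server address.

! 1. The switch's own HTTP/HTTPS server performs the intercept. Without
!    these two commands the redirect ACL is attached to the session but
!    nothing answers the client's web request (the symptom fixed in post 5).
!    The server listens on every switch IP, so keep the usual management-
!    plane access controls in place for the switch itself.
ip http server
ip http secure-server

! 2. Redirect ACL, referenced by name from the ClearPass enforcement
!    profile (Cisco-AVPair url-redirect-acl=CLEARPASS-REDIRECT together
!    with url-redirect=<portal URL>). In a Cisco redirect ACL the sense is
!    the reverse of a filtering ACL: "permit" = redirect this flow,
!    "deny" = pass it through untouched. That is why ClearPass itself is
!    denied (the portal page must be reachable) while all other web
!    traffic is permitted (sent to the portal). This is the two-ACL
!    pattern Erik asks about in post 4.
ip access-list extended CLEARPASS-REDIRECT
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443

! 3. The dACL pushed by ClearPass (post 3: "allowed all TCP eq www & 443")
!    must still let the web flows through, because a flow the dACL drops
!    never reaches the redirect ACL. The dACL is delivered as
!    Cisco-AVPair ip:inacl#N=... lines in the enforcement profile; it is
!    shown here as a named ACL only for readability. DNS and the
!    ClearPass host are also needed so the client can resolve and load the
!    portal; everything else is dropped until OnGuard passes the endpoint.
ip access-list extended CLEARPASS-DACL-EXAMPLE
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
```

With authentication host-mode multi-domain on the port, the PC behind the phone holds its own data-domain session, so the redirect ACL and dACL above apply to the PC session alone and the phone's voice-domain session (device-traffic-class=voice) is unaffected.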