ClearPass web page redirect

  • 1.  ClearPass web page redirect

    Posted Oct 18, 2021 10:17 AM
    We have given our guest system a device maximum threshold which is set as an enforcement condition.

    How can we implement a web page redirect to notify the user if they reach that threshold, using ClearPass?

    Adam Newson

  • 2.  RE: ClearPass web page redirect

    Posted Oct 18, 2021 11:07 PM
    Hi Adam,

    You can create a "web page" in ClearPass guest that will be redirected to in the event of having too many guest devices registered. Something like this:
    [Screenshot: Too many devices]

    I copied the quarantined page and edited it slightly to adapt the wording.
    [Screenshot: Too Many Devices Page Config]

    You will need to create a role on your controller (instant virtual controller or mobility controller) that redirects to this page. 
    [Screenshot: Aruba Instant Captive Portal Config - Too many guest devices]

    You will need a new Enforcement Profile in ClearPass Policy Manager which pushes the new role "too-many-guest-devices".
    [Screenshot: ClearPass Enforcement Profile - too-many-guest-devices]

    And then edit the Enforcement Policy that takes care of guest login to use this new enforcement profile in the event that the unique-device-count is greater than your desired number. By default the outcome action is [Deny Access] if you have set the service(s) up using the Guest template.
    [Screenshot: Enforcement Policy - Oversubscribe]

    This isn't an exhaustive step-by-step but hopefully puts you on the right track. Let me know if you get stuck anywhere.

  • 3.  RE: ClearPass web page redirect

    Posted Oct 19, 2021 05:38 AM
    Thank you for your reply. 

    I have already done what you have suggested on ClearPass - so that's reassuring, but still not behaving. 

    How exactly can you apply the URL redirect for the web page to a role without using a captive portal profile? I do not recognise your screenshot. We're using an MM with a cluster of controllers. The issue with a captive portal is that our web page needs to appear post authentication and the user's credentials are then verified and then subsequently denied, which cannot be done pre-auth.

    The 'max devices' enforcement profile has the role referenced - does the [Deny Access Profile] not need to be added as an additional profile, otherwise how is the user denied access?

    Adam Newson

  • 4.  RE: ClearPass web page redirect

    Posted Oct 19, 2021 06:25 AM
    If you leave in the [Deny Access Profile] an access-reject will be sent to your controller. This won't result in the device being presented the new page. Essentially you are allowing the device to connect but building an ACL within the role which limits the activity of the client. If it is denied network access you are unable to redirect the client to a captive portal / informative page.

    So the resultant role you define within your controllers (via the Mobility Conductor / MM) needs to have the appropriate ACL to only allow redirect and captive portal access while restricting further network use. That's pretty standard and you can use the other ACLs you have defined for this. You will need to have a new captive portal profile which redirects to the new web-page served by ClearPass Guest.

    The workflow from the user perspective is they will go to register (assuming it's self-reg) a subsequent device (once they've reached Max) using their same credentials and click Login, at which point they will trigger the policy 'Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1'.

    I used Aruba Instant to test this so the screenshot differs to how you would configure this in MM. If needed I can spin up my MM to get some screenshots.
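    As an added illustration of the restricted role described in the reply above (not configuration from this thread or from Aruba), this is what the controller-side pieces look like in ArubaOS CLI on an MM-managed controller: a captive-portal profile pointing at the ClearPass Guest notice page, a session ACL that only permits DNS/DHCP, the redirect and HTTPS to ClearPass, and the role that ties them together. The ClearPass address, the page URL and the ACL name are placeholders.

```arubaos
! Added example, not from the thread. Placeholder values are marked.
! Destination alias for the ClearPass Guest server hosting the notice page
netdestination clearpass-guest
  host 192.0.2.10                        ! placeholder ClearPass IP

! Captive-portal profile: redirect the client to the "Too many devices"
! page served by ClearPass Guest (placeholder URL, no login expected)
aaa authentication captive-portal max-devices_cp
  login-page https://clearpass.example.com/guest/too_many_devices.php
  no logout-popup-window

! Session ACL: allow HTTPS to ClearPass Guest and the captive-portal
! redirect for any other web traffic; everything else is dropped
ip access-list session max-devices_cp_list
  user alias clearpass-guest svc-https permit
  user any svc-http captive
  user any svc-https captive
  any any any deny

! The role that the ClearPass "too-many-guest-devices" enforcement
! profile returns. logon-control supplies DHCP/DNS; order matters,
! since ACLs in a role are evaluated top down with first match winning.
user-role max-devices_role
  captive-portal max-devices_cp
  access-list session logon-control
  access-list session max-devices_cp_list
```

Because the role carries its own captive-portal profile and a deny-all tail, the client is admitted to the network only far enough to see the notice page; the [Deny Access Profile] is not needed for that outcome.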

  • 5.  RE: ClearPass web page redirect

    Posted Oct 19, 2021 07:38 AM
    It's not a self-reg - we have decided to use social media providers. 

    Within the cap port prof (max-devices_cp) the redirect URL is set to the web page created on ClearPass.

    Here's the current role I am using - I will add the appropriate ACLs regarding network access soon. 

    #show rights max-devices_role

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'max-devices_role'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 125/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = max-devices_cp

    Application Exception List
    Name Type
    ---- ----

    Application BW-Contract List
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    Position Name Type Location
    -------- ---- ---- --------
    1 max-devices_cp_list_operations session
    2 global-sacl session
    3 apprf-max-devices_role-sacl session
    4 vpn-clients session
    5 captiveportal session

    Adam Newson