Security

We have given our guest system a device maximum threshold which is set in as an enforcement condition. 

How can we implement a web page redirect to notify the user if they reach that threshold, using ClearPass?

------------------------------
Adam Newson
------------------------------

Hi Adam,

You can create a "web page" in ClearPass guest that will be redirected to in the event of having too many guest devices registered. Something like this:

I copied the quarantined page and edited it slightly to adapt the wording.

You will need to create a role on your controller (instant virtual controller or mobility controller) that redirects to this page. 

You will need a new Enforcement Profile in ClearPass Policy Manager which pushes the new role "too-many-guest-devices" 

Original Message:
Sent: Oct 18, 2021 10:16 AM
From: Adam Newson
Subject: ClearPass web page redirect

We have given our guest system a device maximum threshold which is set in as an enforcement condition. 

How can we implement a web page redirect to notify the user if they reach that threshold, using ClearPass?

------------------------------
Adam Newson
------------------------------

Thank you for your reply. 

I have already done what you have suggested on ClearPass - so that's reassuring, but still not behaving. 

How exactly can you apply the URL redirect for the web page to a role without using a captive portal profile? I do not recognise your screenshot. We're using an MM with a cluster of controllers. The issue with a captive portal is that our web page needs to appear post authentication and the users credentials are then verified and then subsequently denied, which cannot be done pre-auth. 

The 'max devices' enforcement profile has the the role referenced - does the [Deny Access Profile] not need to be added as an additional profile otherwise how is the user denied access?



------------------------------
Adam Newson
------------------------------

Original Message:
Sent: Oct 18, 2021 11:07 PM
From: Matthew Sutherland
Subject: ClearPass web page redirect

Hi Adam,

You can create a "web page" in ClearPass guest that will be redirected to in the event of having too many guest devices registered. Something like this:

I copied the quarantined page and edited it slightly to adapt the wording.

You will need to create a role on your controller (instant virtual controller or mobility controller) that redirects to this page. 

You will need a new Enforcement Profile in ClearPass Policy Manager which pushes the new role "too-many-guest-devices" 

And then edit the Enforcement Policy that takes care of guest login to use this new enforcement profile in the event that the unique-device-count is greater than your desired number. By default the outcome action is [Deny Access] if you have set the service(s) up using the Guest template.

This isn't an exhaustive step-by-step but hopefully puts you on the right track. Let me know if you get stuck anywhere.

Original Message:
Sent: Oct 18, 2021 10:16 AM
From: Adam Newson
Subject: ClearPass web page redirect

We have given our guest system a device maximum threshold which is set in as an enforcement condition. 

How can we implement a web page redirect to notify the user if they reach that threshold, using ClearPass?

------------------------------
Adam Newson
------------------------------

If you leave in the [Deny Access Profile] an access-reject will be sent to your controller. This won't result in the device being presented the new page. Essentially you are allowing the device to connect but building an ACL within the role which limits the activity of the client. If it is denied network access you are unable to redirect the client to a captive portal / informative page.

So the resultant role you define within your controllers (via the Mobility Conductor / MM) needs to have the appropriate ACL to only allow redirect and captive portal access while restricting further network use. That's pretty standard and you can use the other ACLs you have defined for this. You will need to have a new captive portal profile which redirects to the new web-page served by ClearPass Guest.

The workflow from the user perspective is they will go to register (assuming its self-reg) a subsequent device (once they've reached Max) using their same credentials and click Login at which point they will trigger the policy 'Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1'.

I used Aruba Instant to test this so the screenshot differs to how you would configure this in MM. If needed I can spin up my MM to get some screenshots.
Original Message:
Sent: Oct 19, 2021 05:38 AM
From: Adam Newson
Subject: ClearPass web page redirect

Thank you for your reply. 

I have already done what you have suggested on ClearPass - so that's reassuring, but still not behaving. 

How exactly can you apply the URL redirect for the web page to a role without using a captive portal profile? I do not recognise your screenshot. We're using an MM with a cluster of controllers. The issue with a captive portal is that our web page needs to appear post authentication and the users credentials are then verified and then subsequently denied, which cannot be done pre-auth. 

The 'max devices' enforcement profile has the the role referenced - does the [Deny Access Profile] not need to be added as an additional profile otherwise how is the user denied access?



------------------------------
Adam Newson

Original Message:
Sent: Oct 18, 2021 11:07 PM
From: Matthew Sutherland
Subject: ClearPass web page redirect

Hi Adam,

You can create a "web page" in ClearPass guest that will be redirected to in the event of having too many guest devices registered. Something like this:

I copied the quarantined page and edited it slightly to adapt the wording.

You will need to create a role on your controller (instant virtual controller or mobility controller) that redirects to this page. 

You will need a new Enforcement Profile in ClearPass Policy Manager which pushes the new role "too-many-guest-devices" 

And then edit the Enforcement Policy that takes care of guest login to use this new enforcement profile in the event that the unique-device-count is greater than your desired number. By default the outcome action is [Deny Access] if you have set the service(s) up using the Guest template.

This isn't an exhaustive step-by-step but hopefully puts you on the right track. Let me know if you get stuck anywhere.

Original Message:
Sent: Oct 18, 2021 10:16 AM
From: Adam Newson
Subject: ClearPass web page redirect

We have given our guest system a device maximum threshold which is set in as an enforcement condition. 

How can we implement a web page redirect to notify the user if they reach that threshold, using ClearPass?

------------------------------
Adam Newson
------------------------------

It's not a self-reg - we have decided to use social media providers. 

Within the cap port prof (max-devices_cp) the redirect URL is set to the web page created on ClearPass.

Here's the current role I am using - I will add the appropriate ACLs regarding network access soon. 

#show rights max-devices_role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'max-devices_role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 125/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = max-devices_cp

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 max-devices_cp_list_operations session
2 global-sacl session
3 apprf-max-devices_role-sacl session
4 vpn-clients session
5 captiveportal session

------------------------------
Adam Newson
------------------------------

Original Message:
Sent: Oct 19, 2021 06:24 AM
From: Matthew Sutherland
Subject: ClearPass web page redirect

If you leave in the [Deny Access Profile] an access-reject will be sent to your controller. This won't result in the device being presented the new page. Essentially you are allowing the device to connect but building an ACL within the role which limits the activity of the client. If it is denied network access you are unable to redirect the client to a captive portal / informative page.

So the resultant role you define within your controllers (via the Mobility Conductor / MM) needs to have the appropriate ACL to only allow redirect and captive portal access while restricting further network use. That's pretty standard and you can use the other ACLs you have defined for this. You will need to have a new captive portal profile which redirects to the new web-page served by ClearPass Guest.

The workflow from the user perspective is they will go to register (assuming its self-reg) a subsequent device (once they've reached Max) using their same credentials and click Login at which point they will trigger the policy 'Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1'.

I used Aruba Instant to test this so the screenshot differs to how you would configure this in MM. If needed I can spin up my MM to get some screenshots.
Original Message:
Sent: Oct 19, 2021 05:38 AM
From: Adam Newson
Subject: ClearPass web page redirect

Thank you for your reply. 

I have already done what you have suggested on ClearPass - so that's reassuring, but still not behaving. 

How exactly can you apply the URL redirect for the web page to a role without using a captive portal profile? I do not recognise your screenshot. We're using an MM with a cluster of controllers. The issue with a captive portal is that our web page needs to appear post authentication and the users credentials are then verified and then subsequently denied, which cannot be done pre-auth. 

The 'max devices' enforcement profile has the the role referenced - does the [Deny Access Profile] not need to be added as an additional profile otherwise how is the user denied access?



------------------------------
Adam Newson

Original Message:
Sent: Oct 18, 2021 11:07 PM
From: Matthew Sutherland
Subject: ClearPass web page redirect

Hi Adam,

You can create a "web page" in ClearPass guest that will be redirected to in the event of having too many guest devices registered. Something like this:

I copied the quarantined page and edited it slightly to adapt the wording.

You will need to create a role on your controller (instant virtual controller or mobility controller) that redirects to this page. 

You will need a new Enforcement Profile in ClearPass Policy Manager which pushes the new role "too-many-guest-devices" 

And then edit the Enforcement Policy that takes care of guest login to use this new enforcement profile in the event that the unique-device-count is greater than your desired number. By default the outcome action is [Deny Access] if you have set the service(s) up using the Guest template.

This isn't an exhaustive step-by-step but hopefully puts you on the right track. Let me know if you get stuck anywhere.

Original Message:
Sent: Oct 18, 2021 10:16 AM
From: Adam Newson
Subject: ClearPass web page redirect

We have given our guest system a device maximum threshold which is set in as an enforcement condition. 

How can we implement a web page redirect to notify the user if they reach that threshold, using ClearPass?

------------------------------
Adam Newson
------------------------------