Security

last person joined: 8 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Cisco Wired url-redirect question

Jump to Best Answer
  • 1.  Cisco Wired url-redirect question

    Posted Oct 08, 2014 04:47 PM

    For our wired ports, we have them authenticate. If 802.1x isnt active it MAC auths (for printers and such) and if its not in a list it will url-redirect them for Onboarding, or click through for Guest Access.  I am already dropping them in a quarentine space.  My issue is the Cisco CoA needed once they successfully Guest auth on the wired network.  I am unsure what I need to put in the web auths enforcement profile that will CoA the port to a Guest network port without the url-redirect remaining on the port. 



  • 2.  RE: Cisco Wired url-redirect question

    Posted Oct 08, 2014 05:47 PM

    Are you just doing a Web login with Anonymous account ?

     

    -



  • 3.  RE: Cisco Wired url-redirect question

    Posted Oct 08, 2014 05:54 PM

    Yep, its a web login with an Anonymous account.  I can see the authentication happen and the profile pushed down.  It just looks like the profile does not do what I need.



  • 4.  RE: Cisco Wired url-redirect question
    Best Answer

    Posted Oct 08, 2014 06:24 PM

     

    This is what you can do:

     

    - First create a custom attribute

    2014-10-08 18_07_04-ClearPass Policy Manager - Aruba Networks.png

    - Then create a post_authentication enforcement profile using this custom attribute

    2014-10-08 18_17_35-ClearPass Policy Manager - Aruba Networks.png

     

    - On the enforcement policy of your webauth include the Cisco terminate to CoA the device and also add the post_authentication custom attribute so you can use later on your MAc auth to provide access to the guest user

    2014-10-08 18_14_39-ClearPass Policy Manager - Aruba Networks.png

     

    See if this helps you.

     

    Note: You may need to add 10-25 seconds delay in the weblogin to allow the whole process(CoA, Mac,etc..) to work properly