Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Web authentication works but no redirect to switch login page

  • 1.  Web authentication works but no redirect to switch login page

    Posted Feb 12, 2020 07:56 AM

    Hi,

     

    I'm having trouble getting web port authentication working as expected. I have configured RADIUS and web auth, and when connecting an unauthenticated computer to the port, I get the IP 192.168.0.2 with a 24-bit mask. At this stage I was expecting HTTP(S) requests to be redirected to the login page; however, the requests just fail. I can see that I have 192.168.0.1 configured as the DNS server, which was supplied by the switch via DHCP.

     

    If I navigate to 192.168.0.1, the login page is displayed and I can authenticate against RADIUS.

     

    What do I have to do to change the behaviour so that clients are automatically redirected to 192.168.0.1?

     

    Thanks in advance

    GM



  • 2.  RE: Web authentication works but no redirect to switch login page

    Posted Feb 12, 2020 09:09 AM

    Can you give us some more detail as to how you are configured?

    Is there an IP address configured on the VLAN that the clients get placed into for captive portal? If not, you would need to configure one. It doesn't have to be a gateway; it just needs to have an address in the same range.

     

    Also, do you have a captive portal profile configured in the initial user role, and do you have the captive portal redirect ACLs/policies in that initial role as well? If not, the user will not be automatically redirected.



  • 3.  RE: Web authentication works but no redirect to switch login page

    Posted Feb 12, 2020 06:17 PM

    Hi Dustin

     

    Thanks for coming back to me. I've been working from the ArubaOS port security guide but to be honest couldn't find the relevant captive portal config for using the inbuilt web server so probably not.

     

    The current test config looks as so:

     

    radius-server host 192.168.55.57 key "secret"
    radius-server tracking enable
    aaa authentication port-access eap-radius
    aaa port-access web-based 1-2
    aaa port-access web-based 1 redirect-url "https://www.example.com/"
    aaa port-access web-based 2 redirect-url "https://www.example.com/"
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-28
       ip address 192.168.55.10 255.255.255.0
       exit

     


    As mentioned, if I'm unauthenticated and navigate to 192.168.0.1 then I get the following login screen and can successfully auth from RADIUS:

     

    [image.png: screenshot of the login screen]


    If however I try to navigate anywhere else, the browser fails to load. 



  • 4.  RE: Web authentication works but no redirect to switch login page

    Posted Feb 12, 2020 07:59 PM

    Can you try a configuration like this:

     

    radius-server host 192.168.55.57 key "secret"
    aaa authentication port-access eap-radius
    radius-server host 192.168.55.57 dyn-authorization
    radius-server host 192.168.55.57 time-window 0

    aaa port-access web-based 1-2
    aaa port-access web-based ewa-server www.example.com
    aaa port-access web-based 1-2 redirect-url www.google.com

     

    The redirect-url is a page that you want to redirect them to after authentication. The ewa-server will specify the webpage to use for login. Also make sure captive portal is enabled on the switch as well.



  • 5.  RE: Web authentication works but no redirect to switch login page

    Posted Feb 13, 2020 06:04 AM

    Thanks, I did try configuring ewa-server before but all I ended up with was a timeout and error saying that the EWA server wasn't responding. 

     

    I feel like I need to use policies and an IP in the quarantine VLAN although can't find concise docs on how this is done. The documentation on web auth really is a bit thin on detail unless I'm missing something obvious.
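
A client-side check for the symptom discussed in this thread, added here as an example and not posted by any participant: run from the unauthenticated computer, it reports whether a plain-HTTP request fails at DNS, fails at TCP, or gets an answer that is not a redirect to the login page. 192.168.0.1 is the login address given in the thread; `probe.example`, the sample response and the function names are assumptions.

```python
import socket
from urllib.parse import urlsplit

PORTAL_IP = "192.168.0.1"     # switch login address reported in the thread
PROBE_HOST = "probe.example"  # hypothetical; substitute any plain-HTTP site

# Constructed sample of the response a working redirect would produce.
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://192.168.0.1/\r\n\r\n"


def classify(raw: bytes, portal_ip: str = PORTAL_IP) -> str:
    """Classify the raw HTTP response an unauthenticated client received."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if int(parts[1]) not in (301, 302, 303, 307, 308):
        return "no-redirect"
    # Compare the parsed host so 192.168.0.10 is not mistaken for 192.168.0.1.
    target = urlsplit(headers.get("location", "")).hostname
    return "redirect-to-portal" if target == portal_ip else "redirect-elsewhere"


def probe(host: str = PROBE_HOST, timeout: float = 5.0) -> str:
    """Try DNS, then TCP port 80, then HTTP, and report the first stage that fails."""
    try:
        addr = socket.gethostbyname(host)
    except OSError as exc:
        return f"dns-failed: {exc}"
    try:
        with socket.create_connection((addr, 80), timeout=timeout) as sock:
            sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = sock.recv(4096)
    except OSError as exc:
        return f"tcp-failed ({addr}): {exc}"
    return f"{classify(raw)} (resolved {host} -> {addr})"


if __name__ == "__main__":
    print(probe())
```

The stage named in the output shows where the chain breaks, which narrows down whether the missing piece is name resolution, reachability on port 80, or the redirect itself.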