Hi, not simple but very effective. On the ClearPass side, basically two services (MAC authentication and 802.1X Windows) and a CoA action. The tip is the action sequence:

1- user connects to the SSID, is marked as Unknown so a captive portal is displayed (I used my own captive portal from an FTP server, not the ClearPass one).
2- user connects with user and password under the captive portal (local ClearPass users in this case).
3- Controller assigns the VLAN defined for this web authentication SSID
4- CoA action to force the user to authenticate again
5- automatically the user connects again and is marked as Known. The VLAN configured for the user (as an attribute in ClearPass) can be assigned securely at layer 2.
*Users must exist as local users on ClearPass and have the VLAN as an attribute, but I'm sure it can be done from AD or LDAP.
What about the Controller side? (Cisco in this case)
- Global config: add ClearPass as a RADIUS server (authentication and accounting)
- SSID:
- It must be mapped to an Interface Group instead of an interface (group of VLANs)
- under the security tab:
Layer 2: enable MAC Filtering.
Layer 3: enable On MAC Filter failure, configure a preauthentication ACL, Override Global Config, Web Auth type redirect to external server (add https://whateverURL),
AAA Servers: add the ClearPass IP for authentication and accounting
ACL parameters: it depends, restrict all you can but permit DNS and UDP to ClearPass (and the captive portal IP).
Before going crazy... CoA delay default values don't tend to achieve the goal; probably you will have to test a lot to find the correct one.
@thenatural33 wrote:
Hi All,
I know this thread is old, but I have the same requirements and your sample is correct. I just would like to know what services I can use in this case and also what changes need to be done on the controller side.
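Step 5 of the sequence above relies on the VLAN stored as an attribute on the ClearPass user reaching the controller in the Access-Accept. As an added illustration that is not part of this thread or of ClearPass, the following Python builds that Access-Accept with the standard RFC 2868 tunnel attributes a RADIUS server uses to assign a VLAN (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) and shows the check a controller must do before trusting the assignment: verify the Response Authenticator against the shared secret, then accept the VLAN only if all three attributes are present and consistent. The shared secret and request authenticator are constructed values.

```python
import hashlib
import struct

# RADIUS constants from RFC 2865 / RFC 2868
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"

def tlv(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attributes(vlan_id, tag=1):
    """The three tagged tunnel attributes that place a client in a VLAN (RFC 2868)."""
    tag_byte = bytes([tag])  # integer tunnel attributes carry a 1-byte tag then 3 value bytes
    return (tlv(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode()))

def build_access_accept(identifier, request_authenticator, secret, vlan_id):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = vlan_attributes(vlan_id)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def vlan_from_accept(packet, request_authenticator, secret):
    """Controller side: verify the authenticator, then return the VLAN id as a string,
    or None when the packet is not a genuine Accept with a consistent VLAN assignment."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if code != ACCESS_ACCEPT or packet[4:20] != expected:
        return None
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:
            return None  # malformed attribute; reject rather than guess
        found[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    if not {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} <= found.keys():
        return None
    if (int.from_bytes(found[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # RFC 2868: a leading byte of 0x00..0x1F is a tag
        group = group[1:]
    return group.decode()
```

On a Cisco WLC this assignment is only honoured when AAA override is enabled on the WLAN, and the VLAN must belong to the interface group the SSID is mapped to.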