Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Captive Portal redirects

Jump to Best Answer
This thread has been viewed 8 times
  • 1.  Captive Portal redirects

    Posted Jan 16, 2013 03:35 PM

    I am trying to get users redirected to my new clearpass guest server.  The role the user receives  contains:

     

    Allow user 80 and 443 to CP server

    2. Logon Control

    3 Captive Portal

     

    ip access-list session captiveportal
      user   alias controller svc-https  dst-nat 8081 
      user any svc-http  dst-nat 8080 
      user any svc-https  dst-nat 8081 
      user any svc-http-proxy1  dst-nat 8088 
      user any svc-http-proxy2  dst-nat 8088 
      user any svc-http-proxy3  dst-nat 8088 
    !


    and the proper captive portal profile is selected.

    I have Policy enforcement firewall if that is a concern.

     

    I am a little fuzzy on how the captive portal policy is suppose to redirect, should I have additional line in there that says something like:

    user any servce http https  send to captive portal ??

     

    Currently the user gets DHCP and can access nothing else execpt to browse to the CP server, but is not forced there.

     

     

     



  • 2.  RE: Captive Portal redirects
    Best Answer

    Posted Jan 16, 2013 05:02 PM

    Couple of things to check:

    - Is DNS working properly?  Can the client do an nslookup?   Try connecting to an IP (any IP; 1.1.1.1) to force a redirect

    - Does your controller have an IP on the the guest network (required for captive portal)?

    - The What URL do you have defined in the CP profile; does it look like the client is even attempting to access it at all?

     

    When you you look at the datapath sessions of that user, does it show any redirects?

    show user ip x.x.x.x (look at the firewall sessions at the top of the output).....you'll need to run this right when the client is attempting to access.

     

    The captive portal profile is fine as is; the dst-nat entries handle the redirct; but the controller reuqires an IP on that VLAN.



  • 3.  RE: Captive Portal redirects

    Posted Jan 16, 2013 05:07 PM

    No the controller does not have a IP address on this vlan, that is different then my other captive portal config I have, and probably is the culprit. thanks so much.

     

     



  • 4.  RE: Captive Portal redirects

    Posted May 08, 2013 04:19 PM

    Thanks Clembo. :smileyhappy:

    This helps me with my configuration too!   You made my day.