Wired Intelligent Edge

  • 1.  Allow access to specific web site when captive-portal redirect is set for all web traffic (Clearpass env)

    Posted 26 days ago

    Hi everyone,

    I have the following requirement on my 2930f environment:

    I want to use captive-portal redirect to display an information page containing a hyperlink. This hyperlink takes the user to our helpdesk system to log a ticket (which they would do to ask for access to the network - I'm running clearpass).

    However the logic for the user-policy on the switch says:

    10 "traffic to captive-portal URL (clearpass) PERMIT"

    20 "traffic to ANY WEB DESTINATION" REDIRECT CAPTIVE-PORTAL

    Therefore my switch is blocking access to the servicedesk system, as this comes under the REDIRECT.

    I could just add a line in to PERMIT traffic to the servicedesk system, however this uses AWS, and Azure auth so there would be A LOT of IP ranges involved in creating the IPv4 class to support this. It would be unmanageable going forward.

    This seems like a really simple requirement.  Does anyone have any input on the best way to achieve this on my 2930f and clearpass setup?

    Many thanks for any input!



  • 2.  RE: Allow access to specific web site when captive-portal redirect is set for all web traffic (Clearpass env)

    Posted 26 days ago

    You should know that the 2930F is a switch, and switches can permit/deny ACL based on IP Address and Ports. URLs are part of Firewalls or Application Aware equipment which are on a higher layer than Layer2/3.

    So not much you can do, besides the fact that you need to permit/deny IP based and Port Based ACLs



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 3.  RE: Allow access to specific web site when captive-portal redirect is set for all web traffic (Clearpass env)

    Posted 26 days ago

    Hi, thanks for the reply.

    I got around this. Instead of allowing the quarantined user into our helpdesk system, I created a new form on the Clearpass Server, which captured the required details from the user.

    Then the submit button on the form sends an email to our servicedesk system which raises the ticket automatically.

    Cheers.




  • 4.  RE: Allow access to specific web site when captive-portal redirect is set for all web traffic (Clearpass env)

    Posted 26 days ago

    Awesome. Glad you could find a way around it.


