Security

 View Only
Expand all | Collapse all

Cisco URL Redirect

This thread has been viewed 62 times
  • 1.  Cisco URL Redirect

    Posted Sep 17, 2014 11:16 PM

    Is there a way to send a Cisco switch a URL redirect to a CPPM captive portal from an enforcement profile?

     

    The idea here is if a computer connects to port configured to use 802.1x and not using EAP-TLS, then we will force the client to go to a Captive Portal and register. I see Cisco Downloadable ACLs but I don't see how to tell the device to use the Captive Portal.

     

    Thanks in advance for any help



  • 2.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 12:03 AM

    Yes this is possible.

    What type of switch do you have ? and OS version do you have installed ?

     

    It would look something like this:

    2014-09-18 00_02_10-ClearPass Policy Manager - Aruba Networks.png

     

    And you need to enabled ip http and create an ACL that looks like this:

     

    ip access-list extended Onboard_ACL
     deny   tcp any host 192.168.1.102
     permit tcp any any

     



  • 3.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 12:28 AM
    Thank you for the response.
    Its a 3750 on the latest IOS, not sure of the exact version


  • 4.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 12:30 AM

    That should work



  • 5.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 12:54 PM
    The ACL should allow for access to the CPPM server but how do you force the client to the captive portal, dynamically?


  • 6.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 01:40 PM

    Within your enforcement policy you need to define the condition and based on that condition you will enforce an action (enforcement profile)

     

     Here's an example that I use for my wireless 802.1X:

    2014-09-18 13_30_12-ClearPass Policy Manager - Aruba Networks.png

     

    In this scenario I want non-domain devices to get onboarded (SmartPhones, Windows, Mac OSX , etc..) and that have authenticated successfully using PEAP authentication 

     

    And then will allow to get on the network without getting onboarded if it authenticates using EAP-TLS:

    2014-09-18 13_33_25-ClearPass Policy Manager - Aruba Networks.png

     

    This doesnt exactly matches your case but I wanted to give you an idea of what you could do and how flexible ClearPass can be.

     

    Key things to keep in mind:

    - If you want to make decision based on device type you need to add ClearPass as a DHCP relay under your SVIs

    2014-09-18 13_42_34-Chrome Remote Desktop.png

    - Add the endpoint database as an authorization source

    - And enabled the following to be use as roles:

      - 2014-09-18 13_36_48-Greenshot image editor.png

     

    So when the device authenticates you can use this as tips roles to make decisions :

    2014-09-18 13_39_15-ClearPass Policy Manager - Aruba Networks.png

     



  • 7.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 01:51 PM

    Thank you, I understand that part but how do you send the Cisco switch the URL redirect? I haven't been able to find how to send that.

     

    I'm using a Cisco Downloadable Role and I see the AV-Pair where I can use a URL-redirect but I'm not certain that is what I'm looking for. 

     

    Andy Clelland

    ACMP, ACCP

     



  • 8.  RE: Cisco URL Redirect

    Posted Sep 18, 2014 02:15 PM

    In the enforcement profile

     

    2014-09-17 23_58_05-ClearPass Policy Manager - Aruba Networks.png



  • 9.  RE: Cisco URL Redirect

    Posted Aug 25, 2016 01:28 PM

    I'm trying this exact thing, and cannot get it to work. 

     

    I have an enforcement profile that successfully sends an DACL to the switch, however whenever I attempt to add the Cisco AV-Pair url-redirect the DACL fails to download and the port then enters and odd state

     

    This is on a Cisco 2960 running 15.2(4)E lan base.

     

    Are there any known caveats for using the url-redirect functionality?  It seems as though a lot of the documentation is surrounding MAB and not 802.1x authenticaiton.

     

    I'm trying to use the url-redirect for ONGUARD to point users to CPPM for agent download when the are unhealthy.

     

    Thanks!

     

                Interface:  FastEthernet0/18
              MAC Address:  xxxx.xxxx.xxxx
             IPv6 Address:  Unknown
             IPv4 Address:  Unknown
                User-Name:  xxxxxx
                   Status:  Unauthorized
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
          Session timeout:  N/A
          Restart timeout:  N/A
        Common Session ID:  0AC0400E000000A145E716DB
          Acct Session ID:  Unknown
                   Handle:  0xEC000022
           Current Policy:  POLICY_Fa0/18
    
    Local Policies:
           	Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
    
    Resultant Policies:
    
    Method status list:
           Method           State
    
           dot1x            Authc Success


  • 10.  RE: Cisco URL Redirect

    Posted Oct 06, 2016 05:08 PM

    I'm trying the same thing (sending the url-redirect via Radius:Cisco:Cisco-AVPair to a Cisco ASA (9.2.2.4).... the AV-Pair attributes don't get to the ASA.

     

    The Cisco command:

    sh vpn-sessiondb details anyconnect

    doesn't show the attribute for that session and the client doesn't get redirected.



  • 11.  RE: Cisco URL Redirect

    Posted Aug 20, 2021 03:17 AM
    Hi Victor,
    I am also facing same problem. I have Cisco 2960 Switch trying to send redirect url to the switch running IOS version 15.2(7) E2 but its not working.

    I have asked Aruba TAC about this issue but he is  unable to assist because its a switch switch.  According to him the config is correct

    Please advise how you fixed it.

    ------------------------------
    Varun Sharma
    ------------------------------



  • 12.  RE: Cisco URL Redirect

    Posted Jun 11, 2018 08:27 PM

    Thanks Victor. I can see your Cisco AV-pair for captive portal redirect uses HTTPS. Does you wired client complain about any untrusted certificates. My wired client complains about a untrusted certificate which happens to be the certificate on the switch.



  • 13.  RE: Cisco URL Redirect

    Posted Aug 20, 2021 03:19 AM
    Hi Victor,

    I am also facing same problem. I have Cisco 2960 Switch trying to send redirect url to the switch running IOS version 15.2(7) E2 but its not working.

    I have asked Aruba TAC about this issue but he is  unable to assist because its a switch switch.  According to him the config is correct

    Please advise how you fixed it.

    ------------------------------
    Varun Sharma
    ------------------------------



  • 14.  RE: Cisco URL Redirect

    Posted Jan 05, 2024 12:03 AM

    Dear @Victor Fabian,

    is this still valid sir ? i used cisco c9200 switch with IOS-XE Version 17.9.1r [FC8] but still not triggering to open pop up captive portal,

    kindly need advise, thanks



    ------------------------------
    BR,

    Hudaya
    ------------------------------