
Cisco URL Redirect - Not removing after enforcement

  • 1.  Cisco URL Redirect - Not removing after enforcement

    MVP
    Posted Sep 16, 2016 01:24 PM

    Running into an issue with CPPM and Cisco Wired captive portal. Machine does MAC authentication successfully, a redirect-url and redirect-acl are applied from enforcement profile. After user logs into web login page, I'm trying to send back a dACL for "permit ip any any" to replace the captive portal redirect one. However, the captive portal redirect URL and ACL are still applied to the user session and the user gets bounced back to the login page.

     

    Is there a way to clear that out without COA? We are not doing MAC caching because it's a shared machine.

     

    Not sure if it's just something I'm missing or misunderstanding.

     

    Thanks. 

     



  • 2.  RE: Cisco URL Redirect - Not removing after enforcement

    MVP
    Posted Sep 16, 2016 04:05 PM

    We've identified that the Cisco switch is not receiving the DACL because the request came from 127.0.0.1. That is where the DACL is being sent. Is there a way to make sure the switch gets the DACL? I'm thinking about trying to add the switch IP to the redirect URL, but not sure what string to use in the initial redirect-URL.



  • 3.  RE: Cisco URL Redirect - Not removing after enforcement

    EMPLOYEE
    Posted Sep 19, 2016 11:55 AM

    Michael,

     

    Please check this solution on Aruba Solution Exchange: https://ase.arubanetworks.com/solutions/id/93 as it has most of the components you seem to need in it.

     

    Looks to me that it makes sense if someone joins you on a call to look together with you at this issue. From the information you provided, it is rather challenging to get good support.

     

    You may try a local engineer or ask Aruba TAC to assist you.



  • 4.  RE: Cisco URL Redirect - Not removing after enforcement

    Posted Dec 07, 2016 10:20 AM

    I have this solution mostly operational however I cannot get the WebAuth piece to work correctly. 

     

    The Wired Guest is redirected to the Clearpass Guest page with no issue. When they register and Login, the client is just redirected back to the Registration page and there is no hit in Access Tracker for the WebAuth service (probably because it never made it to Clearpass). I am sure this is due to how the WebLogin page is configured in Clearpass Guest. I have tried all sorts of Vendor Settings and cannot get one to work.

     

    How should the WebAuth page in Clearpass be configured? 

     

    Thanks!



  • 5.  RE: Cisco URL Redirect - Not removing after enforcement

    EMPLOYEE
    Posted Dec 07, 2016 10:48 AM

    On the guest side, your self-registration/web login should be configured for server-initiated logins.

     

    In your web auth service, you'll want to use the Cisco Bounce Host Port CoA and also, if you're using MAC-caching, stamp the guest attributes to the endpoints repository.



  • 6.  RE: Cisco URL Redirect - Not removing after enforcement

    Posted Dec 07, 2016 11:58 AM

    Thanks! I thought I had tested Server Initiated logins already but I must not have... It is working now. CoA from WebAuth is working as it should. Thanks for the help!