Hello,
We have ClearPass 6.6.8 and we have configured a Cisco WLC 2500 controller as well.
ClearPass: 802.1X + OnGuard service configured, with Cisco-AVpair = Url-redirect=Http and Cisco-AVpair-acl=PreAuth
Cisco WLC: we configured ACL (PreAuth) as:
permit 0.0.0.0 --> 10.66.16.251 and 10.66.16.251 --> 0.0.0.0
deny 0.0.0.0 --> 0.0.0.0
Layer 3 Security: we apply conditional redirect and apply the ACL.
My concern:
When the user tries to connect to the AP:
1: 802.1X authenticated - OK
2: Connected to SSID - OK
3: ClearPass does the redirect to the OnGuard download - OK
4: Access to the Internet denied
Because of the ACL on the WLC, the client can't access the Internet (deny 0.0.0.0 --> 0.0.0.0).
Moreover, if I open the ACL as permit on the WLC:
0.0.0.0 --> 0.0.0.0 permit
Please find my observation:
1: 802.1X authenticated - OK
2: Connected to SSID - OK
3: ClearPass does not do the redirect to the OnGuard download - NOK
But because of the ACL on the WLC, the client can access the Internet:
the WLC permits the traffic and forwards it to the firewall.
"Cisco WLC does not offer hostname-based ACL rules such as Aruba, so it is not possible to restrict access to only Google Play's hostnames, "android.clients.google.com" and "ggpht.com". The effect of allowing Google's entire address range is that users in the pre-onboard ACL will not redirect to the captive portal page if they request any Google-owned web addresses such as google.com and gmail.com. These requests will go straight through the firewall as allowed."
In my case this is what happened. My need is that the user should get the redirect page for OnGuard according to the service, and if the user is healthy it should get Internet access directly.
Could you please provide any solution to this issue?
Regards
Vishesh Anand
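The two observations above follow from how a pre-auth ACL interacts with conditional web redirect: a flow the ACL permits is forwarded, an HTTP flow the ACL denies is intercepted and sent to the portal, and any other denied flow is dropped. The script below is an added illustration, not code from the post, from Aruba or from Cisco; it models those semantics (first matching rule wins, implicit deny at the end) and evaluates both ACL variants from the post against a few constructed client flows. The client address, the public destination addresses and the ACL names in the script are assumptions; only the ClearPass address 10.66.16.251 comes from the post.

```python
"""
Model of a pre-auth ACL combined with conditional HTTP redirect, as described
in the post. Assumed semantics (illustrative model, not vendor code):
  - rules are evaluated in order, first match wins, implicit deny at the end
  - permitted flow      -> forwarded
  - denied HTTP flow    -> redirected to the portal (OnGuard download page)
  - any other denied    -> dropped
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLEARPASS = "10.66.16.251"  # ClearPass server address from the post


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR; "0.0.0.0/0" means any
    dst: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


IMPLICIT_DENY = Rule("deny", "0.0.0.0/0", "0.0.0.0/0")


def first_match(acl, flow):
    """Return the first rule whose src/dst prefixes contain the flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in acl:
        if src in ip_network(rule.src) and dst in ip_network(rule.dst):
            return rule
    return IMPLICIT_DENY


def disposition(acl, flow):
    """Forwarded, redirected (denied HTTP) or dropped (denied non-HTTP)."""
    if first_match(acl, flow).action == "permit":
        return "forwarded"
    return "redirected" if flow.dport == 80 else "dropped"


# ACL "PreAuth" exactly as the post describes it
PREAUTH_RESTRICTIVE = [
    Rule("permit", "0.0.0.0/0", f"{CLEARPASS}/32"),
    Rule("permit", f"{CLEARPASS}/32", "0.0.0.0/0"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Second variant from the post: final rule changed to permit
PREAUTH_OPEN = [
    Rule("permit", "0.0.0.0/0", f"{CLEARPASS}/32"),
    Rule("permit", f"{CLEARPASS}/32", "0.0.0.0/0"),
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample flows; client and public addresses are assumptions
CLIENT = "10.66.20.15"
SAMPLE_FLOWS = {
    "onguard_download": Flow(CLIENT, CLEARPASS, 443),
    "web_browse": Flow(CLIENT, "203.0.113.10", 80),
    "dns": Flow(CLIENT, "198.51.100.53", 53),
}


def evaluate(acl):
    """Disposition of every sample flow under the given ACL."""
    return {name: disposition(acl, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("restrictive", PREAUTH_RESTRICTIVE), ("open", PREAUTH_OPEN)):
        print(label, evaluate(acl))
```

With the restrictive ACL the OnGuard download is forwarded, HTTP browsing is redirected to the portal and everything else is dropped, which is the first observation; with the open ACL every flow is forwarded and nothing is ever redirected, which is the second. A single pre-auth ACL therefore cannot both redirect and grant Internet access. In the usual ClearPass OnGuard design (a general pattern, not something the post confirms for this deployment), the restrictive ACL is only the authorization for the unknown-health state, and once the agent reports a healthy posture ClearPass issues a change of authorization so the client is re-authorized with an ACL that has no redirect.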