Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Need to delay CPPM Captive portal policy on 2530 and 2930 AOS

  • 1.  Need to delay CPPM Captive portal policy on 2530 and 2930 AOS

    Posted Jul 28, 2022 02:59 AM
    Hi,

    Is it possible to delay a policy execution on CPPM or delay captive portal redirection on AOS?

    Randomly, I have some computers which end up on a partner profile when starting up or coming out of standby mode takes too long. 802.1X authentication seems to execute too fast or not retry enough to apply policy 1, and goes to policy 3.

    My CPPM configuration:

    Policy 1: 802.1X for Employee local USER-ROLE
    Policy 2: MAC authentication for printers and other assets
    Policy 3: Captive portal for Partner local USER-ROLE

    Captive portal configuration on AOS Switch:

    aaa authentication captive-portal enable
    aaa authentication captive-portal profile "CAPTIVE_PORTAL" url "Personnal URL"

    AAA port-access configuration on AOS Switch:

    aaa port-access authenticator 1
    aaa port-access authenticator 1 tx-period 10
    aaa port-access authenticator 1 supplicant-timeout 10
    aaa port-access authenticator 1 reauth-period 60
    aaa port-access authenticator 1 client-limit 2
    aaa port-access mac-based 1
    aaa port-access mac-based 1 addr-limit 2
    aaa port-access 1 auth-order authenticator mac-based
    aaa port-access 1 auth-priority authenticator mac-based

    Thanks for your help.


  • 2.  RE: Need to delay CPPM Captive portal policy on 2530 and 2930 AOS

    EMPLOYEE
    Posted Jul 28, 2022 03:47 AM
    Can you try to take out the auth-order and auth-priority? By default, AOS-Switch does concurrent 802.1X and MAC and if there is a MAC auth first, then the client does an 802.1X, that will take over. In most cases, the default is fine and setting/changing auth-order is not needed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
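
The reply above recommends removing explicit auth-order and auth-priority settings so the switch falls back to its default concurrent 802.1X and MAC behaviour. As an added example (not from the thread or from Aruba), this Python script scans AOS-Switch configuration text for port lists that enable both methods and also override order or priority. It assumes port lists are compared as written (no range expansion), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the port-access lines posted in the question.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1
aaa port-access authenticator 1 tx-period 10
aaa port-access authenticator 1 supplicant-timeout 10
aaa port-access authenticator 1 reauth-period 60
aaa port-access authenticator 1 client-limit 2
aaa port-access mac-based 1
aaa port-access mac-based 1 addr-limit 2
aaa port-access 1 auth-order authenticator mac-based
aaa port-access 1 auth-priority authenticator mac-based
"""

# "aaa port-access <ports> auth-order|auth-priority <methods...>"
OVERRIDE = re.compile(r"^aaa port-access (\S+) (auth-order|auth-priority) (.+)$")
# "aaa port-access authenticator|mac-based <ports>" (method enabled on the ports)
ENABLED = re.compile(r"^aaa port-access (authenticator|mac-based) (\S+)$")

def audit(config):
    """Per port list: enabled methods and explicit order/priority overrides."""
    ports = defaultdict(lambda: {"methods": set(), "overrides": {}})
    for raw in config.splitlines():
        line = raw.strip()
        m = OVERRIDE.match(line)
        if m:
            ports[m.group(1)]["overrides"][m.group(2)] = m.group(3).split()
            continue
        m = ENABLED.match(line)
        if m:
            ports[m.group(2)]["methods"].add(m.group(1))
    return dict(ports)

def removal_candidates(config):
    """Port lists with both 802.1X and MAC auth enabled plus an explicit override."""
    out = []
    for port, info in audit(config).items():
        if info["methods"] == {"authenticator", "mac-based"} and info["overrides"]:
            out.append((port, sorted(info["overrides"])))
    return out

if __name__ == "__main__":
    for port, keys in removal_candidates(SAMPLE_CONFIG):
        print(f"port {port}: explicit {', '.join(keys)} set; "
              "default is concurrent 802.1X and MAC")
```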