Security

  • 1.  CPPM Redirect integration with Cisco 9800 WLC

    Posted Mar 10, 2022 05:57 PM
    Edited by bbdip100 Mar 11, 2022 06:58 AM
    We have successfully been using CPPM with Cisco 5520 WLCs and are now trying to migrate to the 9800s. Our 802.1X SSIDs have been configured with
    Layer 3 > Web Policy and "Conditional Web Redirect". Clients without a current posture check are sent an enforcement profile with a CPPM URL to download the agent. The new Cisco 9800s no longer support Conditional Web Redirect. Has anyone successfully integrated CPPM and the Cisco 9800 for this feature?

    Currently running 6.9.6

    ------------------------------


  • 2.  RE: CPPM Redirect integration with Cisco 9800 WLC

    Posted Mar 13, 2022 03:35 PM
    That's probably something you'd have to ask Cisco. If memory serves well, the conditional redirect was based on the RADIUS server (ClearPass here) returning two Cisco AV-Pairs that triggered the WLC to redirect:

    url-redirect=http://url

    url-redirect-acl=acl_name

    Now if that approach is no longer working, I would expect that it was replaced with some other mechanism.

    But this article implies that they are still using a redirect ACL/URL with the 9800 WLC. Perhaps it is sufficient that you return this ACL after successful 802.1X authentication: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.htm

    But whether that works in tandem with 802.1X is probably a question better suited for a Cisco SE.

    ------------------------------
    I work for Aruba. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: CPPM Redirect integration with Cisco 9800 WLC

    Posted Oct 31, 2023 03:09 PM

    Hi, did you resolve this?




  • 4.  RE: CPPM Redirect integration with Cisco 9800 WLC

    Posted Oct 31, 2023 03:51 PM

    On the 9800, the "redirect" ACL is not a security ACL but a punt ACL that will define what traffic goes to the CPU (on permits) for further treatment (like redirection) and what traffic stays on the dataplane (on deny) and will avoid redirection.

    The ACL should deny the traffic to DHCP/DNS and ClearPass, and then permit all at the end. When the permits are hit, they cause the redirects:

        10 deny udp any range 0 65535 any eq domain
        20 deny udp any eq domain any range 0 65535
        30 deny udp any eq bootpc any range 0 65535
        40 deny udp any eq bootps any range 0 65535
        50 deny icmp any any
        60 deny ip any host clearpassIP
        70 deny ip host clearpassIP any
        80 deny ip any host InternalServerIP
        90 deny ip host InternalServerIP any
       100 permit ip any any

    Good luck!
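The punt-ACL semantics described in the post above (permit = punt to the CPU and redirect, deny = stay on the data plane, no redirect) are easy to get backwards because they are the inverse of a security ACL. The following is an added Python example, not code from the thread or from any Cisco or Aruba tooling. It parses a subset of IOS-XE extended ACL syntax, loads the ACL from the post with made-up placeholder addresses substituted for clearpassIP and InternalServerIP (an assumption, not from the post), and evaluates a few constructed packets to show which flows would be redirected and which would be left alone:

```python
"""Model of the Catalyst 9800 punt ("redirect") ACL decision.

Added example: parses a subset of IOS-XE extended ACL syntax and applies
first-match evaluation, mapping 'permit' to "punted to CPU -> redirected"
and 'deny' (including the implicit deny at the end) to "forwarded on the
data plane, no redirect".  Addresses and packets below are constructed
placeholders, not values from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

# Placeholder addresses (assumption; substitute your own).
CLEARPASS_IP = "10.10.10.50"
INTERNAL_SERVER_IP = "10.10.20.7"

# The ACL from the post with the placeholders filled in.
REDIRECT_ACL = f"""
10 deny udp any range 0 65535 any eq domain
20 deny udp any eq domain any range 0 65535
30 deny udp any eq bootpc any range 0 65535
40 deny udp any eq bootps any range 0 65535
50 deny icmp any any
60 deny ip any host {CLEARPASS_IP}
70 deny ip host {CLEARPASS_IP} any
80 deny ip any host {INTERNAL_SERVER_IP}
90 deny ip host {INTERNAL_SERVER_IP} any
100 permit ip any any
"""


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: Callable[[ipaddress.IPv4Address], bool]
    sport: Callable[[int], bool]
    dst: Callable[[ipaddress.IPv4Address], bool]
    dport: Callable[[int], bool]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return (self.src(ipaddress.ip_address(p.src)) and self.sport(p.sport)
                and self.dst(ipaddress.ip_address(p.dst)) and self.dport(p.dport))


def _port(tok: str) -> int:
    """Resolve a well-known port name or a numeric port."""
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tok: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        h = ipaddress.ip_address(tok[i + 1])
        return (lambda ip: ip == h), i + 2
    base = int(ipaddress.ip_address(tok[i]))
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1]))  # wildcard -> mask
    return (lambda ip: (int(ip) & mask) == (base & mask)), i + 2


def _ports(tok: List[str], i: int):
    """Parse an optional 'eq P' | 'range LO HI' | 'gt P' | 'lt P' operator."""
    op = tok[i] if i < len(tok) else None
    if op == "eq":
        v = _port(tok[i + 1]); return (lambda p: p == v), i + 2
    if op == "range":
        lo, hi = _port(tok[i + 1]), _port(tok[i + 2]); return (lambda p: lo <= p <= hi), i + 3
    if op == "gt":
        v = _port(tok[i + 1]); return (lambda p: p > v), i + 2
    if op == "lt":
        v = _port(tok[i + 1]); return (lambda p: p < v), i + 2
    return (lambda p: True), i


def parse_acl(text: str) -> List[Ace]:
    """Parse '<seq> <permit|deny> <proto> <src> [ports] <dst> [ports]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        layer4 = proto in ("tcp", "udp")          # only L4 protocols carry port operators
        src, i = _addr(tok, 3)
        sport, i = _ports(tok, i) if layer4 else ((lambda p: True), i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i) if layer4 else ((lambda p: True), i)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def decide(aces: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins: permit -> 'redirect' (punted), deny -> 'forward'.
    No match hits the implicit deny, so the packet is forwarded unredirected."""
    for ace in aces:
        if ace.matches(p):
            return ("redirect" if ace.action == "permit" else "forward"), ace.seq
    return "forward", None


# Constructed sample flows from a client at 192.168.50.20.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dns query":       Packet("udp", "192.168.50.20", "8.8.8.8", 53533, 53),
    "dhcp discover":   Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "to clearpass":    Packet("tcp", "192.168.50.20", CLEARPASS_IP, 41000, 443),
    "ping gateway":    Packet("icmp", "192.168.50.20", "192.168.50.1"),
    "web to internet": Packet("tcp", "192.168.50.20", "93.184.216.34", 41001, 80),
}


def run() -> Dict[str, Tuple[str, Optional[int]]]:
    aces = parse_acl(REDIRECT_ACL)
    return {name: decide(aces, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, seq) in run().items():
        print(f"{name:16s} -> {verdict:8s} (matched ACE {seq})")
```

Only the last flow, plain web traffic to the internet, reaches the final `permit ip any any` and is redirected; DNS, DHCP, ICMP and anything to or from ClearPass hit an explicit deny first and are forwarded normally, which is what lets the client resolve and reach the captive portal URL in the first place. The model covers only the punt/no-punt decision of the ACL, not what the controller does with punted traffic afterwards.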




  • 5.  RE: CPPM Redirect integration with Cisco 9800 WLC

    Posted Nov 02, 2023 10:23 AM

    Apart from the redirection ACL, what do I have to configure on the 9800 for conditional redirection to work? I only want this to happen when the posture state is unknown.