On the 9800, the "redirect" ACL is not a security ACL but a punt ACL that will define what traffic goes to the CPU (on permits) for further treatment (like redirection) and what traffic stays on the dataplane (on deny) and will avoid redirection.
The ACL should deny the traffic to DHCP/DNS, Clearpass, and then permit all at the end. When the permits are hit, it will cause the redirects:
10 deny udp any range 0 65535 any eq domain
20 deny udp any eq domain any range 0 65535
30 deny udp any eq bootpc any range 0 65535
40 deny udp any eq bootps any range 0 65535
50 deny icmp any any
60 deny ip any host clearpassIP
70 deny ip host clearpassIP any
80 deny ip any host InternalServerIP
90 deny ip host InternalServerIP any
100 permit ip any any
Good luck!
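To make the inverted semantics of that ACL concrete, here is a small simulator added to this thread (it is not code from the reply above, nor from Cisco or Aruba). It parses the ACL as written, evaluates constructed client flows against it with first-match semantics where "permit" means punted to the CPU for redirection and "deny" means left on the dataplane, and runs a few pre-deployment checks (trailing catch-all permit present, no shadowed entries, DNS and DHCP still reach the dataplane). The placeholder names clearpassIP and InternalServerIP are mapped to constructed addresses, which is an assumption; only the ACL syntax used in the thread is parsed.

```python
"""Simulate a Catalyst 9800 'redirect' (punt) ACL: permit punts the flow to the
CPU for URL redirection, deny leaves it on the dataplane. Added example, not
code from the thread; clearpassIP / InternalServerIP map to constructed
addresses (assumption), and only the ACL syntax used in the thread is parsed."""
import ipaddress
from collections import namedtuple

HOSTS = {"clearpassIP": "192.0.2.10", "InternalServerIP": "192.0.2.20"}  # constructed
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}  # IOS-XE port keywords

REDIRECT_ACL = """
10 deny udp any range 0 65535 any eq domain
20 deny udp any eq domain any range 0 65535
30 deny udp any eq bootpc any range 0 65535
40 deny udp any eq bootps any range 0 65535
50 deny icmp any any
60 deny ip any host clearpassIP
70 deny ip host clearpassIP any
80 deny ip any host InternalServerIP
90 deny ip host InternalServerIP any
100 permit ip any any
"""

# Constructed client flows used by demo() and by the bootstrap check in lint_acl().
FLOWS = {
    "DNS query": dict(proto="udp", src="10.1.1.50", dst="10.1.1.1", sport=40000, dport=53),
    "DHCP discover": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67),
    "HTTPS to ClearPass": dict(proto="tcp", src="10.1.1.50", dst="192.0.2.10", sport=50000, dport=443),
    "ping gateway": dict(proto="icmp", src="10.1.1.50", dst="10.1.1.1"),
    "HTTP to internet": dict(proto="tcp", src="10.1.1.50", dst="203.0.113.80", sport=50001, dport=80),
}

# src/dst are IPv4Address or None for 'any'; sport/dport are inclusive (low, high).
Rule = namedtuple("Rule", "seq action proto src sport dst dport")


def _parse_addr(tok, i):
    """'any' or 'host <name|addr>' at tok[i]; returns (address or None, next index)."""
    if tok[i] == "host":
        return ipaddress.ip_address(HOSTS.get(tok[i + 1], tok[i + 1])), i + 2
    assert tok[i] == "any", f"unsupported address spec: {' '.join(tok[i:])}"
    return None, i + 1


def _parse_ports(tok, i):
    """Optional 'eq <port>' or 'range <lo> <hi>' at tok[i]; default is any port."""
    if i < len(tok) and tok[i] == "eq":
        p = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 3)
        sport, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, _ = _parse_ports(tok, i)
        rules.append(Rule(int(tok[0]), tok[1], tok[2], src, sport, dst, dport))
    return rules


def classify_flow(rules, proto, src, dst, sport=0, dport=0):
    """First match wins. Returns ('redirect' | 'dataplane', matching seq or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if (r.src is not None and r.src != s) or (r.dst is not None and r.dst != d):
            continue
        if not (r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]):
            continue
        return ("redirect" if r.action == "permit" else "dataplane"), r.seq
    return "dataplane", None  # implicit deny: never punted, so never redirected


def lint_acl(rules):
    """Pre-deployment checks; returns a list of findings (empty means clean)."""
    findings = []
    catch_all = [i for i, r in enumerate(rules) if r.action == "permit"
                 and r.proto == "ip" and r.src is None and r.dst is None]
    if not catch_all or catch_all[-1] != len(rules) - 1:
        findings.append("no trailing 'permit ip any any': nothing is punted for redirect")
    if catch_all and catch_all[0] != len(rules) - 1:
        findings.append(f"seq {rules[catch_all[0]].seq}: catch-all permit shadows later entries")
    # A client must still get a lease and resolve names before it can be redirected.
    for name in ("DNS query", "DHCP discover"):
        if classify_flow(rules, **FLOWS[name])[0] == "redirect":
            findings.append(f"{name} would be punted for redirect; clients cannot bootstrap")
    return findings


def demo(acl_text=REDIRECT_ACL):
    rules = parse_acl(acl_text)
    return {name: classify_flow(rules, **flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    print(*(f"{n}: {v} (seq {s})" for n, (v, s) in demo().items()), sep="\n")
    print("lint:", lint_acl(parse_acl(REDIRECT_ACL)) or "clean")
```

Running it shows only the generic HTTP flow landing on "redirect" (via seq 100); DNS, DHCP, ICMP and anything to or from ClearPass or the internal server stay on the dataplane. The lint check is the part worth keeping around: an ACL whose catch-all permit sits above the deny entries, or one missing the DNS/DHCP denies, punts the client's bootstrap traffic and the portal redirect never completes.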
Original Message:
Sent: Oct 31, 2023 03:08 PM
From: raul0rtega
Subject: CPPM Redirect integration with Cisco 9800 WLC
Hi, did you resolve this?
Original Message:
Sent: Mar 10, 2022 05:57 PM
From: bbdip100
Subject: CPPM Redirect integration with Cisco 9800 WLC
We have successfully been using CPPM with Cisco 5520 WLCs and now trying to migrate to the 9800's. Our 802.1x SSIDs have been configured with Layer 3 > Web Policy and "Conditional Web Redirect". Clients without a current posture check are sent an enforcement profile w/CPPM URL to download agent. The new Cisco 9800s no longer support Conditional Web Redirect. Has anyone successfully integrated CPPM & Cisco 9800 for this feature?
Currently running 6.9.6