Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest - Shared PC - Web Logins/Logouts

  • 1.  Guest - Shared PC - Web Logins/Logouts

    MVP
    Posted Dec 01, 2017 12:41 PM

    Hi all,

     

    I'm working with a client that has shared public PCs, which are on a guest VLAN and redirected to ClearPass captive portal (wired). The user is presented with a page that asks for the user's username/password (provided by company). After login, they are redirected to another page that has a logout button, which does an anonymous login using a local account, and sends a RADIUS CoA for the switch. That all works fine in general.

     

    Our problem is that when a user closes the web page with the logout button and launches the page again, we get "Required Parameters Missing" or something along those lines. I assume it's some kind of session ID or something that is missing.

     

    My questions are:

    1. How do I figure out what parameter is missing? Packet capture, Logging, etc.?

    2. Can I statically assign a session ID to the login, which is then also referenced in the Logout (technically 2nd login)?

    3. Can the session ID be random as long as it's present? All we really care about is that the user is bounced, so as long as the form submits, the rest should work fine.

     

    Thanks.



  • 2.  RE: Guest - Shared PC - Web Logins/Logouts

    EMPLOYEE
    Posted Dec 04, 2017 05:12 AM

    Some guessing from my side: I assume that the parameter missing is the client MAC address that is normally sent in the captive portal redirect. I have seen situations where adding the mac=00:00:00:00:00:00 solves the 'parameter missing' problem, so if you can trigger another redirect from a webserver in your control, the switch or even ClearPass, that might solve your problem.

     

    If you find out that you need an actual redirect (adding mac=00:00:00:00:00:00 is not enough), what might work is to register, for example, 'logout.yourcompany.com' in DNS, and specifically redirect only for that IP address and to the logout page on ClearPass. So you have a captive portal bypass for everything, just not logout.yourcompany.com.

     

    Might need some further work and testing.