Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Auto open captive portal for 802.1x authenticated users

  • 1.  Auto open captive portal for 802.1x authenticated users

    Posted Mar 09, 2019 06:05 PM

    I have one SSID for internal users that get placed in a default 802.1x authenticated role (ClearPass is the RADIUS server) based on AD credentials. I need to redirect some of those users to a captive portal telling them to download and install network access control software (Forescout's SecureConnector agent). Forescout can tell Aruba to do a role change into an L3 captive portal role, but users only see the page if they open a web browser. Is there a way to activate the Windows/Mac captive portal assistant that auto opens the web browser?

     

    I thought about adding the captive portal profile to the aaa profile's initial role but I only want certain users to get the web redirect.  And they still need to be authenticated via 802.1x after seeing the redirect.

     

    Any suggestions would be much appreciated.  Some solutions on the forum come close, like "Redirect 802.1x clients to a "Thank You" web page" but I can't find anything that applies to just a group of users.

     

    Thanks in advance.



  • 2.  RE: Auto open captive portal for 802.1x authenticated users

    EMPLOYEE
    Posted Mar 09, 2019 07:42 PM

    If this is wireless, ClearPass would have to return a role that blocks access to  msftncsi.com  

    https://docs.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals



  • 3.  RE: Auto open captive portal for 802.1x authenticated users

    Posted Mar 09, 2019 07:45 PM

    Tried that.  It only seems to work when the client first connects to the SSID, not after they are already authenticated.



  • 4.  RE: Auto open captive portal for 802.1x authenticated users

    EMPLOYEE
    Posted Mar 09, 2019 07:56 PM

    Oh.  You didn't say you wanted to do that AFTER the client is connected.  What do you want the workflow to be? 

     



  • 5.  RE: Auto open captive portal for 802.1x authenticated users

    Posted Mar 09, 2019 08:09 PM

    Sorry for the confusion.

     

    Workflow:

    - User connects to SSID, signs in using 802.1x cached credentials, is dropped into default authenticated role

    - Forescout determines user's device is not running required software

    - Forescout tells Aruba to block user's device and redirect to captive portal

    - User's web browser auto opens to present captive portal page to download the software 

    - User installs software

    - Forescout determines user is remediated and tells controllers (or ClearPass) to unblock the user

     

    Workflow only applies to specific users identified by Forescout.  Options to take action are:

    - Forescout sends WLAN role change to Aruba controller directly.  This works fine.  User gets dropped into L3 captive portal role with redirect.  But user has to manually open web browser to get the message.

    - Forescout sends webapi call to ClearPass to perform 802.1x CoA into new role.  Haven't tried this but assume same outcome as above.



  • 6.  RE: Auto open captive portal for 802.1x authenticated users

    EMPLOYEE
    Posted Mar 10, 2019 04:47 PM

    Have you tried to do an 'Aruba Terminate Session' and change the role during the re-authentication, instead of just changing the role? The terminate session may trigger the captive portal detection on the client as a reauthentication is triggered.



  • 7.  RE: Auto open captive portal for 802.1x authenticated users

    Posted Mar 11, 2019 12:33 PM

    Is that accomplished with the RADIUS CoA action from ClearPass?



  • 8.  RE: Auto open captive portal for 802.1x authenticated users

    EMPLOYEE
    Posted Mar 12, 2019 05:12 AM

    Correct. You can have different CoA actions; the most widely used on Aruba wireless is the 'Terminate Session', and somewhat less used is to directly trigger a role change without re-authentication. From what I read, you do the second CoA method. The 'Terminate Session' will trigger a reauthentication between the client and network, so the OS is notified and may trigger the captive portal detection in Windows (or another operating system).
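
Added example, not part of the thread: a small check an administrator could run from a test client sitting in the remediation role, to see how that role answers the msftncsi.com connectivity probe mentioned in reply 2. The probe path, the expected body (the legacy Windows NCSI values) and the verdict names `open`, `captive` and `blocked` are assumptions of this sketch.

```python
import urllib.error
import urllib.request

# Legacy Windows NCSI active probe and its expected body (assumed here;
# newer Windows builds probe a different host with a different string).
PROBE_URL = "http://www.msftncsi.com/ncsi.txt"
EXPECTED_BODY = "Microsoft NCSI"


def classify(status, headers, body):
    """Map one probe result to (verdict, portal_url).

    status is the HTTP status code, or None when no HTTP answer arrived.
    headers is a dict with lower-case keys; body is the decoded payload.
    """
    if status is None:
        # Dropped or reset: nothing tells the OS that a portal exists.
        return ("blocked", None)
    if status == 200 and body.strip() == EXPECTED_BODY:
        return ("open", None)  # the probe reached the real server
    # Any other HTTP answer (redirect, substituted page) is what captive
    # portal detection keys on.
    return ("captive", headers.get("location"))


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as HTTPError instead of following it


def probe(url=PROBE_URL, timeout=5):
    """Send the probe from a client that is currently in the role under test."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return classify(resp.status, hdrs, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return classify(err.code, hdrs, "")
    except OSError:  # URLError, timeouts and resets are all OSError subclasses
        return classify(None, {}, "")


if __name__ == "__main__":
    print(probe())
```

A `captive` verdict only shows that the role intercepts the probe; whether the client re-runs its probe after a mid-session role change is the separate question the replies above discuss.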