01-16-2013 12:34 PM
I am trying to get users redirected to my new clearpass guest server. The role the user receives contains:
Allow user 80 and 443 to CP server
2. Logon Control
3 Captive Portal
ip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 !
and the proper captive portal profile is selected.
I have Policy enforcement firewall if that is a concern.
I am a little fuzzy on how the captive portal policy is suppose to redirect, should I have additional line in there that says something like:
user any servce http https send to captive portal ??
Currently the user gets DHCP and can access nothing else execpt to browse to the CP server, but is not forced there.
Solved! Go to Solution.
01-16-2013 02:01 PM
Couple of things to check:
- Is DNS working properly? Can the client do an nslookup? Try connecting to an IP (any IP; 220.127.116.11) to force a redirect
- Does your controller have an IP on the the guest network (required for captive portal)?
- The What URL do you have defined in the CP profile; does it look like the client is even attempting to access it at all?
When you you look at the datapath sessions of that user, does it show any redirects?
show user ip x.x.x.x (look at the firewall sessions at the top of the output).....you'll need to run this right when the client is attempting to access.
The captive portal profile is fine as is; the dst-nat entries handle the redirct; but the controller reuqires an IP on that VLAN.
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX