Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Central WebAuth - Cisco Switches

  • 1.  Central WebAuth - Cisco Switches

    Posted Mar 03, 2013 06:50 PM
    Is it possible to do central webauth with Cisco switches and Clearpass? It looks like only local webauth is possible and will require a separate "web login" for every switch that will have webauth enabled.


  • 2.  RE: Central WebAuth - Cisco Switches

    EMPLOYEE
    Posted Mar 13, 2013 01:25 AM

    What are you trying to accomplish?



  • 3.  RE: Central WebAuth - Cisco Switches

    Posted Mar 13, 2013 07:42 PM

    I need to set up webauth on 20 Cisco switches.  So I'm wondering if that means I need to create 20 web login pages in ClearPass.



  • 4.  RE: Central WebAuth - Cisco Switches

    Posted Mar 19, 2013 07:04 AM

    Got no personal experience with this, but I would advise asking this on a Cisco forum as well (if you haven't already). A lot depends on whether you really need 20 different URLs; if you do, the question might be whether ClearPass can do something smart there.



  • 5.  RE: Central WebAuth - Cisco Switches

    Posted Mar 22, 2013 04:21 PM

    I ran into this issue as well in a proof-of-concept environment. For whatever it's worth, I had to put the guest traffic on a VLAN that spanned upstream to an untrusted port on an Aruba controller. It was at the Aruba controller that I applied a wired authentication profile, giving a role to those users. That role had a captive portal authentication profile, which redirected to CPPM for central web auth.

     

    FWIW, if you wanted to do this with Cisco ISE, you'd have to do things similarly for wireless users (i.e., have wireless guests be placed on a VLAN, spanned upstream to an 802.1X-enabled Cisco switchport wherein central webauth could be performed).

     

    Both CPPM and ISE have flaws when it comes to multivendor support for web auth.



  • 6.  RE: Central WebAuth - Cisco Switches

    Posted Mar 22, 2013 05:37 PM
    Ryan,

    That's a pretty good idea. I'll give that a shot and see how it works.


  • 7.  RE: Central WebAuth - Cisco Switches

    Posted Jun 05, 2013 09:03 PM
    .


  • 8.  RE: Central WebAuth - Cisco Switches

    Posted Jul 19, 2013 05:35 AM

    I think this will work with the web auth enforcement policy on the CPPM, as there is a Cisco web auth enforcement template in the enforcement policies.

     

    The link below is how it's done with ISE (:smileymad:) and Cisco switches. So I guess we can throw out ISE and replace it with CPPM with enforcement policies :smileyhappy: .

     

    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml