11-07-2019 01:40 PM - last edited 3 weeks ago
I assume most people here are familiar with ClearPass and how you can use it for anonymous guest access, guest self registration, and guest device registration via captive portal. I'm trying to do that on a pair of Cisco 3504 controllers running 220.127.116.11, ultimate production controllers are 8540s on the same version. I'm on ClearPass 6.8.1 right now.
When a brand new device joins my guest SSID, I want it to redirect to my ClearPass captive portal page. Users will be given an option to self-register for full internet access or anonymously get on and only get web access. That's being enforced at a Palo Alto firewall.
My problem: I've no idea how to make a Cisco WLC do a redirect to the captive portal page I want, or how to set the SSID up for what I want it to do. I assume I'm supposed to do web policy authentication on MAC filter failure, but so far I've only gotten that to redirect to Cisco's internal captive portal page and not to my ClearPass server. I've followed a couple sets of directions from Cisco to make this work with ISE and I also don't know what (if any) av pairs I need to send from ClearPass back to the WLC. Here's the enforcement profile for the captive portal page right now, please let me know if you'd like to look at anything else or have clarifying questions, or if I'm going completely the wrong way about making this work.
Solved! Go to Solution.
4 weeks ago - last edited 4 weeks ago
This was done on 18.104.22.168 on 3504s.
No screenshots are provided here to the information of the customer I helped with this.
First run "config network web-auth captive-bypass enable" which requires a controller reboot.
Next generate a CSR and private key. This CSR should be sent to a public CA for signing. The CSR CN should be the name you chose for your controller in the ClearPass config section above. In my case the name is "controller.mydomain.local." When you have this, upload it in Security > Web Auth > Certificate. Applying this also requires a controller reboot.
Next go to Controller > Interfaces > Virtual. If you have a spare loopback IP in your addressing scheme, change the controller's virtual IP to that loopback address. You can also use this loopback on multiple controllers, just do not use it anywhere else on your environment.
If you don't have a loopback address handy, Cisco recommends changing this address to 192.0.2.1, which belongs to a special TEST IP address block per RFC1166.
In your DNS server, set your controller name up as an A record pointing to your chosen IP. In my example, we point controller.mydomain.local to 192.0.2.1.
Under Security > AAA > RADIUS > Authentication add a new RADIUS server for each ClearPass node in your cluster. Make sure to enable "Support for CoA" on each server as well.
Under Security > AAA > RADIUS > Accounting add a new RADIUS server for each ClearPass node in your cluster.
Under Security > Access Control Lists > Access Control Lists create a new access control list with rules similar to the following:
- Source any, destination IP address, <YOUR-DNS-SERVER>, 255.255.255.255, UDP, source port ANY, destination port DNS, DSCP ANY, direction ANY, permit. Have one of these for each DNS server.
- Source IP address, <YOUR-DNS-SERVER>, 255.255.255.255, UDP, source port DNS, destination port ANY, DSCP ANY, direction ANY, permit. Have one of these for each DNS server.
- Source IP address, <YOUR-CLEARPASS-NODE>, 255.255.255.255, destination any, protocol any, DSCP any, direction any, permit. Have one of these for each ClearPass node.
- Source any, destination IP address, <YOUR-CLEARPASS-NODE>, 255.255.255.255, protocol any, DSCP any, direction any, permit. Have one of these for each ClearPass node.
You're ready to create the WLAN now. Go to WLANs > Create New > Go. Pick a friendly name for the profile, and in my example the SSID is called Matt-Test. Click Apply. It should take you back to the WLANs page with the new one you just created at the bottom.
Click the number of the WLAN you just created and begin editing it.
In General, make sure it's enabled and Broadcast SSID is set to enabled.
In Security > Layer 2, set it to None and check the Mac Filtering box.
In Security > Layer 3, set it to Web Policy and select the On MAC Filter Failure bubble. Set the Preauthentication ACL to the ACL you created earlier. Check the box to Override Global Config. Set the Web Auth Type to External. Set the Redirect URL to https://<YOUR-CLEARPASS-SERVERS-HOSTNAME>/guest/matt_test.php. Replace matt_test in the URL with the actual name of the page you configured earlier.
In Security > AAA Servers, enable Authentication and Accounting servers and set your ClearPass servers configured above.
I like to go into Advanced and Allow AAA Override as well, just in case you want to redirect certain clients to a specific VLAN.
When this is done:
When a brand new guest walks over and attempts to join your new guest SSID, ClearPass won't recognize them and will send the Cisco WLC a RADIUS REJECT.
The controller sees this RADIUS REJECT as a MAC filter failure, and redirects the client to your ClearPass server captive portal page.
The client device pulls the page up automatically, prompting users to accept the terms and conditions and log in.
When a user logs in, the ClearPass page redirects the user to HTTP POST the credentials to https://controller.mydomain.local/login.html. The controller accepts these credentials and sends ClearPass a RADIUS request.
ClearPass accepts the RADIUS request and allows the client online. It also sets an attribute on the endpoint allowing it to stay online for the rest of the time period you allotted when you set the MAC caching service up. In my example, clients are allowed online for 24 hours.
Next time a user comes back within that 24 hour time frame, they will authenticate against the guest device MAC authentication service.
If they come back after that 24 hours has passed, they will be rejected by ClearPass and prompted to accept the terms and conditions by the controller.