Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onguard dissolvable Agent Health Check Issue

  • 1.  Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 10:04 AM

    Dear Team,

     

    Task required to be done = 802.1X authentication and assigning the correct VLAN after posture by the OnGuard dissolvable agent.

     

    My case is: whenever the user joins the "802.1X" SSID, they should be redirected to the ClearPass portal page. The user will open the browser and be redirected to the portal page. On the portal page, the health check of the client will be done using the dissolvable agent.

     

    I have created three services on the CP as follows.

     

    1- 802.1x Service for Auth (Authentication is working fine)

     

    2- Web-Health (to get the posture health of the client and return the healthy / unhealthy status)

     

    3- Web-Auth (after the health check, the user should again authenticate with its respective correct VLAN according to the health status.)

     

    My problem is: when the user downloads the Java and gives the correct health check as per the configured policy, it again redirects to the portal page rather than redirecting to the internet. I have seen all the logs in Access Tracker and each and every output seems to be OK.

     

    From the controller side, I am using layer 2 authentication, and in layer 3 I also enabled the authentication and put the portal page to redirect the client.

     

    Can anyone help? I am stuck in the loop of the redirection page even though my posture is correct and the returned VLAN is also correct.

     

    Regards,

     

    Ali



  • 2.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 10:19 AM

     

    What version of CPPM are you using?

     

    Can you share your web portal health check config?

     



  • 3.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 10:58 AM


  • 4.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 11:21 AM

     

    Can you please share the config on your Web Login Page?



  • 5.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 11:39 AM

    I just followed the reference link to configure the web login page, same to same.

     

    https://afp.arubanetworks.com/afp/index.php/ClearPass_6.3_OnGuard_Dissolvable_Agent_Workflow_and_Con...



  • 6.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 12:04 PM

    Try using the Bounce User option under the Agent enforcement profile.

    Did you add the CPPM as RFC 3576 in your controller?

     

    2014-06-02 12_02_49-Switch General Configuration.png



  • 7.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    EMPLOYEE
    Posted Jun 02, 2014 12:15 PM

    Can you turn up a user-debug and show the output after the user gets bounced?

     

    Also, in Access Tracker in ClearPass, is the correct role being returned?



  • 8.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 03, 2014 04:07 AM

     

    Actually, I am using a Cisco controller and return the data VLAN if the user is healthy; otherwise the user will be in the quarantine VLAN.

     

    In Access Tracker I can see that once the user joins 802.1X, it is in the quarantine VLAN because CP didn't have the current health status.

     

    Then the user opens a browser and is redirected to the page where the health check starts, and after that the user will get the actual correct VLAN.

     

    Then it again comes to the same page rather than going to the internet.

     

    Why do we need this RFC in the controller, and where can I put it in Cisco?



  • 9.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 03, 2014 06:21 AM
    In the initial phase, when the device connects, the posture is unknown, so once you know the posture ("unhealthy" or "healthy"), you need to CoA the device to go through the 802.1X service so it can get the access based on the posture.

    CoA needs to be enabled in Network > Devices.

    Make sure that you select Cisco as the vendor.

    Here's a good doc:
    https://supportforums.cisco.com/document/32466/how-test-rfc3576-wlcpdf


  • 10.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 03, 2014 06:23 AM
    In your health posture enforcement policy, the enforcement profile should have "Cisco Terminate" to execute this.
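
Added example, not part of any post in this thread: a sketch of the RFC 3576 Disconnect-Request that a policy server sends to force the re-authentication discussed in posts 6 to 10, together with the authenticator check the controller performs before acting on it. The packet layout follows RFC 3576; the attribute set, shared secret, user name and MAC address are constructed, and that the "Cisco Terminate" profile sends exactly these attributes is an assumption.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40                  # RFC 3576 packet code
USER_NAME, CALLING_STATION_ID = 1, 31    # RADIUS attribute types (RFC 2865)


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type, length, value; struct raises if the value exceeds 253 bytes.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident: int, secret: bytes, user: str, mac: str) -> bytes:
    """What the policy server sends to end a session and force re-authentication."""
    attrs = _attr(USER_NAME, user.encode()) + _attr(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def nas_accepts(packet: bytes, secret: bytes) -> bool:
    """Controller-side check: recompute the authenticator with its own secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    pkt = build_disconnect_request(7, b"constructed-secret", "ali", "00-11-22-33-44-55")
    print(parse_attributes(pkt), nas_accepts(pkt, b"constructed-secret"))
```

A request whose authenticator does not verify against the controller's own copy of the shared secret fails this check, which is why the policy server has to be defined on the controller with a matching secret before a CoA can take effect.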


  • 11.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    EMPLOYEE
    Posted Jun 02, 2014 10:38 AM

    Do you have a CoA in your WebAuth for "HEALTHY(0)"?



  • 12.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 02, 2014 10:56 AM

    Dear,

     

    Yes, I tried with CoA in WebAuth for healthy, and I can see clearly that the user initiates the authentication again after the health check.

     

    I just followed this document as a reference.

     

    https://afp.arubanetworks.com/afp/index.php/ClearPass_6.3_OnGuard_Dissolvable_Agent_Workflow_and_Configuration



  • 13.  RE: Clearpass Onguard dissolvable Agent Health Check Issue

    Posted Jun 23, 2014 06:45 PM

    Was your dissolvable issue resolved or not? I had a similar issue, which was caused by the enforcement policy configuration, and second, I had to add a 2nd Web auth account in the service in order to fix the dissolvable issue, because we allowed machine and AD authentication and didn't want users to enter their username or password twice.