ACLs
class ipv4 "ALLOW-CLEARPASS-ACL"
10 match tcp 0.0.0.0 255.255.255.255 <CLEARPASS-IP> 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 <CLEARPASS-IP> 0.0.0.0 eq 443
exit
class ipv4 "ALLOW-DNS-ACL"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
class ipv4 "ALLOW-DHCP-ACL"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
exit
class ipv4 "ALLOW-HTTP_HTTPS-ACL"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
exit
Captive Portal Policy
policy user "CAPTIVE_PORTAL-REDIRECT-POLICY"
10 class ipv4 "ALLOW-DHCP-ACL" action permit
20 class ipv4 "ALLOW-DNS-ACL" action permit
30 class ipv4 "ALLOW-CLEARPASS-ACL" action permit
40 class ipv4 "ALLOW-HTTP_HTTPS-ACL" action redirect captive-portal
exit
URL Profile
aaa authentication captive-portal profile "CAPTIVE-PORTAL-PROFILE" url "<clearpass-url>"
Captive Portal User-Role
aaa authorization user-role name "CAPTIVE-PORTAL-ROLE"
captive-portal-profile "CAPTIVE-PORTAL-PROFILE"
policy "CAPTIVE_PORTAL-REDIRECT-POLICY"
reauth-period 28800
Make sure you return the "CAPTIVE-PORTAL-ROLE" from ClearPass
Thank you
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
