
How to redirect user to a http page when clearpass rejects connection

  • 1.  How to redirect user to a http page when clearpass rejects connection

    Posted Feb 13, 2019 04:12 PM

    Hello Community,

     

    I have a question. Today, my customer has a configuration for redirecting devices (mobiles) when they try to access the enterprise SSID. That being said, the communication is as follows:

    The user requests access to the corporate SSID

    ClearPass analyzes the connection and applies the "deny access profile"

    The controller redirects the user to a webpage saying "This user cannot enter the corporate SSID, please move to xxx SSID"

     

    I want to know how to redirect that traffic to another webpage besides the one that is already configured.

     

    I have created a new webpage on ClearPass and I want to know how to use that webpage to redirect my users after being rejected by ClearPass. (This is a new SSID)

    I have gone through the configuration and I haven't found a way to do this.

    Can anybody help me with this?



  • 2.  RE: How to redirect user to a http page when clearpass rejects connection
    Best Answer

    EMPLOYEE
    Posted Feb 13, 2019 05:10 PM
    Return a user role with a captive portal profile instead of rejecting the request.


  • 3.  RE: How to redirect user to a http page when clearpass rejects connection

    Posted Apr 05, 2019 03:35 PM

    This is how! And I didn't understand at first since I didn't know how to do it.

     

    Thanks a lot!!!!!!



  • 4.  RE: How to redirect user to a http page when clearpass rejects connection

    Posted Feb 14, 2019 02:34 AM

    As Tim says, you should return an aruba-user-role pointing to a role on the Controller which is a captive portal only role. Use "guest-logon" as an example.

    Check the default-role for your AAA profile. That is most likely a captive-portal role already where you can just change the re-direct URL.

    But - I'm not quite sure how your system is set up, because normally a "Deny Access" would cause the Controller to just disconnect you.

    Worth checking into at least.



  • 5.  RE: How to redirect user to a http page when clearpass rejects connection

    Posted Feb 15, 2019 02:37 PM

    Thanks a lot for your answers.

     

    I still don't understand what I should look at. I have checked the guest-logon profile but it does not say much. I still don't know how to redirect the traffic. This is my first time doing this. I have checked roles, policies, AAA and more and yet I'm not able to figure this out.

    When Tim says "Return a user role with a captive portal profile instead of rejecting the request," how exactly do I do that? If anybody can share documentation with me I will be more than happy to read it so I can understand.



  • 6.  RE: How to redirect user to a http page when clearpass rejects connection

    Posted Feb 15, 2019 02:47 PM

    Ok, if you're not familiar with either ClearPass or the Aruba Controller then this isn't easy to jump into. Your quickest bet is to reach out to Aruba TAC or an Aruba Partner in your area to get this sorted out.

     

    If you still want to dive into this..

    Check ClearPass Access Tracker and search for the record of the authentication (mac-address or user-name). Verify that it does indeed do [Deny Access]. Check the Output field to verify that it's not sending something like "aruba-user-role" or "filter-id".

     

    If it's [Deny Access] then you're in for a struggle.. Again - reach out to your closest Aruba Partner!



  • 7.  RE: How to redirect user to a http page when clearpass rejects connection
    Best Answer

    Posted Apr 05, 2019 03:34 PM

    Hello Community!

     

    It's been a while! After doing a lot of research, failing and testing configuration I was able to figure this out. The idea is, from ClearPass, configure an "aruba-rol" so it will return the "role name" of the role configured in the controller that has the HTTPS page for the user (when it fails).

    For example, in my controller I configured 2 roles, 1 that is not applied to anything (basically a webpage with a notification for the users saying why he cannot navigate from his/her device) and one that has the redirection and rules to access the network.

    When a user tries to connect through an SSID with a device that is not allowed, from ClearPass I will "Accept" the connection BUT I will be changing the role of the user.

     

    And that is how you redirect users using clearpass when they try to connect with an unauthorized device.

     

    I really hope that this experience of mine helps you guys!
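
Added example, not part of any post in this thread and not HPE Aruba code: a small RADIUS reply decoder that shows the difference the thread arrives at, an Access-Reject that carries no role versus an Access-Accept that carries the Aruba-User-Role vendor-specific attribute (vendor 14823, type 1) the controller can map to a captive-portal role. The packets are constructed samples with a zeroed authenticator, and the role name `blocked-device-portal` is hypothetical.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1       # Aruba-User-Role in the Aruba RADIUS dictionary
CODES = {2: "Access-Accept", 3: "Access-Reject"}

def parse_reply(packet: bytes) -> dict:
    """Decode a RADIUS reply and extract the role-related attributes."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    reply = {"code": CODES.get(code, str(code)),
             "aruba_user_role": None, "filter_id": None}
    pos = 20  # 4-byte header plus 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == 11:  # Filter-Id
            reply["filter_id"] = value.decode()
        elif atype == 26 and len(value) >= 6:  # Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE
                    and 2 <= vlen <= len(value) - 4):
                reply["aruba_user_role"] = value[6:4 + vlen].decode()
        pos += alen
    return reply

def can_redirect(reply: dict) -> bool:
    """True only for an accept that names a role for the controller to apply."""
    return reply["code"] == "Access-Accept" and reply["aruba_user_role"] is not None

# Constructed sample packets (zeroed authenticator, hypothetical role name).
def build_reply(code: int, attrs: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

def aruba_role_vsa(role: str) -> bytes:
    sub = bytes([ARUBA_USER_ROLE, 2 + len(role)]) + role.encode()
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", ARUBA_VENDOR_ID) + sub

REJECT = build_reply(3)
ACCEPT = build_reply(2, aruba_role_vsa("blocked-device-portal"))

if __name__ == "__main__":
    for name, pkt in (("deny", REJECT), ("accept+role", ACCEPT)):
        reply = parse_reply(pkt)
        print(name, reply, "redirect possible:", can_redirect(reply))
```

The same two fields are what the Access Tracker check in post 6 looks for in the Output of the authentication record.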