Contributor I

How to redirect user to a http page when clearpass rejects connection

Hello Community,

I have a question. Today, my customer has a configuration that redirects devices (mobiles) when they try to access the enterprise SSID. That being said, the communication is as follows:

User requests access to the corporate SSID

Clearpass analyzes the connection and applies the "deny access profile"

The controller redirects the user to a webpage saying "This user cannot enter the corporate SSID, please move to xxx SSID"

I want to know how to redirect that traffic to another webpage besides the one that is already configured.

I have created a new webpage on Clearpass and I want to know how to use that webpage to redirect my users after being rejected by Clearpass. (This is a new SSID)

I have gone through the configuration and I haven't found a way to do this.

Can anybody help me with this?

Guru Elite

Re: How to redirect user to a http page when clearpass rejects connection

Return a user role with a captive portal profile instead of rejecting the request.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: How to redirect user to a http page when clearpass rejects connection

As Tim says, you should return an aruba-user-role pointing to a role on the Controller which is a captive portal only role. Use "guest-logon" as an example.

Check the default-role for your AAA profile. That is most likely a captive-portal role already, where you can just change the redirect URL.

But - I'm not quite sure how your system is set up, because normally a "Deny Access" would cause the Controller to just disconnect you.

Worth checking into at least.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Contributor I

Re: How to redirect user to a http page when clearpass rejects connection

Thanks a lot for your answers.

I still don't understand what I should look for. I have checked the guest-logon profile but it does not say much. I still don't know how to redirect the traffic. This is my first time doing this. I have checked roles, policies, AAA and more and yet I'm not able to figure this out.

When Tim says "Return a user role with a captive portal profile instead of rejecting the request," how exactly do I do that? If anybody can share documentation with me, I will be more than happy to read it so I can understand.

MVP Expert

Re: How to redirect user to a http page when clearpass rejects connection

Ok, if you're not familiar with either Clearpass or Aruba Controller then this isn't easy to jump into. Your quickest bet is to reach out to Aruba TAC or an Aruba Partner in your area to get this sorted out.

If you still want to dive into this..

Check Clearpass Access Tracker and search for the record of the authentication (mac-address or user-name). Verify that it does indeed do [Deny Access]. Check the Output field to verify that it's not sending something like "aruba-user-role" or "filter-id".

If it's [Deny Access] then you're in for a struggle.. Again - reach out to your closest Aruba Partner!


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Contributor I

Re: How to redirect user to a http page when clearpass rejects connection

Hello Community!

It's been a while! After doing a lot of research, failing and testing configurations, I was able to figure this out. The idea is, from Clearpass, to configure an "aruba-rol" so it will return the "role name" of the role configured in the controller that has the HTTPS page for the user (when it fails).

For example, in my controller I configured 2 roles: 1 that is not applied to anything (basically a webpage with a notification for the users saying why he/she cannot navigate from his/her device) and one that has the redirection and rules to access the network.

When a user tries to connect through an SSID with a device that is not allowed, from Clearpass I will "Accept" the connection BUT I will be changing the role of the user.

And that is how you redirect users using Clearpass when they try to connect with an unauthorized device.

I really hope that this experience of mine helps you guys!
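
What "Accept, but change the role" looks like on the wire, as an added example that is not part of the original posts: an Access-Reject gives the controller no role to apply, while an Access-Accept can carry the Aruba-User-Role vendor-specific attribute naming a captive-portal role. The shared secret, the role name `blocked-device` and the simplified `controller_decision` model are assumptions for illustration.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS codes (RFC 2865)
VENDOR_SPECIFIC = 26                  # RADIUS attribute type 26
ARUBA_VENDOR_ID = 14823               # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1                   # Aruba-User-Role vendor type

def aruba_user_role_attr(role):
    """Encode Aruba-User-Role as a Vendor-Specific attribute."""
    value = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Build a response packet with the RFC 2865 Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def controller_decision(packet):
    """Simplified model (assumption) of what the controller does next."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    if code == ACCESS_REJECT:
        return "disconnect"              # nothing to redirect: no role
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE:
                return "apply role: " + value[6:4 + vlen].decode()
        pos += alen
    return "apply default role"          # AAA profile default-role

# Constructed sample values, not taken from the thread.
SECRET, REQ_AUTH = b"example-secret", bytes(16)
REJECT = build_response(ACCESS_REJECT, 7, REQ_AUTH, SECRET)
ACCEPT = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET,
                        aruba_user_role_attr("blocked-device"))
```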

 

Contributor I

Re: How to redirect user to a http page when clearpass rejects connection

This is how! And I didn't understand at first since I didn't know how to do it.

Thanks a lot!!!!!!
