Juniper EX Url redirect issue

Dear Experts,

I need some help regarding configuring a Juniper EX 2300 running version to support OnGuard. Below is the workflow I am trying to do (and have done successfully on Cisco switches and Aruba OS switches):

  • User connects to the port enabled for dot1x
  • User authenticates successfully
  • User is placed in the quarantine VLAN since it's the first time the user has connected and there is no posture information
  • ClearPass pushes the url-redirect so that the switch may redirect the user to the OnGuard landing page

 

Now in my case this is what is happening. I have created a "Juniper-CWA" profile (snap attached) which tells the URL redirect and the Juniper firewall filter "JNPR_RSVD_FILTER_CWA" to be pushed to the user when he is being placed in the quarantine VLAN. Now this is what happens:

  • User connects to the port
  • User cannot authenticate, i.e. Windows tells me authentication failed but ClearPass is showing authentication successful. There are no alerts and I can see there are 3 things that are pushed for the user: VLAN, URL redirect and JNPR_RSVD_FILTER_CWA

 

Now if I simply remove the Juniper-CWA profile from the quarantine policy, authentication is successful. If I just remove "JNPR_RSVD_FILTER_CWA", authentication fails (at the client's end; ClearPass shows it's successful).

I have restarted the switch but to no avail. Has anybody done this on EX switches before?




ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
Contributor I

Re: Juniper EX Url redirect issue

Hello Iqbal,

 

We are also having the same issue. Any solution identified?

 

Please help me with this if you identified any solution.

 

Thanks,

Yugandhar.


Re: Juniper EX Url redirect issue

Dear Yugandhar

During my research, the collateral I found from Juniper clearly implies
that such a scenario is not possible. Why? Below is the excerpt from Juniper's
official website:

Central Web authentication is invoked after a host has failed MAC RADIUS
authentication. The host can attempt authentication using 802.1X
authentication first, but must then attempt MAC RADIUS authentication
before attempting central Web authentication

In my case, what I recall is we cannot have failed MAC authentication after
successful dot1x authentication, because it makes no sense, to me at least.

Link to Juniper ->
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/central-web-authentication.html



ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
New Contributor

Re: Juniper EX Url redirect issue

It looks like I face the same issue.

 

May I know if there is any method to solve this issue?
