Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Modify NAS IP in wired web-redirect

  • 1.  Modify NAS IP in wired web-redirect

    MVP
    Posted Nov 29, 2016 10:41 AM

    Hi all,

    So I'm trying to get a wired web login working from a Cisco switch to ClearPass; however, I keep running into the problem where the NAS IP is CPPM (127.0.0.1) and not the switch. Is there a way to modify the redirect URL to include a NAS-IP field? I already have the switch IP and MAC address included in the URL.

    I have the web login page set to Server-Initiated; if we set it to Controller-Initiated, the login never succeeds, probably due to the same issue. Essentially we see two requests for the same authentication:

    1. RADIUS

    2. WebAuth

    Both have the 127.0.0.1 IP address. If we can get the IP to be the switch, or somehow send a CoA to the switch via an enforcement profile, the device would then successfully MAC auth and there would be no more ACL redirect on the port.

    In the Computed Attributes of the request, I have the following:

    Application: WebLoginURL:switchip 10.23.128.31

    So I know the information is there; just how do I reference it to send a terminate session or ACL update?

    Any ideas?



  • 2.  RE: Modify NAS IP in wired web-redirect

    MVP
    Posted Nov 29, 2016 10:50 AM

    Would prefer to have the request show the correct NAS IP, but if I can send an enforcement referencing that computed attribute, that works too.



  • 3.  RE: Modify NAS IP in wired web-redirect

    Posted Nov 30, 2016 12:17 AM

    For Cisco switches I also use Server-Initiated.

    To make this work, create a RADIUS enforcement profile that returns Cisco-AVPair = url-redirect=http://FQDN/guest/guestwebloginwired.php?switchip=%{Radius:IETF:NAS-IP-Address}&mac=%{Connection:Client-Mac-Address-NoDelim}&

    Also, in the same RADIUS enforcement profile, return a reference to an ACL with another Cisco-AVPair = url-redirect-acl=Guest-Web-Redirect

    I don't use DACLs, so the access list must be created on the switch.

    ! Redirect ACL on the switch: permit = send this traffic to the portal, deny = let it through untouched
    ip access-list extended Guest-Web-Redirect
    ! never redirect traffic to ClearPass itself, or the portal page can never load
    deny ip any host <ClearPass IP Address>
    ! leave DNS alone so the client can resolve the portal FQDN
    deny udp any any eq domain
    ! everything else is redirected to the url-redirect URL
    permit ip any any


  • 4.  RE: Modify NAS IP in wired web-redirect

    MVP
    Posted Nov 30, 2016 08:39 AM

    Excellent, I will try to implement. I was able to temporarily resolve the issue by changing the CoA from the Web Auth request to the RADIUS request, which still seems to maintain the original switch information. Essentially we do MAC auth, captive portal login (RADIUS+WebAuth) and then bounce in the background while at the landing page with a loading bar for 10 seconds, then re-MAC auth successfully for full access.

    I will look into optimizing it with the recommendations. Thank you for the help.