Modify NAS IP in wired web-redirect

Hi all,


So I'm trying to get a wired web-login working from a Cisco switch to ClearPass; however, I keep running into the problem where the NAS IP is CPPM ( and not the switch. Is there a way to modify the redirect-URL to include a NAS-IP field? I already have switch IP and MAC address included in the URL.


I have the web login page set to Server Initiated; if we set it to Controller-initiated, the login never succeeds, probably due to the same issue. Essentially we see (2) requests for the same authentication:


2. WebAuth 


Both have the IP address. If we can get the IP to be the switch or send a COA to the switch somehow via enforcement profile, the device would then successfully mac auth and no more ACL redirect on port.


In the Computed Attributes of the request, I have the following:

Application: WebLoginURL:switchip


So I know the information is there, just how do I reference it to send a terminate session or ACL update?


Any ideas? 

Michael Haring
If my answer is helpful, a Kudos is always appreciated!

Re: Modify NAS IP in wired web-redirect


Would prefer to have the request show the correct NAS IP, but if I can send an enforcement referencing that computed attribute, that works too.


Michael Haring
Occasional Contributor II

Re: Modify NAS IP in wired web-redirect

For Cisco switches I also use Server-Initiated.


To make this work, create a RADIUS enforcement profile that returns Cisco av-pair = url-redirect=http://FQDN/guest/guestwebloginwired.php?switchip=%{Radius:IETF:NAS-IP-Address}&mac=%{Connection:Client-Mac-Address-NoDelim}&


Also, in the same RADIUS enforcement profile return a reference to an ACL with another Cisco-AVPair = url-redirect-acl=Guest-Web-Redirect


I don't use DACLs so the access list must be created on the switch.

ip access-list extended Guest-Web-Redirect
deny ip any host <ClearPass IP Address>
deny udp any any eq domain
permit ip any any
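
Added example, not part of the reply above and not ClearPass code: it expands the two Cisco-AVPair values from the reply for one session, then shows a portal-side check of the returned query string. Because switchip and mac travel through the client's browser, the check accepts them as a CoA target only if switchip is a registered switch. The host name, switch addresses and function names are hypothetical, and the URL stops at the mac parameter.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

HEX = "0123456789abcdef"

# Constructed sample data: addresses of switches registered as network devices.
KNOWN_SWITCHES = {ipaddress.ip_address("192.0.2.10"),
                  ipaddress.ip_address("192.0.2.11")}


def render_avpairs(fqdn, nas_ip, client_mac, acl="Guest-Web-Redirect"):
    """Expand the two Cisco-AVPair values for one session."""
    # No delimiters in the MAC; lower case is an assumption of this sketch.
    mac = "".join(c for c in client_mac.lower() if c in HEX)
    url = (f"http://{fqdn}/guest/guestwebloginwired.php"
           f"?switchip={nas_ip}&mac={mac}")
    return [f"url-redirect={url}", f"url-redirect-acl={acl}"]


def coa_target(redirect_url):
    """Return (switch_ip, mac) to use for a CoA, or raise ValueError."""
    query = parse_qs(urlsplit(redirect_url).query)
    # Repeated or missing parameters are rejected rather than guessed at.
    if len(query.get("switchip", [])) != 1 or len(query.get("mac", [])) != 1:
        raise ValueError("switchip and mac must each appear exactly once")
    ip = ipaddress.ip_address(query["switchip"][0])  # ValueError on junk
    if ip not in KNOWN_SWITCHES:
        raise ValueError(f"{ip} is not a registered switch")
    mac = query["mac"][0].lower()
    if len(mac) != 12 or any(c not in HEX for c in mac):
        raise ValueError("mac is not 12 hex digits")
    return str(ip), mac


if __name__ == "__main__":
    pairs = render_avpairs("cppm.example.test", "192.0.2.10",
                           "AA:BB:CC:00:11:22")
    print("\n".join(pairs))
    print(coa_target(pairs[0].split("=", 1)[1]))
```
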

Re: Modify NAS IP in wired web-redirect

Excellent, I will try to implement. I was able to temporarily resolve the issue by changing the COA from the Web Auth request to the RADIUS request, which still seems to maintain the original switch information. Essentially we do MAC auth, captive portal login (RADIUS+WebAuth) and then bounce in background while at landing page with loading bar for 10 seconds, then re-mac auth successfully for full access.


I will look into optimizing it with the recommendations. Thank you for the help.

Michael Haring