Contributor II

Radius IETF redirect to a URL

Hi

Is there some type of RADIUS IETF attribute to redirect a denied access user to a web page?

Or

Is there some way to redirect blacklisted users to a web page after authenticating in the Captive Portal?

I tried using an enforcement profile (ARUBA CAPTIVE PORTAL URL and CISCO AV PAIR) but it doesn't work.

I'm using CISCO WLC + ClearPass Policy Manager 6.7.5

Guru Elite

Re: Radius IETF redirect to a URL

Cisco-AVpair url-redirect=yoururl

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Radius IETF redirect to a URL

Thanks for your response.

But do I need to create an ACL for this to work?

Does AV-PAIR work with wireless?

I'm working with CAPTIVE PORTAL and MAC AUTH.

Guru Elite

Re: Radius IETF redirect to a URL

Yes, follow the same process as a guest redirect.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Radius IETF redirect to a URL

Just to confirm, create an ACL in the WLC?

Thanks.

Frequent Contributor I

Re: Radius IETF redirect to a URL

Hi Luis,

Just create an ACL on the WLC that allows traffic to your page (you can add this with an IP rule or URL) and allows DNS.

Within ClearPass, add the following to your enforcement profile:

Radius:Cisco>Cisco-AVPair => url-redirect=<your url>

Radius:Cisco>Cisco-AVPair => url-redirect-acl=<the name of the ACL defined on wlc>

Then, on the WLAN config under WLC, just make sure the NAC state advanced option is set to "ISE NAC" or "RADIUS NAC".
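
The two Cisco-AVPair values above travel in the Access-Accept as Vendor-Specific attributes (type 26, vendor ID 9, vendor type 1). The following is an added example, not part of the original post and not ClearPass or Cisco code: it decodes a raw attribute block and reports whether either redirect pair is missing. The portal URL and ACL name in the sample are constructed placeholders, and it assumes one sub-attribute per Vendor-Specific attribute.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco enterprise number
CISCO_AVPAIR = 1       # Cisco vendor type for Cisco-AVPair

def encode_avpair(text):
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute."""
    value = text.encode("ascii")
    sub = bytes([CISCO_AVPAIR, len(value) + 2]) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for one RADIUS AVP")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def cisco_avpairs(attrs):
    """Return {key: value} for every Cisco-AVPair in a raw attribute block."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        data = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue  # not a VSA, or too short to hold a sub-attribute
        vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
        if (vendor, vtype, vlen) == (CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) - 4):
            key, _, val = data[6:].decode("ascii", "replace").partition("=")
            found[key] = val
    return found

def missing_redirect_pairs(attrs):
    """List which of the two redirect AVPairs are absent or empty."""
    pairs = cisco_avpairs(attrs)
    return [k for k in ("url-redirect", "url-redirect-acl") if not pairs.get(k)]

# Constructed sample: URL and ACL name are placeholders, not values from the thread.
SAMPLE = (encode_avpair("url-redirect=https://portal.example.com/blocked")
          + encode_avpair("url-redirect-acl=REDIRECT_ACL"))

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE))
    print("missing:", missing_redirect_pairs(SAMPLE))
```

The input is the attribute portion of the packet only, that is, the bytes after the 20-byte RADIUS header.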

Contributor II

Re: Radius IETF redirect to a URL

Thank you Ricardo.

I see on the ACCESS TRACKER in the output TAB the Radius Response of the enforcement, but I am redirected to the web login again.

You can see on the attached image the results of the ACCESS TRACKER.

On the WLC NAC STATE options I only have SNMP NAC and ISE NAC. I suppose I should use ISE NAC, but I'm not sure because we don't have any ISE.

I do not have much experience in ClearPass or WLC, so I ask for so many details.

Frequent Contributor I

Re: Radius IETF redirect to a URL

Hi,

You must set the NAC option to "ISE NAC" (it will work with ClearPass despite having ISE in the name), otherwise redirect will not work.

Also, redirect will only happen when you access a site/IP that is not whitelisted. So, if you are already at your page the controller will not redirect you to a new page on the same address, if it was whitelisted.

You can see if the RADIUS integration is working by looking at the endpoint details at the WLC to see if the state is WEB_REQD and the redirect URL and ACL show there.

For your case, you also have to make sure you enable "MAC Filtering" on the WLAN.

Regards.

Contributor II

Re: Radius IETF redirect to a URL

Hi Ricardo,

 

This error appears when I put on NAC STATE --- ISE NAC.

Any other suggestion? Thanks.

Frequent Contributor I

Re: Radius IETF redirect to a URL

To redirect the traffic you disable all Layer 3 security options on the WLAN, enable MAC filter on Layer 2 and then enable ISE-NAC.

What exactly are you setting up on Layer 3 security?

 
