Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius IETF redirect to a URL

  • 1.  Radius IETF redirect to a URL

    Posted Oct 23, 2018 10:05 AM

    Hi

     

    Is there some type of RADIUS IETF attribute to redirect a denied-access user to a web page?

     

    Or

     

    Is there some way to redirect blacklisted users to a web page after authenticating in the Captive Portal?

     

    I tried using an enforcement profile (ARUBA CAPTIVE PORTAL URL and CISCO AV PAIR) but it doesn't work.

     

    I'm using Cisco WLC + ClearPass Policy Manager 6.7.5



  • 2.  RE: Radius IETF redirect to a URL

    EMPLOYEE
    Posted Oct 23, 2018 10:28 AM
    Cisco-AVpair url-redirect=yoururl


  • 3.  RE: Radius IETF redirect to a URL

    Posted Oct 23, 2018 10:32 AM

    Thanks for your response.

     

    But do I need to create an ACL for this to work?

     

    Does AV-PAIR work with wireless?

     

    I'm working with CAPTIVE PORTAL and MAC AUTH.

     

     



  • 4.  RE: Radius IETF redirect to a URL

    EMPLOYEE
    Posted Oct 23, 2018 10:35 AM
    Yes, follow the same process as a guest redirect.


  • 5.  RE: Radius IETF redirect to a URL

    Posted Oct 23, 2018 10:43 AM

    Just to confirm, create an ACL in the WLC?

     

    Thanks.



  • 6.  RE: Radius IETF redirect to a URL

    Posted Oct 24, 2018 01:43 PM

    Hi Luis,

     

    Just create an ACL on the WLC that allows traffic to your page (you can add this with an IP rule or URL) and allows DNS.

    Within ClearPass, add the following to your enforcement profile:

     

    Radius:Cisco>Cisco-AVPair => url-redirect=<your url>

    Radius:Cisco>Cisco-AVPair => url-redirect-acl=<the name of the ACL defined on wlc>

     

    Then, on the WLAN config under WLC just make sure NAC state advanced option is set to "ISE NAC" or "RADIUS NAC".
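
The enforcement profile above only works if both Cisco-AVPair values actually arrive in the Access-Accept. The following is an added example, not part of the original post and not ClearPass or Cisco code: it decodes the Cisco vendor-specific attributes from a raw RADIUS packet (for instance, bytes taken from a capture) and reports what is missing. The sample packet, the URL `https://portal.example.com/blocked` and the helper names are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type carrying VSAs (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor type 1 = Cisco-AVPair

def cisco_avpairs(packet: bytes) -> dict:
    """Return {name: value} for each Cisco-AVPair in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = {}, 20  # skip 4-byte header and 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
            name, _, val = value[6:4 + vlen].decode("utf-8", "replace").partition("=")
            pairs[name] = val
    return pairs

def redirect_problems(pairs: dict, wlc_acls: set) -> list:
    """List what is missing for the redirect described in the post above."""
    problems = []
    if not pairs.get("url-redirect", "").startswith(("http://", "https://")):
        problems.append("url-redirect missing or not an http(s) URL")
    acl = pairs.get("url-redirect-acl")
    if not acl:
        problems.append("url-redirect-acl missing")
    elif acl not in wlc_acls:
        problems.append(f"ACL {acl!r} not among the supplied WLC ACL names")
    return problems

def build_accept(avpairs: list) -> bytes:
    """Construct a sample Access-Accept (code 2); authenticator is zeroed."""
    attrs = b""
    for text in avpairs:
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(text) + 2) + text.encode()
        attrs += bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    pkt = build_accept(["url-redirect=https://portal.example.com/blocked"])  # constructed
    print(redirect_problems(cisco_avpairs(pkt), {"CLEARPASS_INVITADOS"}))
```
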



  • 7.  RE: Radius IETF redirect to a URL

    Posted Oct 24, 2018 03:22 PM

    Thank you Ricardo.


    I see on the ACCESS TRACKER in the output TAB the Radius Response of the enforcement, but I am redirected to the web login again.

    You can see on the attached image the results of the ACCESS TRACKER.

     

    On the WLC NAC STATE options I only have SNMP NAC and ISE NAC. I suppose I should use ISE NAC, but I'm not sure because we don't have any ISE.

     

    I do not have much experience in ClearPass or WLC, so I ask for so many details.



  • 8.  RE: Radius IETF redirect to a URL

    Posted Oct 25, 2018 04:46 AM

    Hi,

     

    You must set the NAC option to "ISE NAC" (it will work with ClearPass despite having ISE in the name), otherwise redirect will not work.

     

    Also, redirect will only happen when you access a site/IP that is not whitelisted. So, if you are already at your page, the controller will not redirect you to a new page on the same address, if it was whitelisted.

     

    You can see if the RADIUS integration is working by looking at the endpoint details at the WLC to see if the state is WEB_REQD and the redirect URL and ACL show there.

     

    For your case, you also have to make sure you enable "MAC Filtering" on the WLAN.

     

    Regards.



  • 9.  RE: Radius IETF redirect to a URL

    Posted Oct 31, 2018 09:11 AM

    Hi Ricardo,

     

    This error appears when I put on NAC STATE --- ISE NAC.

     

    Any other suggestion? Thanks.



  • 10.  RE: Radius IETF redirect to a URL

    Posted Oct 31, 2018 01:12 PM

    To redirect the traffic you disable all Layer 3 security options on the WLAN, enable MAC filter on Layer 2 and then enable ISE-NAC.

    What exactly are you setting up on Layer 3 security?

     



  • 11.  RE: Radius IETF redirect to a URL

    Posted Nov 06, 2018 05:53 PM

    Hi

     

    Sorry about the delay in responding. Currently this is the configuration that we maintain at layer 3 level.

    Should I disable this configuration to be able to do the redirect?

     

    Thanks for your time.



  • 12.  RE: Radius IETF redirect to a URL

    Posted Nov 07, 2018 04:25 AM

    Hi,

     

    Do this:

     

    WLC:

    - Remove the Layer 3 security

    - Within Layer 2, enable Mac Filtering

    - Then go to Advanced and set NAC to ISE (I noticed a bug where the setting will revert to none when you change AAA servers; so make sure the value is set to ISE)

    - Still on Advanced, enable AAA Override.

     

    ClearPass:

    - Set a redirect enforcement profile and set the URL address to the one you had under "Layer 3 URL"

    - Set the PreAuth ACL (url-redirect-acl av pair) to CLEARPASS_INVITADOS

     

    And it should work.

     



  • 13.  RE: Radius IETF redirect to a URL

    Posted Nov 26, 2018 06:47 PM

    Hi Ricardo.

     

    Just a question.

     

    Is it possible that this does not work for me because I do not have an Onboard License?

     

    Thanks.



  • 14.  RE: Radius IETF redirect to a URL

    Posted Jun 19, 2019 02:30 AM

    Hi everyone,

    I have the same issue with the redirect URL. I built the Cisco switch and ClearPass for web authentication. I set the authentication method "allow all mac auth" for the unknown MAC to continue to web-auth, but the switch does not receive the redirect URL.

     

    Do you have any advice? Thanks.

     

    regards

    mike