Occasional Contributor II

URL Redirect not working with Cisco Switch

I have followed the Wired Policy Enforcement guide to get a basic configuration working with the self registration portal. Essentially, I am just looking to use ClearPass to detect if a device is Unknown status, and if so, direct the device to the self registration portal.

 

Relevant switch configuration: (Cisco 3650 and 2960)

##Global

aaa new-model
!
aaa group server tacacs+ HFCU
 server 10.60.96.66
!
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
! CoA listener on UDP 3799; ClearPass is the only permitted dynamic-author client
aaa server radius dynamic-author
 client 10.60.96.66 server-key xxx
 port 3799
 auth-type all
!
aaa session-id common
!
ip dhcp snooping
!
device-tracking policy policy1
 trusted-port
 no protocol udp
 tracking enable
!
dot1x system-auth-control
dot1x critical eapol
!
vlan configuration 1-4094
 device-tracking attach-policy policy1
!
! Redirect ACL: permit entries are redirected, deny entries are exempt
! (traffic to ClearPass itself must not be redirected)
ip access-list extended CLEARPASS-REDIRECT
 deny ip any host 10.60.96.66
 permit tcp any any eq www
 permit tcp any any eq 443
!
tacacs-server host 10.60.96.66 timeout 5 key 7 xxx
!
radius-server attribute 11 default direction in
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
radius server 10.60.96.66
 address ipv4 10.60.96.66 auth-port 1645 acct-port 1646
 key xxx
!

###Switchport configuration

interface GigabitEthernet1/0/xx
 switchport access vlan 150
 switchport mode access
 switchport voice vlan 48
 authentication event server dead action authorize vlan 16
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input MARK-IN
!


I have attached screenshots of the ClearPass config.

So what I would expect to happen is that a device with status Unknown connects and is URL-redirected to the self registration portal. Instead, when a device connects, ClearPass looks to be doing everything it needs to: the dACL is applied, the URL redirect is sent, and the device is dropped into the proper VLAN 150. However, the device is not receiving the VLAN and DHCP assignment, and no URL redirect occurs.

If I remove the HFCU-Cisco-SelfReg-Redirect profile from the MAC Auth service enforcement rule, the Unknown connecting device receives its VLAN and DHCP assignment, and the dACL is applied without issue.

So I am experiencing some sort of disconnect when the Self Registration profile is applied to the enforcement rule. Is anyone able to help me determine what is causing this issue?

Thanks!

Frequent Contributor II

Re: URL Redirect not working with Cisco Switch

Three things to check/try from what I recall on testing wired redirect.

1. Does your switch have an IP address on the access VLAN? I believe this is required, the same way a WLC needs an IP address on the client VLAN for wireless redirect. 

2. ip http server / ip http secure-server enabled on the switch?

3. Last is the certificate, I don't recall if there is a requirement for the correct cert (matching captive portal, or at least 'trusted') to be loaded on the switch for https to work.

Edit: if you aren't even getting DHCP, maybe the problem is before all the above. Have you tried without these commands?

authentication event server dead action authorize vlan 16
authentication event server dead action authorize voice
authentication event server alive action reinitialize

Occasional Contributor II

Re: URL Redirect not working with Cisco Switch

Issue turned out the CLEARPASS-REDIRECT ACL needed to be added to the upstream switch I was connecting from.
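As an added example (not code from this thread, Aruba or Cisco), the following Python script turns the checklist from the second reply and the fix from the last post into something that can be run against a switch's running-config: the ACL named in the enforcement profile's Cisco-AVPair url-redirect-acl must exist on the switch that terminates the session, it must exempt the ClearPass address (deny = do not redirect) and select web traffic (permit = redirect), the switch's HTTP and HTTPS servers must be on, and network authorization and the CoA client must be configured. The ClearPass address and ACL name are taken from the thread; the portal URL, the RADIUS server name CPPM and both sample configs are constructed for the example.

```python
"""Check a Cisco IOS running-config for the things a ClearPass wired URL
redirect needs on the switch terminating the session.  Added example for
this thread, not code from the forum, Aruba or Cisco."""
import re

# Hypothetical contents of the ClearPass enforcement profile's Cisco-AVPairs.
PROFILE = {
    "clearpass_ip": "10.60.96.66",              # from the thread
    "url_redirect_acl": "CLEARPASS-REDIRECT",  # from the thread
    "url_redirect": "https://clearpass.example.com/guest/self_registration.php",  # assumed
}

# Constructed sample: the authenticating switch with ACL, HTTP server,
# network authorization and CoA client all in place.
GOOD_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
 client 10.60.96.66 server-key xxx
 port 3799
ip http server
ip http secure-server
ip access-list extended CLEARPASS-REDIRECT
 deny ip any host 10.60.96.66
 permit tcp any any eq www
 permit tcp any any eq 443
radius server CPPM
 address ipv4 10.60.96.66 auth-port 1812 acct-port 1813
 key xxx
"""

# Constructed sample: a switch that authenticates the port but on which the
# ACL named by the profile was never defined and the HTTP server is off.
MISSING_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
 client 10.60.96.66 server-key xxx
radius server CPPM
 address ipv4 10.60.96.66 auth-port 1812 acct-port 1813
 key xxx
"""


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for every named IP access list.
    Entries are recognised by keyword, so it works whether or not the
    running-config indentation survived a copy-paste."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^ip access-list (?:extended|standard) (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and re.match(r"^(?:\d+ )?(?:permit|deny|remark)\b", line):
            acls[current].append(re.sub(r"\s+", " ", line))
        elif line and line != "!":
            current = None  # any other top-level command ends the ACL block
    return acls


def has_cmd(config, cmd):
    """True if cmd appears as a complete command line (indent ignored)."""
    return any(l.strip() == cmd for l in config.splitlines())


def check_redirect_prereqs(config, profile):
    """Return {check: passed}.  All True means this switch can honour the
    profile's url-redirect / url-redirect-acl pair."""
    cpip = profile["clearpass_ip"]
    entries = parse_acls(config).get(profile["url_redirect_acl"])
    return {
        # The Access-Accept only names the ACL; it must exist locally on the
        # switch terminating the session (the fix in the last post above).
        "acl_defined": entries is not None,
        # In a Cisco redirect ACL 'deny' means "do not redirect": traffic to
        # the portal itself must be exempt or the client loops on the redirect.
        "acl_exempts_clearpass": bool(entries) and any(
            e.startswith("deny ") and f"host {cpip}" in e for e in entries),
        # 'permit' means "redirect": cleartext and TLS web traffic.
        "acl_redirects_http": bool(entries) and any(
            re.match(r"^permit tcp any any eq (?:www|80)$", e) for e in entries),
        "acl_redirects_https": bool(entries) and any(
            re.match(r"^permit tcp any any eq (?:443|https)$", e) for e in entries),
        # The switch answers the intercepted connection itself, so its HTTP
        # server must be on, and the secure server too when 443 is redirected.
        "http_server": has_cmd(config, "ip http server"),
        "https_server": has_cmd(config, "ip http secure-server"),
        # Without network authorization the VSAs in the Access-Accept are ignored.
        "authz_network": has_cmd(config, "aaa authorization network default group radius"),
        # After self-registration ClearPass sends a CoA; it must be an allowed client.
        "coa_client": bool(re.search(rf"^\s*client {re.escape(cpip)}\b", config, re.M)),
    }


if __name__ == "__main__":
    for name, cfg in (("authenticator", GOOD_CONFIG), ("no-acl", MISSING_CONFIG)):
        failed = [k for k, ok in check_redirect_prereqs(cfg, PROFILE).items() if not ok]
        print(f"{name}: {'OK' if not failed else 'FAIL: ' + ', '.join(failed)}")
```

Paste the output of `show running-config` from the switch the client actually plugs into (not a switch further upstream) into the script in place of the constructed samples; on the second sample the report names exactly the gaps this thread ran into, the missing ACL and the disabled HTTP server, while the RADIUS and CoA pieces pass.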
