Occasional Contributor II

Wired Policy Enforcement Captive Portal

I've read the wired policy enforcement guide and have got MAC authentication and 802.1X authentication working like a charm.

I'm getting stuck, however, with the captive portal redirect for machines that fail either MAC/802.1X.

My DUR is downloading successfully, and I can see the device it is applied to hitting the relevant policy rules, but no redirect happens on the client.

DUR:

User Role Information

Name : *DUR_SPLASH_advanced-3038-2
Type : downloaded
Reauthentication Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : 123
Tagged VLANs :
Captive Portal Profile : use-radius-vsa_DUR_SPLASH_advanced-3038-2
URL : https://clearpass.mydomain.com/guest/guest_register.php
Policy : REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2

Statements for policy "REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2"
policy user "REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2"
10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit
20 class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2" action permit
30 class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2" action permit
40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal
exit


Statements for class IPv4 "DNS_DUR_SPLASH_advanced-3038-2"
class ipv4 "DNS_DUR_SPLASH_advanced-3038-2"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit


Statements for class IPv4 "DHCP_DUR_SPLASH_advanced-3038-2"
class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
exit


Statements for class IPv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2"
class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2"
10 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 443
exit


Statements for class IPv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2"
class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
exit

Tunnelednode Server Redirect : Disabled
Secondary Role Name :

Statistics for that policy show the action redirect class is being matched, but nothing happens on the client when browsing to an external site (browsing to the ClearPass server itself works):

Aruba-2930F-48G-PoEP-4SFPP# sh statistics policy REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2 port 3

Hit Counts for Policy 204747AC641F-0003

Total

10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit

( 59 ) 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53

20 class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2" action permit

( 1 ) 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
( 0 ) 20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68

30 class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2" action permit

( 5 ) 10 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 80
( 252 ) 20 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 443

40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal

( 137 ) 10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
( 0 ) 20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443

The switch is configured as L2, with tagged VLANs up to a L3 core.

OS version is WC.16.07.0006

Any guidance appreciated.

Aruba Employee

Re: Wired Policy Enforcement Captive Portal

Did you check that the following conditions are met:

1. Your guest clients get an IP in the assigned VLAN by DHCP.

2. Your switch has routing enabled.

3. Your upstream router knows the way back to the client IP subnet, therefore your captive portal server can communicate back to the client.

4. Try a guaranteed http (not https) website like http://neverssl.com

Occasional Contributor II

Re: Wired Policy Enforcement Captive Portal

Yes, I'm getting DHCP.

Yes, routing is enabled.

Yes, the upstream router knows all the routes.

Tried http://neverssl.com - still no luck.

As I said, I can directly access the captive portal URL https://clearpass.mydomain.com/guest/guest_register.php from my client, so there aren't any routing issues.

But any attempt to trigger the action redirect captive-portal doesn't work with any other type of web request :(

Occasional Contributor II

Re: Wired Policy Enforcement Captive Portal

Currently, the VLAN that the user resides in has no IP address on the switch - it's purely L2, with the default gateway on a different switch that is tagged.

If I add an IP address on the switch to the VLAN interface the user is in, then captive-portal redirect works.

So, is this a requirement for captive-portal to work?


Aruba Employee

Re: Wired Policy Enforcement Captive Portal

Yes, it is. This is clearly written in the ClearPass Solution Guide for Wired Policy Enforcement under "ArubaOS-Switch Enforcement / RADIUS-based Enforcement / Configuration Overview / Switch Configuration":

..."To support captive portal redirection, the client VLAN(s) must have an IP address assigned on the switch (ex: vlan 812 ip address 100.81.2.252/24). ..."


The latest version can be downloaded here:
https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161
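The precondition confirmed above (the client VLAN must carry an IP address on the switch for the redirect to fire) is easy to miss in a long running config. As an added example, not part of this thread or of any Aruba tooling, the Python below parses a constructed DUR listing modelled on the one in the first post and a constructed "vlan" block from the running config, and reports whether the redirect prerequisites hold. The config fragments and VLAN address are assumptions made up for the example.

```python
import re

# Constructed sample modelled on the DUR output in the thread (trimmed).
DUR_TEXT = """\
Untagged VLAN : 123
Captive Portal Profile : use-radius-vsa_DUR_SPLASH_advanced-3038-2
Policy : REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2
10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit
40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal
"""
# Constructed running-config fragments: the L2-only VLAN that failed, and the
# same VLAN with an IP address, as the solution guide requires (address assumed).
CONFIG_L2_ONLY = "vlan 123\n   name \"GUEST\"\n   tagged 49-52\n   exit\n"
CONFIG_FIXED = ("vlan 123\n   name \"GUEST\"\n   tagged 49-52\n"
                "   ip address 192.168.123.2 255.255.255.0\n   exit\n")

def client_vlan(dur_text):
    """VLAN the role places the client in (None if the DUR sets none)."""
    m = re.search(r"^Untagged VLAN\s*:\s*(\d+)", dur_text, re.M)
    return int(m.group(1)) if m else None

def vlan_has_ip(config_text, vlan_id):
    """True if the 'vlan <id>' block contains an 'ip address' statement."""
    current = None
    for line in config_text.splitlines():
        s = line.strip()
        m = re.match(r"^vlan (\d+)$", s)
        if m:
            current = int(m.group(1))
        elif s == "exit":
            current = None
        elif current == vlan_id and s.startswith("ip address "):
            return True
    return False

def check_redirect_prereqs(dur_text, config_text):
    """Return findings; an empty list means the redirect preconditions hold."""
    findings = []
    vlan = client_vlan(dur_text)
    if vlan is None:
        findings.append("DUR assigns no untagged VLAN")
    elif not vlan_has_ip(config_text, vlan):
        findings.append(f"VLAN {vlan} has no IP address on the switch")
    if "action redirect captive-portal" not in dur_text:
        findings.append("policy has no 'redirect captive-portal' class")
    if not re.search(r"^Captive Portal Profile\s*:\s*\S", dur_text, re.M):
        findings.append("DUR has no captive portal profile")
    return findings
```

Running check_redirect_prereqs(DUR_TEXT, CONFIG_L2_ONLY) flags the missing VLAN address, while the same call with CONFIG_FIXED returns no findings.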
