Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired Policy Enforcement Captive Portal

  • 1.  Wired Policy Enforcement Captive Portal

    Posted Aug 20, 2019 02:06 AM

    I've read the Wired Policy Enforcement guide and have got MAC authentication and 802.1X authentication working like a charm.

    I'm getting stuck, however, with the captive portal redirect for machines that fail either MAC or 802.1X authentication.

    My DUR is downloading successfully, and I can see the device it is applied to hitting the relevant policy rules, but no redirect happens on the client.

    DUR:

    User Role Information

    Name : *DUR_SPLASH_advanced-3038-2
    Type : downloaded
    Reauthentication Period (seconds) : 0
    Logoff Period (seconds) : 300
    Untagged VLAN : 123
    Tagged VLANs :
    Captive Portal Profile : use-radius-vsa_DUR_SPLASH_advanced-3038-2
    URL : https://clearpass.mydomain.com/guest/guest_register.php
    Policy : REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2

    Statements for policy "REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2"
    policy user "REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2"
    10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit
    20 class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2" action permit
    30 class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2" action permit
    40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal
    exit


    Statements for class IPv4 "DNS_DUR_SPLASH_advanced-3038-2"
    class ipv4 "DNS_DUR_SPLASH_advanced-3038-2"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    exit


    Statements for class IPv4 "DHCP_DUR_SPLASH_advanced-3038-2"
    class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
    exit


    Statements for class IPv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2"
    class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2"
    10 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 80
    20 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 443
    exit


    Statements for class IPv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2"
    class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2"
    10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
    exit

    Tunnelednode Server Redirect : Disabled
    Secondary Role Name :

    Statistics for that policy show the action redirect class is being matched, but nothing happens on the client when browsing to an external site (browsing to the ClearPass server itself works):

    Aruba-2930F-48G-PoEP-4SFPP# sh statistics policy REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2 port 3

    Hit Counts for Policy 204747AC641F-0003

    Total
    10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit
    ( 59 ) 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    20 class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2" action permit
    ( 1 ) 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    ( 0 ) 20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
    30 class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2" action permit
    ( 5 ) 10 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 80
    ( 252 ) 20 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 443
    40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal
    ( 137 ) 10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    ( 0 ) 20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443

    The switch is configured as L2, with tagged VLANs up to a L3 core.

    OS version is WC.16.07.0006

    Any guidance appreciated.

  • 2.  RE: Wired Policy Enforcement Captive Portal

    EMPLOYEE
    Posted Aug 20, 2019 07:41 AM

    Did you check that the following conditions are met:

    1. Your guest clients get an IP in the assigned VLAN by DHCP.

    2. Your switch has routing enabled.

    3. Your upstream router knows the way back to the client IP subnet, therefore your captive portal server can communicate back to the client.

    4. Try a guaranteed http (not https) website like http://neverssl.com
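An added example, not code from the original posts or from HPE Aruba: a client-side probe for step 4 above. It requests the plain-HTTP test site once without following redirects and reports whether the answer is a 302 whose Location points at the ClearPass portal host, so the captive-portal action can be checked from the client rather than inferred from the switch's hit counters. Plain HTTP matters because the redirect is an HTTP 302 that the switch returns to the client itself, and it cannot inject that into a TLS session without a certificate the client trusts. Assumed here and not stated in the thread: the portal host clearpass.mydomain.com (taken from the DUR in the first post), http://neverssl.com as the target, and the SAMPLE_REDIRECT bytes, which are constructed to show what a working redirect looks like on the wire.

```python
"""Client-side probe for an ArubaOS-Switch captive-portal redirect.

Added example for this thread; not code from the original posts or from HPE Aruba.
Assumptions (not stated in the thread): the probe runs on the client whose port
carries the downloaded user role, the portal host is the one in the poster's DUR
(clearpass.mydomain.com) and the target is the plain-HTTP site suggested in reply #2.
"""
import http.client
from urllib.parse import urlsplit

PORTAL_HOST = "clearpass.mydomain.com"  # from the 'URL :' line of the DUR in post #1
TEST_URL = "http://neverssl.com/"       # plain HTTP: a 302 can only be returned for cleartext requests


def classify(status, location, portal_host=PORTAL_HOST):
    """Interpret one HTTP response that was not followed.

    'redirected'     : 3xx whose Location is on the portal host (redirect is working)
    'other-redirect' : 3xx to some other place, e.g. the origin site's own redirect
    'passed-through' : anything else; the request reached the Internet unredirected
    """
    if 300 <= status < 400:
        host = urlsplit(location or "").hostname  # urlsplit lower-cases the host
        if host and host == portal_host.lower():
            return "redirected"
        return "other-redirect"
    return "passed-through"


def parse_raw_response(raw):
    """Return (status, location) from the head of a raw HTTP response (bytes),
    e.g. one captured with tcpdump on the client while the probe runs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def probe(url=TEST_URL, timeout=5.0):
    """GET url once, do not follow redirects; return (status, location) or (None, error text)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        # The switch cannot inject a 302 into TLS without a certificate the client trusts,
        # so an https:// probe would only produce a misleading 'passed-through'.
        raise ValueError("probe with a plain http:// URL")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.hostname, "Connection": "close"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException) as exc:
        # A timeout here while the redirect-class counters rise on the switch is the
        # symptom from post #1: the request matches the class, but nothing answers the client.
        return None, f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()


# Constructed sample (not captured from the thread) of a working redirect on the wire.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://clearpass.mydomain.com/guest/guest_register.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, location = probe()
    if status is None:
        print("no HTTP answer:", location)
    else:
        print(status, location, "->", classify(status, location))
```

Run it from the client on the port that has the DUR applied. A result of "redirected" means the switch served the 302; "passed-through" means the request reached the Internet unredirected; no answer at all while the redirect class keeps counting hits on the switch is the situation described in the first post.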



  • 3.  RE: Wired Policy Enforcement Captive Portal

    Posted Aug 20, 2019 06:46 PM

    Yes, I'm getting a DHCP address.

    Yes, routing is enabled.

    Yes, the upstream router knows all the routes.

    Tried http://neverssl.com, still no luck.

    As I said, I can directly access the captive portal URL https://clearpass.mydomain.com/guest/guest_register.php from my client, so there aren't any routing issues.

    But any attempt to trigger the action redirect captive-portal doesn't work with any other type of web request :(



  • 4.  RE: Wired Policy Enforcement Captive Portal

    Posted Aug 20, 2019 10:30 PM

    Currently, the VLAN the user resides in has no IP address on the switch; it's purely L2, with the default gateway on a different switch that is tagged.

    If I add an IP address on the switch to the VLAN interface the user is in, then captive-portal redirect works.

    So, is this a requirement for captive-portal to work?

  • 5.  RE: Wired Policy Enforcement Captive Portal
    Best Answer

    EMPLOYEE
    Posted Aug 21, 2019 03:05 AM

    Yes, it is. This is clearly written in the ClearPass Solution Guide for Wired Policy Enforcement under "ArubaOS-Switch Enforcement / RADIUS-based Enforcement / Configuration Overview / Switch Configuration":

    ..."To support captive portal redirection, the client VLAN(s) must have an IP address assigned on the switch (ex: vlan 812 ip address 100.81.2.252/24). ..."

    The latest version can be downloaded here:
    https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161



  • 6.  RE: Wired Policy Enforcement Captive Portal

    Posted Mar 12, 2021 11:35 AM
    Hello, and sorry for digging out some older posts!

    Will the captive portal redirection work if L3 is disabled at the VLAN context?

    vlan 10
    name "Guests at LAN"
    ip address dhcp-bootp
    disable layer3
    exit

    The ClearPass solution guide does not discuss this command and also just says that an IP address must exist for the guest VLAN if captive portal redirection should be served at switch level.

    Is L3 functionality mandatory at switch level for captive portal redirection?


    Thank you for clarification!

    ------------------------------
    Best regards, mom
    ------------------------------



  • 7.  RE: Wired Policy Enforcement Captive Portal

    MVP GURU
    Posted Mar 12, 2021 12:51 PM
    Good question, I have never tried... I think it will work...
    The IP address is only for the redirect (HTTP/302).

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------