I've read the wired policy enforcement guide and have got MAC authentications and 802.1x authentications working like a charm.
I'm coming stuck, however, with the captive portal redirect for machines that fail either MAC/802.1x.
My DUR is downloading successfully, and I can see that the device it is applied to is hitting the relevant policy rules, but no redirect happens on the client.
DUR;
User Role Information
Name : *DUR_SPLASH_advanced-3038-2
Type : downloaded
Reauthentication Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : 123
Tagged VLANs :
Captive Portal Profile : use-radius-vsa_DUR_SPLASH_advanced-3038-2
URL : https://clearpass.mydomain.com/guest/guest_register.php
Policy : REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2
Statements for policy "REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2"
policy user "REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2"
10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit
20 class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2" action permit
30 class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2" action permit
40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal
exit
Statements for class IPv4 "DNS_DUR_SPLASH_advanced-3038-2"
class ipv4 "DNS_DUR_SPLASH_advanced-3038-2"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
Statements for class IPv4 "DHCP_DUR_SPLASH_advanced-3038-2"
class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
exit
Statements for class IPv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2"
class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2"
10 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 443
exit
Statements for class IPv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2"
class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
exit
Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Statistics for that policy show the action redirect class is being matched, but nothing happens on the client when browsing to an external site (browsing to the ClearPass server itself works):
Aruba-2930F-48G-PoEP-4SFPP# sh statistics policy REDIRECT-POLICY_DUR_SPLASH_advanced-3038-2 port 3
Hit Counts for Policy 204747AC641F-0003
Total
10 class ipv4 "DNS_DUR_SPLASH_advanced-3038-2" action permit
( 59 ) 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
20 class ipv4 "DHCP_DUR_SPLASH_advanced-3038-2" action permit
( 1 ) 10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
( 0 ) 20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
30 class ipv4 "CLEARPASS-WEB_DUR_SPLASH_advanced-3038-2" action permit
( 5 ) 10 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 80
( 252 ) 20 match tcp 0.0.0.0 255.255.255.255 192.168.10.1 0.0.0.0 eq 443
40 class ipv4 "WEB-TRAFFIC_DUR_SPLASH_advanced-3038-2" action redirect captive-portal
( 137 ) 10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
( 0 ) 20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
The switch is configured as L2, with tagged VLANs up to an L3 core.
OS version is WC.16.07.0006.
Any guidance appreciated.