Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

captive portal to download onguard persistant client

  • 1.  captive portal to download onguard persistant client

    Posted Sep 27, 2019 05:51 PM

    Hello, I'm configuring this and I've almost got this set up.

    I configured, under Pages, my page which has the link to download the OnGuard persistent client, which works great. I'm doing 802.1X, which also works great.

    But the problem I've got is that in the captive portal I can redirect to the web page in ClearPass that I want with the Cisco AV-Pair url-redirect, and also the other value which tells it which ACL it will be using on the Cisco switch, with the AV-pair url-redirection-acl.

    On the Cisco switch, as far as I could read, I had to make an ACL like this locally:

    ip access-list extended Onguard
    deny tcp any host x.x.x.x
    permit tcp any any


    x.x.x.x is the ClearPass IP address. I don't understand this access list, but what I can see is that I do get redirected to the page I want; the problem is that I've got access to the whole network. I can ping any server, I can even RDP to a server if I want, and that's not the idea.

    How can I fix this? Any idea?

    Carlos



  • 2.  RE: captive portal to download onguard persistant client

    Posted Sep 28, 2019 11:18 AM

    Any idea on this?

    I mean, everything I want to do is working fine.

    The only problem is that when the client is in a state where it is unhealthy or does not have OnGuard installed, I redirect him to a remediation web page where he can, for example, download the OnGuard installer if he doesn't have it (because it is the first time he logs in to the network).

    He actually has access to the whole network.

    I believe it is the Cisco ACL I've got, and I don't understand how that ACL works.

    It is denying access to ClearPass, but in practice what it does is just redirect to it; the problem is that I can RDP to any server.

    I can think of a solution, but it will take more work: create a remediation VLAN that will just have specific access to those resources I want, like ClearPass on some ports, DNS, and DHCP.

    But what I was thinking of doing is just using the same VLAN I was using, but using downloadable ACLs to restrict that access.

    Carlos



  • 3.  RE: captive portal to download onguard persistant client

    Posted Sep 28, 2019 01:37 PM

    Okay, I made it work by adding an additional policy profile, which is a downloadable ACL that tells the devices they don't have access to the internal network.

    So it works like this:

    All my ports are on a VLAN that just exists in that switch, which is a VLAN for untrusted devices.

    With ClearPass, if it authenticates correctly with 802.1X it will change the VLAN to VLAN X; then comes the downloadable ACL which tells it you just have access to this and this; then comes the rule that tells it which page it needs to redirect to, with the weird ACL I need to configure on the Cisco switch which I don't understand.

    Can someone explain to me that ACL on the Cisco switch, which is the ACL that ClearPass calls for the redirection to the captive portal?

    ip access-list extended Onguard_ACL
    deny   tcp any host 192.168.1.102
    permit tcp any any


    I would really want to understand what I'm doing here.... because I don't know.

    Carlos
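As an added illustration (not from the thread, and not HPE Aruba's or Cisco's own documentation), here are the two ACLs that play different roles in the flow described in this thread: the local redirect ACL named in the url-redirect-acl AV-pair only selects which traffic the switch intercepts and sends to the captive portal (permit = redirect, deny = pass through without redirect), so it never blocks anything, while the downloadable ACL pushed in the same RADIUS Access-Accept is what actually confines the unhealthy session. The ClearPass address 192.168.1.102 is taken from the post; the portal URL path, the DNS server 192.168.1.10 and the exact dACL entries are assumed sample values.

```cisco
! Redirect ACL, configured locally on the Cisco switch and referenced by
! the Cisco-AVPair url-redirect-acl. It is a match list, not a filter:
!   deny   = do NOT redirect (traffic is then subject only to the dACL)
!   permit = intercept and redirect to the URL in the url-redirect AV-pair
ip access-list extended Onguard_ACL
 remark Let the client reach ClearPass (portal and OnGuard download) without a redirect loop
 deny   tcp any host 192.168.1.102
 remark Only web traffic is redirected; anything else is left to the dACL
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any

! Downloadable ACL sent by ClearPass as Cisco-AVPair ip:inacl# attributes.
! This is the part that confines the unhealthy client to DHCP, DNS,
! ClearPass and the web ports that get redirected; RDP and ping to
! internal servers fall through to the final deny.
! (Assumed sample values: 192.168.1.10 is the DNS server.)
!   Cisco-AVPair = ip:inacl#1=permit udp any eq bootpc any eq bootps
!   Cisco-AVPair = ip:inacl#2=permit udp any host 192.168.1.10 eq domain
!   Cisco-AVPair = ip:inacl#3=permit tcp any host 192.168.1.102
!   Cisco-AVPair = ip:inacl#4=permit tcp any any eq www
!   Cisco-AVPair = ip:inacl#5=permit tcp any any eq 443
!   Cisco-AVPair = ip:inacl#6=deny ip any any
! Redirect attributes sent in the same Access-Accept (assumed portal path):
!   Cisco-AVPair = url-redirect-acl=Onguard_ACL
!   Cisco-AVPair = url-redirect=https://192.168.1.102/guest/onguard_remediation.php

! Switch prerequisites for dACLs and HTTP interception to take effect
ip device tracking
ip http server
ip http secure-server
```

Checking the session with `show authentication sessions interface <port> details` on the switch shows whether both the dACL and the redirect ACL were applied; if only the redirect ACL is present, the client will be redirected but not restricted, which matches the symptom described in the first post.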