Occasional Contributor II

clearpass cisco wired onguard with dot1x

hello everyone,


I am facing an issue deploying ClearPass OnGuard with Cisco wired URL redirect.

The customer doesn't want to push the OnGuard .msi file from AD as a GPO; they want ClearPass and Cisco to redirect users to a web login page to install the OnGuard agent.

So far, this is what we did:

We have one ClearPass connected to the core switch; we completed all wireless services and they are working fine.


We have 2 Cisco switches.

One of them is connected directly to the core switch and it works perfectly, URL-redirecting to the web login page to download OnGuard.


The second one is connected to the distribution switch; it can ping the core and ClearPass, but it doesn't redirect to the web login page.


We have created an extended access list on the L2 Cisco switch that is connected to the distribution switch, as below:

ip access-list extended cppm
 deny tcp any host <clearpass-ip>
 permit tcp any any

We've created the services and enforcement profile, as below:


One of the rules in the enforcement policy checks whether OnGuard is installed or not:


Tips:Posture EQUALS Unknown ---> onguard-redirect enforcement profile


The onguard-redirect enforcement profile is as below:

Cisco-AVPair = url-redirect-acl=cppm

Cisco-AVPair = url-redirect=https://<clearpass-ip>/web/onguard.php


The L2 switch has no gateway configured, just VLAN IDs and a trunk to the distribution switch.

Do we need to assign the core's gateway to the L2 switch?

We can see that dot1x completes in Access Tracker, but we can't redirect to the URL on the 2nd switch.

Guru Elite

Re: clearpass cisco wired onguard with dot1x

Take a look at the Solution Guide for Wired Policy Enforcement. While it doesn't directly cover OnGuard deployment, the scenario is very similar to a guest configuration.

| Tim Cappalli | Aruba Security | @timcappalli |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor II

Re: clearpass cisco wired onguard with dot1x

It's working fine with the 1st switch.


Do I need to configure the 2nd switch as an L3 switch and assign the core's gateway to it for it to work?


As it's similar to the guest scenario, and guest is an L3 deployment, right?



Re: clearpass cisco wired onguard with dot1x

I would expect a layer-2 fabric to work whether or not there's an intermediate switch. I'd look at what makes one switch different from the other.

Is the VLAN tagging the same throughout?

Default and tagged VLANs the same and passing unaltered through the trunk?


if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Occasional Contributor II

Re: clearpass cisco wired onguard with dot1x

Hi msabin,
When we tested the first switch, a MAC caching service was enabled.

Now we have disabled the MAC caching service.
Do we need to enable the MAC caching service?

All VLANs and the default VLAN on the trunk are the same, and there is no alerting on the switches.

When I type show access-list, I am only getting hits on the second rule of my extended list, which is

permit tcp any any
No hits on deny tcp any host <cppm-ip>

Re: clearpass cisco wired onguard with dot1x

Do you have the following enabled:

ip device tracking
ip dhcp snooping
ip http server
ip http secure-server
Thank you

Victor Fabian
Lead Mobility Architect @WEI
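
The OP's redirect ACL and the four prerequisites Victor lists, pulled together as an added Cisco IOS configuration example. This is not configuration from the thread, from Aruba, or from Cisco documentation; <clearpass-ip>, <shared-secret>, the interface name and the VLAN number are placeholders. It also spells out the point the OP's ACL relies on: in a Cisco URL-redirect ACL, "permit" entries select the traffic that gets intercepted and redirected, while "deny" entries exempt traffic (here, the ClearPass address itself, so the portal can be reached without looping).

```cisco
! Added example (not from the thread): minimal Cisco IOS config for wired
! 802.1X with ClearPass URL redirect. <clearpass-ip>, <shared-secret> and the
! interface/VLAN numbers are placeholders to replace with your own values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ClearPass as the RADIUS server
radius server CPPM
 address ipv4 <clearpass-ip> auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Needed so the switch honours the Cisco-AVPair url-redirect attributes
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
!
! The four prerequisites from Victor's reply: device tracking binds the
! client IP to the authenticated session, DHCP snooping feeds it, and the
! embedded HTTP/HTTPS server is what answers the intercepted request with
! the redirect. With "no ip http server" the redirect never fires.
ip device tracking
ip dhcp snooping
ip http server
ip http secure-server
!
! Redirect ACL referenced by url-redirect-acl=cppm. The logic is inverted
! compared with a filtering ACL:
!   deny   = do NOT redirect (lets the client reach ClearPass directly)
!   permit = intercept and redirect to the url-redirect URL
ip access-list extended cppm
 deny   tcp any host <clearpass-ip>
 permit tcp any any
!
! Access port: 802.1X first, fall back to MAB. The ACL name and URL are not
! configured here; ClearPass returns them in the RADIUS Access-Accept.
interface GigabitEthernet1/0/1
 description access port
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

To confirm the switch actually received and applied the redirect, "show authentication sessions interface GigabitEthernet1/0/1 details" shows the URL Redirect ACL and URL Redirect fields for the session, "show ip access-lists cppm" shows the per-entry hit counters, and "show ip http server status" confirms the HTTP server is running. On newer IOS-XE releases the legacy "ip device tracking" command is replaced by SISF "device-tracking" policies, so check which form your platform expects.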

Occasional Contributor II

Re: clearpass cisco wired onguard with dot1x

Thanks Victor,


I missed ip http server; it was set to no ip http server.


