Wireless Access


5760 controller with 3.7 code, not getting redirect page from Clear pass

  • 1.  5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Feb 02, 2015 03:37 PM

    I am trying to configure the 5760 controller to redirect to the ClearPass web page for AUTH, but some config is getting messed up and I am not getting the page.

     

    Does anyone have the complete config for the 5760? Do we need a parameter map in the 5760?

     

    Thanks

     



  • 2.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    EMPLOYEE
    Posted Feb 02, 2015 04:27 PM

    We need more details.  What are you trying to do and what have you tried to make it work?



  • 3.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Feb 02, 2015 04:36 PM

    Hi Colin,

    Attached the configs.

    I am always getting the web-auth page from the controller and not from ClearPass.

    MAC auth is working fine. But when MAC auth fails, I am supposed to get the page from ClearPass, which I am not getting; instead I am getting it from the controller.

     



  • 4.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Feb 02, 2015 04:54 PM

    Hi, I'm working here with Selvaraj.

     

    The CPPM is at version 6.4.4.7

     

    Error Code: 206
    Error Category: Authentication failure
    Error Message: Access denied by policy

    Alerts for this Request
    Policy server
      Failed to construct filter=SELECT user_id as guest_device_user FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard') AND (enabled = 't') AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP))).
      Failed to get value for attributes=[UserName]
    RADIUS
      EDR-MAC-CHECK - 9.0.44.149: User not found.
      [Endpoints Repository] - localhost: User not found.
      Applied 'Reject' profile

     

    We're seeing it reject the MAC-CHECK and expect to see it redirect to the web server.



  • 5.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Feb 02, 2015 05:57 PM

    If you have MAC caching enabled, this is normal behavior.

    Initially the MAC auth will fail when the MAC address of the device is unknown to ClearPass, and then it will be redirected to the captive portal.

     

    On the Cisco Controller you need to do the following:

    - Layer 2 needs to be Mac auth Filtering

    - Layer 3 enabled Web policy Authentication 

      - Enabled ACL override 

      - Assign the Preauth ACL

      - Type the URL redirect of guest captive portal page (https://<clearpassserver>/guest/<pagename>.php)

     

    On ClearPass you need the following:

    - Create two services from the template: Guest Mac Auth

    - Also Set the reject packet delay to "0" 


     

     

     

     



  • 6.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Feb 03, 2015 11:37 AM

    OK. I think I got it nailed with Cisco TAC. Here is the URL I got from the Cisco engineer.

     

    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116877-technote-wlan-00.html#anc16

     

    He helped me get this working to some level. I am still trying for the full working config of MAC-filter + web-auth. Once I have this, I will send the full template here.



  • 7.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Feb 04, 2015 12:00 PM


    ! AAA method lists (LOG-AUTH and NET-AUTH use the ClearPass RADIUS group)
    aaa new-model
    aaa session-id common
    !
    aaa authentication login default group tacacs+ local
    !
    aaa authentication login LOG-AUTH group ClearPass-RADIUS
    aaa authorization network NET-AUTH group ClearPass-RADIUS
    aaa authorization network LOG-AUTH group ClearPass-RADIUS
    !
    ! ClearPass RADIUS servers and server group
    radius server Clearpass1
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     key 7 passwd
    !
    radius server Clearpass2
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     key 7 passwd
    !
    aaa group server radius ClearPass-RADIUS
     server name Clearpass1
     server name Clearpass2
     subscriber mac-filtering security-mode mac
    !
    ! WLAN: open SSID, MAC filtering first, web-auth on MAC filter failure
    wlan SSID-LAB 23 SSID-LAB
     band-select
     client vlan default-non-usable
     no exclusionlist
     ip access-group web ACL-REDIRECT
     mac-filtering NET-AUTH
     peer-blocking drop
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     no security ft over-the-ds
     security web-auth
     security web-auth authentication-list LOG-AUTH
     security web-auth on-macfilter-failure
     security web-auth parameter-map LOG-Redirect
     session-timeout 1800
     no shutdown
    !
    ! Web-auth parameter maps: global virtual IP, then the redirect to the ClearPass guest page
    parameter-map type webauth global
     virtual-ip ipv4 172.16.253.253
     max-http-conns 200
    !
    parameter-map type webauth LOG-Redirect
     type webauth
     redirect for-login https://<Clear pass IP>/guest/cisco.php
     redirect portal ipv4 <Clear pass IP>
    !
    ! Pre-auth ACL: permit DHCP, DNS and traffic to and from ClearPass
    ip access-list extended ACL-REDIRECT
     permit udp any eq bootps any
     permit udp any any eq bootpc
     permit udp any eq bootpc any
     permit udp any any eq domain
     permit udp any eq domain any
     permit ip any host <Clear pass IP>
     permit ip host <Clear pass IP> any

     

     

    This is the config I am using. Unfortunately, I get the web page from ClearPass, and the pre-auth works from ClearPass, but the web-auth is not going to ClearPass and is looping back and forth on the virtual IP in the 5760. Since the web-auth is timing out from ClearPass, it is not succeeding and is looping back to authentication.
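
An added example, not part of the thread and not Cisco or Aruba tooling: a small Python check that the WLAN in a config like the one posted above refers to objects that exist (AAA method lists, the web-auth parameter map, the pre-auth ACL) and that the ACL permits traffic to and from the portal address. The sample is a constructed, trimmed copy of the posted stanzas with 192.0.2.10 standing in for `<Clear pass IP>`; `stanzas` and `check_webauth` are hypothetical helper names.

```python
# Constructed sample: trimmed copy of the stanzas posted above, with
# 192.0.2.10 (documentation address) standing in for <Clear pass IP>.
SAMPLE = """\
aaa authentication login LOG-AUTH group ClearPass-RADIUS
aaa authorization network NET-AUTH group ClearPass-RADIUS
wlan SSID-LAB 23 SSID-LAB
 ip access-group web ACL-REDIRECT
 mac-filtering NET-AUTH
 security web-auth authentication-list LOG-AUTH
 security web-auth parameter-map LOG-Redirect
parameter-map type webauth LOG-Redirect
 redirect for-login https://192.0.2.10/guest/cisco.php
 redirect portal ipv4 192.0.2.10
ip access-list extended ACL-REDIRECT
 permit ip any host 192.0.2.10
 permit ip host 192.0.2.10 any
"""

def stanzas(text):  # top-level config line -> indented lines under it
    out, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def check_webauth(text, wlan):
    """Return findings for the objects one WLAN's web-auth config refers to."""
    cfg, issues = stanzas(text), []
    body = next((v for k, v in cfg.items() if k.startswith(f"wlan {wlan} ")), None)
    if body is None:
        return [f"wlan {wlan} not found"]
    def arg(prefix):  # value following a keyword inside the wlan stanza
        return next((l[len(prefix):].strip() for l in body if l.startswith(prefix)), None)
    for kind, name in (("authentication login", arg("security web-auth authentication-list")),
                       ("authorization network", arg("mac-filtering"))):
        if not any(k.startswith(f"aaa {kind} {name} ") for k in cfg):
            issues.append(f"aaa {kind} list {name} not defined")
    pmap = cfg.get(f"parameter-map type webauth {arg('security web-auth parameter-map')}", [])
    portal = next((l.split()[-1] for l in pmap if l.startswith("redirect portal ipv4 ")), None)
    if portal is None or not any(l.startswith("redirect for-login ") for l in pmap):
        issues.append("parameter-map lacks redirect for-login or redirect portal")
    acl = cfg.get(f"ip access-list extended {arg('ip access-group web')}", [])
    for rule in (f"permit ip any host {portal}", f"permit ip host {portal} any") if portal else ():
        if rule not in acl:
            issues.append(f"pre-auth ACL lacks: {rule}")
    return issues
```

An empty list from `check_webauth(SAMPLE, "SSID-LAB")` means only that the references are consistent; it does not exercise the RADIUS exchange or the portal login itself.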



  • 8.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Nov 17, 2015 03:10 PM

    I am also facing the same issue. Did you get this fixed?

     

    Regards

    Nikhil



  • 9.  RE: 5760 controller with 3.7 code, not getting redirect page from Clear pass

    Posted Nov 18, 2015 10:37 PM

    No,

     

    I switched to a Cisco ISE box, and all worked for me. I was not able to test any further with ClearPass.

    Sorry about it.