Clearpass onboard with Cisco WLC 2500 controller


We have ClearPass 6.6.8 and we configured a Cisco WLC 2500 controller as well.

ClearPass: 802.1X + OnGuard service configured, with Cisco-AVpair = Url-redirect=Http and Cisco-AVpair-acl=PreAuth


Cisco WLC: We configured ACL(PreAuth) = --> and --> permit

       Deny -->

 Layer3 Security = we apply conditional redirect and apply ACL


My Concern:

When the user tries to connect to the AP:

1: 802.1X authenticated - OK

2: Connected to SSID - OK

3: ClearPass will do the redirect to the OnGuard download - OK

4: Access to the Internet is denied

Because of the ACL on the WLC, I can't access the Internet (deny>


Moreover, if I opened the ACL as Permit on the WLC.  -> permit


Please find my observation:

1: 802.1X authenticated - OK

2: Connected to SSID - OK

3: ClearPass will not do the redirect to the OnGuard download - NOK

But because of the ACL on the WLC, there is access to the Internet.

The WLC permits the traffic and forwards it to the firewall.


"Cisco WLC does not offer hostname based ACL rules such as Aruba so it is not possible to restrict access to only Google Play's hostnames, "android.clients.google.com" and "ggpht.com".  The effect of allowing Google's entire address range is that users in the pre-onboard ACL will not redirect to the captive portal page if they request any Google-owned web addresses such as google.com and gmail.com.  These requests will go straight through the firewall as allowed."


In my case this happened. My need is that the user should get the redirect page for OnGuard according to the service; if the user is healthy, they should get Internet access directly.


Could you please provide a solution for this issue?



Vishesh Anand
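
The behaviour described in the post, as an added example that is not part of the original post or any vendor code: a simplified Python model of a pre-auth ACL where permitted traffic is forwarded and only denied HTTP is redirected. All addresses are constructed documentation ranges, the function and ACL names are hypothetical, and the model assumes first-match evaluation with an implicit deny and redirect interception on port 80 only.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not from the post.
CLEARPASS = "192.0.2.10"   # hypothetical ClearPass server address
DNS = "192.0.2.53"         # hypothetical DNS server address
WEB = "203.0.113.80"       # hypothetical Internet web server

def decide(acl, dst_ip, dst_port):
    """Simplified pre-auth ACL model (assumption): first match wins, implicit deny.
    Permitted traffic is forwarded; denied HTTP is redirected; the rest is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    action = "deny"
    for rule_action, network, port in acl:
        if dst in ipaddress.ip_network(network) and port in (None, dst_port):
            action = rule_action
            break
    if action == "permit":
        return "forward"
    return "redirect" if dst_port == 80 else "drop"

# Narrow ACL: only the posture server and DNS are permitted before the client is healthy.
NARROW_ACL = [
    ("permit", CLEARPASS + "/32", None),
    ("permit", DNS + "/32", 53),
]
# "Opened" ACL: a trailing permit-any, as in the second observation in the post.
OPEN_ACL = NARROW_ACL + [("permit", "0.0.0.0/0", None)]
# Range ACL: a whole address block permitted because hostname rules are unavailable.
RANGE_ACL = NARROW_ACL + [("permit", "198.51.100.0/24", None)]

def summarize(acl):
    """Return the fate of the four flows that matter during posture checking."""
    return {
        "clearpass_https": decide(acl, CLEARPASS, 443),
        "dns": decide(acl, DNS, 53),
        "internet_http": decide(acl, WEB, 80),
        "internet_https": decide(acl, WEB, 443),
    }

if __name__ == "__main__":
    for name, acl in (("narrow", NARROW_ACL), ("open", OPEN_ACL), ("range", RANGE_ACL)):
        print(name, summarize(acl), decide(acl, "198.51.100.7", 80))
```

In this model the permit-any rule forwards every flow, so no HTTP request is ever left to redirect, and the permitted range bypasses the redirect for every host inside it.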
