Posted on March 29, 2021 9:32 am
 |  Asked by Karthik Reddy Katamreddy

We are trying to implement dot1x on the wired network with Aruba ClearPass as the authentication server. It's working fine for the corporate devices, but for the guest devices, where we need the users to get the captive portal for registration, it's not working. It hits the right service on ClearPass and is sending the attributes to the switch, but I didn't see any redirect on the end device.

What are the correct attributes to be sent to the Arista switch from ClearPass for the redirection page and URL? PFA. And is there anything that needs to be enabled on the switch for the captive portal?

Device details:

Arista CCS-720XP-48ZC2-F

Software image version: 4.25.2F

Switch config:

aaa authentication login default local group clearpass
aaa authentication enable default local group clearpass
aaa authentication dot1x default group clearpass
aaa authorization exec default local group clearpass
aaa authorization commands all default local group clearpass
aaa accounting exec default start-stop group clearpass
aaa accounting system default start-stop group clearpass
aaa accounting commands all default start-stop group clearpass

interface Ethernet5
description *** test dot1x ***
switchport access vlan 551
spanning-tree portfast
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host authenticated
dot1x mac based authentication host-mode common
dot1x timeout tx-period 10
dot1x timeout reauth-period server
dot1x reauthorization request limit 5
!
dot1x system-auth-control

IP Access List clearpass-redirect
10 deny ip any host 10.x.x.x
20 permit tcp any any eq www
30 permit tcp any any eq https

Posted by Miguel Balagot
Answered on March 30, 2021 2:01 pm

Hello,

A couple of assumptions about your testing: you're using the same device for 1x and captive portal authentication, you've applied ip helper-address on VLAN 551, and your DHCP server is external to the switch. Try the following.

  1. Add DHCP and DNS services to your ip access-list clearpass-redirect.
  2. The same test device may already have its ARP entry on the switch. You may want to clear the ARP cache in order to test the same device on 1x and captive portal authentication. Be careful with clearing the ARP cache in a production network, as the clients will broadcast to resolve MAC/IP mappings. In a test environment, this has a very minimal disruptive effect.
  3. If you're using ClearPass as the captive portal server, check to ensure the web login page is correctly configured with the correct redirection method.
Posted by Miguel Balagot
Answered on April 5, 2021 2:57 pm

Hello,

Ensure that you also enable captive portal <URL> and associate the clearpass-redirect access-list to the captive portal sub-command.
