ExtremeCloud IQ- Site Engine & Extreme Management Center

 View Only

 Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL)

Antonio Opromolla's profile image
Antonio Opromolla posted 05-13-2022 11:26
Hi, I'm adding a Cisco catalyst swicth 2960G with IOS version 15.0(2)SE11 to my lab environment with a x450-G2 and XIQ-SIte engine (complete of ExtremeControl engine).
I've defined the new switch in the NAC engine with the follow radius attributes:
 WS-C2960G-24TC-L   15.0(2)SE11And my Policy mapping for the role were user assume for the web authentication redirection is:
Policy Mapping
If I try to use the redirect method that use Policy Based Routing as I do for X450-G2, I've got and error that Cisco don't support CoS defined as I do in the redirect rule for EXOS:
Redirect with PBR
Another problem is that I need to define also ACL on the Redirect ACL on the Cisco switch because if I don't do the authentication fail.
ACL on switch
When the device is authenticated, is not redirected to the Extreme NAC captive portal (my ip in the lab is 192.168.30.35)
Per-User-ACL redirect
How can i do Web Redirect using Per-User-ACL method?

Thanks

Ryan Yacobucci's profile image
Ryan Yacobucci

Hello,

I have a few questions based on your screenshots.
If you check the "Authorization" column in control what was actually sent for authorization? Did Control actually send the per-user ACL lines or did it send the custom2 and customer3 AVPs which is typically what we seen when using cisco.

These custom2 and custom3 attributes use a web based redirect and not a PBR. You should only need one or the other, so if you're using the redirect ACL with URL redirect you don't need PBR to redirect as well. You won't need to redirect packets that have already been redirected to NAC URL.

If you take a packet capture on a client in this state do you see the clients web packets get a 307 Temporary Redirect with the URL you configured? 

Yes we have per-user-ACL capabilities with Cisco where we can send the ACL lines through RADIUS attributes, but you appear to not be using that by using the cisco-avipair=redirecturl attribute.

Thanks
-Ryan


Antonio Opromolla's profile image
Antonio Opromolla

Hi Ryan,

 

my intention is to use only Per-user-ACL with Cisco in my configuration, so if Custom2 and Custom3 attributes are not necessary with this method, I remove these from my configuration, but in this case I don’t know how to redirect my guest user to the NAC porta using only the Policy Roles and  services associated to my Redirect Role Profile (I’m using PBR only for the Extreme’s switches and I use the CoS in the http rule in the Policy Domain associated to these switches only).

 

Do you have and example on how use dACL with web redirect?

 

Thanks,
Antonio