topic Re: Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL) in ExtremeCloud IQ- Site Engine Management Center

Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL)

Antonio_Opromol — Fri, 13 May 2022 18:26:58 GMT

Hi, I'm adding a Cisco catalyst swicth 2960G with IOS version 15.0(2)SE11 to my lab environment with a x450-G2 and XIQ-SIte engine (complete of ExtremeControl engine).
I've defined the new switch in the NAC engine with the follow radius attributes:

And my Policy mapping for the role were user assume for the web authentication redirection is:

If I try to use the redirect method that use Policy Based Routing as I do for X450-G2, I've got and error that Cisco don't support CoS defined as I do in the redirect rule for EXOS:

Another problem is that I need to define also ACL on the Redirect ACL on the Cisco switch because if I don't do the authentication fail.

When the device is authenticated, is not redirected to the Extreme NAC captive portal (my ip in the lab is 192.168.30.35)

How can i do Web Redirect using Per-User-ACL method?

Thanks

Re: Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL)

Ryan_Yacobucci — Mon, 16 May 2022 03:59:23 GMT

Hello,

I have a few questions based on your screenshots.
If you check the "Authorization" column in control what was actually sent for authorization? Did Control actually send the per-user ACL lines or did it send the custom2 and customer3 AVPs which is typically what we seen when using cisco.

These custom2 and custom3 attributes use a web based redirect and not a PBR. You should only need one or the other, so if you're using the redirect ACL with URL redirect you don't need PBR to redirect as well. You won't need to redirect packets that have already been redirected to NAC URL.

If you take a packet capture on a client in this state do you see the clients web packets get a 307 Temporary Redirect with the URL you configured?

Yes we have per-user-ACL capabilities with Cisco where we can send the ACL lines through RADIUS attributes, but you appear to not be using that by using the cisco-avipair=redirecturl attribute.

Thanks
-Ryan

Re: Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL)

Antonio_Opromol — Mon, 16 May 2022 12:33:03 GMT

Hi Ryan,

my intention is to use only Per-user-ACL with Cisco in my configuration, so if Custom2 and Custom3 attributes are not necessary with this method, I remove these from my configuration, but in this case I don’t know how to redirect my guest user to the NAC porta using only the Policy Roles and services associated to my Redirect Role Profile (I’m using PBR only for the Extreme’s switches and I use the CoS in the http rule in the Policy Domain associated to these switches only).

Do you have and example on how use dACL with web redirect?

Thanks,
Antonio

Re: Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL)

Antonio_Opromol — Thu, 26 May 2022 23:05:44 GMT

I Ryan,

now web redirection with Per-User-ACL works in my lab.
My access ports are configured as:
interface GigabitEthernet0/x
switchport access vlan 10
switchport mode access

and the uplink port between my cisco and x450-g2 is
interface GigabitEthernet0/1
description "Uplink with X450-G2 port 16"
switchport trunk native vlan 10
switchport mode trunk

If I use the VLAN 10 in my policy mapping for the Policy Role, and all works well, in the sense that the web redirection works well, and also if I connect with a user with a policy role in where I set a different VLAN, this is correctly set in the port.
But If I use a different VLAN in the Policy role used for the web redirection (for example a different on-boarding vlan that is not the native VLAN defined in my trunk uplink interface) , the redirection on cisco switch in this case don't work.
Any ideas?
Thanks

Re: Web Redirect to captive portal for Cisco switch with Per-User-ACL (dACL)

Antonio_Opromol — Wed, 01 Jun 2022 16:04:01 GMT

Solved.
The problem was my http server on cisco switch with no ip address on the non default vlan ...giving an IP the redirect works.