My intention is to use only Per-user-ACL with Cisco in my configuration, so if the Custom2 and Custom3 attributes are not necessary with this method, I will remove them from my configuration. But in this case I don't know how to redirect my guest user to the NAC portal using only the Policy Roles and services associated with my Redirect Role Profile (I'm using PBR only for the Extreme switches, and I use the CoS in the http rule in the Policy Domain associated with these switches only).
Do you have an example of how to use dACL with web redirect?
I have a few questions based on your screenshots.
If you check the "Authorization" column in Control, what was actually sent for authorization? Did Control actually send the per-user ACL lines, or did it send the custom2 and custom3 AVPs, which is typically what we see when using Cisco?
These custom2 and custom3 attributes use a web-based redirect and not PBR. You should only need one or the other, so if you're using the redirect ACL with URL redirect you don't need PBR to redirect as well. You won't need to redirect packets that have already been redirected to the NAC URL.
If you take a packet capture on a client in this state, do you see the client's web packets get a 307 Temporary Redirect with the URL you configured?
Yes, we have per-user-ACL capabilities with Cisco where we can send the ACL lines through RADIUS attributes, but you appear to not be using that by using the cisco-avpair=redirecturl attribute.