Best Practices
Use the Port Bounce VSA in a CoA message, rather than a Disconnect message, to trigger the second RADIUS authentication during the Captive Portal exchange. Bouncing the port takes the link down, so the client's DHCP client restarts and the client picks up its post-authentication addressing; a Disconnect message only ends the session and does not force the client to renew. This is the more reliable method for forcing a re-DHCP for the client.
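The following is an added example, not code from the page or from HPE/Aruba: it builds and verifies the RFC 5176 CoA-Request that would carry the Port Bounce VSA, alongside the Disconnect-Request code it replaces. The vendor ID (11) and the HP-Port-Bounce-Host sub-attribute number (23) are assumptions taken from the FreeRADIUS dictionary.hp, and the session identifier, NAS address and shared secret are constructed sample values; check the numbers against the switch firmware's RADIUS dictionary before using them.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
COA_REQUEST = 43
DISCONNECT_REQUEST = 40

# Standard attribute types (RFC 2865 / RFC 2866).
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44

# ASSUMPTION: vendor ID and sub-attribute number for the port bounce VSA are
# taken from the FreeRADIUS dictionary.hp (HP-Port-Bounce-Host, integer seconds).
# Verify them against the switch firmware's RADIUS dictionary before use.
HP_VENDOR_ID = 11
HP_PORT_BOUNCE_HOST = 23


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_dynamic_auth_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request (43) or Disconnect-Request (40).

    Per RFC 5176 section 2.3 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        raise ValueError("not a dynamic authorization request code")
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def port_bounce_coa(identifier: int, session_id: str, nas_ip: str,
                    secret: bytes, hold_seconds: int = 10) -> bytes:
    """CoA-Request that identifies the session and asks the switch to bounce the port.

    Acct-Session-Id and NAS-IP-Address are session identification attributes
    RFC 5176 allows; the Port Bounce VSA is the authorization change. A
    Disconnect-Request would carry only the identification attributes and end
    the session without a link flap, which is why it does not force a re-DHCP.
    """
    attrs = (
        attr(ATTR_ACCT_SESSION_ID, session_id.encode("ascii"))
        + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + vsa(HP_VENDOR_ID, HP_PORT_BOUNCE_HOST, struct.pack("!I", hold_seconds))
    )
    return build_dynamic_auth_request(COA_REQUEST, identifier, attrs, secret)


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Validate a received CoA/Disconnect request the way the NAS does."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs; a Vendor-Specific value becomes (vendor_id, vendor_type, sub_value)."""
    out = []
    pos = 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vt, vl = struct.unpack("!BB", value[4:6])
            out.append((t, (vendor_id, vt, value[6:4 + vl])))
        else:
            out.append((t, value))
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample values; send with socket.sendto(pkt, (nas_ip, 3799)) in a real test.
    pkt = port_bounce_coa(7, "0000ABCD", "10.1.1.2", b"s3cret", hold_seconds=12)
    print(len(pkt), verify_request_authenticator(pkt, b"s3cret"), parse_attributes(pkt))
```

The Request Authenticator binds the whole packet to the shared secret, so the NAS drops a request built with the wrong secret or altered in transit; the receiver-side check is included so the same code can be pointed at captured CoA traffic when debugging why a port bounce did not fire.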
Configure Captive Portal so that the first ACCESS_ACCEPT returns a rate limit VSA to reduce the risk of DoS attacks. This configuration enables rate limiting on the HTTP/HTTPS ACL for traffic sent to ClearPass, so an unauthenticated client cannot flood the portal through the redirect rules.

Do not use the keyword cpy in any other NAS-Filter-Rules. The keyword cpy in the enforcement profile attributes is specific to ClearPass use, and it is only supported with the deny action. If you configure the cpy keyword with permit, no ACL will be applied at all, so the rule silently provides no restriction rather than failing.
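As an added example that is not part of the page or of ClearPass, the following lint checks the two constraints above on a list of enforcement profile attributes before they are pushed: cpy must only appear on a deny rule, cpy should only appear in the Captive Portal redirect profile, and the profile for the first Access-Accept should carry a rate limit VSA. Attribute names (HP-Nas-Filter-Rule, HP-Bandwidth-Max-Ingress, HP-Bandwidth-Max-Egress, HP-Captive-Portal-URL) are assumed from the FreeRADIUS dictionary.hp, and the sample profile and rule syntax are constructed for illustration.

```python
from dataclasses import dataclass

# ASSUMPTION: attribute names follow the FreeRADIUS dictionary.hp naming.
FILTER_RULE_ATTR = "HP-Nas-Filter-Rule"
RATE_LIMIT_ATTRS = ("HP-Bandwidth-Max-Ingress", "HP-Bandwidth-Max-Egress")
CPY_KEYWORD = "cpy"


@dataclass
class Finding:
    severity: str    # "error" or "warning"
    attribute: str
    message: str


def lint_filter_rule(rule: str) -> list:
    """Apply the cpy constraint to one NAS-Filter-Rule string.

    cpy is only honoured on a deny rule; on any other action the switch applies
    no ACL at all, which silently removes the intended restriction.
    """
    tokens = rule.split()
    if not tokens:
        return [Finding("error", FILTER_RULE_ATTR, "empty rule")]
    action = tokens[0].lower()
    has_cpy = CPY_KEYWORD in (t.lower() for t in tokens[1:])
    if has_cpy and action != "deny":
        return [Finding("error", FILTER_RULE_ATTR,
                        f"'{CPY_KEYWORD}' used with '{action}': no ACL will be applied: {rule!r}")]
    return []


def lint_enforcement_profile(attributes: list, captive_portal_first_accept: bool) -> list:
    """Check (attribute, value) pairs as they would appear in a ClearPass enforcement profile.

    captive_portal_first_accept marks the profile returned in the first
    Access-Accept of the Captive Portal exchange; cpy belongs only there, and
    that profile is the one that should rate limit traffic to ClearPass.
    """
    findings = []
    names = set()
    for name, value in attributes:
        names.add(name)
        if name != FILTER_RULE_ATTR:
            continue
        findings.extend(lint_filter_rule(value))
        if not captive_portal_first_accept and CPY_KEYWORD in (t.lower() for t in value.split()):
            findings.append(Finding("error", FILTER_RULE_ATTR,
                                    f"'{CPY_KEYWORD}' is specific to the Captive Portal redirect profile: {value!r}"))
    if captive_portal_first_accept and not any(a in names for a in RATE_LIMIT_ATTRS):
        findings.append(Finding("warning", " / ".join(RATE_LIMIT_ATTRS),
                                "first Access-Accept carries no rate limit VSA; redirected HTTP/HTTPS "
                                "traffic to ClearPass is not rate limited"))
    return findings


# Constructed sample profile for the first Access-Accept. The URL and the rule
# syntax are illustrative; the third filter rule is deliberately wrong.
SAMPLE_CAPTIVE_PORTAL_PROFILE = [
    ("HP-Captive-Portal-URL", "https://clearpass.example.com/guest/cp.php"),
    ("HP-Nas-Filter-Rule", "permit in udp from any to any 53"),
    ("HP-Nas-Filter-Rule", "deny in tcp from any to any 80 cpy"),
    ("HP-Nas-Filter-Rule", "permit in tcp from any to any 443 cpy"),
    ("HP-Bandwidth-Max-Ingress", "1000"),
]


if __name__ == "__main__":
    for f in lint_enforcement_profile(SAMPLE_CAPTIVE_PORTAL_PROFILE, captive_portal_first_accept=True):
        print(f.severity.upper(), f.attribute, f.message)
```

Run against the sample, the lint reports the permit ... cpy rule as an error and nothing else, because the profile already carries an ingress rate limit; the same rules passed with captive_portal_first_accept set to False are flagged for using cpy outside the redirect profile.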