Configure the URL key
You can optionally configure a URL hash key to provide some security for the Captive Portal exchange with ClearPass. The key is a shared secret between ClearPass and the switch. When the key is configured, the switch generates an HMAC-SHA1 hash of the entire redirect URL and appends the hash to the URL that is sent to ClearPass as part of the HTTP redirect. If ClearPass is configured to check the hash, it generates the hash of the URL using its own copy of the URL hash key and compares the result against the value provided by the switch. The action ClearPass takes on a match or mismatch is determined by what is configured on ClearPass:
Do not check - login will always be permitted
Deny login on validation error - login will not be permitted
The URL hash key is configured globally and is used for all redirects to Captive Portal. It cannot be configured per ClearPass or RADIUS server. If the key is not specified, the hash is not added to the URL. The URL hash key is an ASCII string with a maximum length of 64 characters.
The URL key supports the FIPS certification feature encrypt-credentials and can optionally be encrypted for more robust security. This option is only available when the global encrypt-credentials is enabled.
switch(config)# aaa authentication captive-portal url-hash-key plaintext <KEY>
switch(config)# aaa authentication captive-portal url-hash-key encrypted <ENCRYPTED-KEY>
switch(config)# no aaa authentication captive-portal url-hash-key
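The sign-and-verify exchange described above, sketched in Python as an added example (not code from the switch or from ClearPass). The query parameter name `hash`, the hex encoding of the digest, the mode labels, and the sample URL and key are assumptions made for illustration; the page does not specify them.

```python
import hashlib
import hmac

MAX_KEY_LEN = 64     # from the page: ASCII string, at most 64 characters
HASH_PARAM = "hash"  # assumption: the page does not name the parameter
# Constructed sample redirect URL (host and parameters are illustrative).
SAMPLE_URL = "https://portal.example.com/guest/login.php?mac=aa:bb:cc:dd:ee:ff&ip=192.0.2.10"


def _key_bytes(key: str) -> bytes:
    """Enforce the key format the page states before using it."""
    if not key or len(key) > MAX_KEY_LEN or not key.isascii():
        raise ValueError("URL hash key must be 1-64 ASCII characters")
    return key.encode("ascii")


def _digest(url: str, key: str) -> str:
    return hmac.new(_key_bytes(key), url.encode("utf-8"), hashlib.sha1).hexdigest()


def sign_redirect(url: str, key: str) -> str:
    """Switch side: hash the entire redirect URL, then append the hash."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{HASH_PARAM}={_digest(url, key)}"


def verify_redirect(signed_url: str, key: str) -> bool:
    """Portal side: recompute the hash with the local key and compare."""
    base, marker, received = signed_url.rpartition(f"{HASH_PARAM}=")
    if not marker or len(base) < 2 or base[-1] not in "?&":
        return False  # no hash was appended, so nothing can be validated
    expected = _digest(base[:-1], key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


def login_permitted(signed_url: str, key: str, mode: str) -> bool:
    """Model the two ClearPass actions listed on the page (mode names are labels)."""
    if mode == "do-not-check":
        return True  # login is always permitted
    return verify_redirect(signed_url, key)  # deny login on validation error
```

With "Do not check" selected, a modified URL is still accepted, so the hash only protects the exchange when ClearPass is set to deny login on validation error and both sides hold the same key.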