Configure the URL key

You can optionally configure a URL hash key to authenticate the Captive Portal redirect exchanged between the switch and ClearPass. The key is a shared secret known to both ClearPass and the switch. When the key is configured, the switch computes an HMAC-SHA1 hash of the entire redirect URL using the key, and appends that hash to the URL that is sent to ClearPass as part of the HTTP redirect. If ClearPass is configured to check the hash, it recomputes the hash of the received URL using its own copy of the URL hash key and compares the result with the value appended by the switch. The action ClearPass takes on a match or a mismatch is determined by its own configuration.

ClearPass provides the following options:
  • Do not check - login is always permitted, regardless of the hash

  • Deny login on validation error - login is not permitted when the hash fails validation

The URL hash key is configured globally and is used for all redirects to the Captive Portal; it cannot be configured per ClearPass server or per RADIUS server. If no key is specified, no hash is added to the URL. The URL hash key is an ASCII string of at most 64 characters.
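The exchange described above, as an added example that is not part of the original page or of any Aruba or ClearPass code: the switch side computes HMAC-SHA1 over the entire redirect URL with the shared key and appends the result; the ClearPass side strips the appended value, recomputes the hash with its own copy of the key, and applies one of the two options listed above. The parameter name `hash`, the hex encoding of the digest, and the sample redirect URL and key are assumptions made for this example; the page does not state how the switch names or encodes the appended hash.

```python
import hmac
import hashlib
import re

# Assumption: the page does not state the parameter name or encoding the
# switch uses for the appended hash, so this example appends it as a
# hypothetical trailing "hash=<hex digest>" query parameter.
HASH_PARAM = "hash"
MAX_KEY_LEN = 64  # from the page: the key is an ASCII string of at most 64 characters


def _mac(url: str, key: str) -> str:
    """HMAC-SHA1 over the entire redirect URL, keyed with the shared secret."""
    if not key or len(key) > MAX_KEY_LEN or not key.isascii():
        raise ValueError("URL hash key must be a non-empty ASCII string of at most 64 characters")
    return hmac.new(key.encode("ascii"), url.encode("utf-8"), hashlib.sha1).hexdigest()


def sign_redirect_url(url: str, key: str) -> str:
    """Switch side: hash the redirect URL and append the hash as the last parameter."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{HASH_PARAM}={_mac(url, key)}"


def split_hash(signed_url: str):
    """ClearPass side: separate the appended hash (the final parameter) from the
    URL it was computed over. Returns (url, hash); hash is None when absent."""
    m = re.search(rf"[?&]{HASH_PARAM}=([0-9a-f]*)$", signed_url)
    if m is None:
        return signed_url, None
    return signed_url[:m.start()], m.group(1)


def verify_redirect_url(signed_url: str, key: str, mode: str = "deny_on_error") -> bool:
    """ClearPass side. 'do_not_check' permits login unconditionally;
    'deny_on_error' permits login only when a hash is present and matches
    the HMAC-SHA1 recomputed with ClearPass's copy of the key."""
    if mode == "do_not_check":
        return True
    if mode != "deny_on_error":
        raise ValueError("mode must be 'do_not_check' or 'deny_on_error'")
    url, received = split_hash(signed_url)
    if received is None:
        return False  # no hash appended: switch has no key configured, or it was stripped
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(_mac(url, key), received)


# Constructed sample redirect URL and key for the demo (not taken from the page).
REDIRECT_URL = ("https://clearpass.example.com/guest/login.php"
                "?cmd=login&mac=00:11:22:33:44:55&switchip=10.0.0.1")
KEY = "example-shared-secret"


def demo() -> dict:
    """Run the switch/ClearPass exchange through the cases a deployment will meet."""
    signed = sign_redirect_url(REDIRECT_URL, KEY)
    return {
        "valid": verify_redirect_url(signed, KEY),
        "wrong_key": verify_redirect_url(signed, "another-key"),
        "tampered": verify_redirect_url(signed.replace("switchip=10.0.0.1", "switchip=10.0.0.2"), KEY),
        "missing_hash_deny": verify_redirect_url(REDIRECT_URL, KEY),
        "missing_hash_no_check": verify_redirect_url(REDIRECT_URL, KEY, mode="do_not_check"),
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:24s} -> {'login permitted' if permitted else 'login denied'}")
```

Run the file directly to see which cases are permitted. The hash gives ClearPass a way to reject a redirect URL that was altered in transit (a changed switch IP or client MAC parameter, for instance) or produced by a switch that does not hold the shared key, and a key mismatch between the two sides shows up immediately as denied logins when the "Deny login on validation error" option is in effect. It does not encrypt the URL, and because it is a deterministic function of the URL and key alone, it does not by itself stop a captured, unmodified signed URL from being presented again; the "Do not check" option provides no protection at all, since login is always permitted.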

The URL hash key supports the encrypt-credentials feature (used for FIPS certification) and can optionally be stored in encrypted form so that the key does not appear in clear text in the configuration. This option is available only when encrypt-credentials is enabled globally.

To configure a plain text captive-portal URL key:
switch(config)# aaa authentication captive-portal url-hash-key plaintext <KEY>

To configure an encrypted captive-portal URL key when encrypt-credentials is enabled:
switch(config)# aaa authentication captive-portal url-hash-key encrypted <ENCRYPTED-KEY>

To clear a captive-portal URL key:
switch(config)# no aaa authentication captive-portal url-hash-key