Best Practices

  • Use the Port Bounce VSA via a CoA message, rather than a Disconnect message, to trigger the second RADIUS authentication during the Captive Portal exchange. This is the more reliable way to force the client to re-DHCP.

  • Configure Captive Portal so that the first ACCESS_ACCEPT returns a rate limit VSA, which reduces the risk of DoS attacks. This enables rate limiting on the HTTP/HTTPS ACL for traffic sent to ClearPass.

  • Do not use the keyword cpy in any other NAS-Filter-Rules. The cpy keyword in the enforcement profile attributes is specific to ClearPass Captive Portal use, and it is only supported with the deny action. If you use cpy with a permit rule, no ACL will be applied.
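A small pre-deployment check for the last two points above, written as an added example (not ClearPass or Aruba code): it scans NAS-Filter-Rule values per enforcement profile and flags cpy used with permit (no ACL applied) and cpy appearing in any profile other than the Captive Portal one. The rule syntax `<permit|deny> in <protocol> from <src> to <dst> [port] [cpy]`, the profile names and the ClearPass address are assumptions, not taken from the page.

```python
"""Lint ClearPass enforcement-profile NAS-Filter-Rules for misuse of the cpy keyword.

Assumptions (not from the page): rules follow the shape
  "<permit|deny> in <protocol> from <src> to <dst> [port] [cpy]"
and the Captive Portal enforcement profile is identified by name.
"""
import re

RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+in\s+\S+\s+from\s+\S+\s+to\s+\S+"
    r"(?:\s+\d+)?(?P<cpy>\s+cpy)?\s*$"
)

# Constructed sample: profile name -> NAS-Filter-Rule values (10.0.0.5 stands in for ClearPass).
SAMPLE_PROFILES = {
    "CP-Redirect": [
        "permit in tcp from any to 10.0.0.5 443",
        "deny in tcp from any to any 80 cpy",
        "deny in tcp from any to any 443 cpy",
        "permit in tcp from any to any 443 cpy",   # mistake: cpy with permit
    ],
    "Guest-Printer": [
        "deny in tcp from any to any 80 cpy",      # mistake: cpy outside the CP profile
        "permit in ip from any to any",
    ],
}


def check_cpy_usage(profiles, captive_portal_profile):
    """Return (profile, rule_no, issue, rule) for every rule that misuses cpy."""
    findings = []
    for name, rules in profiles.items():
        for no, rule in enumerate(rules, start=1):
            m = RULE_RE.match(rule.strip())
            if m is None:
                findings.append((name, no, "unparsed-rule", rule))
                continue
            if not m.group("cpy"):
                continue  # no cpy keyword: nothing to check
            if name != captive_portal_profile:
                findings.append((name, no, "cpy-outside-captive-portal", rule))
            elif m.group("action") != "deny":
                findings.append((name, no, "permit-with-cpy", rule))
    return findings


if __name__ == "__main__":
    for profile, no, issue, rule in check_cpy_usage(SAMPLE_PROFILES, "CP-Redirect"):
        print(f"{profile} rule {no}: {issue}: {rule}")
```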