NOTE: Create the Bounce Host-Port profile and the Guest Login profile only if they do not already exist.
For the Bounce Host-Port profile, configure Captive Portal so that the RADIUS CoA message that includes the Port Bounce VSA is sent to force the second RADIUS re-authentication after the user registers their device and makes it known.
Procedure
1. In ClearPass, go to Configuration -> Enforcement -> Profiles.
2. Click Add.
3. Enter the Profile Name: HPE Bounce Host-Port
4. Enter the Description: Custom-defined profile to bounce host port (HPE).
5. Select the type RADIUS_CoA.
6. Select the action CoA.
7. Add all of the attributes required for a CoA message, and specify the port bounce duration (valid values are between 0 and 60). This is the amount of time in seconds the port will be held in the down state. The recommended setting is 12 seconds.
8. Repeat Step 2 to Step 6 to configure the Guest Login profile that will be sent as part of the first RADIUS Access-Accept and enforce the redirect to the Captive Portal on ClearPass. For this profile, select RADIUS as the type and Accept as the action.
9. Add all of the NAS-Filter-Rule attributes specified below, replacing the IP address in the first two NAS-Filter-Rule attributes with your ClearPass address. Add the HPE-Captive-Portal-URL attribute to specify the redirect URL, replacing the IP address with your ClearPass address. This will cause the client to be redirected to the Captive Portal on ClearPass. You can add other attributes, such as a VLAN to isolate onboarding clients, or a rate limit to help prevent DoS attacks.
NOTE: The HPE-Captive-Portal-URL value must be a URL-normalized string. The scheme and host must be in lower case, for example http://www.example.com/.
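The following check is an added example, not part of the original procedure or of any HPE or ClearPass tooling. It tests a candidate HPE-Captive-Portal-URL value against the lower-case scheme and host rule in the NOTE, and a port bounce duration against the 0 to 60 second range, before the values are typed into the profiles. The function names, the restriction to http/https, and the sample values are assumptions made for illustration.

```python
import re

BOUNCE_MIN, BOUNCE_MAX = 0, 60  # valid port bounce duration in seconds (from the procedure)

# scheme://[userinfo@]host[:port], then everything else, which is kept verbatim
_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#@]*@)?([^/?#@]+)(.*)$", re.S)


def normalize_portal_url(url: str) -> str:
    """Lower-case the scheme and host only; userinfo, path and query stay as written."""
    m = _URL.match(url)
    if not m:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme, userinfo, hostport, rest = m.groups()
    if scheme.lower() not in ("http", "https"):  # assumption: portal is served over HTTP(S)
        raise ValueError(f"unexpected scheme in {url!r}")
    return f"{scheme.lower()}://{userinfo or ''}{hostport.lower()}{rest}"


def check_profile(portal_url: str, bounce_seconds: int) -> list[str]:
    """Return a list of problems; an empty list means both values are acceptable."""
    problems = []
    try:
        fixed = normalize_portal_url(portal_url)
        if fixed != portal_url:
            problems.append(f"HPE-Captive-Portal-URL should be {fixed!r}")
    except ValueError as exc:
        problems.append(str(exc))
    if not BOUNCE_MIN <= bounce_seconds <= BOUNCE_MAX:
        problems.append(f"port bounce duration {bounce_seconds} is outside "
                        f"{BOUNCE_MIN}-{BOUNCE_MAX} seconds")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    for url, secs in [("http://192.0.2.10/guest/login.php", 12),
                      ("HTTP://CPPM.Example.COM/Guest/Login.php?Mac=AA", 90)]:
        print(url, secs, check_profile(url, secs) or "OK")
```

Only the scheme and host are lower-cased; the path and query are left as written because they can be case-sensitive on the server.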