Central Web Authentication (CWA) for guests with ISE


Fri, 11/06/2015 - 11:14
Aug 11th, 2012



Introduction


There are multiple ways of doing Web Authentication on the WLC. The first one is Local Web Authentication (LWA). In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches these credentials (sent back via an HTTP GET request in the case of an external server) and performs a RADIUS authentication. For guest users, we need an external server (like ISE or NGS), as the portal can provide features like device registration, self-provisioning, etc.


The flow would be the following:

-User associates to the Web Auth SSID
-User starts their browser
-The WLC redirects to the guest portal (ISE/NGS)
-The user authenticates on the portal
-The guest portal redirects back to the WLC with the credentials entered
-The WLC authenticates the guest user via RADIUS
-The WLC redirects back to the original URL.


That makes a lot of redirections. The new approach is to use Central Web Authentication (CWA). This works with ISE > 1.1 and WLC > 7.2.


The flow in this case would be:

-User associates to the Web Auth SSID
-User starts their browser
-The WLC redirects to the guest portal (ISE)
-The user authenticates on the portal
-The ISE sends a RADIUS Change of Authorization (CoA, UDP port 3799) to tell the controller that the user is valid, and optionally pushes RADIUS attributes (an ACL, for example)
-The user is prompted to retry their original URL
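As an added illustration of the CoA step above (example code written for this page, not anything from Cisco ISE or the WLC), the following Python encodes a RADIUS CoA-Request as defined in RFC 5176, derives its Request Authenticator from the RADIUS shared secret, and verifies a received packet the way the controller must before it acts on it. The shared secret, session id, MAC address and cisco-av-pair text are constructed values; the av-pair string is an assumption about what a reauthentication CoA carries.

```python
"""RADIUS Change of Authorization (CoA), RFC 5176: the packet ISE sends to the
WLC on UDP/3799 once the guest has authenticated on the portal.

Added example, not code from the page. Encodes a CoA-Request, computes the
Request Authenticator with the shared secret, and verifies a received packet
the way the NAS must. Secret, session id, MAC and av-pair text are constructed."""
import hashlib
import hmac
import struct
from typing import List, Tuple

COA_REQUEST = 43                 # RFC 5176 packet code for CoA-Request
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
VENDOR_CISCO = 9                 # IANA enterprise number of Cisco
CISCO_AVPAIR = 1                 # cisco-av-pair sub-attribute type


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: type (1 octet), length (1 octet incl. header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(ident: int, secret: bytes, session_id: str, mac: str,
                      avpairs: List[str]) -> bytes:
    """Build a CoA-Request that targets one session by Acct-Session-Id and MAC."""
    attrs = attr(ATTR_ACCT_SESSION_ID, session_id.encode())
    attrs += attr(ATTR_CALLING_STATION_ID, mac.encode())
    for av in avpairs:
        attrs += cisco_avpair(av)
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: the Request Authenticator must equal the one
    recomputed with the local copy of the shared secret. Only then should the
    NAS act on the request (reauthenticate / apply the pushed attributes)."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the 20-octet header; reject malformed lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_coa_request(7, secret, "0a0a0a0a00000005", "00-11-22-33-44-55",
                            ["subscriber:command=reauthenticate"])  # av-pair text assumed
    print("valid with correct secret:", verify_coa_request(pkt, secret))
    print("valid with wrong secret:  ", verify_coa_request(pkt, b"other"))
```

The shared secret configured on the WLC for the ISE (with RFC 3576 support enabled) is what makes this check possible; a CoA that fails the authenticator is silently ignored by the controller, which is why a secret mismatch shows up as "the client never leaves POSTURE_REQD" rather than as an error on the ISE side.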


Setup Used




[Image: Presentation2.png]

The versions used are:

ISE: 1.1.1.268

WLC: 7.2.110.0


WLC Configuration


The WLC configuration is pretty straightforward. We use a "trick" (the same as on switches) to get the dynamic authentication URL from the ISE: as CWA relies on CoA, a session needs to exist, and the session ID is part of the redirect URL. We need to configure the SSID to use MAC Filtering, and we will configure the ISE to return an Access-Accept even if the MAC address is not found, so that it sends the redirection URL for all users.


In addition to this, we need to enable Radius NAC and AAA Override. Radius NAC allows the ISE to send a CoA request to indicate that the user is now authenticated and can access the network. It is also used for posture assessment, in which case the ISE changes the user's profile based on the posture result.


We also need to be sure that the RADIUS server has RFC 3576 (CoA) support enabled, which is the default.

[Image: WLC_Rad.png]

[Image: WLAN_New.png]

[Image: WLAN_Sec.png]

[Image: WLAN_Rad.png]

[Image: WLAN_Adv.png]



The final step is to create a redirect ACL. This ACL will be referenced in the Access-Accept sent by the ISE and defines which traffic should be redirected (denied by the ACL) and which should not (permitted by the ACL). Basically, we need to permit DNS and traffic to/from the ISE.

[Image: WLC_ACL.png]
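To make the permit/deny semantics concrete, here is an added Python model of how the WLC treats a redirect ACL for a client that is still waiting for web authentication (example code written for this page, not WLC code or ACL syntax): permitted flows pass, denied HTTP is redirected to the portal, and anything else that is denied is dropped. The ISE address, guest addresses and rule set are constructed, and the model ignores the ACL direction field. The check_redirect_acl function reports the two permits the text calls out when they are missing.

```python
"""Redirect ACL semantics on the WLC, as an added example (not from the page).
While a client sits in the web-auth-required state, traffic the ACL permits
flows normally, HTTP the ACL denies is redirected to the portal URL, and any
other denied traffic is dropped. ISE address, client addresses and the rule
set are constructed; rules are (protocol, source, destination, destination
port, action) with "any" wildcards, not WLC syntax."""
import ipaddress
from typing import List, Optional, Tuple

ISE_IP = "192.0.2.10"          # constructed address of the ISE policy node

Rule = Tuple[str, str, str, Optional[int], str]

REDIRECT_ACL: List[Rule] = [
    ("udp", "any", "any", 53, "permit"),       # DNS must resolve the portal name
    ("any", "any", ISE_IP, None, "permit"),    # client -> ISE (portal on 8443)
    ("any", ISE_IP, "any", None, "permit"),    # ISE -> client
    ("any", "any", "any", None, "deny"),       # everything else: redirect/drop
]


def _match_addr(pattern: str, address: str) -> bool:
    """'any', a host address, or a CIDR prefix."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def lookup(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match ACL evaluation with the implicit deny a real ACL has."""
    for r_proto, r_src, r_dst, r_port, action in acl:
        if r_proto not in ("any", proto):
            continue
        if not _match_addr(r_src, src) or not _match_addr(r_dst, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"


def disposition(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """What happens to one client flow while the client is in WEBAUTH_REQD / POSTURE_REQD."""
    if lookup(acl, proto, src, dst, dport) == "permit":
        return "pass"                       # bypasses the redirect entirely
    if proto == "tcp" and dport == 80:
        return "redirect"                   # intercepted, HTTP redirect to the portal URL
    return "drop"                           # e.g. HTTPS to the internet (see the thread)


def check_redirect_acl(acl: List[Rule], ise_ip: str) -> List[str]:
    """Pre-deployment sanity check for the permits the text calls out."""
    client = "10.10.10.25"                  # constructed guest address
    problems = []
    if lookup(acl, "udp", client, "198.51.100.53", 53) != "permit":
        problems.append("DNS is not permitted; the client cannot resolve the portal hostname")
    if lookup(acl, "tcp", client, ise_ip, 8443) != "permit":
        problems.append("client to ISE :8443 is not permitted; the portal is unreachable")
    if lookup(acl, "tcp", ise_ip, client, 49152) != "permit":
        problems.append("ISE to client is not permitted; portal replies are dropped")
    return problems


if __name__ == "__main__":
    guest = "10.10.10.25"
    for flow in [("udp", guest, "198.51.100.53", 53), ("tcp", guest, ISE_IP, 8443),
                 ("tcp", guest, "203.0.113.80", 80), ("tcp", guest, "203.0.113.80", 443)]:
        print(flow, "->", disposition(REDIRECT_ACL, *flow))
    print("problems:", check_redirect_acl(REDIRECT_ACL, ISE_IP))
```

Run the check against an ACL that forgot the DNS line and it returns one problem, which is exactly the "be careful to have DNS set up correctly" failure from the test section: the redirect is issued, but the browser cannot resolve the ISE hostname in it.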



Everything is now complete on the WLC. Let's configure the ISE.


ISE Configuration


On the ISE, we need to create an authorization profile, and then we can configure authentication and authorization. The WLC should already be configured as a network device.


In the authorization profile, we need to put the name of the ACL that was created earlier on the WLC:

[Image: ISE_Author_Pf.png]



Now, we need to make sure the ISE accepts all the MAC authentications from the WLC and returns the profile:

[Image: ISE_Auth.png]



We can use the built-in Wireless_MAB condition, which matches:

-Radius:Service-Type equals Call Check (MAC authorization uses Call Check on WLCs and switches)
-Radius:NAS-Port-Type equals Wireless - IEEE 802.11


Now, we need to configure the authorization. One important thing to understand is that there will be two authentication/authorization passes:

-One when the user associates to the SSID, where we need to return the CWA profile
-Another when the user authenticates on the web portal. In my setup this one matches the default rule (internal users); you can configure it as you want. What is important is that the authorization for this second pass does not match the CWA profile again, otherwise we would have a redirection loop. We can use the attribute "Network Access:UseCase Equals Guest Flow" to match this second authentication.


The result looks like this:

[Image: ISE_Author.png]
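To see why the rule order matters, here is an added Python model of the two authorization passes (example code written for this page, not ISE's policy engine). Rule names, the ACL name, the policy node hostname and the session id are assumed values; the redirect URL follows the guestportal/gateway?sessionId=...&action=cwa form that comes up later in the thread, and Call-Check (10) and Wireless-IEEE-802.11 (19) are the RADIUS values behind the Wireless_MAB condition.

```python
"""The two authorization passes of CWA, as an added example (not from the page
or from ISE). Pass 1 is the MAB request at association; pass 2 is the
re-authorization after the guest logs in on the portal, when ISE sets
Network Access:UseCase = Guest Flow. Rule names, ACL name, portal hostname
and session id are constructed."""
from typing import Callable, Dict, List, Tuple

SERVICE_TYPE_CALL_CHECK = 10          # RADIUS Service-Type used for MAB
NAS_PORT_TYPE_WIRELESS_80211 = 19     # RADIUS NAS-Port-Type Wireless-IEEE-802.11
REDIRECT_ACL = "CWA_REDIRECT"         # assumed name of the ACL created on the WLC
PORTAL_HOST = "ise-psn.example.net"   # constructed ISE policy node name

Request = Dict[str, object]
Profile = Tuple[str, List[str]]       # (profile name, cisco-av-pairs returned)


def cwa_profile(req: Request) -> Profile:
    """Authorization profile for pass 1: ACL name plus the per-session redirect URL.
    ISE substitutes the real session id; a literal placeholder would break the redirect."""
    sid = req["Acct-Session-Id"]
    url = f"https://{PORTAL_HOST}:8443/guestportal/gateway?sessionId={sid}&action=cwa"
    return ("CWA", [f"url-redirect-acl={REDIRECT_ACL}", f"url-redirect={url}"])


def permit_access(req: Request) -> Profile:
    return ("PermitAccess", [])


def is_wireless_mab(req: Request) -> bool:
    """The built-in Wireless_MAB condition."""
    return (req.get("Service-Type") == SERVICE_TYPE_CALL_CHECK
            and req.get("NAS-Port-Type") == NAS_PORT_TYPE_WIRELESS_80211)


def is_guest_flow(req: Request) -> bool:
    """Network Access:UseCase EQUALS Guest Flow."""
    return req.get("UseCase") == "Guest Flow"


Rule = Tuple[str, Callable[[Request], bool], Callable[[Request], Profile]]

# Correct order: the Guest Flow rule sits above the MAB rule.
POLICY_OK: List[Rule] = [
    ("Guest_Authenticated", is_guest_flow, permit_access),
    ("Wireless_CWA_Redirect", is_wireless_mab, cwa_profile),
]
# Wrong order: pass 2 still looks like MAB, so it hits the CWA rule again.
POLICY_LOOP: List[Rule] = list(reversed(POLICY_OK))


def authorize(policy: List[Rule], req: Request) -> Tuple[str, Profile]:
    """First-match evaluation, with DenyAccess as the implicit default rule."""
    for name, condition, action in policy:
        if condition(req):
            return name, action(req)
    return "Default", ("DenyAccess", [])


def simulate_cwa(policy: List[Rule]) -> List[str]:
    """Run both passes for one guest and return the profile chosen each time."""
    first: Request = {                          # constructed MAB request
        "Service-Type": SERVICE_TYPE_CALL_CHECK,
        "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211,
        "Calling-Station-Id": "00-11-22-33-44-55",
        "Acct-Session-Id": "0a0a0a0a00000005",
    }
    _, p1 = authorize(policy, first)
    # After the portal login ISE re-authorizes the same session with the flag set.
    second: Request = dict(first, UseCase="Guest Flow")
    _, p2 = authorize(policy, second)
    return [p1[0], p2[0]]


def loops(policy: List[Rule]) -> bool:
    """True when the second pass returns the redirect profile again."""
    return simulate_cwa(policy)[1] == "CWA"


if __name__ == "__main__":
    print("correct order:", simulate_cwa(POLICY_OK))
    print("wrong order:  ", simulate_cwa(POLICY_LOOP), "loop:", loops(POLICY_LOOP))
```

The loop case is the one to watch for in live authentications: the same session shows a CoA followed by a second Access-Accept that again carries url-redirect, and the guest is sent back to the portal they just left.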


Test


Once we associate to the SSID, we can see the authentication in the ISE live authentications page:

[Image: ISE_Auth_1.png]

And if we check the client details on the WLC, we can see that the redirection URL and ACL are applied:

[Image: WLC_Client.png]

Now, when we open any address on the client, we are redirected to our ISE (be careful to have DNS set up correctly):

[Image: ISE_Guest.png]

Then the user needs to accept the policies, after which they will be granted access to the network.

[Image: ISE_Guest2.png]

If we look back at the ISE, we can now see the authentication, the Change of Authorization, and that the profile applied is PermitAccess:

[Image: ISE_Guest_auth.png]

On the controller, the Policy Manager State and Radius NAC State should change from "POSTURE_REQD" to "RUN".

Tarik Admani Sat, 08/11/2012 - 22:24

Bastien,


I have configured ISE many times and was curious as to how you were able to validate the following statement:


"The WLC Redirects back to the original URL."


My experience when using CWA is that you always get redirected to the page that shows the exit button and to retry the original URL request.


Thanks,

Tarik Admani

Bastien Migette Sun, 08/12/2012 - 01:10

Hello Tarik, you are right: with CWA, the ISE shows a message indicating to the user that they can retry their original URL. This is a current limitation, as the ISE doesn't know the original URL.

What you can do is to create a custom portal with HTML Files and modify the success page to redirect to an arbitrary web page.

Peter Nugent Mon, 08/20/2012 - 03:35

Just getting started with ISE.


This looks OK but could use a little more detail, if I may ask, around creating the authorization policy for the guest redirect.


However, it's only valid for code 7.2. It seems a lot more complicated in 7.0.


Any chance you could do this for 802.1x PEAP? Also with code 7.0, as I am really struggling getting my head around the interface and policy creation.

Bastien Migette Mon, 08/20/2012 - 03:45

Hello Peter,


Welcome to the ISE world... It can be hard to do what we want at first glance due to numerous features, but after some time you'll get used to it.

Concerning the guest redirect, here's basically how it works:

-The guest user associates to the WLC
-The WLC sends a MAB request to ISE
-The ISE matches the first authorization rule and sends the redirect parameters (ACL and URL)
-The WLC will redirect the guest to the ISE
-Once the guest is authenticated, the ISE will make a second authorization (what we call RADIUS Change of Authorization, CoA, which requires 7.2 code). In this second authorization, we need to return a profile so the guest is permitted access to the network. We can use usecase: guestflow to easily match this second authorization.


For PEAP, you may have a look at this doc, there's an example of 802.1x:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml


I hope this is clear.

Peter Nugent Mon, 08/20/2012 - 05:02

It is becoming clear! Just the ability to run 7.2 is an issue for me at the present time. Also there are a lot of features, as you say.

Bastien Migette Mon, 08/20/2012 - 05:04

Good,

You can still use Local Web Auth (LWA) with WLC 7.0. There's an example in the BYOD Guide (link above) as well.

CB90021204 Sun, 02/08/2015 - 22:34

Hi Bastien,

I'm implementing the same scenario as Dominic above using a foreign/anchor controller.

Do you know what firewall ports are required to allow communication between the wireless controller and ISE?

Do the ports below look correct?

UDP: 1645, 1812 (RADIUS Authentication)
UDP: 1646, 1813 (RADIUS Accounting)
UDP: 1700 (RADIUS Change of Authorization, send)
UDP: 1700, 3799 (RADIUS Change of Authorization, listen/relay)

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html

Bastien Migette Mon, 02/09/2015 - 05:43

Hello,

That should be enough, but keep in mind that RADIUS packets (MAB requests) and CoA will be handled at the foreign WLC.

Accounting will go out from wherever it is configured, but it is recommended to enable it only at the foreign, as it can cause issues otherwise.

Lastly, client traffic to ISE will use port 8443, or 8905/6/9 if you have posture, and will go out of the anchor.

 

I hope this helps.

Philip Gerundt Wed, 10/07/2015 - 07:32

So is there just RADIUS communication between the foreign and ISE?

I thought that with CWA the anchor WLC handles the RADIUS authentication?

If not, is there any communication between ISE and the anchor WLCs?

 

Greetings

Philip

Abraham Camacho Mon, 09/14/2015 - 09:45

Hi Bastien,

 

I am currently testing 1.4 patch 3, the latest version of ISE, because I am planning to use PEAP + AUP with the HotSpot option. However, my question in this case is the following:

Based on the link, we have a note that says:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/118741-configure-ise-00.html

Note: The CoA Admin-Reset is specific for Hotspot functionality and described in Cisco bug ID CSCus46754. The behavior for ISE Version 1.2 with a guest portal was different; a CoA Re-authenticate or Terminate was sent.

So my question is:

On CWA, we are using CoA Re-authenticate, right? In what cases are we using Terminate?

thanks

 

 

 

 

 

Bastien Migette Mon, 09/14/2015 - 11:15

Hello Abraham, in most cases you will have the reauth action, because the purpose is to refresh the profile after some events, be it profiling, auth, ...

The hotspot feature in 1.3 is a bit different and does not require authentication. In this scenario the flow will be different, and the bug you mentioned is a documentation bug, meaning the product works as expected but this is not properly documented.

For regular Guest CWA portals, there should not be a difference.

Abraham Camacho Tue, 01/20/2015 - 15:23

Hi Bastien, 

We are moving from LWA to CWA, so I was wondering what you mean by USECASE:GUESTFLOW. I am assuming that GUESTFLOW has something to do with having the Authorization Profile ---> CWA redirect pointing to DEFAULT. So what happens if the redirect points to a MANUAL login page that I loaded into the ISE instead of Default? Is the USECASE value still the same as before?

BTW, from the basic CWA configuration example in the Cisco link, that additional AUTHZ policy with USECASE:GUESTFLOW is required in order to avoid loops in the AUTHZ part (double authorization is performed).

Thanks for any orientation regarding this question.

 

Bastien Migette Wed, 01/21/2015 - 00:31

Hello Abraham,

In CWA, there are 2 authentications sharing the same session. The first one redirects to the portal via MAB; the second one is the actual authentication on the guest portal.

When authenticating on guest portal, ISE sets the flag GuestFlow so we can identify it and apply the correct authorization policy.

I hope this is clear.

Abraham Camacho Wed, 01/21/2015 - 07:51

Hi Bastien,

Thanks a lot for your note. Now I understand what GUESTFLOW means and how this flag is used in the Cisco example at the following link in order to avoid the authorization LOOP mentioned on this link as well.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

I will give it a try in the lab and let you know, but I was wondering if the FLAG is set with the same value = GuestFlow when I use a customized login page (Manual option selected in the redirect part of the CWA configuration for the AuthZ profile - see attached image).

 

On the other hand, I have been doing research for a while and I could not find a link or document that explains in detail the meaning of all the NETWORKACCESS:USECASE values:

-Eap chaining
-Guest Flow
-Host Lookup
-Proxy

Please let me know if you have any link so I can take a look at it.

 

Bastien Migette Wed, 01/21/2015 - 07:57

Hello Abraham,

Yes, all CWA auths will have the guest flow flag, whether you use a custom portal or not.
For host-lookup, this identifies MAB requests (it basically checks service-type=6).
For EAP Chaining, this is when you have eap-chaining: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-...

Proxy I am not sure, I never had to use it.
I am not aware of any document that summarizes all use-cases; this is rather integrated in specific configuration examples such as the one you pointed to.

Abraham Camacho Tue, 01/27/2015 - 08:11

Hi Bastien,

CWA works straightforwardly based on the Cisco configuration example. The only thing that I found weird is that when I am using Chrome on my Win7 laptop or a Chromebook device and connect to the SSID configured for CWA, 2 browsers are opened simultaneously. Do you have any idea about this? Maybe this is something to do with the settings in the Chrome browser, but I was wondering if you have seen this before.

Thanks

Abraham

Bastien Migette Tue, 01/27/2015 - 08:33

Hello Abraham,


Glad you made this work. Concerning the issue with 2 browsers being opened, I don't recall having seen anything similar, sorry.

acontes Tue, 02/10/2015 - 05:00

Any hints on how to configure this with a second ISE as backup? What does the redirect ACL look like?

John Capobianco Thu, 11/21/2013 - 08:37

"

Hello Tarik, You are right, with CWA, the ISE shows a message indicating the user he can retry his original URL. This is a current limitation, as the ISE doesn't know the original URL.

What you can do is to create a custom portal with HTML Files and modify the success page to redirect to an arbitrary web page."


When is this limitation being overcome? It seems very clunky to have users not directly go to their homepage or the URL they specified initially or to have to force a user to go to a landing page.


Thanks


John

edondurguti Thu, 08/23/2012 - 13:18

I have a default deny rule in the authorization, and if users come in for the first time they are always denied; they have to reconnect manually, and once that's done they are okay forever.

CoA is globally enabled for ReAuth.

I've tried many things but never got it working, and kind of found a workaround with an isolated VLAN with IP helpers :s

Bastien Migette Thu, 08/23/2012 - 13:24

Hello Edondurguti,


It's hard to give you an answer without knowing the details of your setup. Maybe you should try to open a separate post on this forum, or open a TAC Case if you have a support contract.


Regards,
Bastien

Dominic Stalder Fri, 08/31/2012 - 15:17

Hi Bastien


thanks a lot for this great post!


I have a question about CWA design in association with an anchor / foreigner installation. We would like to use CWA in this scenario:


- The ISE is located in the internal server subnet

- The foreign WLC is located in the same server subnet

- The anchor WLC is located in the DMZ subnet


Between the server subnet and the DMZ, the traffic is blocked (except for guest mobility and so on --> no ISE traffic allowed).


Now our problem:


1. The client connects to the guest SSID and needs to do a MAB (Layer 2); this works fine because the foreign WLC has a connection to the ISE


2. The client gets an IP address via DHCP from the anchor WLC (Layer 3), so the client is now located in a quarantine VLAN behind the firewall and does not have any connection to the ISE, BUT the client should be redirected to the guest portal of the ISE


Now my question, is CWA the right way or should we better use LWA for anchor / foreign scenarios. And if CWA is good, what is a good design to implement it in these scenarios?


Thanks a lot in advance and best regards

Dominic

Bastien Migette Mon, 09/03/2012 - 01:53

Hello Dominic,


When you have anchor/foreign, the web auth traffic always goes to the anchor, so with CWA the traffic from the anchor to the ISE will need to be permitted.


Now, both LWA and CWA work fine, but CWA is the new way to do things, and I personally think it's a bit cleaner regarding the process flow than LWA...


If it is not an option to open connectivity to the ISE from behind the firewall, then I guess you will have to go for LWA.


Regards,

Bastien

Dominic Stalder Mon, 09/03/2012 - 13:58

Hi Bastien


thanks a lot for your feedback, I think it would be nice to have CWA, but if the communication should not be possible, then LWA is the way to go.


Thanks and best regards

Dominic

Dominic Stalder Wed, 09/19/2012 - 23:29

Hi Bastien


one more question about the design above. You use "MAC Filtering" to get a redirect to the guest portal of the ISE; this makes it necessary that Layer 2 authentication traffic flows from the foreign controller to the ISE. In the "Cisco Bring Your Own Device (BYOD) Smart Solution Design Guide" I can see that this is solved via the "External Web Auth URL" under Security > Web Auth > Web Login Page:


[Image: 1.png]


So we don't have any traffic from the foreign controller to the ISE. Is that correct?


Best regards

Dominic

Bastien Migette Fri, 09/21/2012 - 00:11

Hello Dominic,


When you have anchor/foreign, basically all L2 authentication is done on the foreign, but all L3 traffic (including web auth) goes through the anchor, so whether you use CWA or an external server, the traffic will need to be allowed from the anchor to the ISE. If you don't want this, you can use Local Web Auth and use the ISE as the RADIUS server, but the foreign will still need to be allowed to contact the ISE via RADIUS.


Hope this is clear.

Dominic Stalder Fri, 09/21/2012 - 01:08

Hi Bastien


thanks, that's clear and that is what I want: ONLY allow traffic from the anchor to the ISE, but NOT from the foreign as it would go with L2 MAC authentication bypass.


Short summary:


- CWA with MAB as you mentioned above --> L2 from foreign AND L3 from anchor

- CWA with external server -> ONLY L3 from anchor


Best regards and have a nice weekend

Dominic

guillerm Tue, 02/19/2013 - 10:37

Hello,


I have set up a guest portal with WLC 5508 7.4 and ISE 1.1.1;


everything is OK, except one thing:


the guest VLAN associated to the guest SSID is actually a DMZ behind my customer's firewall, and the DHCP parameters provided to the wireless guest equipment connected on this VLAN include the public ISP DNS server addresses, not the customer's internal DNS server addresses;


this seems OK, since the idea of this guest SSID is to give pure Internet access to the guests, and no connection at all towards the customer's internal servers;


the problem is that, when the wireless guest receives the redirect URL from ISE (the URL to access the ISE guest portal), this URL is based on the ISE DNS name, not on its IP address; so the PC can't resolve this internal DNS name using the ISP DNS server addresses provided by the DHCP server, and therefore it can't access the guest portal at all;


Apart from changing those DNS values in the DHCP server (the customer does not accept this solution), how could we solve this problem?


I have tried to configure, in the CWA authorization profile, the equivalent URL redirect via the Cisco av-pair as follows:

cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,


but it does not work, since sessionIdValue is not replaced by its real value when sent to the wireless client


any comment welcomed

moises.rodriguez Wed, 09/24/2014 - 13:52

Hi Guillerm

I know you posted this a long time ago, but I'm having the same issue. I'm just wondering if you got it resolved, and how.

 

Thanks

Bastien Migette Wed, 09/24/2014 - 23:36

Hello Moises,

Starting with ISE 1.2, you have the ability to select "Static ip/hostname" in the authorization profile, under the WebAuth part. That way you can put the ISE Policy Node's IP address if you don't have a correct DNS entry.

jwhiteak Tue, 04/02/2013 - 07:05

Do we have a sample setup for the IOS controllers running the IOS-XE 3.2.0SE release with ISE?

aporcaro01 Thu, 04/18/2013 - 06:21

Hi,


I'm trying to configure a certificate in order to gain access to the Internet for a guest WLAN; the problem is that an error message says that the certificate isn't trusted and to click next to continue... I'm using a certificate from www.digicert.com.


Could you give me a tip or a document explaining how to configure a certificate on ISE?


I have a WLC that redirects to a web login page on Cisco ISE.


Thanks for the help

Adriano Porcaro

Christos Stefaneskou Fri, 06/07/2013 - 07:48

Hello,


Has anyone tested web authentication for wireless guest access using WS 3850?



Regards,


Chris

Bastien Migette Fri, 06/07/2013 - 08:26

Hello Christos,


Off the top of my head, I believe the current NGWC image has no support, or no full support, for CoA; therefore you should be able to get redirected to the ISE, but the CoA wouldn't work. This will be fixed in the next release.

Christos Stefaneskou Fri, 06/07/2013 - 08:37

Hi Bastien,


Thanks for your response.

I don't need CoA for wireless guest access. I managed to set up ISE + WLC 2504 for web authentication, but the same scenario using ISE + SW 3850 failed.

I used the following guide as reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_010010.html

It's not very clear how web authentication works on 3850 wlan.


Best regards,

Chris

jerry.larson Wed, 07/31/2013 - 12:07

If I do not see Wireless_Mab under conditions for the Authorization Policy, how do I add it?


thanks,

Bastien Migette Wed, 07/31/2013 - 23:08

Hi Jerry,

It should be there by default in later ISE versions (starting with 1.1.2, I think).

Otherwise you can match service-type = call-check (10) and nas-port-type = 802.11.

Tiago Andrade d... Tue, 08/27/2013 - 17:25

Guys,
I have some problems with this design.
First: my WLC is on 7.0.240 IOS version. Note: I can't find the 7.2 WLC IOS to download on the Cisco website.
My ISE version is 1.2.
Wired authentication is OK for 802.1x with digital certificate, and wired guest too, with redirect page + ACL on the switch port.
The problem is Wi-Fi:
802.1x Wi-Fi OK
BUT guest redirect isn't working.

In the client logs I can't see a URL redirect (none), and I see just the ACL.
In the guest SSID I can't enable Radius NAC State because the WLC shows the message: "radius nac is available only for wlan with 802.1x/WPA/WPA2 Layer 2 security"

My WebAuth authorization profile is correct. My access-list on the WLC permits DNS and all IP to ISE.
Does somebody have an idea why it can't redirect to the guest portal?

I need this help for an important implementation.

gnijs Mon, 10/07/2013 - 03:06

I have the same problem. I think it is because I am still running 7.0.230.0; I think I have to go to > 7.2.

grabonlee Mon, 10/07/2013 - 03:55

Hi,


Mac Authentication Bypass is only supported from 7.2 and above. Hence it's only supported on WLC 5508 and higher controllers.

Cristian Popescu Wed, 11/06/2013 - 02:18

Hi,

When using MAC Filtering on the controller, as in the example above, the guest sessions were not visible anymore in Operations->Catalog->Session Directory.

After reverting back to WLC L3 web redirect with external authentication, the sessions were once again available.

Is there anything else that could be done to have the Session feature available? We really need it for controlling the guests...


The current design with L3 web auth on the WLC and the link statically configured on the WLC has some problems with redirection after successful login: some browsers don't accept the WLC page with the virtual IP framed in a page from the ISE server.

Bastien Migette Wed, 11/06/2013 - 02:30

Hello Cristian,

As far as I know, the guest sessions should be visible once the guest user logs in. You may open a TAC case to sort this out if you can reproduce this behaviour.

Otherwise, ISE 1.2 has greatly improved the redirection process for external Web Auth on the WLC, as it pushes back credentials over POST and no longer via iFrames, which, depending on certificate trust and browser configuration, used to have some issues.

Note: I have also tested this in ISE 1.2; I could see my guest users in the active sessions with CWA:

[Image: Screen Shot 2013-11-06 at 11.29.42.png]

1s.bancha Fri, 07/31/2015 - 06:56

Do you know if WLC CWA with ISE supports to intercept https traffic and redirect to guest portal?

If not, any roadmap?

 

Thank you,

Bancha

Carlos Valderrama Thu, 10/01/2015 - 18:21

Hello, i would like to know if it's possible to make https redirection in a WLC with CWA and ISE?

Carlos Valderrama Sun, 10/04/2015 - 09:47

Hello Bastien.

Thanks for your quick reply. I tested the command, but our client complains about the certificate error with the HTTPS redirection.

The link you provided says that it's unavoidable, but just to confirm, is there any possible way to fix the certificate error? Otherwise we're going to have to unmount the ISE guest solution because of that.
