Configuration example: central web-authentication with a switch and Identity Service Engine

Document

Sep 5, 2011 6:34 AM

This document now went live on cisco.com at the following URL:

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

Document ID: 113362

Average Rating: 5 (3 ratings)

Comments

ToX1c1986 Mon, 11/28/2011 - 00:58

Thank you sooo much!

Could you explain Posture Compliance to me like this?

RRBLEEKER_2 Tue, 11/29/2011 - 09:44

I agree with ToX1c1986 - I could use more examples like this one. It explains the flow of events.

fabianbeck Wed, 03/14/2012 - 13:09

Where can I find the complete switch configuration? I tried the commands above, but it doesn't redirect the traffic.

Nicolas Darchis Thu, 03/15/2012 - 00:21 (reply to fabianbeck)

Hi Fabien,

Please open a new discussion (i.e. post a question in the AAA forum) with your switch config and ISE screenshot. I'll be glad to check your setup and try to understand what is missing. This doc is meant to be a basic config, so depending on the rest of your config, there might be a few traps.

jroberts110 Mon, 04/02/2012 - 14:04

Nicholas, you say that you attached the full switch config at the end of the document but I don't see it anywhere.  Is it available for download?  Thanks.

Nicolas Darchis Tue, 04/03/2012 - 00:28 (reply to jroberts110)

I forgot to attach it apparently :-) Thanks for the heads-up. I will redo the setup in my lab and will try to attach it in the coming days.

eng.malak Mon, 10/01/2012 - 06:44

I did the same configuration and everything is OK, except that the guest web browser is not automatically redirected to the portal. When I manually copy the URL from the switch port it works as expected. How can I force the guest browser to be redirected automatically?

maxime.gerges Tue, 12/11/2012 - 14:03

Great article! Very interesting.

I have 2 questions regarding this configuration:

  • Is it possible to return a dynamic VLAN (a restricted temporary VLAN) with the redirect address in the "mac not known" rule?
  • With this method I am not able to distinguish between a corporate user (AD auth) and a Guest (internal). I might create a new authorization rule "is-a-CORPORATE", but in the 2nd AUTH (which defines the VLAN) I can't make a difference between the 2. Any idea how to distinguish a CORPORATE login from a GUEST with CWA and apply a specific VLAN?

Nicolas Darchis Tue, 12/11/2012 - 23:17 (reply to maxime.gerges)

Of course you can return a VLAN with the mac-not-known rule. Logically it should be a VLAN with restricted access just for the guests.

You can, after the 3rd authorization (the dynamic authorization, the CoA), return another VLAN that will depend on the username typed in the guest portal. That's the magic of CWA.

Distinguishing between a corporate user and a guest? Theoretically your switchport should be configured to do 802.1x first, which will give the employees the proper attributes. Then, if the PC does not do dot1x or fails it, you fall back to MAB and this scenario.

If your employees are supposed to go through the guest portal as well to log in, then it's on the 3rd authorization that you can return their attributes, because you learned their username.
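
As an added example (not the configuration the author mentions attaching, and not Cisco's own text), the following is a minimal IOS access-switch configuration for the flow described in the replies above: 802.1x first, fall back to MAB, redirect the unknown host to the ISE guest portal, and accept the CoA so that the 3rd authorization can return a VLAN. The ISE PSN address 192.0.2.10, the RADIUS key, the ACL name REDIRECT-GUEST, the port GigabitEthernet1/0/10 and VLAN 30 are all assumed placeholders; the ISE side (the authorization profile carrying the url-redirect-acl name, and the VLAN returned after the portal login) is not shown.

```cisco
! Added example, not the document's attached config. Assumed values:
! ISE PSN 192.0.2.10, RADIUS key RadKey-PLACEHOLDER, guest port
! GigabitEthernet1/0/10, restricted guest VLAN 30. Replace all of them.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Accept Change of Authorization (CoA) from the ISE PSN. Without this the
! dynamic (3rd) authorization issued after the portal login never reaches
! the port, so the VLAN change and the removal of the redirect never happen.
aaa server radius dynamic-author
 client 192.0.2.10 server-key RadKey-PLACEHOLDER
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadKey-PLACEHOLDER
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
! The switch must learn the client IP (device tracking) and must run its
! own HTTP/HTTPS listener to intercept the browser and send the redirect.
ip device tracking
ip http server
ip http secure-server
!
! Redirect ACL named in the ISE authorization profile (url-redirect-acl).
! On IOS a "permit" line means "redirect this traffic" and a "deny" line
! means "let it through unredirected", so DNS and traffic to ISE itself
! are exempted and only the browser's HTTP/HTTPS is intercepted.
ip access-list extended REDIRECT-GUEST
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! The restricted VLAN returned by ISE must exist locally on the switch.
vlan 30
 name GUEST-RESTRICTED
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The switch-side pieces that most often break the redirect are the device-tracking and HTTP server lines (the switch cannot intercept a browser whose IP it does not know, and it cannot answer the intercepted request without its own listener) and the sense of the redirect ACL, where permit means redirect. Checking those three first, together with whether the CoA from 192.0.2.10 is actually accepted, narrows down most "the URL works when pasted but the browser is not redirected" cases.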

aijazbeigh Thu, 05/02/2013 - 11:22

Hi Nicholas,

Is it possible to change the redirect URL? For example, by default the URL is

https://ip:8443/guestportal/portals/PortalName/portal.jsp

where ip is replaced by the PSN hostname and becomes

https://PSN.Domain.com:8443/guestportal/portals/PortalName/portal.jsp

I want to change it to the LB:
https://lb-ise.domain.com:8443/guestportal/portals/PortalName/portal.jsp

Nicolas Darchis Thu, 05/02/2013 - 12:02 (reply to aijazbeigh)

It is automatic. ISE might display "ip:port" to you in the configuration GUI, but in reality what will be sent is the PSN hostname of the ISE node against which the client authenticated (this is mandatory; only the PSN where the auth occurred can do webauth for the client).

Therefore load balancing is achieved only by load balancing RADIUS authentication. The portal will automatically be balanced as well then.

aijazbeigh Thu, 05/02/2013 - 12:11 (reply to Nicolas Darchis)

My challenge is that I cannot get a public certificate for domain.local as it is not a valid domain. And we do have domain.com, but we do not have AD in domain.com. Since I would need to join ISE to the domain, it will not accept a certificate with anything apart from its actual FQDN. And the customer has this requirement that his guests must not get a certificate warning, so using a public cert is a must. I cannot use AD for LDAP as it does not support MSCHAPv2 over LDAP, so I would need to put in a PKI infrastructure; only then will this setup work. It seems there is no option but a local PKI and LDAP, and then I can have ISE in domain.com without integrating it with AD.

Nicolas Darchis Thu, 05/02/2013 - 12:28 (reply to aijazbeigh)

What is the problem with that?

Just configure the ISE CLI with "ip domain name domain.com". As long as it's a valid DNS domain it's fine. It doesn't need to be an AD domain; there's no link between the 2 at all.

aijazbeigh Thu, 05/02/2013 - 12:39 (reply to Nicolas Darchis)

That's great then. Can you please confirm if my understanding is correct.

1. I will assign ISE name as psn01

2. Use ip domain name mydomain.com

3. Join ISE to my AD domain which is uk.group.local

And I can use a public certificate from VeriSign with FQDN psn01.mydomain.com, and ISE will let me upload it.

Nicolas Darchis Thu, 05/02/2013 - 13:33 (reply to aijazbeigh)

Your ISE still has a certificate issued to the old FQDN; this is why it's still returning the old name for CWA.

I suggest you open a discussion in the forum to discuss your issues rather than commenting on a document though.
