topic Re: ISE 2.x Guest with Comware 5 (or 7) in Network Access Control

ISE 2.x Guest with Comware 5 (or 7)

sstanic6112 — Mon, 14 May 2018 15:52:01 GMT

Hi,

is it possible to integrate ISE Guest with comware 5 or comware 7 switches (HPE).

Basic example, failed authentication puts user in Guest VLAN where we redirect web traffic to ISE Guest Portal. After successful portal authentication we do CoA and apply new authorization rights.

I think that NAD profile delivered with ISE does not support this but not sure is there a way to create custom profile and make it work.

Re: ISE 2.x Guest with Comware 5 (or 7)

Jason Kunst — Mon, 14 May 2018 15:54:36 GMT

You will need to ask the vendor what they support for standards and lab it up and see what you can get to work

Please read over the following information

https://communities.cisco.com/docs/DOC-75329

Re: ISE 2.x Guest with Comware 5 (or 7)

sstanic6112 — Mon, 14 May 2018 16:05:19 GMT

Same response from both vendors.

I'll try with the lab and see where it goes..

Re: ISE 2.x Guest with Comware 5 (or 7)

Craig Hyps — Mon, 14 May 2018 20:55:04 GMT

See ISE Third-Party NAD Profiles and Configs NAD profiles and sample working configs working with Comware (HP H3C) for wired and wireless.

Re: ISE 2.x Guest with Comware 5 (or 7)

sstanic6112 — Tue, 15 May 2018 12:13:50 GMT

Thank you for all links but i am already familiar with all of them. I am also in contact with other vendor.

What i know so far:

1. Cisco ISE has 2 NAD profiles for H3C devices (HPWired, HPWired_SNMP_CoA) and none of them has redirect action and Web Authentication flow type by default - so i have to play with custom profiles.

2. Comware documentation describes few concepts (Com5 or Com7, local or external portal) and neither is describing requirements for ISE.

3. Comware 7 seems more advanced but is using some aditional VSA atributes. We are able to add them to RADIUS dictionary on ISE but not sure are they supported on comware 5 (actually question fro HPE).

4. From design point of view, it looks to me that Cisco is performing CWA and Comware 5 some kind of hybrid Web Auth.

What is surprising me is that i cannot find working example of such integration. Lab that i have to set up will be based on partial information from each vendor form different concepts and that will be time consuming so before i dig into that i would like to rephrase my question.

Is it possible?

Is there anybody who has done it?

thanks

Re: ISE 2.x Guest with Comware 5 (or 7)

Craig Hyps — Tue, 15 May 2018 12:46:57 GMT

Is it possible? YES

Is there anybody who has done it? Not sure. Sounds like your particular combination not covered by current examples.

To clarify, ISE will ALWAYS use CWA for web auth, unless the switch is using another mechanism completely outside of ISE to capture credentials and submit them separately via RADIUS.

If switch supports option to return a URL redirect/portal page via RADIUS, that may work like Cisco switches. Otherwise, if portal URL is local to switch, then need to leverage option in ISE to set a specific portal string derived from AuthZ Profile config. If switch has no portal redirect capabilities, then need to implement ISE as DNS/DHCP server in Auth VLAN.

Re: ISE 2.x Guest with Comware 5 (or 7)

sstanic6112 — Wed, 16 May 2018 12:42:46 GMT

Still not convinced but i think we are getting somewhere..

Comware 5 has two options for portal authentication. Local Guest Portal (on the switch) or external Guest Portal. With external portal, switch uses its Layer 3 interface to communicate with Portal (capture credentials) and RADIUS (submit credentials), in my case both of this communication are targeting ISE.

Not sure is ISE OK with that approach.

Comware 5 expect this...

1. Client access Portal to start authentication (enter user/pass)
2. Portal server and switch exchange CHAP messages if CHAP is used. If PAP is used this step is skipped.
3. Portal server assembles username and password into an authentication request message and sends it to the switch.
4. Switch and RADIUS server exchange RADIUS packets to authenticate the user.
5. Switch sends an authentication reply to the portal.
6. Portal server sends an authentication success message to the client.
7. Portal server sends an authentication reply acknowledgment message to the switch.

As i said earlier, this example is not based on ISE as both Portal and RADIUS server, so not sure where would this guide lead me to. Some of this can be configured on ISE and some of it can be configured on HPE switch but i am affraid i do not have complete information.

I would like to understand it before i start setting up lab.

Re: ISE 2.x Guest with Comware 5 (or 7)

Craig Hyps — Wed, 16 May 2018 13:11:06 GMT

The flow sounds similar to LWA to local or external portal in Cisco switches/controllers. However, there are specific requirements on the web portal to support the credential exchange which Comware must have documented. Not sure if their external portal requirements can be met by ISE guest portal, but sounds like you can minimally use switches LWA capability to local or some other web server portal and have it exchange credentials to ISE via RADIUS, or force the CWA flow via ISE portal. This would need to override switches basic LWA flow and ISE would handle the web auth directly without a separate RADIUS transaction. Switch may not need to even know it is occurring. After completion of web login on ISE, a CoA would be sent before completion of LWA flow and allowed access based on session state.