topic Re: H3C WX Series and Central Web Auth in Network Access Control

H3C WX Series and Central Web Auth

Arne Bier — Tue, 27 Mar 2018 22:44:09 GMT

Anyone had experience with integrating ISE Central Web Auth with H3C WX series wireless controllers (e.g. H3C WX5004 and H3C WX5002V2)?

I had a look at ISE Third-Party NAD Profiles and Configs but that product is not listed there.

I have a suspicion that they don't handle URL redirection. I find their documentation is a bit tricky to understand.

Re: H3C WX Series and Central Web Auth

Jason Kunst — Tue, 27 Mar 2018 22:59:59 GMT

Arne if they don’t then you can use the ISE auth vlan dhcp dns feature

Re: H3C WX Series and Central Web Auth

Craig Hyps — Wed, 28 Mar 2018 05:20:42 GMT

I did work with another account team, to prove out the WX5002 under ISE 2.0 (before Auth VLAN feature. Most flows were successfully validated including some enhancements to ensure proper working with BYOD. Since this testing conducted outside of Cisco QA and before we started posting to community, the NAD profile and config were never collected for posting. From my notes, default HP Wireless profile was used.

Re: H3C WX Series and Central Web Auth

Arne Bier — Tue, 01 May 2018 05:07:55 GMT

Hi Craig

I started testing ISE Guest integration with an H3C WX5004 today and we used the H3C's CLI config snippet posted on the community forum. It's somewhat useful and we have a half working solution so far. I am wondering how you got the CoA working? Does the H3C understand CoA?

And then how do you tell it which ACL's to apply (e.g. Portal ACL vs Guest Authenticated ACL)?

regards

Arne

Re: H3C WX Series and Central Web Auth

Craig Hyps — Tue, 01 May 2018 16:58:28 GMT

Mixed feedback on the CoA support. One report for WX5002 was that it did not, but then had another team validate the same platform with CWA and other web-enabled flows with CoA. So there may be changes based on version deployed or hw revs. Ultimately would need validation with your specific product and version.

The sample config posted shows that the H3C supports static URL. In that case, you set the portal to be the one generated in the ISE Authorization Profile for 3rd-party redirect. The URL redirect type is set in NAD Profile.

Here is example for posted H3C config: HP-H3C-A5500-NAD-Config

portal server iseportal ip 10.10.13.188 port 8443 url https://10.10.13.188:8443/portal/gateway?portal=a6b8fa70-fc3e-11e4-a67c-005056bf2f0a&action=cwa

portal free-rule 10 source ip any destination ip any

In the above example, the actual redirect URL was listed. However, we provide option to set a "normalized URL" to reduce the length of entry. Example:

https://iseHost:8443/portal/g?p=6Rqz8dJ91WOjPibM6BAP5JQPEb

Once user redirected to PSN, it will be redirected again to more detailed example shown in config snippet.

Craig

Re: H3C WX Series and Central Web Auth

smashash — Wed, 02 May 2018 07:38:29 GMT

Hi,

The following H3C WLAN devices are supporting RADIUS CoA.

Software version:

WX2500E-CMW520-E3703P61 (WX2540E)
WAC360-CMW520-E3703P61 (WAC360 series)
WX5004-CMW520-R2509P61 (WX5000 series)
WX3500E-CMW520-R3709P61 (WX3500E series)
WX6103-CMW520- R2509P61 (WX6000 series)
WX5500E-CMW520-R2609P61 (WX5500E series)
WX3000-CMW520-R3509P61 (WX3000E series)

HPE (H3C) 830 WLAN also.

To configure the CoA client on NAD:

"radius dynamic-author client trusted ip < ISE ip-address>"

"undo radius dynamic-author client trusted" to remove it

Default behavior is:

The device does not trust the DAE packets sent by any IP addresses.

To configure the CoA port on NAD:

"radius dynamic-author port" to specify the UDP port for listening for and receiving DAE packets.

Default value: UDP port number is 3799.

To validate if your device supports CoA you should try this command on device "radius dynamic-author client trusted ip < ISE ip-address>"

Re: H3C WX Series and Central Web Auth

Arne Bier — Mon, 22 Oct 2018 03:54:04 GMT

Hi @smashash and @Jason Kunst

I have revisited this topic and I noticed something that I'd like confirmation on please.

The HPE wireless controller that I am working with is supported, but after speaking to HPE and Aruba engineers, they tell me that I have to use an auth-vlan mechanism on the HPE controller. And when I implemented this as they directed, I can't get it to work because I never see the CoA from ISE.

Here is what happens

1) HPE Controller sends MAC address to ISE

2) ISE does lookup and doesn't find it - ISE sends Access-Reject to HPE controller (this is the crux of it)

3) HPE gets Access-Reject and places user in auth-vlan and kicks off a URL redirection (which points to ISE)

4) User logs into ISE portal successfull - getsuccess page because credentials match.

5) .....*BOOOOOM* - ISE doesn't send a CoA because it doesn't have a session for this portal login .... since ISE sent an Access-Reject.

CoA only seems possible if ISE has an active session as a result of a positive MAB auth. Is this true? I mean, if I send an Access-Reject to a NAS, I don't expect an Accounting Start to come back as a result!!! That would be weird.

If Craig were still around I would have asked him this, but he mentioned in earlier responses in this thread that the ISE 2.0 config was never captured. Pity.

Re: H3C WX Series and Central Web Auth

smashash — Mon, 22 Oct 2018 07:58:10 GMT

Hi Arne,

That is correct. it requires active session in ISE to send CoA.

Have you tried the Auth-VLAN (Guest-VLAN) solution for 3rdparty NADs?

more info:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200604-Configure-Third-Party-NAD-Redirection-on.html

Re: H3C WX Series and Central Web Auth

Jason Kunst — Mon, 22 Oct 2018 12:44:25 GMT

Ise manages actives sessions in order to send COA

Why not use ise auth vlan instead?

Re: H3C WX Series and Central Web Auth

Arne Bier — Mon, 22 Oct 2018 22:26:33 GMT

@smashash - thanks for the link - @Jason Kunst my customer has started evaluating this but it's not a trivial matter, since we have around 900 locations, each needing its own DHCP scope. The PSN's are centrally located in two DC's.

And then the operational overhead - try adding 900 scopes into an ISE GUI!!! And then we don't only have one PSN - we have 4. This config doesn't replicate across PSN's. How does one manage the DHCP leases? Is there management and monitoring for this in ISE?

Re: H3C WX Series and Central Web Auth

Jason Kunst — Mon, 22 Oct 2018 22:39:00 GMT

The subnet can only reside on one psn so there would be no replication or config sync needed right?

Have to research the other question but likely no way to monitor from what you see now

Re: H3C WX Series and Central Web Auth

Arne Bier — Tue, 23 Oct 2018 05:55:30 GMT

@Jason Kunst and @smashash

After a whole day of hacking around on the H3C WX 5004, we got it working 🙂

The trick was to NOT send ACCESS-REJECT as suggested by HPE - but rather, to send ACCESS-ACCEPT. Grrrrrr!!!!

This of course causes a session to be built in ISE that is then later used for the COA function (a very crucial part of the equation).

The second trick was to always perform dynamic VLAN override - ISE needs to send back the auth VLAN in the "MAC unknown in ISE" flow. And in the "MAC known in ISE" flow we send back the Guest VLAN.

Booom! Works. I can even send an ACL to the controller via the Radius Filter-ID attribute.

We're also running some ancient version of Comware for those who are interested - Release 2509P51

Re: H3C WX Series and Central Web Auth

smashash — Tue, 23 Oct 2018 07:13:00 GMT

Nice! Good job!

Re: H3C WX Series and Central Web Auth

Jason Kunst — Tue, 23 Oct 2018 13:01:25 GMT

Nice work Arne can you put in a new document to share the clean assessment?

Re: H3C WX Series and Central Web Auth

Arne Bier — Mon, 05 Nov 2018 21:48:24 GMT

Sure thing. Is there any particular format/template or location for this document? I was planning to put the document under Cisco Community > Technology and Support > Security > Identity Services Engine (ISE)

Give me a few days and it will be done.

Re: H3C WX Series and Central Web Auth

Arne Bier — Thu, 15 Nov 2018 12:04:04 GMT

Hi @Jason Kunst

I finally got around to writing up my solution to this question in a new article here.

Re: H3C WX Series and Central Web Auth

Jason Kunst — Thu, 15 Nov 2018 13:20:31 GMT

Thank you!