<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ISE and pfSense - Captive Portal in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554715#M520409</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;pfSense is an open source firewall, so my guess is that you are trying to use ISE Guest Portal as a way to webauth firewall users.&amp;nbsp; ISE is not a general purpose web server and web auth via ISE assumes specific capabilities on the access device (the firewall in this example).&amp;nbsp; I would not say impossible, but will say integration may be difficult as would require understanding of how LWA flow works (whereby ISE returns credentials to NAD via POST command) which we don't document.&amp;nbsp; Typical web auth is performed via CWA (a different mechanism whereby ISE never returns credentials to NAD).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;/Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 26 Oct 2017 18:37:04 GMT</pubDate>
    <dc:creator>Craig Hyps</dc:creator>
    <dc:date>2017-10-26T18:37:04Z</dc:date>
    <item>
      <title>Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554712#M520404</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi. I was wondering if anyone has been able to get the captive portal functioning with ISE. We would like to use the ISE portals in this scenario. If anyone has, is there a step by step out there somewhere to follow? I'm running into some issues and need to demonstrate this ability. Thanks in advance!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 16:15:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554712#M520404</guid>
      <dc:creator>bonedaddy76</dc:creator>
      <dc:date>2017-10-26T16:15:19Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554713#M520406</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can find a really good step-by-step here:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.network-node.com/blog/2016/1/2/ise-20-guest-wireless-policy" title="http://www.network-node.com/blog/2016/1/2/ise-20-guest-wireless-policy"&gt;http://www.network-node.com/blog/2016/1/2/ise-20-guest-wireless-policy&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is for a sponsored guest portal but you can tweak it if you want to only do a hotspot.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 17:17:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554713#M520406</guid>
      <dc:creator>Joseph Johnson</dc:creator>
      <dc:date>2017-10-26T17:17:11Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554714#M520407</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This is a rather general comment. Is there a specific use case or flow you're asking for? There are many docs on how to get started under the communities.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.cisco.com/space/5301"&gt;Identity Services Engine (ISE)&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Look under guest&lt;/P&gt;&lt;P&gt;&lt;A _jive_internal="true" data-containerid="5301" data-containertype="14" data-objectid="64018" data-objecttype="102" href="https://community.cisco.com/docs/DOC-64018" style="font-size: 12px; font-family: arial; color: #0a63a7;"&gt;ISE Guest &amp;amp; Web Authentication&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Under documentation there is&lt;/P&gt;&lt;P&gt;&lt;A _jive_internal="true" data-containerid="5301" data-containertype="14" data-objectid="64012" data-objecttype="102" href="https://community.cisco.com/docs/DOC-64012" style="font-size: 12px; font-family: arial; color: #0a63a7; text-decoration: underline;"&gt;ISE Design &amp;amp; Integration Guides&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 18:05:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554714#M520407</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2017-10-26T18:05:54Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554715#M520409</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;pfSense is an open source firewall, so my guess is that you are trying to use ISE Guest Portal as a way to webauth firewall users.&amp;nbsp; ISE is not a general purpose web server and web auth via ISE assumes specific capabilities on the access device (the firewall in this example).&amp;nbsp; I would not say impossible, but will say integration may be difficult as would require understanding of how LWA flow works (whereby ISE returns credentials to NAD via POST command) which we don't document.&amp;nbsp; Typical web auth is performed via CWA (a different mechanism whereby ISE never returns credentials to NAD).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;/Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 18:37:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554715#M520409</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-10-26T18:37:04Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554716#M520410</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks folks. I appreciate the feedback. The guides are definitely a help. Right now I'm just trying to authorize with the built-in portal and it's getting failed. I have searched quite a bit and can't find anyone who has done this with ISE (or ACS for that matter), so I guess my first issue is getting the right attributes to pfSense. Like chyps says, it is open source and I know that there is going to be some work that needs to be put in to make it all run with a portal, but I wouldn't think it would be an issue just to get a RADIUS accept. So I was hoping that someone had this working and could point me in the right direction as to what to send back in the authorization profile.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 19:14:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554716#M520410</guid>
      <dc:creator>bonedaddy76</dc:creator>
      <dc:date>2017-10-26T19:14:48Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554717#M520411</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Per previous, this is not something we expect to work out of the box, and may not even with some special coding on pfSense side.&amp;nbsp; Access-Accept is tied to a RADIUS session, not a simple web page login.&amp;nbsp; With legacy LWA flow, the user is sent to a web page by NAD and ISE captures and returns the credentials submitted by user back to the NAD which in turn sends to ISE in a separate RADIUS request.&amp;nbsp; I am not aware of any documentation that details the requirements on NAD to allow this flow with 3rd-party.&amp;nbsp; The CWA flow relies on support for URL redirection and CoA, and I highly doubt the firewall is capable of processing this flow without a high amount of customization.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 19:26:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554717#M520411</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-10-26T19:26:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554718#M520412</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So, I guess to be more specific, pfSense has a built-in portal and can simply send out a RADIUS query without engaging the ISE captive portal mechanism. I've been able to get access-accepts from other devices using ISE and RADIUS, but for some reason this device is giving me problems. So I'm not sure if it's getting what it needs from ISE or if there is another issue.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="Image.gif" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/112809_Image.gif" style="height: 366px; width: 620px;" /&gt; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 19:40:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554718#M520412</guid>
      <dc:creator>bonedaddy76</dc:creator>
      <dc:date>2017-10-26T19:40:49Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554719#M520413</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Christopher,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your initial query was specific to portal integration so now sounds like you are reverting the conversation to be about pure RADIUS auth without any integration of ISE portal.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"I was wondering if anyone has been able to get the captive portal functioning with ISE. We would like to use the ISE portals in this scenario." =&amp;gt; "pfSense has a built-in portal and can simply send out a RADIUS query without engaging the ISE captive portal mechanism"&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For starters, make sure you enter IP address of PSN or LB VIP into RADIUS server address in your form!&amp;nbsp; &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Next, you need to enable MSCHAPv2 under the Allowed Protocols for Default Network Access, or create custom Allowed Protocols entry which includes MSCHAPv2 to match your auth protocol selection.&amp;nbsp; As a quick test, you can select PAP instead which is enabled by default.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;/Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Oct 2017 20:24:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554719#M520413</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-10-26T20:24:39Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE and pfSense - Captive Portal</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554720#M520415</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Actually, it is about both &lt;IMG src="https://community.cisco.com/legacyfs/online/emoticons/happy.png" /&gt; I wanted to start out with the internal portal and make sure it works and then work in the custom portal. I just posted the pic to show what was available, but I did set up the items as you lay out above. I know pfSense can recognize the WISPr attributes, I'm just not sure if anything other than an accept or reject is needed to be returned from ISE to get a good authorization.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Oct 2017 14:57:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-and-pfsense-captive-portal/m-p/3554720#M520415</guid>
      <dc:creator>bonedaddy76</dc:creator>
      <dc:date>2017-10-27T14:57:45Z</dc:date>
    </item>
  </channel>
</rss>

