topic Wired Guest CWA with ISE in Network Access Control

Wired Guest CWA with ISE

andrew.chappelle — Mon, 11 Mar 2019 05:26:39 GMT

Having a heck of a time getting this to work.

First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.

If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.

My challenge is the Policies and where to insert.

I'm using Policy Sets in ISE 1.2

Currently, I have these statements in the Default Policy Set:

Rule Name	Conditions	Permissions
Wired Guest Portal Auth	if Net Access:UseCase EQUALS Guest Flow	Permit Access
Wired Guest Redirect	if Wired_MAB	Wired CWA

What i figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.

Couple problems:

First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.

Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.

Second challenge is that it forces the redirect whether i have the switch (NAD) in Monitor Mode or Low Impact Mode. This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.

Does anyone have any insight, or a document laying out in step by step terms implementing this?

thanks in advance.

Update. Looks like the

andrew.chappelle — Wed, 11 Feb 2015 19:16:40 GMT

Update. Looks like the certificate issue is with Internet Explorer ?!? Firefox redirects fine.

Still can't figure out why it does this even in Monitor Mode.

Hello Andrew-Monitor mode

nspasov — Thu, 12 Feb 2015 09:33:22 GMT

Hello Andrew-

Monitor mode allows devices/users to "proceed" even if they fail authentication. However, by proceed, I don't mean gaining access to the network. Instead, they are allowed to proceed from the authentication step to the authorization. Thus, you need to have a "catch_all" rule in your authorization section that is set to "Permit Access." to any devices that were not authorized by one of your regular rules. For more info check out the following TrustSec guides:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

Thank you for rating helpful posts!

Thanks Neno,So to clarify;

andrew.chappelle — Thu, 12 Feb 2015 21:12:09 GMT

Thanks Neno,

So to clarify; even in Monitor Mode, AuthZ policies are still processed, and because my GuestFlow and Wired MAB rules are in AuthZ, they'll get used/processed no matter what?

How then do I apply it only to the NADs I want to progressively cut-over? Do I have to add a condition that tests by Location and only match NADs in locations I'm cutting over?

I'm still not 100% sure I have the CWA AuthZ rules where I should, and i think i need to move them even further down the Default Policy set so that they're after any Whitelists I have for phones, printers, etc.

Good news is that the web portal does pop! IE still doesn't like it - or the cert at least.

Andrew

Hi Andrew! Yes, good job on

nspasov — Fri, 13 Feb 2015 01:56:27 GMT

Hi Andrew! Yes, good job on fixing the portal issue!

And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.

Lastly, yes, your CWA rules should be at the bottom of your production authorization rules.

Thank you for rating helpful posts!

Thanks Neno for all the

andrew.chappelle — Fri, 13 Feb 2015 20:25:28 GMT

Thanks Neno for all the advice and help!

Now I think I've broken something, because for some reason the clients don't hit my policy any more. I tried adding the Stage as a Condition rather than Location for simplicity?

I haven't used a custom NAD

nspasov — Mon, 16 Feb 2015 09:24:39 GMT

I haven't used a custom NAD group before but don't see any problems using one for simplicity. However, we need to figure out if this is the cause of your break/fix issue. So, in your authentication logs, can you confirm if you are at least hitting the correct "Policy Set" but then NOT hitting the correct rule within the set? Or are you not even hitting the correct "Policy Set" ? If so which one are you hitting.

It would be helpful if you posted screenshots of:

- The live authentication screen

- The detailed authentication screen for the failed authentication

Thank you for rating helpful posts!

Hi Neno,Thanks a lot for the

andrew.chappelle — Mon, 16 Feb 2015 19:35:05 GMT

Hi Neno,

Thanks a lot for the repsonses, been a big help.

Well, the issue(s) have been resolved, and I've got everything working.

In the end the biggest issue was that the client supplicant (native windows) did not have a proper GPO - the Wired AutoConfig wasn't set to start/auto. That made a difference.

Plus I reordered a few rules, to get everything flowing proper.

All in all, things are looking good to cutover into LowImpact mode for production; my policy set condition matches on stage only, and so far it seems to work.

Thanks againn for the replies!

Andrew

Glad that you got your issues

nspasov — Mon, 16 Feb 2015 19:43:43 GMT

Glad that you got your issues resolved and that I was able to help! 🙂

Best regards,

Neno