topic The Wired NAD with Local in Network Access Control

ISE Wired captive portal

Alexmpj376 — Mon, 11 Mar 2019 05:15:29 GMT

I've a new ISE Integration, I've implemented captive portal for wireless and wired guests, for Wireless all is working perfect

For Wired I can see that ISE put the url captive on the interface of the switch but from the laptop of windows machine, I'm unable to see the link on browser, please advice

Do you have:- Redirect ACL

nspasov — Thu, 11 Dec 2014 06:58:18 GMT

Do you have:

- Redirect ACL configured on the switch. If yes, please provide the syntax here

- Redirection policy in ISE that references the redirect ACL. If yes, please attach some screenshots here

- Can you browse to the captive portal by entering the address manually in the browser

Thank you for rating helpful posts!

Below is the ACLExtended IP

Alexmpj376 — Thu, 11 Dec 2014 07:56:37 GMT

Below is the ACL

Extended IP access list REDIRECT
10 deny icmp any any
20 deny udp any any eq bootps
30 deny udp any any eq bootpc
40 deny udp any any eq domain
50 deny ip any host 10.171.0.51
60 deny ip any host 10.171.0.52
70 permit tcp any any eq www (1226 matches)
80 permit tcp any any eq 443 (5358 matches)

- The screenshot is attached

- Yes I can browse to the captive portal by entering the address manually in the browser

The Wired NAD with Local

mohanak — Thu, 11 Dec 2014 09:33:56 GMT

The Wired NAD with Local WebAuth flow follows these steps:

1. Cisco ISE requires a login.html file with HTML redirect, to be uploaded to the NAD. This login.html is returned to the client browser for any HTTP/HTTPS request made.

2. The client browser in turn is redirected to the Cisco ISE guest portal where the user's credentials are submitted.

3. After the AUP and change password is processed (if configured in the Multi-Portal configuration), the guest portal redirects the client browser to post the user credentials on to the NAD.

4. The NAD makes a RADIUS request to the Cisco ISE to authenticate and authorize the user.

Refer the link http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1117489

I'm using Wired NAD

Alexmpj376 — Thu, 11 Dec 2014 09:52:44 GMT

I'm using Wired NAD interaction for Central WebAuth

In the same document you

mohanak — Thu, 11 Dec 2014 10:08:23 GMT

In the same document you have

Wired NAD Interaction for Central WebAuth

If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.

The Central WebAuth triggered by a MAB failure flow follows these steps:

1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.

2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.

3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.

4. The client machine connects and the NAD initiates a MAB request.

5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.

The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:

https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.

6. The client initiates an HTTP or HTTPS request to any URL using the client browser.

7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.

8. The gateway URL value with action CWA redirects to the guest portal login page.

9. The client enters the username and password and submits the login form.

10. The guest action server authenticates the user credentials provided.

11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.

12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)

Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.

13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.

14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and perform posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)

15. If the client machine is non-complaint, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.

16. Once the client machine is compliant, ensure you have an Authorization policy configured with conditions "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions), From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

See, The authorization policy

Alexmpj376 — Thu, 11 Dec 2014 10:09:24 GMT

See,

The authorization policy is proper since I get the url guest on the switch on the right port

The authorization policy is

Alexmpj376 — Thu, 11 Dec 2014 10:10:09 GMT

The authorization policy is proper since I get the url guest on the switch on the right port

but on the client machine I'm not getting HTTP redirect

I can browse to the captive

Alexmpj376 — Thu, 11 Dec 2014 10:18:08 GMT

I can browse to the captive portal by entering the address manually in the browser

meaning that ISE config are good

Verify that the redirection

Venkatesh Attuluri — Mon, 15 Dec 2014 16:53:03 GMT

Verify that the redirection URL specified in Cisco ISE via Cisco-av pair “URL
Redirect” is correct per the following options:
• CWA Redirection URL:
https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
• 802.1X Redirection URL:
url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&a
ction=cpp

Re: ISE Wired captive portal

juanfaure — Wed, 15 Jun 2022 05:06:25 GMT

Hi guys,n

I am looking for a guest redirection to an external captive portal, not to use ISE as captive portal, could anybody provide some reference about?

Kind Regards,

Juan