External webauth portal for webauth on EWC Catalyst Access Point

Fredo23 · ‎07-04-2023

Hi there,

I set up a guest access point with an external captive portal (OPNSense) but it doesnt work.

I have an AP configured in EWC mode and a corporate network works already.

Description of my network

Client ------- AP --------FW ------- OPNSense Captive Portal

Configuration on controller :

I have set up a parameter map with :

In General :

Type : webauth

In Advanced :

Redirect URL for login : <url of my external captive portal>

Portal IPV4 Address : <IP of my external captive portal>

On my guest WLAN I set up :

In Security :

Layer 2 Security Mode : None

Layer 3 : Web Policy Checked / Web Auth Parameter Map : the good policy is checked.

When I connect a PC on the guest WiFi Network : no redirection append but if i manually check in my browser the url of the external portal it works and I can log on.

Unfortunately, even with a successfull logon on my external portal, the AP does not let my computer pass on the WiFi network.

Thanks for the help.

Flavio Miranda · ‎07-04-2023

Hello,

"When I connect a PC on the guest WiFi Network : no redirection append"

This can be a DNS problem or a client problem. When you connect to a guest network, you are not allowed to access anything until you put your credentials on the portal. But, you need to have access to some services before you put your credentials. One of this service is DNS. Which means, when first connect to a guest network, your machine need to be able to talk with your DNS server from guest network in order to resolve the portal to an IP address and then talk to the portal server.

Another issue that usually happen on this situation is that some clients try to reach the internet when you connect them to a new network. Usually Androids try to access google, Apple devices the Apple and etc. If they can not access, they drop from the network and try another one.

Those are two problem I´ve seen related to the portal redirect.

"but if i manually check in my browser the url of the external portal it works and I can log on."

Where did you do this test? on the guest network or out of it? If out of it, it only means you can access the internet as your portal in on the internet. If you run the test inside the guest network, this is good cause this means the DNS is working.

"Unfortunately, even with a successfull logon on my external portal, the AP does not let my computer pass on the WiFi network."

This can be related to some Access list not being applied to your clients. The idea of guest is like this.

You connect to a open network and you must have not access but DHCP, DNS and guest portal. For this, must exist some kind of ACL.

Then, you get the portal, you put your credentials and then you get another ACL which will allow you to access the internet.

How to setup this ACL depends on how the guest works. This can an attribute send by the Radius server (on your case OPNSense)

or it can be assigned by the EWC. If send by OPNSense, you need to enable "allow aaa override" on the EWC.

But, you need to talk with OPNSense and ask them how you should configure your device. They must guide you on how to prepare your side.

Fredo23 · ‎07-04-2023

Where did you do this test ?

I did the test connected on the guest network.

On guest network i have access, as you mentionned, to DHCP, DNS resolving portal address and https access to my external portal.

On guest network with a web browser, i access to the external portal before any authentication.

The authentication on the external portal is a simple HTTPS username/password page linked to a internal database on the opnsense.

How the EWC can retrieve the information of a successfull login on this portal ?

Thanks a lot for your help.

Flavio Miranda · ‎07-04-2023

"How the EWC can retrieve the information of a successfull login on this portal ?"

It depends. If you are using CWA, which means you have a external radius dealing with the authetication process, the radius must sent to the WLC the information about sucess or failure based radius attributes. And for that, you need "aaa override " enable on the WLC.

Take a look on this guide. It might give you some direction.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc8

Fredo23 · ‎07-04-2023

Thanks for the link.

And what for an external web portal that use a simple username/password with a internal database ?

Flavio Miranda · ‎07-04-2023

https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/16-12/config-guide/ewc_cg_16_12/central_web_authentication.html

I think this link is more apropriated for your case.

When you say internal database you say the users will be created on the WLC, right?

Well, it was possible in other Cisco WLC but not sure if is possible with EWC.

Looking on the link above, I see this:

Check the Web Redirection (CWA, MDM, NSP, CPP) check box, and choose Centralized Web Auth from the drop-down list.

The option I see that can be used in your case is CWA, which requires a external radius.

Take a look on the security config for web auth and see the options. Unfortunatelly I dont have on EWC here.

Fredo23 · ‎07-04-2023

When you say internal database you say the users will be created on the WLC, right?

No, the user database is on the opnsense.

Check the Web Redirection (CWA, MDM, NSP, CPP) check box, and choose Centralized Web Auth from the drop-down list.

I dont have this options on EWC but I think its on ISE and i dont have it.

Flavio Miranda · ‎07-04-2023

CWA not necessary means ISE but an external radius. If opensense is a radius server, then it should work.

Can you share some prints on the WLAN and Guest configuration?

External webauth portal for webauth on EWC Catalyst Access Point

Liens rapides