VIP Engager

H3C WX Series and Central Web Auth

Hi

Anyone had experience with integrating ISE Central Web Auth with H3C WX series wireless controllers (e.g. H3C WX5004 and H3C WX5002V2)?

I had a look at ISE Third-Party NAD Profiles and Configs but that product is not listed there.

I have a suspicion that they don't handle URL redirection.  I find their documentation is a bit tricky to understand.

Accepted Solutions
VIP Engager

Re: H3C WX Series and Central Web Auth

Hi @Jason Kunst

I finally got around to writing up my solution to this question in a new article here.

Cisco Employee

Re: H3C WX Series and Central Web Auth

Arne, if they don't then you can use the ISE auth VLAN DHCP/DNS feature.

Advocate

Re: H3C WX Series and Central Web Auth

I did work with another account team to prove out the WX5002 under ISE 2.0 (before the Auth VLAN feature). Most flows were successfully validated, including some enhancements to ensure proper working with BYOD. Since this testing was conducted outside of Cisco QA and before we started posting to the community, the NAD profile and config were never collected for posting. From my notes, the default HP Wireless profile was used.

VIP Engager

Re: H3C WX Series and Central Web Auth

Hi Craig

I started testing ISE Guest integration with an H3C WX5004 today and we used the H3C's CLI config snippet posted on the community forum.  It's somewhat useful and we have a half working solution so far.  I am wondering how you got the CoA working?  Does the H3C understand CoA?

And then how do you tell it which ACL's to apply (e.g. Portal ACL vs Guest Authenticated ACL)?

regards

Arne

Advocate

Re: H3C WX Series and Central Web Auth

Mixed feedback on the CoA support.  One report for WX5002 was that it did not, but then had another team validate the same platform with CWA and other web-enabled flows with CoA.  So there may be changes based on version deployed or hw revs.  Ultimately would need validation with your specific product and version.

The sample config posted shows that the H3C supports a static URL. In that case, you set the portal to be the one generated in the ISE Authorization Profile for 3rd-party redirect. The URL redirect type is set in the NAD Profile.

Here is an example from the posted H3C config: HP-H3C-A5500-NAD-Config

#

portal server iseportal ip 10.10.13.188 port 8443 url https://10.10.13.188:8443/portal/gateway?portal=a6b8fa70-fc3e-11e4-a67c-005056bf2f0a&action=cwa

#

portal free-rule 10 source ip any destination ip any

#

In the above example, the actual redirect URL was listed. However, we provide an option to set a "normalized URL" to reduce the length of the entry. Example:

     https://iseHost:8443/portal/g?p=6Rqz8dJ91WOjPibM6BAP5JQPEb

Once the user is redirected to the PSN, it will be redirected again to the more detailed URL shown in the config snippet.

Craig

Cisco Employee

Re: H3C WX Series and Central Web Auth

Hi,

The following H3C WLAN devices support RADIUS CoA.

Software version:

  • WX2500E-CMW520-E3703P61 (WX2540E)
  • WAC360-CMW520-E3703P61 (WAC360 series)
  • WX5004-CMW520-R2509P61 (WX5000 series)
  • WX3500E-CMW520-R3709P61 (WX3500E series)
  • WX6103-CMW520- R2509P61 (WX6000 series)
  • WX5500E-CMW520-R2609P61 (WX5500E series)
  • WX3000-CMW520-R3509P61 (WX3000E series)

HPE (H3C) 830 WLAN also.

To configure the CoA client on the NAD:

"radius dynamic-author client trusted ip < ISE ip-address>"

"undo radius dynamic-author client trusted" to remove it

Default behavior is:

The device does not trust the DAE packets sent by any IP addresses.

To configure the CoA port on the NAD:

"radius dynamic-author port" to specify the UDP port for listening for and receiving DAE packets.

Default value: UDP port number is 3799.

To validate whether your device supports CoA, try this command on the device: "radius dynamic-author client trusted ip < ISE ip-address>"
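The CoA client and port settings above describe one side of an RFC 5176 exchange. The following is an added example (not Cisco or H3C code, and not from this thread) that models both ends of that exchange offline: ISE as the Dynamic Authorization Client building a CoA-Request, and the controller as the DAE server applying the three checks those settings imply: the source must be a trusted client, the Request Authenticator must verify under the shared secret, and a session must exist for the endpoint, otherwise it answers CoA-NAK with Error-Cause 503 (Session Context Not Found). The shared secret, MAC addresses and the session table are constructed values; the PSN address is the one from the config snippet earlier in the thread.

```python
"""RFC 5176 CoA-Request / CoA-ACK / CoA-NAK exchange modelled offline.

Added example, not Cisco ISE or H3C code.  The shared secret, MACs and the
controller's session table below are constructed values (assumptions).
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45      # RFC 5176 packet codes
CALLING_STATION_ID, ERROR_CAUSE = 31, 101       # RADIUS attribute types
SESSION_CONTEXT_NOT_FOUND = 503                 # RFC 5176 Error-Cause value
DAE_PORT = 3799                                 # default "radius dynamic-author port"

# Constructed values (assumptions for this example)
SECRET = b"example-shared-secret"
ISE_PSN_IP = "10.10.13.188"                     # PSN address from the config snippet in the thread
NAD_TRUSTED_DACS = {ISE_PSN_IP}                 # effect of "radius dynamic-author client trusted ip"
NAD_SESSIONS = {"00-11-22-33-44-55"}            # MACs with an active session on the controller


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        elif isinstance(value, int):
            value = struct.pack("!I", value)
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_coa_request(ident, attrs, secret=SECRET):
    """DAC side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, ident, request_auth, attrs, secret=SECRET):
    """DAE side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+attrs+secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def decode(packet):
    """Parse a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def nad_handle_coa(packet, src_ip, trusted=NAD_TRUSTED_DACS, sessions=NAD_SESSIONS, secret=SECRET):
    """Controller side.  Returns the reply packet, or None where RFC 5176 says 'silently discard'."""
    if src_ip not in trusted:           # default: no DAE source is trusted at all
        return None
    code, ident, auth, attrs = decode(packet)
    if code != COA_REQUEST:
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, auth):   # wrong secret or tampered packet
        return None
    mac = dict(attrs).get(CALLING_STATION_ID, b"").decode()
    if mac in sessions:
        return build_response(COA_ACK, ident, auth, [], secret)
    return build_response(COA_NAK, ident, auth, [(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND)], secret)


def ise_verify_response(response, request, secret=SECRET):
    """DAC side: verify identifier and Response Authenticator, return (code, error_cause)."""
    if response is None:
        return None
    code, ident, auth, attrs = decode(response)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, auth):
        raise ValueError("bad identifier or Response Authenticator")
    attr_map = dict(attrs)
    cause = struct.unpack("!I", attr_map[ERROR_CAUSE])[0] if ERROR_CAUSE in attr_map else None
    return code, cause


if __name__ == "__main__":
    req = build_coa_request(1, [(CALLING_STATION_ID, "00-11-22-33-44-55")])
    print("known session:", ise_verify_response(nad_handle_coa(req, ISE_PSN_IP), req))
    req = build_coa_request(2, [(CALLING_STATION_ID, "aa-bb-cc-dd-ee-ff")])
    print("unknown session:", ise_verify_response(nad_handle_coa(req, ISE_PSN_IP), req))
```

The NAK-with-503 branch is the wire-level form of the problem discussed later in this thread: a controller that never built a session for the endpoint has nothing to act on, whatever ISE sends. The `None` returns are the cases you would never see in an ISE CoA log either, because the controller drops the datagram without answering.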

VIP Engager

Re: H3C WX Series and Central Web Auth

Hi @smashash and @Jason Kunst

 

I have revisited this topic and I noticed something that I'd like confirmation on please.  

The HPE wireless controller that I am working with is supported, but after speaking to HPE and Aruba engineers, they tell me that I have to use an auth-vlan mechanism on the HPE controller. And when I implemented this as they directed, I can't get it to work because I never see the CoA from ISE.

 

Here is what happens

1) HPE Controller sends MAC address to ISE

2) ISE does lookup and doesn't find it - ISE sends Access-Reject to HPE controller (this is the crux of it)

3) HPE gets Access-Reject and places user in auth-vlan and kicks off a URL redirection (which points to ISE)

4) User logs into ISE portal successfully - gets success page because credentials match.

5) .....*BOOOOOM* - ISE doesn't send a CoA because it doesn't have a session for this portal login .... since ISE sent an Access-Reject.   

 

CoA only seems possible if ISE has an active session as a result of a positive MAB auth.  Is this true?  I mean, if I send an Access-Reject to a NAS, I don't expect an Accounting Start to come back as a result!!!  That would be weird.

 

If Craig were still around I would have asked him this, but he mentioned in earlier responses in this thread that the ISE 2.0 config was never captured.  Pity.  

 

 

Cisco Employee

Re: H3C WX Series and Central Web Auth

Hi Arne,

That is correct. It requires an active session in ISE to send CoA.

 

Have you tried the Auth-VLAN (Guest-VLAN) solution for 3rd-party NADs?

more info:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200604-Configure-Third-Party-NAD-Redirection-on.html

 

VIP Engager

Re: H3C WX Series and Central Web Auth

@smashash - thanks for the link - @Jason Kunst my customer has started evaluating this but it's not a trivial matter, since we have around 900 locations, each needing its own DHCP scope. The PSNs are centrally located in two DCs.

And then the operational overhead - try adding 900 scopes into an ISE GUI!!! And then we don't only have one PSN - we have 4. This config doesn't replicate across PSNs. How does one manage the DHCP leases? Is there management and monitoring for this in ISE?

 

Cisco Employee

Re: H3C WX Series and Central Web Auth

The subnet can only reside on one PSN, so there would be no replication or config sync needed, right?

Have to research the other question but likely no way to monitor from what you see now


Cisco Employee

Re: H3C WX Series and Central Web Auth

ISE manages active sessions in order to send CoA.

Why not use ISE auth VLAN instead?
VIP Engager

Re: H3C WX Series and Central Web Auth

@Jason Kunst and @smashash

After a whole day of hacking around on the H3C WX 5004, we got it working :-)

 

The trick was to NOT send ACCESS-REJECT as suggested by HPE - but rather, to send ACCESS-ACCEPT.  Grrrrrr!!!!

This of course causes a session to be built in ISE that is then later used for the CoA function (a very crucial part of the equation).

The second trick was to always perform dynamic VLAN override - ISE needs to send back the auth VLAN in the "MAC unknown in ISE" flow.  And in the "MAC known in ISE" flow we send back the Guest VLAN.

Booom!  Works.  I can even send an ACL to the controller via the RADIUS Filter-Id attribute.

 

We're also running some ancient version of Comware for those who are interested - Release 2509P51
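The two "tricks" in the post above (Access-Accept instead of Access-Reject, and dynamic VLAN override in both the unknown-MAC and known-MAC branches) are easier to see side by side. The following is an added example, not ISE or H3C code and not from this thread, that models the ISE decision and session table for both variants of the flow: the HPE-suggested Access-Reject, which leaves ISE with no session to send a CoA against, and the working Access-Accept flow, which returns the auth VLAN plus a portal ACL in Filter-Id first and the guest VLAN plus guest ACL once the endpoint is known. VLAN numbers, ACL names, the MAC address and the guest account are constructed values.

```python
"""Model of the MAB + Central Web Auth decision described in the post above.

Added example, not ISE or H3C code.  Only the RADIUS reply attributes and the
ISE session table are modelled; VLANs, ACL names, MAC and guest account are
constructed values (assumptions).
"""

# Constructed values (assumptions, not from the thread)
AUTH_VLAN = "100"                    # "auth VLAN": unknown MAC, traffic redirected to the portal
GUEST_VLAN = "200"                   # VLAN for an endpoint already known to ISE as a guest
PORTAL_ACL = "ISE-PORTAL-REDIRECT"   # pushed via Filter-Id during the redirect phase
GUEST_ACL = "GUEST-INTERNET-ONLY"    # pushed via Filter-Id after the portal login
GUEST_ACCOUNTS = {"guest1": "Welcome123"}


def access_accept(vlan, acl):
    """Access-Accept with dynamic VLAN override (Tunnel-* attributes) and an ACL via Filter-Id."""
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",              # attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",   # attribute 65, value 6
        "Tunnel-Private-Group-ID": vlan,    # attribute 81
        "Filter-Id": acl,                   # attribute 11
    }


class IseModel:
    def __init__(self, reject_unknown_mac):
        # True models the HPE-suggested flow (Access-Reject for an unknown MAC);
        # False models the working flow (Access-Accept into the auth VLAN).
        self.reject_unknown_mac = reject_unknown_mac
        self.known_guest_macs = set()   # endpoints registered through the guest portal
        self.sessions = {}              # MAC -> reply sent; only an Access-Accept creates an entry
        self.coa_sent = []              # MACs for which a CoA was issued after portal login

    def mab(self, mac):
        """MAC Authentication Bypass request from the controller."""
        if mac in self.known_guest_macs:
            reply = access_accept(GUEST_VLAN, GUEST_ACL)     # "MAC known in ISE" flow
        elif self.reject_unknown_mac:
            return {"code": "Access-Reject"}                  # no session is built
        else:
            reply = access_accept(AUTH_VLAN, PORTAL_ACL)     # "MAC unknown in ISE" flow
        self.sessions[mac] = reply
        return reply

    def portal_login(self, mac, username, password):
        """Guest portal login.  A CoA can only be sent when a session exists for the MAC."""
        if GUEST_ACCOUNTS.get(username) != password:
            return "login failed"
        self.known_guest_macs.add(mac)  # register the endpoint: next MAB takes the "known" branch
        if mac not in self.sessions:
            return "login ok, no session: CoA not sent"
        self.coa_sent.append(mac)
        return "login ok, CoA sent"


def run_flow(reject_unknown_mac, mac="00-11-22-33-44-55"):
    """Return (first MAB reply, portal outcome, MAB reply after re-authentication)."""
    ise = IseModel(reject_unknown_mac)
    first = ise.mab(mac)
    outcome = ise.portal_login(mac, "guest1", "Welcome123")
    second = ise.mab(mac)   # what the controller receives when the client re-authenticates
    return first, outcome, second


if __name__ == "__main__":
    for reject in (True, False):
        first, outcome, second = run_flow(reject)
        print(f"reject_unknown_mac={reject}: {first['code']} -> {outcome} -> "
              f"VLAN {second.get('Tunnel-Private-Group-ID')} / ACL {second.get('Filter-Id')}")
```

With `reject_unknown_mac=True` the login succeeds but the outcome is "CoA not sent", which matches the "*BOOOOOM*" step earlier in the thread; with `False` the same login triggers the CoA and the re-authentication lands in the guest VLAN with the guest ACL.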

 

Cisco Employee

Re: H3C WX Series and Central Web Auth

Nice! Good job!


Cisco Employee

Re: H3C WX Series and Central Web Auth

Nice work Arne, can you put it in a new document to share the clean assessment?
VIP Engager

Re: H3C WX Series and Central Web Auth

Sure thing.  Is there any particular format/template or location for this document?  I was planning to put the document under Cisco Community > Technology and Support > Security > Identity Services Engine (ISE)

Give me a few days and it will be done.