Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1152
Views
0
Helpful
0
Replies

Authentication and CoA from external guest portal

Martin Kyrc
Level 3
Level 3

‎10-18-2019 05:50 AM - edited ‎10-18-2019 08:36 AM

Hello,
I'm not sure is this is correct discussion group but I think yes, because I need some developer answer. Maybe somebody here can help.

Use case in short:

  1. guest is connecting to "free wifi" (mab filtering)
  2. guest is redirecting to external guest portal with some cripting on server-side (this is not ISE build-in guest portal, but external web server with some custom logic)
  3. guest insert login and pass in external guest portal
  4. external portal verify guest against ISE
  5. and starts CoA (this is the step where I have question)

my setup:

  • WLC v8.5, ISE v2.3 
  • external guest portal is running on Linux machine (apache2/nginx with php capapilities)

above described steps in detail:

step1a: WLC and ISE configuation is clear. with redirection is operational. no problem here.

step1b: ISE configuration is clear. ISE send in RADIUS answer some av-pairs:

  • cisco avp: "url-redirect=https://<ext-portal>/?sessionId=sessionIdValue" ("sessionIdValue" string is replacing with session id by ISE)
  • cisco avp: "url-redirect-acl=acl-redirect"

step2a: guest is connected and checking internet connectivity. matches (deny definition) ACL (defined in "url-redirect-acl" radius answer from step1b). WLC send back to guest "HTTP Location: <redirecting-location>" (redirecting location is "url-redirect" value from radius answer in steb1b)

step2b: guest sends "GET https://<ext-portal>/?sessionId=sessionIdValue"

step2c: script on ext-portal get's guest data (It is not possible use RestAPI for this reason. this is only one option how to get information from guest).

How to get "session information" values:

GET https://<ise>/admin/API/mnt/Session/Active/SessionID/<sessionId>/0

<activeSessionList noOfActiveSession="1">
  <activeSession>
    <calling_station_id>6C:FA:A7:44:D8:B6</calling_station_id>
    <orig_calling_station_id>6c-fa-a7-44-d8-b6</orig_calling_station_id>
    <session_state_bit>0</session_state_bit>
    <session_source>0</session_source>
    <acct_session_time>0</acct_session_time>
    <nas_ip_address>192.168.119.10</nas_ip_address>
    <framed_ipv6_address/>
    <auth_method>mab</auth_method>
    <auth_protocol>Lookup</auth_protocol>
    <endpoint_policy>Microsoft-Workstation</endpoint_policy>
    <server>lab-ise</server>
    <paks_in>0</paks_in>
    <paks_out>0</paks_out>
    <bytes_in>0</bytes_in>
    <bytes_out>0</bytes_out>
  </activeSession>
</activeSessionList>

step3: guest is entering login and pass. webform's action send data back to external guest portal (server side). in other words I have:

  • from my guest portal:
    • username
    • password
  • from ISE (see previous step)
    • sessionId (this is "session id" for ISE and I think shared with WLC)
    • calling_station_id (this is MAC address of the guest)
    • nas_ip_address (this is IP address of the WLC)

step4: QUESTION

  • Note: Both methods are initiated from PHP script running on external portal
  • RADIUS method:
    • AUTH part: I can authorize login+pass to RADIUS server (it is working, radius server is ISE)
    • CoA part: QUESTION1: if auth is passed, then I need send RADIUS CoA to WLC (I'm not sure how correct can I build RADIUS CoA pattern - see end of this post)
  • or "HTTP" method:
    • QUESTION2: Another solution can be (can be?) "HTTP call" from script directly to build-in guest portal (ISE) with information in answer about "authentication state". When auth is correct, CoA process is started (is it?) from ISE point of view (Am I correct?).

Everything till step4 is clear and working. I'd like to solve QUESTION1 (build correct CoA to WLC) because i think it's better solution. If it's not possible, my other QUESITION2 is about authenticating guest against HTTP build-in (ISE) portal as backend HTTP call from ext-portal script if it's possible.

I'm starting from this document: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html.

Here is part of PHP script with CoA list of parameters that are sending to WLC (RADIUS_* are constants based on RFC radius atributes):

radius_create_request($res, RADIUS_COA_REQUEST);
radius_put_addr($res, RADIUS_NAS_IP_ADDRESS, $nas_ip_address);
radius_put_string($res, RADIUS_CALLING_STATION_ID, $calling_station_id);
radius_put_string($res, RADIUS_USER_NAME, $user);
radius_put_vendor_string($res, RADIUS_VENDOR_CISCO, RADIUS_CISCO_AV_PAIR, "subscriber:command=reauthenticate");
// radius_put_string($res, RADIUS_ACCT_SESSION_ID, $sessionId); << I'm not sure if this is required

Can anybody help with this? Thanks.

At the end: I can't use build-in ISE guest portal because above described scenario is a part of bigger customized solution for customer.

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents