Hello, I'm not sure is this is correct discussion group but I think yes, because I need some developer answer. Maybe somebody here can help.
Use case in short:
guest is connecting to "free wifi" (mab filtering)
guest is redirecting to external guest portal with some cripting on server-side (this is not ISE build-in guest portal, but external web server with some custom logic)
guest insert login and pass in external guest portal
external portal verify guest against ISE
and starts CoA (this is the step where I have question)
WLC v8.5, ISE v2.3
external guest portal is running on Linux machine (apache2/nginx with php capapilities)
above described steps in detail:
step1a: WLC and ISE configuation is clear. with redirection is operational. no problem here.
step1b: ISE configuration is clear. ISE send in RADIUS answer some av-pairs:
cisco avp: "url-redirect=https://<ext-portal>/?sessionId=sessionIdValue" ("sessionIdValue" string is replacing with session id by ISE)
cisco avp: "url-redirect-acl=acl-redirect"
step2a: guest is connected and checking internet connectivity. matches (deny definition) ACL (defined in "url-redirect-acl" radius answer from step1b). WLC send back to guest "HTTP Location: <redirecting-location>" (redirecting location is "url-redirect" value from radius answer in steb1b)
step3: guest is entering login and pass. webform's action send data back to external guest portal (server side). in other words I have:
from my guest portal:
from ISE (see previous step)
sessionId (this is "session id" for ISE and I think shared with WLC)
calling_station_id (this is MAC address of the guest)
nas_ip_address (this is IP address of the WLC)
Note: Both methods are initiated from PHP script running on external portal
AUTH part: I can authorize login+pass to RADIUS server (it is working, radius server is ISE)
CoA part: QUESTION1: if auth is passed, then I need send RADIUS CoA to WLC (I'm not sure how correct can I build RADIUS CoA pattern - see end of this post)
or "HTTP" method:
QUESTION2: Another solution can be (can be?) "HTTP call" from script directly to build-in guest portal (ISE) with information in answer about "authentication state". When auth is correct, CoA process is started (is it?) from ISE point of view (Am I correct?).
Everything till step4 is clear and working. I'd like to solve QUESTION1 (build correct CoA to WLC) because i think it's better solution. If it's not possible, my other QUESITION2 is about authenticating guest against HTTP build-in (ISE) portal as backend HTTP call from ext-portal script if it's possible.
This article will consider the options for using the CMX API to solve business tasks and also some features of using JSON data obtained from CMX.Thanks to the Cisco CMX solutions, Wi-Fi, as an usual network access tool, can turn into a powerful analytics ...
Just completed a demo project to use the Meraki Dashboard APIs with Node-RED.The goal was to build a simple web form that could send the information to Meraki. I thoughtbuilding an Admin tool would be helpful. It can easily be adjusted as a registration f...
Get the Meraki Postman Collection!Postman Collection: Meraki Dashboard Prov APIDashboard Docs: Meraki DashboardAboutMeraki has an API for managing your cloud network. Although the Dashboard website is very powerful, you may want to manage your network in ...
What is whereis?Earlier this year I created the whereis Spark Bot (email@example.com) to address a challenge I faced in the new Cisco North Sydney office (see - The Australian). While the space gives maximum flexibility in work style, and the technology...