Hello,
I'm not sure if this is the correct discussion group, but I think yes, because I need some developer answer. Maybe somebody here can help.
Use case in short:
- guest is connecting to "free wifi" (mab filtering)
- guest is redirected to an external guest portal with some scripting on the server side (this is not the ISE built-in guest portal, but an external web server with some custom logic)
- guest inserts login and pass in the external guest portal
- external portal verifies the guest against ISE
- and starts CoA (this is the step where I have question)
my setup:
- WLC v8.5, ISE v2.3
- external guest portal is running on a Linux machine (apache2/nginx with php capabilities)
above described steps in detail:
step1a: WLC and ISE configuration is clear, redirection is operational. No problem here.
step1b: ISE configuration is clear. ISE sends some av-pairs in the RADIUS answer:
- cisco avp: "url-redirect=https://<ext-portal>/?sessionId=sessionIdValue" (the "sessionIdValue" string is replaced with the session id by ISE)
- cisco avp: "url-redirect-acl=acl-redirect"
step2a: guest is connected and checks internet connectivity. It matches the (deny definition) ACL (defined in the "url-redirect-acl" radius answer from step1b). WLC sends back to the guest "HTTP Location: <redirecting-location>" (redirecting location is the "url-redirect" value from the radius answer in step1b)
step2b: guest sends "GET https://<ext-portal>/?sessionId=sessionIdValue"
step2c: script on ext-portal gets the guest data (It is not possible to use the REST API for this purpose; this is the only option to get information about the guest).
How to get "session information" values:
GET https://<ise>/admin/API/mnt/Session/Active/SessionID/<sessionId>/0
<activeSessionList noOfActiveSession="1">
<activeSession>
<calling_station_id>6C:FA:A7:44:D8:B6</calling_station_id>
<orig_calling_station_id>6c-fa-a7-44-d8-b6</orig_calling_station_id>
<session_state_bit>0</session_state_bit>
<session_source>0</session_source>
<acct_session_time>0</acct_session_time>
<nas_ip_address>192.168.119.10</nas_ip_address>
<framed_ipv6_address/>
<auth_method>mab</auth_method>
<auth_protocol>Lookup</auth_protocol>
<endpoint_policy>Microsoft-Workstation</endpoint_policy>
<server>lab-ise</server>
<paks_in>0</paks_in>
<paks_out>0</paks_out>
<bytes_in>0</bytes_in>
<bytes_out>0</bytes_out>
</activeSession>
</activeSessionList>
step3: guest is entering login and pass. The webform's action sends data back to the external guest portal (server side). In other words I have:
- from my guest portal:
- from ISE (see previous step)
- sessionId (this is "session id" for ISE and I think shared with WLC)
- calling_station_id (this is MAC address of the guest)
- nas_ip_address (this is IP address of the WLC)
step4: QUESTION
- Note: Both methods are initiated from a PHP script running on the external portal
- RADIUS method:
- AUTH part: I can authorize login+pass to RADIUS server (it is working, radius server is ISE)
- CoA part: QUESTION1: if auth is passed, then I need to send a RADIUS CoA to the WLC (I'm not sure how correctly I can build the RADIUS CoA pattern - see end of this post)
- or "HTTP" method:
- QUESTION2: Another solution can be (can be?) an "HTTP call" from the script directly to the built-in guest portal (ISE) with information in the answer about the "authentication state". When auth is correct, the CoA process is started (is it?) from the ISE point of view (Am I correct?).
Everything till step4 is clear and working. I'd like to solve QUESTION1 (build a correct CoA to the WLC) because I think it's the better solution. If it's not possible, my other QUESTION2 is about authenticating the guest against the built-in (ISE) HTTP portal as a backend HTTP call from the ext-portal script, if it's possible.
I'm starting from this document: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html.
Here is part of the PHP script with the CoA list of parameters that are sent to the WLC (RADIUS_* are constants based on RFC radius attributes, from the PECL radius extension):
$res = radius_auth_open();
// The CoA goes to the WLC itself, not to ISE. $coa_port and $coa_secret must match
// the CoA (RFC 5176) port and shared secret configured on the WLC (assumed to be set above).
radius_add_server($res, $nas_ip_address, $coa_port, $coa_secret, 5, 3);
radius_create_request($res, RADIUS_COA_REQUEST);
radius_put_addr($res, RADIUS_NAS_IP_ADDRESS, $nas_ip_address);
radius_put_string($res, RADIUS_CALLING_STATION_ID, $calling_station_id);
radius_put_string($res, RADIUS_USER_NAME, $user);
radius_put_vendor_string($res, RADIUS_VENDOR_CISCO, RADIUS_CISCO_AV_PAIR, "subscriber:command=reauthenticate");
// radius_put_string($res, RADIUS_ACCT_SESSION_ID, $sessionId); << I'm not sure if this is required
// Returns RADIUS_COA_ACK or RADIUS_COA_NAK from the WLC, or false on error (see radius_strerror($res)).
$reply = radius_send_request($res);
Can anybody help with this? Thanks.
At the end: I can't use the built-in ISE guest portal because the above described scenario is a part of a bigger customized solution for the customer.
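As an added example (not code from the post above, and written in Python rather than the portal's PHP so the packet layout is visible), here is the same CoA-Request built by hand per RFC 5176 with the attributes listed in the PHP fragment, the Request Authenticator computation, the Response Authenticator check a portal should apply to the WLC's CoA-ACK/NAK before treating the CoA as done, and a small parser for the activeSession XML from step 2c. The MAC address and NAS IP are the ones from the post; the shared secret, user name and packet identifier are constructed placeholders, and build_coa_reply only simulates the WLC side so the exchange can be tested offline.

```python
import hashlib
import hmac
import socket
import struct
import xml.etree.ElementTree as ET

# RADIUS packet codes (RFC 2865, RFC 5176)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used by the CoA in the post (RFC 2865 / RFC 2866)
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 26, 31, 44
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Specific: vendor 9 (Cisco), sub-type 1 (cisco-avpair)


def _avp(attr_type, value):
    """Type-Length-Value attribute; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _cisco_avpair(avpair):
    """Vendor-Specific attribute wrapping one cisco-avpair string (RFC 2865 section 5.26)."""
    inner = _avp(CISCO_AVPAIR, avpair.encode())
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret, identifier, nas_ip, calling_station_id, user_name,
                      command="subscriber:command=reauthenticate", acct_session_id=None):
    """CoA-Request carrying the same attributes as the PHP fragment in the post."""
    attrs = (_avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _avp(CALLING_STATION_ID, calling_station_id.encode())
             + _avp(USER_NAME, user_name.encode())
             + _cisco_avpair(command))
    if acct_session_id is not None:          # optional Acct-Session-Id, as in the commented-out line
        attrs += _avp(ACCT_SESSION_ID, acct_session_id.encode())
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attrs))
    # RFC 5176 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_authenticator(packet):
    return packet[4:20]


def build_coa_reply(code, request, secret, attrs=b""):
    """Simulated NAS side: the CoA-ACK/NAK a WLC returns for `request` (RFC 5176 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_response(response, request_auth, secret):
    """Return 44 (ACK) or 45 (NAK) only if the reply is well-formed and its Response
    Authenticator, MD5(Code+ID+Length+RequestAuth+Attributes+Secret), matches; else None.
    Without this check a portal would accept any spoofed UDP reply as a successful CoA."""
    if len(response) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code not in (COA_ACK, COA_NAK):
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def send_coa(packet, nas_ip, secret, port=3799, timeout=3.0):
    """Send the CoA over UDP to the WLC and return the verified reply code (None on timeout or bad reply).
    3799 is the RFC 5176 default; use whatever CoA port the WLC is actually configured with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nas_ip, port))
        try:
            data, _addr = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_coa_response(data, request_authenticator(packet), secret)


def parse_active_session(xml_text):
    """Flatten the <activeSession> element of the MnT Session/Active answer into a dict."""
    root = ET.fromstring(xml_text)
    session = root.find("activeSession")
    if session is None:
        return {}
    return {child.tag: (child.text or "") for child in session}


# Constructed sample: a trimmed copy of the XML shown in step 2c of the post
SAMPLE_SESSION_XML = """<activeSessionList noOfActiveSession="1">
<activeSession>
<calling_station_id>6C:FA:A7:44:D8:B6</calling_station_id>
<nas_ip_address>192.168.119.10</nas_ip_address>
<auth_method>mab</auth_method>
</activeSession>
</activeSessionList>"""

if __name__ == "__main__":
    info = parse_active_session(SAMPLE_SESSION_XML)
    pkt = build_coa_request(b"coa-secret-placeholder", 7, info["nas_ip_address"],
                            info["calling_station_id"], "guest-user-placeholder")
    print(len(pkt), pkt.hex())   # 94-octet CoA-Request; send_coa(pkt, nas_ip, secret) would deliver it
```

The portal should pick a fresh identifier per request and treat anything other than a verified ACK as a failed CoA; a NAK usually carries an Error-Cause attribute in the trailing bytes that is worth logging.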