Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
467
Views
0
Helpful
0
Replies
Martin Kyrc
Participant
Participant
‎10-18-2019 05:50 AM
‎10-18-2019 05:50 AM

Authentication and CoA from external guest portal

Hello,
I'm not sure is this is correct discussion group but I think yes, because I need some developer answer. Maybe somebody here can help.

Use case in short:

  1. guest is connecting to "free wifi" (mab filtering)
  2. guest is redirecting to external guest portal with some cripting on server-side (this is not ISE build-in guest portal, but external web server with some custom logic)
  3. guest insert login and pass in external guest portal
  4. external portal verify guest against ISE
  5. and starts CoA (this is the step where I have question)

my setup:

  • WLC v8.5, ISE v2.3 
  • external guest portal is running on Linux machine (apache2/nginx with php capapilities)

above described steps in detail:

step1a: WLC and ISE configuation is clear. with redirection is operational. no problem here.

step1b: ISE configuration is clear. ISE send in RADIUS answer some av-pairs:

  • cisco avp: "url-redirect=https://<ext-portal>/?sessionId=sessionIdValue" ("sessionIdValue" string is replacing with session id by ISE)
  • cisco avp: "url-redirect-acl=acl-redirect"

step2a: guest is connected and checking internet connectivity. matches (deny definition) ACL (defined in "url-redirect-acl" radius answer from step1b). WLC send back to guest "HTTP Location: <redirecting-location>" (redirecting location is "url-redirect" value from radius answer in steb1b)

step2b: guest sends "GET https://<ext-portal>/?sessionId=sessionIdValue"

step2c: script on ext-portal get's guest data (It is not possible use RestAPI for this reason. this is only one option how to get information from guest).

How to get "session information" values:

GET https://<ise>/admin/API/mnt/Session/Active/SessionID/<sessionId>/0

<activeSessionList noOfActiveSession="1">
  <activeSession>
    <calling_station_id>6C:FA:A7:44:D8:B6</calling_station_id>
    <orig_calling_station_id>6c-fa-a7-44-d8-b6</orig_calling_station_id>
    <session_state_bit>0</session_state_bit>
    <session_source>0</session_source>
    <acct_session_time>0</acct_session_time>
    <nas_ip_address>192.168.119.10</nas_ip_address>
    <framed_ipv6_address/>
    <auth_method>mab</auth_method>
    <auth_protocol>Lookup</auth_protocol>
    <endpoint_policy>Microsoft-Workstation</endpoint_policy>
    <server>lab-ise</server>
    <paks_in>0</paks_in>
    <paks_out>0</paks_out>
    <bytes_in>0</bytes_in>
    <bytes_out>0</bytes_out>
  </activeSession>
</activeSessionList>

step3: guest is entering login and pass. webform's action send data back to external guest portal (server side). in other words I have:

  • from my guest portal:
    • username
    • password
  • from ISE (see previous step)
    • sessionId (this is "session id" for ISE and I think shared with WLC)
    • calling_station_id (this is MAC address of the guest)
    • nas_ip_address (this is IP address of the WLC)

step4: QUESTION

  • Note: Both methods are initiated from PHP script running on external portal
  • RADIUS method:
    • AUTH part: I can authorize login+pass to RADIUS server (it is working, radius server is ISE)
    • CoA part: QUESTION1: if auth is passed, then I need send RADIUS CoA to WLC (I'm not sure how correct can I build RADIUS CoA pattern - see end of this post)
  • or "HTTP" method:
    • QUESTION2: Another solution can be (can be?) "HTTP call" from script directly to build-in guest portal (ISE) with information in answer about "authentication state". When auth is correct, CoA process is started (is it?) from ISE point of view (Am I correct?).

Everything till step4 is clear and working. I'd like to solve QUESTION1 (build correct CoA to WLC) because i think it's better solution. If it's not possible, my other QUESITION2 is about authenticating guest against HTTP build-in (ISE) portal as backend HTTP call from ext-portal script if it's possible.

I'm starting from this document: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html.

Here is part of PHP script with CoA list of parameters that are sending to WLC (RADIUS_* are constants based on RFC radius atributes):

radius_create_request($res, RADIUS_COA_REQUEST);
radius_put_addr($res, RADIUS_NAS_IP_ADDRESS, $nas_ip_address);
radius_put_string($res, RADIUS_CALLING_STATION_ID, $calling_station_id);
radius_put_string($res, RADIUS_USER_NAME, $user);
radius_put_vendor_string($res, RADIUS_VENDOR_CISCO, RADIUS_CISCO_AV_PAIR, "subscriber:command=reauthenticate");
// radius_put_string($res, RADIUS_ACCT_SESSION_ID, $sessionId); << I'm not sure if this is required

Can anybody help with this? Thanks.

At the end: I can't use build-in ISE guest portal because above described scenario is a part of bigger customized solution for customer.

Labels:
0 Helpful
0 REPLIES 0
Latest Contents
Creating additional applications that can help businesses ma...
Created by Oleksii_ on 04-04-2018 01:18 AM
0
0
0
0
This article will consider the options for using the CMX API to solve business tasks and also some features of using JSON data obtained from CMX.Thanks to the Cisco CMX solutions, Wi-Fi, as an usual network access tool, can turn into a powerful analytics ... view more
Meraki Dashboard API - Create Admin User with Node-RED
Created by DexterLabora on 06-10-2017 03:35 PM
1
5
1
5
Just completed a demo project to use the Meraki Dashboard APIs with Node-RED.The goal was to build a simple web form that could send the information to Meraki. I thoughtbuilding an Admin tool would be helpful. It can easily be adjusted as a registration f... view more
Postman Collection for the Meraki Dashboard API - Updated
Created by DexterLabora on 05-30-2017 03:37 AM
1
1
1
1
Get the Meraki Postman Collection!Postman Collection: Meraki Dashboard Prov APIDashboard Docs: Meraki DashboardAboutMeraki has an API for managing your cloud network. Although the Dashboard website is very powerful, you may want to manage your network in ... view more
Enhancing Google Form capabilities
Created by nakashima_k on 05-25-2017 04:22 PM
0
4
0
4
Hi Community !I’ve used Google forms before for basic surveys and recently learned a few new tricks with Google Apps Script (JavaScript based) thanks to a colleague - Cory Guynn. You can really enhance a basic form’s capabilities with the built-in script ... view more
whereis Spark Bot - Integrating Spark and CMX
Created by Matthew Fowler on 05-15-2017 06:35 PM
1
10
1
10
What is whereis?Earlier this year I created the whereis Spark Bot (whereis@sparkbot.io) to address a challenge I faced in the new Cisco North Sydney office (see - The Australian). While the space gives maximum flexibility in work style, and the technology... view more
Content for Community-Ad