Any possibility of using Guest wireless CWA without opening port 1700 CoA

umahar
Cisco Employee

Hi,

 

Is it remotely possible, using any workarounds, for wireless CWA to work without CoA over 1700?

I will try and send CoA AVPs in the RADIUS Access-Accept, but I believe I already tested that a long time back and it didn't work.

However I've been on calls where TAC suggested that this worked in one of their environments.

 

Basically the customer does not want ISE in the DMZ zone to reach back to the WLC on port 1700 in the inside network.


Arne Bier
VIP

A CoA does not take place during authentication.  That's the whole point. You can put arbitrary attributes into an Access-Accept but the NAS will just ignore them.  CoA is not used in this context at all, because CoA is not used during an authentication flow.

 

When RADIUS was invented, the flow was always NAS->Radius_Server - typical client/server stuff.  The RADIUS server never initiated anything.  Until CoA came along.  Because there was a need for the RADIUS server to *occasionally* do something to the NAS.  It had to change the state of a previous authorization (CoA).  And that's the point - the RADIUS server now needs to talk to the NAS using the RADIUS protocol - but the RFC didn't re-use 1645/1812 - they decided to keep it separate and used RFC standard UDP/3799 (or in the Cisco world, UDP/1700).  This should not pose a security risk to anyone really.  If the customer is concerned then perhaps they can try Radius Sec (DTLS) - but funnily enough, that runs on yet another UDP port :-p

I was looking for information on this. With 3rd party profiles you might be able to change the port number (might be restricted to only 2 choices for CoA ports), but then what about the wireless controller?

howon
Cisco Employee

Being able to CoA is central (no pun intended) to making CWA work. Realize that we are forcing two separate MABs here with CWA. The initial MAB is where we simply assign URL redirect parameters (ACL and redirect destination), and the second MAB happens after the user successfully logs in to the ISE portal page. Since the NAD is not aware of whether the portal login was successful or not, it has to be ISE which notifies the NAD to re-authenticate, so ISE can remove the redirect parameters and assign the proper policy for the user.

Just to entertain the thought here for a bit, imagine if there was no such thing as CoA. You could make the NAD re-authenticate the endpoint every X seconds to see if the portal login succeeded. However, you would end up with an overwhelming number of MAB requests until the user enters the correct username and password.

Alternatively, you can look into LWA instead which doesn't rely on CoA.

umahar
Cisco Employee

Thank you all for your responses.

I totally agree with all of you and expressed the same message to the customer.

Was wondering if there is even a remotely possible option out there (even out of the box).

Better that customer hears it from me than someone else :P

 

PS: I did select the email notification option but didn't get any email of responses.

Don't know of one, otherwise I would share. Would recommend telling the customer there isn't an option and this is a standard.

Not sure what email notification is referring to? If it's a problem with the community, please reach out to their support.