Best Practices for VLAN switching using WebAuth and AD

bilclay
Cisco Employee

Hello - An ISE customer (and partner) of mine is looking for best practice guidance on ISE configuration for VLAN assignment based on AD creds via WebAuth. They would like their students to only have to WebAuth once every 90 days and are placed into a VLAN based on AD group membership.

 

The partner has created an ISE config where a student owned device (mostly Chromebooks)

1. joins the network for the first time and gets defaulted a WebAuth page.

2. Upon inputting AD creds, ISE policy runs again; they match a policy based on AD group membership and are then shown a second WebAuth AUP page. That second WebAuth page dumps them into a specific Endpoint Group, and

3. after they satisfy the second WebAuth page, ISE policy runs again and they match a VLAN switching AuthZ policy with that Endpoint Group.

4. They then manually purge endpoint groups every 90 days to force new WebAuth sessions. I think there is a better way!

 

I would like to confirm my idea and am curious if it is best practice. My idea:

1. Student owned device (mostly Chromebooks) joins the network for the first time and gets defaulted a WebAuth page.

2. After inputting AD creds, AUP appears. After satisfying AUP all endpoints get placed into the same Endpoint Group.

3. ISE policy runs again and we match a policy based on AD group membership and that single endpoint group. The AD group determines which AuthZ VLAN switching policy gets applied, and clients get dumped into the right VLAN with only ONE WebAuth page.

4. We then use guest timeout settings to automatically force WebAuth every 90 days.

 

Questions:

1. Will this config work? Is there a better way?

2. Will authentication logging capture the AD account associated with the Endpoint during that 90 days? Is this tied together via Session ID or another way?

 

Thanks so much - Trying to avoid 2x WebAuth pages!

Accepted Solution

howon
Cisco Employee

1. It is best to avoid VLAN change on a MAC-filtering/Open network if possible. Recommendation is to use 802.1X instead as supplicants can deal with VLAN changes upon reauthentication. But going back to the question, it will work, but if using reauthentication CoA, the endpoint may not realize that the VLAN has changed and may get stuck until reconnecting to the same WLAN. ISE guest portal has a feature to run a client-side script to renew the IP address for VLAN change, but I don't believe the script works with Chromebooks. To work around the issue, you can try forcing disconnect CoA instead. The caveat with disconnect CoA is that if there are other SSIDs being broadcast nearby, the Chromebook may join those instead of reconnecting to the initial SSID. This only happens for initial enrollment every 90 days, but nonetheless will impact user experience.

2. If using ISE 2.4, ISE live logs will show you the user ID that was used for WebAuth for subsequent MAC-Filtering authentication.

By the way, you would be using endpoint purge setting to delete the endpoint every 90 days.


4 Replies


The ISE script to change VLAN has not been updated to support the newer browser mechanisms and requires Java/ActiveX. Do not use this.

For wireless you could do the following:
Create different endpoint groups
Create a hotspot portal (with endpointgroup set differently) for each ADgroup

If hotspotportalYendpoint then give VLANY
If hotspotportalXendpoint then give VLANX
If mab and guestflow and ADgroupY then redirect to hotspotportalY
If mab and guestflow and ADgroupX then redirect to hotspotportalX
If mab then redirect to portal


Other options: Scalable Group Tags for segmentation
Dot1x for everyone except guest

If on wired you can try - https://community.cisco.com/t5/identity-services-engine-ise/wired-guest-vlan-change-release-renew-issue/td-p/3687463

Here is the info on the guest reporting and remember me
https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150

Thanks Jason! Just one more confirmation if you would be so kind.

 

It appears that your flow still requires 2x URL-redirects, once for initial portal and again for hotspot. In regards to Howon's confirmation of my suggested flow with a single URL-redirect above, I fear it will not match the customer requirements after chatting with a colleague.

 

Question: Using my flow, will ISE retain the AD username to MAC association for 90 days, or would the endpoint be presented a WebAuth page after disconnecting or sleeping? Without placing the endpoint in differentiated endpoint groups, I fear that the client will have to satisfy another WebAuth when the session times out, which is not what the customer wants.

The only way to remember is to use the remember me flow mentioned in the link

Otherwise they will need to go through that flow again when a new wireless session comes in.

Another option is to use a longer user idle timeout on the WLC, this is referred to as sleeping client. This will pin up the session so that when user comes back they have the same session ID.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_timeouts.html#d186972e1075a1635

See our guest deployment guide here:
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

Remember me guest reporting here:
https://community.cisco.com/t5/security-documents/ise-2-3-remember-me-guest-using-guest-endpoint-group-logging/ta-p/3641150
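
As an added example, not from the thread and not ISE's own code: a small Python model of the first-match rule order in Jason's wireless proposal above (per-AD-group hotspot portal, endpoint group per portal, VLAN per endpoint group), with the automatic endpoint purge howon mentions standing in for the customer's manual 90-day purge. The portal, endpoint-group, AD-group, VLAN and user names are hypothetical placeholders, and the session/endpoint records are constructed sample data.

```python
# Added example (not from the thread, not ISE code): a first-match model of the
# authorization rule order Jason proposes, plus the automatic endpoint purge
# howon mentions. Portal, endpoint-group, AD-group and VLAN names are
# hypothetical placeholders.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

PURGE_DAYS = 90  # the thread's 90-day re-WebAuth requirement

# Hypothetical names: which hotspot portal each AD group is sent to, which
# endpoint group each portal registers the MAC into, and the VLAN per group.
PORTAL_FOR_AD_GROUP = {"AD-StudentsY": "hotspotportalY", "AD-StudentsX": "hotspotportalX"}
ENDPOINT_GROUP_FOR_PORTAL = {"hotspotportalY": "Y-Endpoints", "hotspotportalX": "X-Endpoints"}
VLAN_FOR_ENDPOINT_GROUP = {"Y-Endpoints": 110, "X-Endpoints": 120}


@dataclass
class Endpoint:
    """Endpoint identity record: MAC, endpoint group, registration time and the
    AD user who passed the portal (the association the logging question asks about)."""
    mac: str
    group: str
    registered: datetime
    ad_user: str


@dataclass
class Session:
    """What the AuthZ policy sees for one RADIUS session (constructed sample)."""
    mac: str
    auth_method: str                 # "mab" or "dot1x"
    guest_flow: bool = False         # set once the user passed the first (AD creds) portal
    ad_user: Optional[str] = None
    ad_groups: list = field(default_factory=list)


def purge_expired(endpoints: dict, now: datetime) -> list:
    """Endpoint purge policy: delete records PURGE_DAYS old or older so the next
    session falls back to the portal rules. Returns the purged MACs."""
    expired = [mac for mac, ep in endpoints.items()
               if now - ep.registered >= timedelta(days=PURGE_DAYS)]
    for mac in expired:
        del endpoints[mac]
    return expired


def authorize(session: Session, endpoints: dict) -> dict:
    """Evaluate the rules top to bottom; the first match wins, as in an ISE policy set."""
    ep = endpoints.get(session.mac)
    # "If hotspotportalYendpoint then give VLANY" (and X): a registered MAC gets its VLAN.
    if ep is not None and ep.group in VLAN_FOR_ENDPOINT_GROUP:
        return {"rule": f"VLAN-{ep.group}", "vlan": VLAN_FOR_ENDPOINT_GROUP[ep.group], "user": ep.ad_user}
    # "If mab and guestflow and ADgroupY then redirect to hotspotportalY" (and X).
    if session.auth_method == "mab" and session.guest_flow:
        for ad_group, portal in PORTAL_FOR_AD_GROUP.items():
            if ad_group in session.ad_groups:
                return {"rule": f"Redirect-{portal}", "redirect": portal}
    # "If mab then redirect to portal": an unknown MAC gets the AD-credential portal.
    if session.auth_method == "mab":
        return {"rule": "MAB-Redirect-GuestPortal", "redirect": "guestportal"}
    return {"rule": "Default", "access": "deny"}


def complete_hotspot(session: Session, portal: str, endpoints: dict, now: datetime) -> Endpoint:
    """Accepting the hotspot AUP registers the MAC into that portal's endpoint
    group, carrying the AD user learned at the first portal."""
    ep = Endpoint(session.mac, ENDPOINT_GROUP_FOR_PORTAL[portal], now, session.ad_user)
    endpoints[session.mac] = ep
    return ep


def walk_flow(mac: str, ad_user: str, ad_groups: list, endpoints: dict, now: datetime) -> list:
    """Drive one Chromebook through MAB -> AD portal -> hotspot -> VLAN and return
    the rule hit on each pass, so both URL redirects are visible."""
    hits = []
    s = Session(mac, "mab")
    r = authorize(s, endpoints); hits.append(r["rule"])          # pass 1: guest portal
    if r.get("redirect") == "guestportal":
        s = Session(mac, "mab", guest_flow=True, ad_user=ad_user, ad_groups=ad_groups)
        r = authorize(s, endpoints); hits.append(r["rule"])      # pass 2: hotspot redirect
    if r.get("redirect") in ENDPOINT_GROUP_FOR_PORTAL:
        complete_hotspot(s, r["redirect"], endpoints, now)
        r = authorize(s, endpoints); hits.append(r["rule"])      # pass 3: VLAN
    return hits


if __name__ == "__main__":
    store = {}
    t0 = datetime(2019, 1, 1)
    print(walk_flow("aa:bb:cc:00:00:01", "student1", ["AD-StudentsY"], store, t0))
    print(authorize(Session("aa:bb:cc:00:00:01", "mab"), store))   # known MAC: straight to VLAN
    print(purge_expired(store, t0 + timedelta(days=PURGE_DAYS)))    # day 90: purged
    print(authorize(Session("aa:bb:cc:00:00:01", "mab"), store))   # back to the portal
```

Two things the model makes visible: rule order matters, since the endpoint-group VLAN rules must sit above the generic "If mab then redirect" rule or every known MAC would be sent back to the portal; and the AD user is kept on the endpoint record, which is the association the later MAB-only sessions need for reporting, the point howon makes about live logs showing the WebAuth user on subsequent MAC-filtering authentications.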